We continue our effort to underscore certain patterns and themes found throughout the OODAcast library of over 80 conversations with leaders and decision-makers, on topics such as leadership, empowering a team, clear decision-making while operating in a low information environment, the qualities and best practices of a true leader, the future of intelligence, the future of cyber threats, the cybersecurity marketplace, innovation, exponential technologies, and strategic action.
In May of 2020, OODA CTO Bob Gourley had a conversation with Boston Meridian’s co-founder and partner JC Raby. Boston Meridian is an innovative investment banking firm focused on providing strategic M&A advisory and capital raising services to fast-growing private and small-cap public growth companies. Since its founding in 2004, they have closed more than $6 billion in transaction value.
JC has more than 16 years of investment banking experience in mergers and acquisitions as well as private and public financings. JC’s clients include leading Fortune 500 acquirers and middle-market growth companies across a number of industries including media and technology (software, business services, and communications equipment), manufacturing, and consumer products, together accounting for over $9 billion in transaction value.
In July of 2020, Bob spoke with Andrew (Andy) Lustig, a partner at the high tech law firm Cooley where he focuses on private equity investments, mergers and acquisitions, and the general corporate representation of high-growth technology companies in both the commercial and government marketplace. His practice includes a wide range of industry sectors including information technology, national security, cybersecurity, data analytics, software, and telecommunications. He also represents a number of leading venture capital and private equity firms. Cooley is widely known for its work with high-growth tech and life sciences companies.
“For everybody that is innovating, there is someone that is getting cut out that might just have someone sitting on K street.”
Bob Gourley: I want to ask you questions about your view of the market, but one thing that intrigued me was hearing your views about innovators and regulators, and how there is this synergistic dynamic between innovators and regulators. What are your views there?
JC Raby: They are inevitably drawn together. The synergies are tougher, in so far as innovation from a high level: innovation like everything we see from Silicon Valley, where I’m based outside of, and on a global basis, innovation really doesn’t give much consideration towards regulation. It is first to market that is a business advantage. Everything from an infrastructure perspective that you see happening around us, containerization, the ability to kind of drop a business idea onto a serverless infrastructure and deploy, all that rushes to the forefront, because that is how companies accrue business value today is that rapid development and deployment of business applications out to customers – and very oftentimes leave things like security and privacy at the back end.
We are used to changing the way we do something faster than any regulator, who are usually, I mean God bless ‘em, more bureaucratic souls – based around centers of leadership, of governments in Europe and the U.S and otherwise – who are always constantly playing catch up, because they see the impact on their constituents who are upset. Or there are some lobbyists – from some other side that is losing out on innovation – who are pushing them.
Take any area: where are the key areas of innovation? Obviously, cloud computing, IoT, digital health, direct to consumer, E-sports where we’ve been active, autonomous vehicles, alternative power, and AI, all of these are really pushing the boundaries every single day of innovation. Capital is just flying in, and everybody wants to ride that charge.
But they have very profound effects, when you think of it, on the populace. If you think about IoT and all this pushing of innovation through 5G and otherwise, I mean leaving aside what people think about whether the infrastructure is rewiring our brains or not from a signal perspective, what does it mean for the ability to exploit our networks by either a nation-state or even something as a simple hack which takes a 5G connected car off the road into a pile of burning flames. There’s just, there’s always this element that lags innovation that is like, “Oh, wow, we didn’t think of that.” And there are real ramifications that are happening.
Gourley: And it seems like society needs regulations sometimes to moderate the impacts. But we don’t want that innovation to be stifled because of regulation. And it seems like it is going to be a constant dynamic.
Raby: Regulation tends to be impulsive, and it tends to follow pathways of years prior experience versus cutting edge. It takes a long time to catch up to the benefits of innovation. Silicon Valley is Mars to downtown D.C. And then you bring in the pressure of lobbyists and others that are representing kind of the “old-line” – who have the deepest pocketbooks – and that plays a factor too. For everybody that is innovating, there is someone that is getting cut out that might just have someone sitting on K street. But, as we have seen [during the pandemic], when the social need is great enough and the impact is necessary, we have seen the regulation kind of ease up a little bit.
“…surround yourself with some fantastic people that are innovators – and good things come when you’re patient and you lean forward and just offer a helping hand. So that is our approach.”
Bob Gourley: I wanted to ask you: when should a startup start a conversation with a company like Cooley to get advice or formal legal counsel to really get things in order?
Andy Lustig: What I would say is they have to ask themselves if they are the right kind of startup to work with a firm like Cooley. We do our best work, and we can be most helpful, for companies that are on high growth trajectories or that want to be on high growth trajectories. Usually, that means that they are not the lifestyle kind of company where you start up a company to be your main source of income. And it’s something that you want to really ride all the way into the sunset and maybe pass along to your family and sort of be a generational kind of a business. There’s nothing wrong with that. We do work with some businesses like that, but the norm is more of the companies that are going to go access capital – venture capital, angel money, venture capital, growth equity, private equity – and really to make their business plans go to work and then pursue liquidity events and exits and high growth in a short amount of time.
And those historically have been technology companies which is foundational to Cooley. Life sciences companies, biotech. We probably have over 20 or 30 companies working on COVID vaccines right now. It is amazing. I think we’ve done over 25 IPOs [in 2020] alone, a majority of which have been life sciences companies based on everything that is happening in the world right now. So, life sciences companies, tech companies – those are the kind of companies that we tend to really work well with that are on those kinds of trajectories. And that extends to all ends of when we say technology or life sciences – it is high growth companies, environmental companies, it could be space companies, satellite companies, you name – it is anything that is innovative and fast and requires capital to grow.
As far as entrepreneurs go, I would say the sooner the better. We talk to folks all the time before they really need legal services. And part of our passion is just getting the ecosystem – whether it’s local out here in the DC Metro area, or whether it’s national or international – but leveraging everything we can to help that ecosystem. And that means often that we have to lean forward and help companies before they have any work to give us. And a lot of times they need help, but they just don’t have the resources to pay for it. But we are just like the venture capitalist in the sense that we take risks and we make bets on companies and we make bets on people. And that is where it is fun and fulfilling and exciting – much the same way you guys have done in your careers. Just surround yourself with some fantastic people that are innovators – and good things come when you’re patient and you lean forward and just offer a helping hand. So that is our approach.
“There are a lot of mistakes that you can head off and avoid if you just surround yourself with the right people on the front end.”
Gourley: That raises a couple of other points. I wanted to ask you about these young companies – the startup that is on a high growth trajectory. Before there is some event in their future, there is going to be an examination of all their finances and their technology, a due diligence assessment by either an investor or an acquirer. So starting things on the right track early is important. What is due diligence in your mind?
Lustig: So if I had to boil it down, I would say it is kind of a three-step process in which you identify risk as the first step. You quantify risk as a second step, and then you mitigate that risk as the third step. And so if you think about what that really means, it is identifying whether there are issues in your company that are tolerable and that somebody can get past before they invest in you or before they buy you. And every company has issues, so there is no secret there. Lots of them are in your control and lots of them are not. And so diligence is about just getting down to what risk can you live with when you partner with another company?
Gourley: Do you have advice for the high-growth CEO on how to prepare his company for due diligence?
Lustig: Well, it’s interesting. I think one of the prevailing pieces of advice that we give is always to surround yourself as soon as possible with people that have been there and done that. And one of the things that is very fulfilling and exciting about the entrepreneur ecosystem is that they are very good about giving back to other entrepreneurs. They are excited to do it. They are happy to do it. It is one of those ecosystems that loves to do that. It is very reciprocal in nature. And so I could not emphasize more that the best thing you can do is go find other CEOs that have started companies or other founders who have started companies and raised money, sold them, or companies that have had problems that have not worked out have had to be liquidated. Surround yourself with as many people as you can that have been there and done that and ask a lot of questions on the front end. There are a lot of mistakes that you can head off and avoid if you just surround yourself with the right people on the front end.
“And there is consumerization going on at the same time where – not knowing anything about security – I can become a script kiddie and go try to hack a third-world bank. It is literally that type of kind of growth that is going on out there.”
Gourley: I would love to hear your views on the cybersecurity market. And one way I thought would be a huge benefit to our community is if you could give advice to the CEO of a company that wants to make sure he’s poised for a good transaction in the future. What can CEOs do to make sure their company is ready for a transaction and that the transaction is as valuable as possible?
Raby: What is most interesting is, if you looked historically speaking, the perfect type of company would have a very strong kind of enterprise sales process entombed into it. It would be proven to be able to sell licenses to large Fortune 500 companies and have the sales force that would take them out to golf and take their counterpart out to golf and wine them and dine them for 12 months and then land this big contract. And we are now obviously on a Software-as-a-Service (SaaS) type of base revenue platform because, if you think about a crisis like COVID, the ability to have a decent runway – where the customers already bought and deployed maybe on one-to-three-year type of recurring revenue platforms – it really softens the impact of a technology company when a kind of situational spike arises which cuts off demand or flow.
So the SaaS model for one. But most importantly, what we have seen is the enterprise sales model has really moved the value in cybersecurity into my channel, right? Because what we’re seeing is, at the same time the sales model changing, is the fact I cannot – even if I’m one of the biggest financial services firms in the world – I cannot manage my own security posture because the nature of the threats is becoming much more complicated. They are usually backed by state actors with unlimited budgets. And there is consumerization going on at the same time where – not knowing anything about security – I can become a script kiddie and go try to hack a third-world bank. It is literally that type of kind of growth that is going on out there.
“…the vulnerabilities will continue, created by humans, exploited by humans…so you need to constantly inure yourself in the DevOps cycle, going back into that. You need to learn and protect.”
Raby: And so what that means is that we are pushing the problem out to the partners – pushing it out to the channel. We are going downmarket, small and medium-sized businesses that would have traditionally sold me some of my storage and some of my compute. And now we are turning them into security professionals through technologies. We’re really kind of expanding the nature of the ecosystem to push security away from the biggest clients all the way down to the bottom. And so what that means is your product must really be able to fit a channel distribution strategy of either turning Managed Service Providers (MSPs) into Managed Security Service Providers (MSSPs) – and then enabling them to be their first, manage multiple customers, do the incident response and take that all on.
So that is pushing out the sales effort to democratizing it – meaning your platform, your product, has to be able to quickly land in someone’s toolkit and be brought to market. The ones we have seen most win are ones that are enabled to apply their value and a toolkit that a developer can quickly wrap on and deploy – getting back to this whole idea that business value is really coming about speed to the deployment of that value.
So we’re seeing great companies like the HashiCorps of the world, and other ones, that are really able to take your business fundamental application, wrap all this infrastructure around it, put it into a container, and fire that container off to the world – but then be able to secure it as different vulnerabilities arrive, different people, figure out how to exploit that application or the infrastructure around it – being able to change and keep that dynamic. And then take all that and push it back into the codebase at the point you’re writing the next iteration of the product.
So you are always taking those vulnerabilities and you are pushing them back into the DevOps cycle. So that is a really fascinating thing to see and be a part of, but if you are going to position your company for sale, you need to really be able to link rapid deployment of value back to the developer community.
Gourley: So to summarize a couple of big thoughts. You used to tell me it is important to think about product-market fit. Now you’re saying product-channel-market fit?
Raby: That’s right.
Gourley: And when it comes to the code base, it needs to be like a platform that is continually securely improved both the security and functionality of that program.
Raby: That’s right because the vulnerabilities will continue, created by humans, exploited by humans – humans now with a lot of powerful technology to find those exploits. So you need to constantly inure yourself in the DevOps cycle, going back into that. You need to learn and protect.
“….as all these remote sensors begin beaming back data from every corner of the globe and eventually the universe – it is going to be interesting to see what happens…”
Gourley: I want to give you a thesis and tell me if it is wrong or right. The next 20 years are going to be the Bioscience Revolution. It will be the biotech decades where all the innovation will be driven by biotech. What do you think of that thesis?
Lustig: I think it is a really accurate assessment. I think when you look at what’s happening with the speed of computing and analytics and AI and what that translates into in terms of the ability to solve what used to be almost impossible, very tough medical life sciences-based problem sets, DNA sequencing, and creation of vaccines, rapid innovation of medicine. Those are all highly formula and science and math-driven – which lends itself to taking advantage of all the innovation. These tools now that are becoming more accessible to folks are becoming interesting in the hands of scientists, life scientists, and biotech firms.
So I think there’s no question we are on the very, very front edge of a massive sort of biotech surge in innovation. I also think there are some other areas that are equally poised for growth. Space remote communications. Every time there is a new satellite that goes up there is an unbelievable amount of data that now becomes accessible that wasn’t there before. So the sheer volume of data that is going to become accessible over the years as IoT environments continue to expand. And as all these remote sensors begin beaming back data from every corner of the globe and eventually the universe – it is going to be interesting to see what happens and what that means with all the compute capabilities trailing behind.
“What matters to your business? What can set off this business? What can damage this business? At its core, inevitably, you are going to get to security and I think people are going to start looking at it differently.”
Lustig: With that thesis and that future: what scares you about it?
Gourley: What scares me about it is the fact that after two decades of working in security, we didn’t fix security for the old architectures. There are still challenges. So why should anybody think security will be fixed for the new world of quantum computing and space communications, space remote sensing, and the biotech revolution? It’s not going to be fixed. There will always be issues of trust and risk and risk mitigation and optimizing in a world where the adversary can be observing all your actions. So that is what worries me. I’m still an optimist. This is going to be a great and wonderful tech-enabled future, but there will always be a need for professionals to assess risk and mitigate risk when it comes to cybersecurity.
Lustig: I couldn’t agree more. And I still feel – from an M&A standpoint, from a diligence standpoint, from a financing standpoint – if you’d asked me five years ago, what my prediction would be in terms of technology diligence and cyber diligence? I would have said that they would become absolute hand-in-hand partners in terms of legal diligence and transaction diligence and company diligence. And that that cyber diligence would be the star of the show, right? Because everything was so reliant on security and technology that whether it’s a life sciences company protecting its secret sauce for a vaccine.
Or whether it is a technology company that launches satellites into orbit and must protect everything about that process. There is going to be so much more at stake that it was going to just be a given that cybersecurity would be top of the list. It has grown and it is more recognized. It is on the checklist now. I still feel like it has not quite played out the way I thought it would in terms of prominence.
I’m concerned that the stakes are getting higher and higher as we go. I mean if you look at COVID in terms of monitoring from a privacy standpoint. Everyone’s being monitored. People are asking for a lot more data, health data, in the interest of trying to track the spread of viruses and things like that. And this will not be the last time. The stakes are getting higher and higher, and the boundaries are getting broader and broader in terms of who is impacted by these issues. And so my hope is that we are starting to really think about the right questions to ask in terms of resiliency. And when people start asking the right question, it is also: What matters to your business? What can set off this business? What can damage this business? At its core, inevitably, you are going to get to security and I think people are going to start looking at it differently.