Some firms learn cybersecurity lessons the hard way – after a deal goes south. Clark Sandlin prefers to catch problems before they blow up. After spending 33 years in the trenches of private equity tech, he’s watched too many good deals crater because nobody looked past the surface numbers. Through his firm Zyrka, Clark helps private equity groups and family offices spot the tech problems that spreadsheets miss. His approach comes from hard-won experience navigating the increasingly hostile world of cybersecurity, where one overlooked vulnerability can sink an entire acquisition.
Elevating Cybersecurity to a Strategic Priority
These days, cybersecurity isn’t just an IT problem hiding in some back office. Clark, founder of Zyrka, has watched it climb straight to the top of boardroom priorities. Private equity groups and family offices are finding themselves in an increasingly hostile digital landscape, where one overlooked vulnerability can sink an entire deal. “Staying ahead of this requires much more than just technology,” Clark explains. “It demands vision and strategy.”
Drawing from his decades of experience guiding firms through complex IT challenges, he breaks down three critical tips for making sure cybersecurity doesn’t derail your next acquisition.
Tip 1: Don’t Trust the Spreadsheet
Here’s a common scene in private equity: Someone good with Excel thinks they understand technology. Clark sees this mistake all the time. “The most important thing overlooked in acquisition analysis is trusting the spreadsheet guy who knows tech,” he warns. Numbers tell part of the story, but they miss the messy reality of IT infrastructure. “Having a solid grasp of financial metrics or operational data does not equate to understanding the intricate layers of IT Network infrastructure and cybersecurity,” Clark points out. When firms rely on in-house analysts for tech evaluation, they’re rolling the dice with their investment.
The risks go beyond just losing money. “Hidden vulnerabilities, outdated systems, and compliance issues do not show up on the balance sheet,” he explains. These invisible problems can “devastate value post-acquisition or even open the door to future cyber attacks.” His bottom line? “If you’re trusting spreadsheets over specialists, you’re not analyzing the full picture – you’re just hoping for the best, and hope is not a strategy.”
Tip 2: Evaluate Legacy Systems Early
Legacy systems are like old houses – there’s always something that needs fixing. “Outdated technology often harbors unpatched vulnerabilities, misconfigured settings, or unsupported software that create easy entry points for cyber threats,” Clark notes.
Smart buyers spot these issues during due diligence, not after closing. This early detection lets you “factor remediation cost into the deal and avoid inheriting systems that could jeopardize long-term business stability.” Clark insists on bringing in real expertise: “A technology visionary with real-world experience is a must during this process.” For sellers, there’s an opportunity here too. “You can eliminate bargaining over technology by bringing your systems current without spending too much money if you have the right strategies to tidy up the network,” he advises.
Tip 3: Inspect What You Expect
Compliance documents can look great on paper while hiding serious problems. “Audits, pen tests, checking compliance tech boxes mean nothing if you’re not digging into the results and verifying the data,” Clark warns. “A superficial glance at an attestation isn’t due diligence – it’s a dangerous shortcut.”
This isn’t about being paranoid – it’s about being thorough. “Third-party vendors and internal IT teams might gloss over critical vulnerabilities or downplay systemic issues to avoid raising alarms,” he explains. His advice? “If you’re not actively questioning, challenging, and validating the findings, you’re setting yourself up for failure.” The stakes are too high for shortcuts. “Assumptions don’t close deals – they destroy them,” Clark states bluntly. “True oversight means leaving no stone unturned and no question unanswered. Anything less is negligence.”
Through Zyrka, Clark’s firm tackles these challenges head-on, focusing on uncovering hidden risks and modernizing IT infrastructure. His message is clear: “Cybersecurity isn’t just a checklist item in due diligence – it’s a critical factor that can determine the success or failure of the acquisition.”
To learn more about Clark Sandlin and Zyrka, check out his LinkedIn profile.
