The Cyber Gap Threatening Tech Portfolio Growth

The Problem with Opportunity
It’s no secret that private equity and other ownership structures are increasingly drawn to technology firms that offer an attractive combination of high profit and low overhead (HP/LO), in contrast to many non-technical businesses in their early or middle stages. Examples of HP/LO firms that offer an attractive mix of scalability and recurring revenue include:
- Platforms offering novel solutions to specific industries
- Uniquely optimized IT service providers
- Developers of AI-assisted technology
As attractive as these firms may be, ownership organizations are increasingly aware that several pitfalls need to be considered. This paper highlights several of these considerations, the risks of failing to address them, and mitigations aimed at safeguarding investment longevity and reducing risk.
Bidirectional Requirements
Technology companies are not only consumers of a multitude of technologies for their own operations, but providers of these services in various forms.
That means they are responsible not only for securing their own data but also for a material share of the responsibility for securing customer data and supporting customer security and privacy operations. When incidents happen to these portfolio companies or to their customers, intense scrutiny of data protection can harm public perception or future revenue opportunities.
Technology Regulation
Customers of technology solutions have regulatory obligations such as GDPR, US state privacy frameworks, HIPAA, FedRAMP, CMMC, and now the EU AI Act. They also have contractual obligations to protect their own customers' data, which invites further scrutiny of portfolio companies' operations and capabilities. Failing to anticipate the needs of these customers, and to ensure that the portfolio company’s technology, security operations, and documentation align with those data protection requirements, can mean failing to penetrate markets, killing success before it can even begin.
Outsourcing is Risk Swapping, not Risk Removal
Startups and Small and Medium Enterprises (SMEs) are not large entities. They typically lack the resources to dedicate individuals solely to GRC expertise, Internal Audit, Risk Management, SOC, penetration testing, and supply chain risk management for every security obligation that arises.
In practice, this results in significant outsourcing, which brings various risks and considerations related to supply chain data protection, compliance, and contractual adherence. Moreover, the larger the service provider is in relation to the portfolio company, the less likely they are to be willing to address requests for security improvements or tailor controls to suit the portfolio company's unique needs.
While outsourcing greatly improves near-term scalability, it means that portfolio companies bear increased customer liability for ensuring that upstream providers will meet critical security requirements.
Success in Growth Is Highly Variable
Winning large contracts often underpins the growth trajectory of startups. These support revenue projections and, consequently, fundraising for later seed, series, or even IPO events. In turn, the funds support hiring, building out organizational support resources, infrastructure, or third-party service investments. If all goes to plan, the budding company will scale and improve its operational and competitive positioning as a result.
However, organizations in all sectors are increasingly focused on how well a new seller of services (the portfolio company, in this case) can protect their data, reputation, and compliance requirements, especially when the seller is a smaller, less established organization, as is typical of many PE portfolios.
In certain cases, failure to fully meet regulatory and contractual requirements can lead to lawsuits or contract terminations due to misrepresenting security capabilities or unidentified security flaws in acquired tools/platforms.
The Solution To Complexity: Portfolio Alignment
In these scenarios, the power of ownership can be demonstrated through security governance. Ownership has the authority to strategically design and coordinate information security, compliance, risk management, and supply chain compliance across its portfolio companies. An ownership-driven information security program built on a broad, scaled approach can simultaneously strengthen value propositions and market positioning with customers while improving the internal rate of return on future company investments. This is achieved primarily by anticipating and mitigating compliance and security risks from the earliest stages of growth.
Program Overview: The "What"
Good security programs are built with a bird's-eye view of all the pieces on the board.
Effective centralized program design includes consideration for:
- Portfolio architecture: Reflect on your strategic positioning: Why did you acquire these companies? What unique proposition does your group bring to the landscape of sectors accessed by your companies?
- Security and compliance alignment: What standard security and compliance obligations are shared across the portfolio?
- Technology and infrastructure alignment: What standard technology and infrastructure services are (or can be) shared across the portfolio? Commonalities are opportunities for efficient control implementation and compliance oversight.
- Intra-portfolio Synergy: What synergies may exist between your portfolio companies' ability to support one another's security, compliance, or supply chain risk management? Do any portfolio or partner companies possess cybersecurity, compliance, legal, technology-specific, or operations-specific expertise that can be leveraged?
- Customer Archetype: Understanding commonalities and disparities between target customers will highlight ways that portfolios can share common positioning for compliance adherence, response to questionnaires, audit and accreditation cycles, and more.
- Operating Partner Structure: Consider your own operating partner structure, and how each one can contribute to program design and/or oversight as it is rolled out. This step is the most variable, as every ownership organization is composed of different matrices of partner skillsets and experience.
It’s helpful to create an alignment matrix to begin seeing where security journeys are likely to overlap across portfolio companies.
A Solid Foundation: Know Where You Are Today
Before an adaptive and scalable security program can be rolled out, it’s best to start at “square one”: basic cyber hygiene and security foundations that can be applied regardless of technology, team size, or offerings.
The effects of security incidents, significant missed contract opportunities, or reputational damage can be devastating, particularly if they result directly from a cybersecurity or compliance failure. The time and effort required to clean up the mess always exceeds the cost of basic prevention.
In most cases, such failures are due to missing some of the basics of hygiene. A cybersecurity program for your portfolio cannot take off if the most likely, easiest-to-prevent risks are not addressed first.
The first step of successful program design is a solid foundation of technical controls. It’s vital to perform a preliminary gap analysis against these types of controls across your portfolio. When you identify these gaps, you can have candid conversations about purchasing security tools or services, building cultural security with portfolio leadership and operational teams, and strengthening relationships while setting the tone of security expectations across the board.
At Coalfire, our initial steps for securing portfolio companies include:
- Evaluating and securing customer and internal access capabilities across platforms and SSO
- Ensuring patching is in place for critical systems
- Implementing endpoint protection, file sharing, and secure email usage measures
- Implementing backups and recovery capabilities for crucial systems and data
This is also an opportunity to review the portfolio and explore what solutions for these basic measures other portfolio companies may offer. Opportunities for synergy here may streamline programmatic management in the long run and can typically be negotiated for a reduced cost. In more ambitious cases, you may wish to standardize tooling and procedures across the entire portfolio in such a manner.
Advancing The Framework
With the initial steps implemented, it’s time to harden these security capabilities with the following:
- Vulnerability scanning and penetration testing for infrastructure and developed software
- Basic risk assessment and management program implementation
- User security awareness training
- Log aggregation, monitoring, and alerting
- Building a security and privacy compliance program (documentation, governance)
It’s best to use widely accepted security standards such as NIST CSF or ISO 27001 to evaluate how well your portfolio companies are meeting these expectations. In some cases, portfolio companies may have additional industry- or data-specific compliance requirements, such as those related to private data (GDPR, CCPA), automotive (TISAX), education (HECVAT), federal defense (CMMC), healthcare (HIPAA), or one of many others. Be sure to assess those portfolio companies against those standards at the same time.
With these pieces in place, your portfolio will have established a foundational cybersecurity practice capable of anticipating and preventing common risks before they are realized, along with proactive adherence to necessary customer and regulatory requirements.
A Long View
It’s at this stage, once your portfolio companies have had basic processes in place for some time, that we commonly encounter a false sense of confidence in security capabilities. Many security leaders then struggle to demonstrate the long-term value of new security investments, and projects are sidelined for other budgetary priorities.
However, this is where the greatest risks lie.
As with all things in technology, the risks facing your portfolio companies change with time, but the information security risk profile of the company itself also changes as it grows: new quarterly and annual business objectives come up, new markets are targeted, new technology may be procured or developed, new business lines are added, acquisitions or spinoffs occur, and regulatory landscapes change.
When these foundational shifts occur beneath a stagnant security program, your portfolio is likely to suffer its most significant impacts yet from incidents or lost contract opportunities. When disruptions or incidents occur, we often see leaders having the untimely realization that the security program was built for how the organization was, rather than for how it would be.
And because the company has grown, so too has the magnitude of the disruptions that were believed to have been prevented.
The solution? Ongoing cybersecurity governance. Governance is the key to cybersecurity adaptability and resilience for the long term. Resilience, compliance, and data protection risks cannot be adequately addressed without:
- Maintaining a constant flow of communication between business and IT stakeholders
- Establishing responsibilities for the execution of recurring cybersecurity activities
- Regularly maintaining policies, procedures, and playbooks
- Re-evaluating risks and compliance adherence each year
- Measuring the program internally on an ongoing basis and acting on feedback
- Planning budgets adequately, discussing them, and setting expectations
By establishing governance programs within your portfolio companies, you can ensure that each organization is adaptive and resilient not only to direct technical cybersecurity risks but also to changes in customer demands, regulations, organizational restructuring, product changes, geopolitical changes, and more.
Conclusion
Stocking a portfolio with technology firms, while potentially lucrative, requires careful consideration, evaluation against industry standards, and strategic architecture for cybersecurity success. Your portfolio both consumes IT services and provides technological solutions to customers, assuming varying degrees of compliance and continuity risk.
Utilizing cutting-edge or novel technology or software deployments introduces potential for novel or atypical risks that cannot be addressed by checking the proverbial boxes.
Without adequate preparation and program design consideration, your portfolio will be subject to:
- Higher intensity of customer and regulatory scrutiny
- Higher hurdles to acquisitions, customer retention, and relationship-building
- A greater risk to liquidity events from churn if customers are not satisfied with the portfolio company’s management of security obligations
In order to reduce exposure to significant legal and operational disruption risk in the near term and missed opportunity for sustainable growth, Coalfire recommends an at-the-ready approach to portfolio company security program management, including:
- Centralized security program design and governance
- Adequate and relevant policies, procedures, and plans
- Secure development training
- Incident response training and planning
- Business continuity and incident response exercises
- Tailored technology monitoring and alerting
- Unified control frameworks, as applicable
- Continuous controls monitoring
- Data loss prevention
- Active failover mechanisms
- Enterprise risk assessments
- Business impact analysis
Next Steps
Take the next step in protecting your upside. Our Cybersecurity Snapshot is an excellent first step to strategically evaluate how your portfolio company or small-to-medium enterprise would benefit most from a cybersecurity program.