The cybersecurity industry is booming, but not always in ways that benefit you.

You ever walk into a fast food joint just wanting a burger and before you know it, you’re holding a family-sized combo meal, a milkshake, and maybe a novelty toy too?

That’s kind of what it’s like buying cybersecurity services today.

You show up looking for help with, say, a simple risk assessment. Next thing you know, you’re handed a 15-page proposal. You think, but can’t quite tell, that the annual package includes dark web scans, vulnerability scans, a managed SOC, a full NIST assessment, a penetration test, and a set of complicated dashboards. And you’ll get even more options if you’re talking to a desktop-support IT MSP. It can be very overwhelming.

Let’s call it what it is: upselling. And it’s become the default strategy for many of the big players in cybersecurity.

This blog isn’t a rant (okay, maybe just a little one) but, more importantly, it’s a heads-up. Because if you’re a Private Equity Group with a diverse set of portfolio companies and no in-house security expertise, you’re in the crosshairs of a system that’s more focused on selling than solving.

Let’s unpack why.


What’s Driving the Upsell?

The VC and PE playbook is shaping your security buying experience.

Cybersecurity has exploded over the past decade. According to Gartner, “worldwide end-user spending on information security is projected to total $212 billion in 2025, an increase of 15.1% from 2024” (Gartner, November 2024). And that number’s only going one direction.

Now, here’s the twist: many of the largest cybersecurity providers are themselves backed by venture capital or private equity. So they’re playing the same growth game you are, just from the other side of the table.

That means they’ve got big targets to hit. And who better to hit them with than you?

The result? Large sales teams with P&L responsibilities, compensation plans tied to product bundles, and account managers more focused on wallet share than on whether your PortCo actually needs a SOC 2 Type 2 report or just better patching.

Don’t get me wrong: some of those services are valuable. But the incentives at play mean you’re not always being sold what’s best for your business, just what’s next in the catalog.


The Impact on Buyers

You’re left to navigate a confusing – and crowded – vendor landscape.

Let’s be real: if you’re in PE Ops or acting as an informal CISO for a handful of PortCos, the sheer volume of tools, acronyms, and frameworks you inherited at the point of acquisition is enough to make your head spin. And when you’re time-poor (as you usually are), it’s tempting to just pick a provider and tick the box.

Unfortunately, that approach can backfire.

You might:

  • Overspend on tech that adds complexity instead of clarity.
  • Commit to annual pen tests that no one reads, let alone acts on.
  • Buy “endpoint protection” that’s basically a branded screensaver.
  • Push a HITRUST or ISO 27001 certification effort on a PortCo that doesn’t hold significant sensitive data and has no clients asking for it.

All of these missteps come at a cost: wasted money, wasted time, and missed opportunities to focus on your top priority, growing the business for a profitable exit. It’s unnecessary friction in the life of the deal.

I see it all the time: PortCos buried under shelfware and overwhelmed by compliance noise. Not because they’re careless, but because they don’t have the depth and breadth of cyber experience and were upsold by someone who didn’t take the time to ask, “Do you actually need this?”


How Black Creek Cyber is Different

We sit on your side of the negotiating table: no fries unless you need them.

Here’s the thing about Black Creek: we’re not here to sell you anything except clarity.

We don’t take commissions, kickbacks, or free trips to vendor golf tournaments. We’re not tied to a single suite of tools or service partners. Our only incentive is to give you advice that actually serves your goals, not someone else’s quota.

That means:

  • If a $12/month email filtering tool gets the job done? We’ll say so.
  • If you don’t need a SOC? We won’t pretend otherwise.
  • If there’s a better, cheaper, or simpler vendor for your needs? We’ll bring them to the table.

Our job is to help you understand your risks and make smart, tailored decisions that actually reduce them. No fluff. No filler.


Real Partnership, Not Just Procurement

Get clarity, not a cluttered tech stack.

We don’t believe in “drive-by consulting.” Our best work happens when we act as an embedded partner, someone who knows your PortCos, your strategy, and the broader risk profile across the portfolio.

That could mean:

  • Helping you negotiate with vendors (yes, we know what those contracts should look like).
  • Building a right-sized roadmap that reflects actual business risk.
  • Creating rational frameworks for what needs to be done now, what can wait, and what doesn’t need to happen at all.

The beauty of that last point is that, most often, not much needs to happen immediately. It’s a marathon, not a sprint; you just want to be better tomorrow than you were yesterday. The end goal? A security posture that’s proportionate, defensible, and easy to explain to your LPs and your PortCo CEOs.

Checklist: 5 Signs You’re Being Upsold by Your Cyber Vendor


1. Pushing “best-in-class” when “good enough” is better: Not every org needs top-tier endpoint detection or a deep NIST assessment every year.

2. You’re told every PortCo needs the same solution: One-size-fits-all security? That’s convenient. For them. Not necessarily right for you.

3. The jargon keeps piling up, but clarity doesn’t: Buzzwords like “next-gen”, “zero trust”, and “military-grade” don’t mean much without context or clear outcomes.

4. Unclear incentives or commissions: If the provider is also recommending vendors or tools, ask whether they earn referral fees or resell at a markup; some firms bury these relationships.

5. Frequent scope expansions: If the provider keeps proposing add-ons or upgrades shortly after the engagement starts, especially without clear risk justification or measurable impact, it’s often sales-driven.


Tired of Buying Fries You Didn’t Order? Let’s Talk.

Whether you’re just starting to build out a cybersecurity approach across your PortCos, or rethinking an existing strategy that feels bloated, we’re here to help.

No obligation. No pressure. Just an honest conversation about where you are, what you actually need, and what you definitely don’t.

Let’s skip the jargon, ditch the unnecessary side dishes, and build a cyber program that’s clean, clear, and right for you. Contact me here, and let’s chat.