There’s a quiet problem running through private equity portfolio management, and it has nothing to do with firewalls or zero-day vulnerabilities. It has to do with advice.
Too many portfolio companies are receiving cybersecurity guidance that is either over-engineered for their context, disconnected from the realities of a mid-market operating environment, or quietly shaped by vendor incentives. The result? PortCos that are confused about what to prioritise, overwhelmed by complexity they don’t need, and still exposed on the basics that genuinely matter.
At Black Creek Cyber, we work exclusively within private equity and portfolio company environments. And when you operate in a single sector long enough, the patterns become impossible to ignore. The issue is rarely a lack of cybersecurity spend. It’s a lack of cybersecurity honesty.
The Six Questions Every PortCo Deserves Straight Answers To
When a portfolio company engages with a cybersecurity advisor, there are six questions that should be on the table from day one:
- What actually matters? Not everything in a security framework is equally urgent. Prioritisation is everything at the PortCo level, where IT teams are lean and bandwidth is finite.
- What can wait? Knowing what not to do right now is just as valuable as knowing what to act on. Good advice protects time and budget, not just systems.
- Where are we exposed today? Not theoretically, not in the abstract. Right now, in this business, with this tech stack and these suppliers. Specific, honest, actionable.
- What is overkill? Enterprise-grade solutions sold into mid-market environments is one of the most common and costly mismatches in cybersecurity consulting. If a control doesn’t fit the risk profile, it shouldn’t be on the roadmap.
- What is not optional? There is a non-negotiable floor of essential hygiene. Below it, the exposure is real and the consequences (whether regulatory, reputational, or financial) are material.
- What has changed in the last three to six months that warrants revisiting all of the above? This is the question that gets skipped most often, and it’s increasingly the most important one. A bolt-on acquisition, a newly deployed third-party platform, a change in cloud infrastructure, any of these can shift the risk picture overnight.
The Problem with the “Transformation” Pitch
There is no shortage of vendors and consultants willing to propose sweeping cybersecurity transformation programs for portfolio companies. Some of these programs are genuinely warranted. Most are not.
For the average PortCo (mid-market, resource-constrained, in active value-creation mode) a giant transformation program is a distraction at best and a liability at worst. It consumes capacity, creates initiative fatigue, and often leaves the most critical basics unresolved while attention is consumed by complexity upstream.
What the middle market needs is practical controls, clear accountability, and steady improvement over time.
Working Against a Defined Line
This is the philosophy behind Black Creek Cyber’s Top 7 Cyber Poverty Line: a defined, proprietary framework of the seven essential security indicators that every PortCo must have in place to be operating at an acceptable baseline.
The model is deliberately focused. It is not designed to cover every conceivable risk. It is designed to ensure that portfolio companies are addressing the controls that are most likely to matter, and tracking progress against those controls consistently over time.
PortCo Shield, Black Creek Cyber’s portfolio dashboard, maps every company against the Top 7 in real time. PE deal teams and operating partners get a single, clear view of where each PortCo stands: who is above the line, who is falling behind, what has changed, and what needs to happen next. Incidents are logged and tracked with full transparency. Tasks, deadlines, and accountabilities are visible to everyone who needs to see them.
It is not a flashy product. Neither is the approach behind it.
But for private equity firms that want honest, independent guidance, not vendor-driven recommendations, not unnecessary complexity, it really works.
Get above the line on the essentials. Track them. Improve them. Stay the course.
To learn more about the Top 7 Cyber Poverty Line or how PortCo Shield delivers portfolio-wide cyber visibility – or, if you’ve had an incident and need a confidential, no-obligation review, get in touch and we’ll be happy to help.