One of the biggest challenges Private Equity Groups (PEGs) face when it comes to cybersecurity is summed up neatly in a single phrase: trust but verify.

On paper, it sounds simple. You set expectations, PortCos confirm they’ve deployed the right tools, and everyone sleeps soundly at night. In reality? It’s rarely that straightforward.

 

The Challenge of “Trust but Verify”

Most PEGs want to believe their PortCos are implementing the cybersecurity solutions they’ve invested in. And many PortCos are trying their best. But here’s the rub: deploying solutions correctly and exhaustively can be surprisingly difficult.

Tools are misconfigured, processes are only half-implemented, and reports are sometimes more about looking compliant than being secure.

That’s not to say PortCos are acting in bad faith. More often than not, they’re simply overwhelmed, under-resourced, or not fully clear on what “good” actually looks like. 

The end result? PEGs are left with assurances that may or may not hold up under scrutiny.

 

Complexity Grows With Portfolio Diversity

Now let’s add another layer of complexity: portfolio diversity.

When you’re overseeing 10 – 20 companies, each with its own sector, size, and risk profile, the “trust but verify” mantra becomes a game of whack-a-mole. What works for a consumer products PortCo doesn’t translate directly to a healthcare or manufacturing PortCo.

I’ve written before about the importance of tailoring your approach to portfolio diversity here. The short version: cybersecurity isn’t one-size-fits-all, and trying to manage it as if it were only compounds the challenge.

 

A Real World Example

Take something as “basic” as Security Awareness Training (SAT) and mock phishing campaigns. On the surface, it seems straightforward: roll out training, send a few phish tests, measure results. But in practice, it’s rarely that simple, especially when the whole thing is outsourced to a third-party IT MSP.

  • For one, communication can be a problem. Do managers and users actually understand what’s expected and why, or are they just told to click through modules? How much time are people given to complete the training, and do the reported completion rates conveniently ignore anyone who finishes after the deadline? 
  • Then there are the technical quirks: in a funny karmic twist, sometimes the mock phishes themselves get snagged by the company’s own security filters. It’s hard to blame employees for low completion rates if the training never even lands in their inbox.
  • Reporting adds another wrinkle. If you’re seeing 100% timely completion month after month, that’s almost always too good to be true, we can’t expect every employee to be a cybersecurity Eagle Scout! 
  • On the flip side, if the mock phishing fail rate is sitting at 0% for months, it probably means the tests are so easy they’re not teaching anyone anything. 
  • Finally, there’s execution. A click on a mock phish is one thing, but the real learning moment comes when someone actually tries to type in a password or MFA code on a fake login page. That’s uncomfortable, but it’s also the single best opportunity to turn a risky behavior into a teachable one.

 

Why Experience (and Patience) Matters

This is where many PEG-side operations folks get stuck. Even the most seasoned ops teams can lack the time, technical depth, or patience to keep peeling back the layers when explanations from PortCos start sounding a little… polished.

That’s where I come in. My job isn’t to catch people out, it’s to separate signal from noise. 

Over years of doing this, I’ve developed a healthy radar for excuses, a toolkit to cut through the chaff, and the persistence to keep asking the right questions until we get the results we need.

 

How Black Creek Cyber and PortCoShield™ Help

At Black Creek Cyber, I bring both the PE perspective and the cybersecurity expertise. I know what PEGs really need: the essentials, no unnecessary extras, and clear visibility across the portfolio.

That’s why I built PortCoShield™ – a platform designed specifically to give PEGs a single, reliable lens into their PortCos’ cybersecurity posture. Instead of juggling disparate reports and vague assurances, you get actionable insights that help you verify, not just trust, that your PortCos are secure.

 

Ready to See for Yourself?

If you’re wrestling with the “trust but verify” problem across your portfolio, let’s talk. I’d be happy to share how I work with PEGs to keep things simple, focused, and effective, and I can give you a demo of PortCoShieldTM so you can see exactly how it works in practice.

Get in touch with me here to set up a chat or request a demo.

Because in the world of PE, trust is essential, but verification is what keeps everyone safe.