Why Your Portcos All Handle This Differently

Pull up your portfolio operating dashboard. The one you actually use, not the one in the LP deck.

You'll see standardized financial reporting — same chart of accounts, same monthly close cadence, same KPI definitions across every portco. You'll see a board meeting rhythm that runs on rails. You'll see a 100-day plan template, a talent scorecard, a procurement playbook, and a customer health framework that gets applied the same way at the $20M ARR portco and the $120M ARR portco.

Now find the cyber column.

There isn't one. And if there is, it's a free-text field that says something like "SOC 2 in progress" at one portco, "working with a vCISO" at another, and "???" at the third.

This is the PE portfolio paradox. You systematize every operational discipline that affects value — except the one that increasingly determines whether enterprise deals close, what cyber insurance costs, and how an LP scores your operational risk posture.

It's not because operating partners don't care. It's because cyber arrived in the value creation conversation later than finance, talent, and GTM, and it arrived wrapped in technical language that made it feel like a CTO problem rather than an operations problem. So every portco hired its own answer. One stood up an internal security team. One bought a GRC platform and let it gather dust. One signed a $180K annual retainer with a Big Four firm. One did nothing and is hoping the next enterprise prospect doesn't ask.

You'd never accept this in finance. Imagine each portco picking its own accounting standard and its own audit firm, with no portfolio-level visibility into how any of it compares. That's exactly the posture you have on cyber right now.

The fix isn't to centralize cyber the way you centralize the CFO function. It's to standardize the measurement layer — the same way you standardized financial reporting without taking over each portco's accounting team. One framework. One scoring rubric. One view across the portfolio that tells you which companies are on track, which are at risk, and where a small investment closes the biggest gap.

Your action this week: Run the inventory. For each portco, fill in five fields:

  1. Current SOC 2 / ISO / NIST status (none, in progress, completed, expired)

  2. Last third-party security assessment (audit, pen test, or vulnerability scan): date and firm

  3. Cyber insurance posture (carrier, premium trend, exclusions added at renewal)

  4. Active enterprise deals where vendor security review is on the critical path

  5. Who owns this at the portco (named person and title)

That's the column that's missing from your dashboard. Building it takes an afternoon. Not building it is the choice you're making by default.

— Sierra

P.S. Next Wednesday: the one diagnostic question that turns this inventory into a scoring rubric you can take to your GP.
