Picture a conversation that plays out, in some version, all the time. A founder, two or three years into building something genuinely good, reaches out because an enterprise customer has sent over a security questionnaire. Three hundred questions. A demand for SOC 2. A deadline that lands the week before the largest contract in the company's short history is due to close. The founder, who has spent those years thinking about product, hiring, and runway, realises they have never once been asked to think seriously about security. Not by a customer, until now. And not, tellingly, by any of their investors.
That last part is the one worth sitting with.
Private equity now mandates a CISO across many of its portfolios. It would not be unreasonable to expect venture capital to do something similar. Largely, it does not. The two look alike from a distance — pools of capital, portfolios of companies, professional investors with real money at stake — but underneath they can be very different. The difference is not a matter of diligence or appetite. It is structural. Once you see it, the rest follows almost inevitably.
Private equity is a farmer. Venture capital is a gardener.
A private equity firm buys the farm, owns the farm, works the farm, sells off equipment or fields as they see fit and sells the crop at harvest. Control is not incidental to the model, it is the model. So when private equity concludes that cyber risk is now material to value, it can act on that conclusion directly: a named security leader in the first ninety days, standardised reporting, the mandate enforced from above.
A venture capitalist is a different creature. A gardener, tending an orchard they do not own. They helped to plant a seed, they hold a meaningful interest in the tree growing tall, and they can offer water, fertiliser, advice, and a stake to lean on. What they cannot do is prune against the owner's wishes. They hold a minority position. They may have a board seat and a great deal of influence — but influence is not control, and the gap between the two is widest on the questions that are easiest to defer. Security is perhaps the most deferrable question there is.
This answers what people outside the industry most often ask. Do venture firms mandate their companies cybersecurity? Largely, no — they have no mechanism to. Do they pay for it as part of the deal? Almost never; the capital is for growth, and security is treated as the company's own operating concern. So they wait until the company asks for help? Historically, yes. That is the honest description of the default. The orchard is left to grow, and the gardener is called over only once a tree visibly has a problem.
For most of venture's history, this was, for all its faults, rational.
The old logic held. It no longer does.
You do not optimise a seedling for the storms it will face at thirty feet. You optimise it to survive the first winter. When a company might fail within eighteen months for want of product-market fit, asking a founder to spend scarce engineering time building a control framework for customers they do not yet have is hard to justify. The problem is that three changes have made the old reasoning obsolete.
The first is that security has moved from a late-stage concern to a deal-stage one. The questionnaire in the opening scenario used to arrive only when a company began selling to banks or hospitals — large, regulated, late in the journey. It now arrives far earlier, because buyers of every size have been burned by a supplier's breach and have learned to push the risk down the chain. A Series A company selling to mid-market customers now meets demands once reserved for the enterprise. Security has become a gate on revenue, and revenue is the one thing a venture-backed company cannot afford to have gated.
The second is that the cost of getting it wrong has risen while the time to react has collapsed. The tooling available to attackers has compressed the gap between a weakness appearing and its being exploited from weeks to, in some cases, hours. A small company with no security leadership is not merely under-defended against this — it frequently has no one whose job it is even to notice. The disease no longer progresses slowly. It spreads in an afternoon.
The third is the one founders feel most and discuss least. An unattended security posture has become a discount at the next round and at exit. When a company raises later or sells, the incoming investor or acquirer now runs technical diligence they would once have waved through. The absence of any security function is no longer read as neutral. It is read — correctly — as a signal that risk has been accumulating unwatched, and it is priced accordingly. The deferral that felt free for years presents its bill at the precise moment the founder has least leverage to dispute the total.
Venture has not been wrong to avoid the heavy hand of a mandate. It has simply been slow to notice that the market reclassified security from "something the company gets to eventually" into "a precondition for the things the company exists to do."
Between mandate and waiting, there is a third position
A handful of venture firms have worked out something the structure of their model had seemed to forbid: that you do not need control to be useful.
The reasoning runs roughly as follows. We cannot mandate — that is settled, it comes with the asset class. But it does not follow that our only remaining choice is to wait. Between the two sits a third position, and it turns out to be the strongest one available to a minority investor. You cannot compel the right thing. You can, however, make it the easy thing.
In practice that means an enabling offer made available across the portfolio rather than a directive imposed on it. A pre-arranged relationship with security leadership that any portfolio company can draw on, at terms the firm has already negotiated, without each founder having to find, vet, and hire someone in the panicked fortnight after a questionnaire lands. Some firms subsidise the first engagement. Most simply remove the friction — the introduction is made, the groundwork is laid, and the founder gets experienced help in days rather than confronting a market of vendors they have no means to assess.
The economics are persuasive. A single fractional security leader can lay sound foundations for a company that does not need, and could not justify, a full-time CISO. Extend that across a portfolio and the firm lifts the floor for everyone, cheaply, without claiming authority it does not possess. It is the gardener bringing in one experienced hand to walk the whole orchard, rather than each tree owner separately discovering, too late, that they should have.
This is, admittedly, close to the model The CISO Network is built around — so weigh the enthusiasm accordingly. But the logic stands whoever provides it. The firms moving this way are not being generous. They are protecting the value of their own stake by making it easy for founders to do the thing that founders, left entirely to themselves, reliably defer until it hurts.
Two questions worth leaving you with
If you are a founder: the question was never whether you can afford to think about security. It is whether you can afford to think about it for the first time in the same week you are trying to close your largest contract. That is the worst possible moment to begin, and it is exactly the moment at which most companies do.
If you are an investor: you have rightly concluded that you cannot mandate. The temptation is to conclude from that you can only wait. The better firms have found the move in between — make the right thing the easy thing, before the disease takes hold, while it still costs almost nothing.
The gardener cannot force the tree to grow healthily. But leaving it wholly to chance was never the only alternative to trying.

