IT Security & Compliance Checklist for PE Portfolio Companies
Essential IT security and compliance framework for PE-backed businesses. 90-day implementation roadmap with owner accountability and audit-ready controls.
Why PE Portfolio Companies Get IT Security Wrong
You've closed the deal. The integration is live. Your new portfolio company is hitting revenue targets. Then the board asks: "What's our security posture? Are we audit-ready? What happens if we get breached?"
Most founders and operating partners inherit fragmented security practices. Legacy systems. No documentation. Compliance gaps. And zero visibility into what's actually protected.
This isn't theoretical. A ransomware incident during your hold period destroys valuation. A compliance failure during diligence adds 90 days to your exit. We've seen both.
The Core Security & Compliance Stack
You don't need 47 security tools. You need the right ones, implemented correctly, with clear ownership.
1. Identity & Access Control
Every employee with a device needs managed credentials. Not everyone needs admin. Not everyone needs database access.
- Multi-Factor Authentication (MFA): Non-negotiable. Cloud and on-premise systems. 30 days to full deployment.
- Single Sign-On (SSO): One identity, one set of credentials. One audit trail. Reduces support tickets by 40%.
- Role-Based Access Control (RBAC): Finance sees financials. Support sees tickets. Engineers see code. Clear boundaries.
2. Data Protection & Backup
Data loss isn't when your systems fail. It's when you realize you have no backup.
- Automated Daily Backups: Cloud, onsite, tested monthly. Ransomware can't hold hostage what you can restore.
- Encryption in Transit & at Rest: Standard for cloud. Non-negotiable for on-premise.
- Data Retention Policies: Audit logs 12 months. Customer data per contract. Delete what you don't need.
3. Endpoint Security & Device Management
Every laptop, phone, and tablet is an entry point. Manage them centrally.
- Mobile Device Management (MDM): Remote wipe capability. Enforced screen locks. App whitelisting for critical roles.
- Patch Management: Critical patches within 7 days. Everything else within 30. Automated where possible.
- Antivirus & EDR: Not just signature-based detection. You need behavioral analysis and threat hunting.
4. Network Segmentation & Monitoring
Your network should have walls. Sales doesn't need access to customer data. Contractors don't need production access.
- Firewall Rules: Default deny. Whitelist what's actually needed. Test quarterly.
- VPN for Remote Work: Not a suggestion. Mandatory for any external access to production systems.
- Security Information & Event Management (SIEM): Central logging. Real-time alerts. Forensic trail for incidents.
Your 90-Day Implementation Roadmap
This isn't a waterfall project. You run it like an integration sprint.
Days 1-30: Assessment & Quick Wins
- Inventory all systems, devices, and data repositories. You can't secure what you don't see.
- Enable MFA on all critical accounts (email, cloud infrastructure, VPN). Takes 2 hours per person. Highest ROI activity.
- Deploy MDM. Enforce screen locks and automatic wipes. Takes 5 days to roll out.
- Establish basic password policy. 12+ characters. No reuse. 90-day rotation.
- Owner: CTO or VP Ops. Weekly check-in with CEO.
Days 31-60: Infrastructure Hardening
- Implement RBAC for all critical applications. Finance systems first. Then customer data access.
- Deploy automated backup solution. Test restore procedure. Document recovery time objective (RTO) and recovery point objective (RPO).
- Configure firewall segmentation. Network diagram required. Rules documented and approved by CTO.
- Install SIEM or managed log aggregation. 90 days of retention minimum.
- Owner: Infrastructure Lead. Board update on day 45.
Days 61-90: Audit & Documentation
- Third-party vulnerability scan. Remediate critical/high findings within 30 days.
- Conduct tabletop incident response drill. Document playbook. Assign on-call rotation.
- Complete security policy documentation. Sign-off from every department head.
- Prepare SOC 2 or ISO 27001 readiness assessment. Identify gaps for future phases.
- Owner: CTO or Security Lead. Findings presented to the board on day 90.
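The roadmap above and the stack sections before it set concrete thresholds (MFA on critical systems, critical patches within 7 days and everything else within 30, restores tested monthly, at least 90 days of log retention). This added example, not tooling from the article or its authors, turns those thresholds into a posture check over a constructed system inventory; the inventory fields and system names are assumptions.

```python
"""Posture check against the checklist's thresholds (added example, not the
article's own tooling). Inventory fields are assumptions; thresholds are the
article's: MFA on critical systems, critical patches within 7 days and others
within 30, restore tests monthly, log retention of at least 90 days."""
from datetime import date
AS_OF = date(2024, 6, 30)  # constructed reference date for the check

# Constructed sample inventory of hypothetical systems.
INVENTORY = [
    {"name": "mail", "critical": True, "mfa": True, "pending_patches": [],
     "last_restore_test": date(2024, 6, 20), "log_retention_days": 365},
    {"name": "erp-db", "critical": True, "mfa": False,
     "pending_patches": [{"id": "p-1", "severity": "critical",
                          "published": date(2024, 6, 10)}],
     "last_restore_test": date(2024, 3, 1), "log_retention_days": 30},
    {"name": "wiki", "critical": False, "mfa": False,
     "pending_patches": [{"id": "p-2", "severity": "medium",
                          "published": date(2024, 6, 5)},
                         {"id": "p-3", "severity": "low",
                          "published": date(2024, 5, 20)}],
     "last_restore_test": date(2024, 6, 1), "log_retention_days": 90},
]

PATCH_SLA_DAYS = {"critical": 7}   # "critical patches within 7 days"
DEFAULT_PATCH_SLA = 30             # "everything else within 30"
RESTORE_TEST_MAX_AGE = 31          # "tested monthly"
LOG_RETENTION_MIN = 90             # "90 days of retention minimum"

def patch_overdue(patch, as_of):
    sla = PATCH_SLA_DAYS.get(patch["severity"], DEFAULT_PATCH_SLA)
    return (as_of - patch["published"]).days > sla

def check_system(system, as_of=AS_OF):
    """Return the checklist items this system fails, as short finding tags."""
    findings = []
    if system["critical"] and not system["mfa"]:
        findings.append("mfa-missing")
    findings += [f"patch-overdue:{p['id']}" for p in system["pending_patches"]
                 if patch_overdue(p, as_of)]
    last = system["last_restore_test"]
    if last is None or (as_of - last).days > RESTORE_TEST_MAX_AGE:
        findings.append("restore-test-stale")
    if system["log_retention_days"] < LOG_RETENTION_MIN:
        findings.append("log-retention-short")
    return findings

def posture_report(inventory=INVENTORY, as_of=AS_OF):
    """Map each system name to its findings; an empty list means it passes."""
    return {s["name"]: check_system(s, as_of) for s in inventory}
```

Run against a real inventory export, the report is the list of gaps to hand to the section owners with the roadmap's deadlines attached.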
Compliance Frameworks That Matter
You don't need all of them. You need the right one for your vertical and your customers.
- SOC 2 Type II: SaaS companies. Customer requirement for enterprise deals. Plan 6 months ahead.
- ISO 27001: Consultancies, agencies, managed services. Third-party audits add credibility. Heavy documentation.
- HIPAA: Healthcare tech. Non-negotiable if you touch patient data. Budget for compliance officer or external consultant.
- PCI DSS: Payment card processing. Required by card networks. Annual audits. Encryption mandatory.
- GDPR/CCPA: Customer data across EU or California. Privacy policies. Data deletion procedures. User consent tracking.
Start with one. Build the foundation. Layer on others as customers require it.
Red Flags in Your Current Security Posture
If you see any of these, escalate immediately:
- Employees sharing passwords. No SSO. Manual credential reset takes 2 days.
- No backup tested in the last 6 months. Or "backups" stored on the same network as production.
- Admin accounts used for daily work. Database engineers logging in as root.
- Customer data stored in shared folders or personal accounts. No access logs.
- No incident response plan. Or a plan that's 18 months old and irrelevant.
- Compliance gaps identified in diligence but never addressed post-acquisition.
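Two of the red flags above (shared passwords, admin accounts used for daily work) leave a trace in the authentication logs a SIEM already collects. This added example, not code from the article, flags interactive logins to admin accounts and any account accepted from three or more source addresses within ten minutes, over constructed sshd-style log lines; the hosts, addresses, account names and the ten-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (hypothetical hosts and addresses), not real data.
SAMPLE_LOG = """\
Jun 30 09:01:02 erp-db sshd[1201]: Accepted publickey for deploy from 10.0.4.17 port 51234 ssh2
Jun 30 09:03:10 erp-db sshd[1240]: Accepted password for root from 10.0.4.22 port 50110 ssh2
Jun 30 09:04:55 app-01 sshd[833]: Accepted password for svc-finance from 10.0.8.5 port 44021 ssh2
Jun 30 09:06:12 app-01 sshd[841]: Accepted password for svc-finance from 10.0.8.19 port 44090 ssh2
Jun 30 09:09:47 app-01 sshd[852]: Accepted password for svc-finance from 10.0.8.33 port 44102 ssh2
Jun 30 09:15:00 app-01 sshd[860]: Failed password for invalid user admin from 203.0.113.9 port 3022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port"
)
ADMIN_ACCOUNTS = {"root", "administrator"}   # assumed list of admin logins
SHARING_WINDOW = timedelta(minutes=10)       # assumed detection window
SHARING_MIN_SOURCES = 3                      # distinct sources that trip the flag

def parse_accepted(log_text):
    """Extract (timestamp, host, user, source) from successful sshd logins."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["host"], m["user"], m["src"]))
    return events

def find_red_flags(log_text):
    """Return finding tags for admin logins and likely shared accounts."""
    flags = []
    seen = defaultdict(list)  # (host, user) -> [(ts, src), ...]
    for ts, host, user, src in parse_accepted(log_text):
        if user in ADMIN_ACCOUNTS:
            flags.append(f"admin-login:{host}:{user}:{src}")
        seen[(host, user)].append((ts, src))
    for (host, user), hits in seen.items():
        hits.sort()
        for i, (ts, _) in enumerate(hits):  # sliding window from each login
            srcs = {s for t, s in hits[i:] if t - ts <= SHARING_WINDOW}
            if len(srcs) >= SHARING_MIN_SOURCES:
                flags.append(f"shared-account:{host}:{user}:{len(srcs)}")
                break
    return flags
```

Wire the same two rules into the SIEM's alerting and the red flags stop depending on someone noticing them during diligence.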
What This Actually Costs (and Why It's Cheap)
Security isn't free. But breaches are expensive.
A basic stack: MFA, MDM, SIEM, backups, firewall hardening. Budget $8K-$15K per month for a 30-50 person company. Or embed a part-time security engineer at $150K/year. Or both.
A ransomware incident: $500K-$2M in recovery costs, downtime, legal, and regulatory fines. And it derails your exit timeline.
The math is clear.
Who Owns This?
This is a CTO/VP Operations project with board accountability. Not an IT ticket.
Assign clear owners to each section. Weekly sync. Monthly board reporting. Security isn't a project you finish—it's how you operate.
Next Steps
Take the checklist above. Map it against your current state. Identify the biggest gaps. Assign owners. Lock 90-day timelines.
Don't outsource the accountability. You can outsource the execution (that's what we do), but the owner is always internal. When the board asks "Are we secure?", it's your answer that matters.
Need help executing this roadmap? We specialize in embedded IT leadership for PE portfolio companies. We've done this 47 times. We know the integration patterns. We know what breaks. We fix it before it becomes a board conversation.
Want to talk about your IT?
We start every engagement with a free assessment. No pitch, just an honest look at your environment.
Get Your Free IT Scorecard