Adventures in Venture Capital
Photo Credit: Stephen Semmelroth × DALL·E

Before the Pandemic, I had a BLAST working in #VC! I got to see absolute cutting-edge, mind-blowing solutions in cybersecurity, technology, energy, optics, and more. In fact, it's part of the reason I launched (and sold!) my own company. But those are stories for another day. Let's talk about some of the things I looked for when doing #duediligence pre-funding.

Note: This is not legal or financial advice and is certainly not all-inclusive. It's also limited to security, which was just one subset of the work I did. This is meant to spark ideas, and I'm certainly not going to give away all of my secrets!

Keep in mind, there were generally three questions we wanted answered:

  1. What's your spend?
  2. Are you spending in the right places?
  3. How confident are we in your program?

Conveniently, those are also the top three questions most boards want to know about their own program!

Unfortunately, Part 1 is the easy one to answer; Parts 2 and 3 are significantly more complex.

Another Note: This is a snapshot of pre-funding due diligence, which rhymes with but isn't the same as post-funding due diligence!

An Additional Note: This changes completely depending on whether you're looking at SMB, mid-market, or enterprise, and changes again depending on industry vertical.

One More Note: Read the room beforehand and adjust how you ask questions and demand deliverables!

Spend

  • How much are you currently spending, and how much are you projected to spend, along these three avenues?
    • Cyber people: full time, part time, contractors, and what roles/gaps do they fill?
    • Services: such as external auditors and contracted operations centers
    • Technologies: purchased products and point solutions ranging from corporate firewalls to hyperscaler services
  • Any other retainers, including outside security counsel and pre-purchased ransom bitcoin
  • Have you disbursed any funds in reaction to any security incidents, whether publicly disclosed or held internally? If so, list any and all spend (including $0 contracts) and what that spend accomplished.
  • Are you spending enough?
  • Are you spending in the right places?

Insurance

  • How much cyber insurance do you have?
  • How much have your premiums gone up and why?
  • Have you been denied insurance previously?

Recent or Pending Cyber Incidents

  • Is any litigation currently pending against you, and/or are you on a legal hold, where security was at least a portion of the claims, either as root cause or as compounding allegations?
  • Has the company had any recent legal judgements against it?
  • Are you currently, or have you recently been, under breach, including but not limited to ransomware and other serious cyber incidents?

Incident Response

  • Meeting notes, including attendees, from your most recent two Incident Response exercises
  • Your incident response external messaging policy signed off by your communications team
  • Produce your external Incident Response retainer
  • Which of your incident response partners are on your insurance company's approved vendor list?

Produce your current and projected Cyber Defense Matrices for the following:

  • Corporate environment
  • Development, Test, and Production environments
  • IoT and/or plant environments
  • Any legacy environments you may have such as mainframe environments

Produce your 18-36 month security roadmap aligned to business objectives, covering:

  • Business alignment, such as moves into new markets
  • Employee awareness and training
  • Compliance & Audit
  • Company-Wide Program and Change Management
  • Internal Security Program & People Development
  • Penetration Tests and the scope for each
  • Asset Management
  • Detection
  • Emerging Threats & Vulnerability Management
  • Incident Response - Including Incident Response Rehearsals
  • Internal and External Communication Strategy
  • Partner Relationships - Including Vendor lock-in
  • Customer Relationships - Internal if B2B, Internal and External if B2C or platform
  • Public Relations

Produce scan results from the following:

  • Note: We recommend bringing in a third party to validate self-attestation
  • External Attack Surface
  • Penetration Tests of all environments, including clearly defined scope for each:
    • External tests
    • Internal tests
    • Application penetration tests
  • List any and all gaps in penetration tests conducted within the last 18 months and explain why
  • Recent vulnerability scans mapped to current asset inventory
  • Any standard containers you use in your CI/CD pipeline or other development process
  • Reports of permissions in your identity management solution (M365, Azure, GCP, AWS)
  • The policy that governs how you prioritize vulnerability remediation efforts
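One way to check the last two items above in practice, "scans mapped to current asset inventory" and "the policy that prioritizes remediation", is to reconcile the scanner's output against the inventory and rank what it found. The script below is an added example, not code from the article or from the author: the inventory rows, scan records, finding ids and the scoring weights are all constructed placeholders, and the weighting is a hypothetical policy used only to show the shape of the check. What it surfaces is exactly what a diligence reviewer wants to see: hosts in the inventory the scanner never reached, and scanned hosts nobody has on the books.

```python
"""Reconcile vulnerability scan output against an asset inventory.

Added example (not from the article). Inventory, scan records, finding ids
and the prioritization weights are constructed for illustration; the scoring
rule is a hypothetical policy, not the author's.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    environment: str      # e.g. "prod", "dev", "corp", "ot"
    criticality: int      # 1 (low) .. 5 (crown jewels), assigned by the business
    internet_facing: bool


# Constructed inventory of hypothetical hosts.
INVENTORY: Dict[str, Asset] = {
    a.host: a for a in [
        Asset("web-01", "prod", 5, True),
        Asset("db-01", "prod", 5, False),
        Asset("build-01", "dev", 2, False),
        Asset("plc-07", "ot", 4, False),
        Asset("fileshare-02", "corp", 3, False),
    ]
}

# Constructed scanner output: one record per host the scanner actually reached.
# An empty findings list means the host was scanned and came back clean.
# Finding ids are placeholders, not real vulnerability identifiers.
SCAN: List[dict] = [
    {"host": "web-01", "findings": [{"id": "FINDING-A", "cvss": 9.8},
                                    {"id": "FINDING-B", "cvss": 5.3}]},
    {"host": "db-01", "findings": [{"id": "FINDING-C", "cvss": 7.5}]},
    {"host": "build-01", "findings": []},
    {"host": "legacy-09", "findings": [{"id": "FINDING-D", "cvss": 8.8}]},
]


def coverage_gaps(inventory: Dict[str, Asset], scan: List[dict]) -> Dict[str, List[str]]:
    """Return inventory hosts never scanned and scanned hosts absent from inventory."""
    scanned = {rec["host"] for rec in scan}
    return {
        "unscanned": sorted(h for h in inventory if h not in scanned),
        "unknown": sorted(h for h in scanned if h not in inventory),
    }


def prioritize(inventory: Dict[str, Asset], scan: List[dict]) -> List[Tuple[str, str, float]]:
    """Rank findings by CVSS weighted by asset criticality and exposure.

    Hypothetical policy: score = cvss * criticality, doubled when the asset is
    internet-facing. A finding on a host missing from the inventory is given
    criticality 5 because its importance is unknown, so it surfaces near the top
    and forces the inventory to be fixed instead of the finding being silently
    deprioritized.
    """
    ranked = []
    for rec in scan:
        asset = inventory.get(rec["host"])
        crit = asset.criticality if asset else 5
        exposure = 2.0 if (asset and asset.internet_facing) else 1.0
        for f in rec["findings"]:
            ranked.append((rec["host"], f["id"], round(f["cvss"] * crit * exposure, 1)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    gaps = coverage_gaps(INVENTORY, SCAN)
    print("never scanned:   ", gaps["unscanned"])
    print("not in inventory:", gaps["unknown"])
    for host, fid, score in prioritize(INVENTORY, SCAN):
        print(f"{score:6.1f}  {host:14} {fid}")
```

Run against the constructed data, the coverage check reports `plc-07` and `fileshare-02` as never scanned (the OT and corporate hosts, which is a common real-world gap) and `legacy-09` as a host the scanner found that the inventory does not know about. Either answer on its own is a diligence finding, independent of any individual vulnerability.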

Compliance

  • What compliance frameworks are you mapped to?
  • Do you operate in any markets where you are obligated to follow mandated compliance requirements?
  • If you are obligated to follow any compliance frameworks, how strongly do you comply?
  • What is your current overall compliance score and by what evaluation metrics?

Essential Eight - Show how you accomplish the following:

  1. Application Control: Preventing unauthorized scripts and executables from running in all environments
  2. Patch Applications
  3. Restrict Office Macros
  4. Browser Hardening
  5. Restrict Administrative Privileges
  6. Patch Operating Systems
  7. Multi-Factor Authentication
  8. Backups

List any other Confidentiality, Integrity, and/or Availability concerns and/or issues that may be applicable to you and/or your industry

-------------END OF LIST-------------

Summary

Most companies at the Angel and early VC-level won't have answers for much of this because they've been focused on building their tech and getting funding. It's often not until Series A/B or Private Equity levels that most companies start having great answers. The goal isn't necessarily for the portco or opco to really understand where they're at on the journey or have perfect coverage, the goal is for the investor to understand the risk of their potential investment!

Jeff Furman

Senior PMP Project Management Instructor

1 year

GREAT POST for those considering a start-up, and more! #Startup #Entrepreneurship #pmot

Adrian Tilston

Practical Cybersecurity | Entrepreneur | DDN QTE | Former Green Beret

1 year

Great list! It's interesting how the concerns you had here are concerns regardless of the size of the company. The questions don't change, but the expectation of the maturity of the answer definitely does!

Dave Sampson

Cybersecurity Strategy Expert | VP @ Thrive | CISSP | Community Leader | Channel Partner | Public Speaker | Entrepreneur

1 year

Great post, Stephen.

