Karakor
CYBERSECURITY · FOUNDER-LED

Pre-IPO companies carry mid-market threat models with worse staffing. The fix is not hiring a security organisation; it is buying the right scoped engagement at the right moment.

An org chart with an empty CISO box at the top labelled "no name yet." Beneath it, a bound security posture document in the position the role would otherwise occupy. Founder, CTO, and IT lead connected to the document, not the empty role above. Three unchecked CISO-trigger conditions on the right. Warm grey and brass on near-black.
Shahed Daoud6 min read

A founder of a Series B biotech asked me last month whether her company should hire a Head of Security. The diligence questionnaire from a prospective enterprise customer had asked who held the role; she did not have a name to write down. Her CTO was already running infrastructure, the engineering team had nineteen people, and the company's runway assumed nineteen people for another twelve months.

The honest answer was: not yet. What she needed first was the document the questionnaire was actually asking about. The role could come later, when the company was bigger, when there was a security practice for the role to lead, and when the cost of a senior hire was justified by something other than a single procurement question.

This is the gap a lot of founder-led companies sit in. They have built something worth protecting — IP, customer data, a code base that is the company's core asset — and they are encountering the security question for the first time, usually triggered by an enterprise customer, an investor, or a partnership conversation. The instinct is to hire. The instinct is wrong, or at least premature.

What the question is actually asking

When a Fortune 500 procurement team asks "who is your CISO," they are not really asking for a name. They are asking a longer question that the questionnaire format does not have a field for: *can you defend your security posture in writing, against a real threat model, with real controls in place?*

A name in a CISO field, attached to a company with no security documentation, no written incident response procedure, no audit trail, and no controls beyond the founder's instincts, fails the diligence anyway. The name buys nothing.

The thing the procurement team actually wants to read is the same document a Series D company would hand them, or that a mid-market firm would maintain on a quarterly review cadence. A bound security posture, twenty to forty pages, naming the controls and their owners. That document does not require a CISO to exist. It requires four to eight weeks of structured work.

What the threat model looks like at this stage

A pre-IPO company with sensitive IP — patent prosecution files, training data for an in-house model, source code that competitors would pay for, customer information under contract — operates under roughly the same threat model as a mid-market firm. The worst case is not regulatory exposure or downtime. It is one of these:

  • An engineer leaves with a USB drive of training data, or with their personal GitHub still authorised against the company's organisation.
  • A founder's email account is compromised through credential reuse and an attacker exfiltrates a year of investor correspondence, including the next-round term sheet.
  • A vendor that the company gave a dataset to for due diligence has a breach. The dataset is in the press.
  • A partner's enterprise security questionnaire arrives during an active sales cycle and cannot be answered in time.

Each of these is operational, not theoretical. Most of the founder-led companies we have advised had at least one of them already happen, usually before the founder was paying attention. The work is calibrated to the threat model the company actually faces, not to a generic SOC 2 template.

What to buy instead of hiring

The right next purchase, in the eighteen months before a CISO hire makes sense, is a scoped assessment with a written remediation plan and a posture document.

The assessment runs four to six weeks. The output is a thirty-to-sixty page report with findings ranked by exploitability and a remediation roadmap the in-house CTO and IT lead can run with. The posture document is calibrated to the questionnaire the company is most likely to receive next quarter, and to the regulatory regimes the company actually operates under. The whole engagement costs less than a CISO's first six months.

The work the engagement produces also has compounding value. The next questionnaire the company receives gets answered in a half-day instead of a week of evenings. The next investor diligence call gets a written attachment instead of a defensive verbal answer. The next time an enterprise customer asks about subprocessor mapping, the answer is in writing, signed, and dated.

When the CISO hire is the right call

The trigger for the CISO hire, in our experience, is usually one of three signals. The first is regulatory inflection — the company moves into a market or product category where a named security executive is legally required. The second is operational scale — the company crosses roughly two hundred employees and has a security organisation that needs leadership. The third is incident maturity — the company has handled enough security events that the response work is now a full-time function in itself.

Until at least one of those three is true, the right move is to buy the work, write down the posture, and put the CTO and the IT lead in a position to execute against it. The role comes later. The posture comes first.

Founder-led companies are one of the industries we serve because the gap we are describing here is the kind of gap a scoped engagement closes well, and a perpetual managed-service relationship closes badly. The deliverable ends. The company owns it after we are gone. That is the right shape of help at this stage — not a CISO, not a retainer, not a vendor.