Introduction
By now, most private equity professionals have read their share of high-level takes on cyber due diligence. You know what it is, you understand why it matters, and you're probably tired of reading generic advice on the topic. The real challenge? Execution. And one of the biggest hurdles we consistently see in proper execution is getting helpful assistance from the target company’s IT stakeholders. This step can make or break the entire process, turning what should be a straight forward review of a target's cybersecurity posture into a minefield of resistance and "miscommunication."
That resistance isn’t accidental. Stakeholders, particularly those in IT and security, hold the keys to vital information, yet they’re often the least eager to participate. For private equity professionals, this hesitation is more than an inconvenience – it’s a liability. Misalignment with IT stakeholders can obscure cyber risks, derail timelines, and magnify post-acquisition risks. And let’s be honest: from their perspective, cyber due diligence feels disruptive, time-consuming, and let's be honest... could expose things they’d rather keep hidden. IT teams are naturally protective of their systems. We can’t fault them – they’ve spent years building and protecting these environments, only for us outsiders to arrive asking sensitive questions. We've found that this dynamic is often overlooked by most cybersecurity consultants and it's something that can domino into a serious issue for private equity firms. To navigate cyber due diligence effectively, we need to shift IT stakeholders' perception of us from invasive auditors to trusted partners.
🔎If your coffee is getting cold and you’re tempted to skim, here’s the quick takeaway🔎
Cyber due diligence isn’t just about assessing systems, it’s also about managing relationships. To succeed in cyber due diligence, you have to break free from the stereotype of us nerdy consultants hunched over our laptops, churning through cybersecurity controls and billable hours. The real game changer isn't just technical expertise; it's teamwork – getting the deal team, IT leads, and security analysts to speak the same language. Without it, you're not managing risk; you're just racking up invoices.
The Importance of Collaborating with Stakeholders in Cyber Due Diligence
Imagine discovering a cybersecurity issue mid-transaction. It can derail progress, cause delays, and, in some cases, put the entire deal at risk. But that’s only half the battle. The real challenge begins when you have to work with the target company’s IT team to fix it. And here’s where many due diligence efforts go off the rails: successful cyber due diligence doesn’t rest solely on fancy tools and technical know-how... it hinges on your ability to work with the people who have the knowledge and info you need.
Without strong stakeholder cooperation, even the best-laid plans fall apart. You need their insights to assess the security posture accurately, address vulnerabilities, and implement realistic post-acquisition action plans. That means building trust, managing expectations, and keeping everyone aligned on the ultimate goal: a smooth and secure transaction that benefits all parties involved.
But effective collaboration isn’t just about keeping everyone happy during due diligence – it can also give you an edge during deal negotiations. When technical stakeholders see you as a partner rather than a nitpicking auditor trying to find their mistakes, the entire dynamic shifts. Suddenly, the people who hold the keys to the company’s digital castle are willing to open a few doors for you and may even point out the ones with rusted hinges.
Say you uncover a gap in endpoint security. It might not be enough to knock a few million off the price tag, but it could become a condition precedent, requiring the company to address it before the deal closes.
FYI - for those of you wondering why you'd want to encourage increased costs prior to closing, here’s where a little perspective helps: endpoint security isn’t just a nice-to-have. In the eyes of the insurance market, it’s table stakes. Cyber insurers require robust endpoint protection before they’ll even issue coverage. That standard should give private equity professionals pause. If the insurance market sees this as a dealbreaker, why wouldn’t you? It’s a clear baseline for what any well-run organization needs, and falling short of it means you're not just buying a business – you’re buying risk.
Going back to our example - odds are, the IT or cybersecurity team knows that they need endpoint security. They’ve probably been lobbying for the budget to fix the issue only to be told “maybe next quarter.” But if they see you as a partner, not an auditor, they’re far more likely to share this gap with you and walk you through some of the ways they've mitigated the risk. That kind of insight doesn’t just make your due diligence smoother; it ensures you’re aligned with best practices that can shield both you and your investment from costly surprises down the road.
In the end, an engaged and cooperative team not only makes the due diligence process more effective but also strengthens your hand when it comes time to finalize the transaction. But none of this collaboration happens in a vacuum. It starts with engaging the right people – those who have the insights, authority, and context needed to paint a full picture of the company’s security posture. Missing even one key player can leave blind spots that undermine your entire assessment.
Identifying Key Stakeholders for Effective Cyber Due Diligence
Recognizing the right stakeholders early is essential to a smooth cyber due diligence process. These individuals aren’t just sources of information; they’re the gatekeepers who can make or break your efforts to obtain a clear and accurate picture of the company’s cybersecurity landscape. Engaging them early and setting clear expectations is crucial.
💻 IT Leadership
Start with the CIO or IT Directors. These are the people who live in the wiring diagrams and system architecture maps that everyone else pretends to understand. They’re your best source for the high-level view – think legacy systems, cloud migrations, or that expensive ERP project that’s been “almost done” for two years. But here’s something to watch out for: they’ll be quick to point you to shiny new initiatives while hoping you don’t notice the Frankenstein server running mission-critical systems in the back room.
🔐 Information Security Officers
The CISO or Head of Cybersecurity is your ultimate gatekeeper. Many SMBs won't have a designated role here, so it's up to you to figure out who wears that hat. They’re the ones with the full ledger of what’s secure, what’s broken, and what’s quietly hoping to retire before anyone notices. Their job is to think about threats no one else wants to, which makes them your best source for understanding how prepared – or unprepared – the company is for an attack. The trick? Balancing their instinct to protect their turf with your need for transparency. Done right, you’ll walk away knowing whether their risk strategy is proactive or just a series of excuses waiting for the next breach.
⚖️ Compliance and Risk Teams
These are the rule-keepers. They know exactly how far the company’s flirted with non-compliance on GDPR or CCPA, and they’ll have opinions about whether it’s a one-off error or a ticking time bomb. They also carry a unique burden: if things go wrong, they’re the ones who’ll be stuck explaining why. Lean on them to understand the company’s regulatory footprint, but watch for overly polished answers – they might just be hoping the fine print stays fine.
🌐 Managed Service Providers (MSPs) / Outsourced Security Team
If the internal IT team is the quarterback, MSPs are the offensive line. They handle the grunt work that keeps systems running and often know more about security than the CIO would like to admit. If you're primarily sourcing deals in the SMB market, familiarize yourself with MSPs and how they operate because they do a lot of the heavy lifting. Word of advice: dig into their contracts – MSPs can be notoriously slippery about their scope of responsibility. You don’t want to find out too late that their idea of “24/7 support” is conditional on it not being a big game on Sunday.
📝 Legal Counsel
Internal and external legal teams aren’t just for paperwork. They’re the ones who can tell you if the skeletons in the closet are minor infractions or lawsuits waiting to happen. From past breaches to contract clauses, legal counsel can flag risks that no firewall can protect against. They’re also the ones who’ll remind you that what’s technically secure isn’t always legally sound – and vice versa.
👥 HR Leadership
An odd pick, sure, but HR is where you’ll uncover the human element of cybersecurity. They manage training programs, insider threat policies, and the cultural signals that determine whether employees view security as a nuisance or a necessity. If HR seems indifferent, that’s a red flag: a weak security culture is where incidents start and accountability ends.
🤝 Vendors and Third-Party Partners
Third-party risks are the landmines of modern cybersecurity and vendors are where most of them get planted. Look closely at who has access to sensitive data or provides critical IT services. Then look at their contracts. A vague agreement with a third-party provider is less a partnership and more a liability waiting to happen.
Each of these stakeholders provides a unique piece of the puzzle. Missing one could leave you with blind spots that blow up your entire due diligence effort. But identifying these stakeholders is just the first step. To get the insights you need, you’ll have to navigate their specific concerns and reservations – especially those of technical teams who might view the process as a threat rather than an opportunity.
Addressing Common Stakeholder Concerns to Build Trust in Cyber Due Diligence
Mapping out the key players is one thing. Understanding what keeps them up at night is another. Private equity professionals are no strangers to managing stakeholder tensions – whether it’s soothing sellers who think they’re leaving money on the table or reassuring employees who fear their department is about to be wiped out. But IT and security stakeholders? That’s a whole different ballgame.
Their concerns aren’t only about deal terms or severance packages. They’re worried about the systems they’ve built, the vulnerabilities that might get exposed, and whether they’re about to be blamed for something that was never in their job description. To them, cyber due diligence isn’t just inconvenient – it’s personal. Think less, “What’s in it for me?” and more, “Am I about to become the next Joe Sullivan?” (If you missed it, Sullivan, Uber’s ex-CISO, was convicted on two felonies for his handling of a data breach. Not exactly an aspirational career arc.)
Below, we dive into the most common concerns these technical stakeholders have and how to turn potential roadblocks into opportunities for collaboration.
1. Exposure of Cybersecurity Gaps
The Fear: CIOs and CISOs dread the prospect of due diligence uncovering flaws that paint them as negligent. A critical issue could lower the valuation, embarrass the team, or even put their jobs at risk. It’s not just about the deal – it’s about their reputation.
The Solution: Reframe the process. Emphasize that your goal is to create a complete picture of the company’s cybersecurity posture – not to assign blame. When gaps emerge, position them as opportunities for improvement rather than failures to manage. Make it clear that fixing these issues pre-closing benefits everyone, preventing problems that could escalate into disasters later. A little empathy goes a long way here: the difference between “You missed this” and “Let’s tackle this together” is everything.
2. Discovery of a Data Breach
The Fear: A hidden breach uncovered during due diligence is the nightmare scenario. It threatens the deal, exposes the company to lawsuits and regulatory scrutiny, and could leave leadership on the hook for failing to notice earlier.
The Solution: Set the tone early. Make it clear that full-blown breaches are rare in these assessments and that most findings focus on areas for incremental improvement. But be prepared for the worst: establish a confidential process for ensuring confidentiality, preferably under attorney-client privilege via outside counsel, to handle discoveries discreetly. Having a remediation plan – including a trusted incident response partner – positions you as a problem-solver, not a whistleblower. And if a breach is found? Keep the focus on solutions, not finger-pointing.
3. Impact on Staff and Morale
The Fear: IT teams often perceive due diligence as a professional critique and every flagged issue feels like a mark against them. Add in the constant fear of layoffs post-closing, and you’ve got the perfect recipe for resistance.
The Solution: Flip the script. Frame the process as an opportunity to showcase the team’s work and achievements. Make it clear that your intent is to strengthen their efforts, not undermine them. Encourage the CIO to stay transparent with their staff to tamp down rumors. Open communication can transform the process from an audit into a shared project – and one where their expertise is valued, not questioned.
4. Pressure to Produce Documentation Quickly
The Fear: A request for loads of documentation on a tight deadline can send technical teams into a panic, especially if their documentation is outdated, incomplete, or nonexistent. The stress can create the impression of chaos, even in a well-run operation.
The Solution: Be upfront about what’s needed and when, but stay flexible. If documentation isn’t readily available, work with the team to identify alternatives or establish phased deadlines. Reinforce that the goal isn’t a flawless paperwork trail but an understanding of how controls and processes are actually implemented. Documentation is just a tool – not the endgame.
5. Potential Operational Disruption
The Fear: Deep-dive interviews and technical tests can pull key personnel away from critical projects, straining already overstretched teams. The result? Burnout, delays, frustration, and reluctance.
The Solution: Consolidate your requests and coordinate with leadership to minimize disruptions. Automate data collection wherever possible, and respect the team’s existing priorities. Show that you understand the demands they’re under and that you’re doing everything you can to make their lives easier, not harder.
6. Lack of Control Over Third-Party Providers
The Fear: When vendors drop the ball, internal teams often take the blame. Add a resistant or underperforming third-party provider to the mix and you’ve got a recipe for tension and defensiveness.
The Solution: Engage vendors directly (with the target's approval/involvement) and position the evaluation as a neutral assessment of vendor risk, not an analysis of why they've chosen certain third-parties. If a vendor’s falling short, present alternatives, but tread carefully. Internal teams may have deep relationships with these providers, so focus on offering options, not ultimatums. Demonstrating that you’re there to solve problems – not create them – can turn a defensive team into a cooperative one.
At the end of the day, addressing these concerns isn’t just about playing nice. It’s about building the trust and transparency you’ll need throughout the entire deal lifecycle. When stakeholders see you as a partner – not an adversary – the process transforms. Proactive solutions, clear communication, and mutual respect don’t just make the work smoother; they lay the groundwork for long-term success.
Building Trust and Partnership with IT Stakeholders During Cyber Due Diligence
Once concerns are acknowledged and addressed, the focus shifts to building deeper trust. One key step to winning over stakeholders – particularly the IT and security teams – is to stop acting like an auditor armed with a magnifying glass and a checklist. These people aren’t just wary of outsiders; they’ve built their careers on protecting their systems against them. To get anywhere, you have to shift their perception from unwelcome inspector to trusted ally.
Earn Credibility Early
Credentials alone won’t cut it. Everyone’s met the self-proclaimed “cyber experts” who parade an alphabet soup of acronyms and deliver nothing but jargon. The real key is curiosity. Ask sharp, thoughtful questions that show you’re genuinely interested in their environment and the challenges they face. Skip the monologue about what you need; focus on theirs.
At BlackSwan, we prioritize learning the lay of the land early – digging into the technical realities while connecting them to the bigger business picture. Instead of treating due diligence as a witch hunt for flaws, position it as a shared effort to mitigate risks and strengthen the business. A phrase like, “We know your team has put a lot of thought into balancing security controls with business needs, and we’d love to understand what’s working well so we can identify gaps,” works wonders. It doesn’t just open doors; it shifts the entire dynamic. Now, you’re someone who wants to build on their strengths, not point fingers at their weaknesses.
Build Reliability Through Predictability
Credibility gets you in the room. Consistency keeps you there. Lay out a clear plan for how the process will unfold – timelines, deliverables, and communication protocols – and then deliver on those promises. Better yet, exceed them. If you tell the CISO you’ll review their incident response plan and follow up, send your feedback for their review a day early. This isn’t just about being polite; it shows you’re reliable, thoughtful, and one step ahead.
Stakeholders who see that you deliver on what you say – and that you do so with minimal disruption – are far more likely to collaborate. Consistency builds trust, and trust smooths the entire process.
Build Rapport by Showing Respect
Rapport isn’t about becoming everyone’s favorite person; it’s about creating an environment where people feel heard and valued. Respect their expertise. Don’t just ask for a list of controls – ask why those controls exist and how they work. Instead of a data collection exercise, this becomes a dialogue, where their insights are front and center.
And when you spot a gap, resist the urge to criticize. Try, “I noticed there aren’t automated alerts for privileged account changes – is that a resource issue or a strategic decision to use manual processes?” It’s a small difference, but it shifts the tone. Now, you’re not a critic – you’re someone interested in understanding their constraints and finding solutions.
Reframe the Process Around Their Needs
The quickest way to lose trust is to make it all about you; your needs, your concerns, your timeline. If every conversation starts with, “We need this by Friday,” you’ll be seen as a taskmaster, not a partner. Instead, frame everything around the value for them. “We want to ensure that lessons from past incidents are incorporated into our assessment so that we can improve the company’s response efforts in the future” signals that this isn’t just a box-checking exercise – it’s about protecting their work and their company.
During one due diligence project, we hit a wall when requesting the latest third-party pentest report. The IT team hesitated and was concerned about sharing sensitive findings. Instead of pushing harder, we reframed the ask: we acknowledged the sensitivity, offered to review the results together in a group meeting, and kept our focus on understanding the key risks. By the end of that session, not only had we eased their concerns, but they willingly handed over the full report for our indepth review.
Acknowledge Their Fears
Stakeholders in IT and security often approach due diligence like they’re preparing for battle – and why wouldn’t they? An outsider is stepping into the systems they’ve spent years building and safeguarding, looking for problems. It’s personal. Address this head-on: “I know this process can feel invasive. We’re not here to critique the incredible work you’ve done – we’re here to identify areas where we can help protect it going forward.” A little empathy goes a long way in shifting the narrative from “us vs. them” to “we’re in this together.”
Trust isn’t something you build once and file away like paperwork – it’s a living, breathing part of the process, and it requires constant tending. Communication has to stay open, even when things get messy (and they will). That’s why a strong feedback and escalation framework isn’t just helpful – it’s essential. It’s what keeps trust from fraying when the pressure’s on and ensures that everyone stays aligned through the twists and turns of due diligence.
Maintaining Momentum: Building Engagement Through Dialogue and Collaboration
Trust isn’t built in a single kickoff meeting. It’s forged – or destroyed – in the thousand small interactions that follow. It’s about showing up consistently, communicating clearly, and proving you’re here to collaborate, not critique. Real engagement doesn’t just mean listening – it means making stakeholders feel heard and respected.
Here’s how to keep the process on track without tempting the target IT team to throw their laptops out the window - or at you.
Share Preliminary Findings Early to Spark Dialogue
Waiting until the final report to reveal findings is the corporate equivalent of a surprise party no one asked for. If you want to avoid unnecessary drama then I beg that you share insights as soon as they surface. For example, let’s say your review turns up inconsistent access controls. Instead of saving it for a climactic reveal, flag it early: “Is this something already on your radar?” The question does two things: it starts a dialogue and shows you’re not there to catch anyone off guard. You’re solving problems together, not building a list of grievances to present at the end.
Build Regular Check-Ins Into the Process
Nobody enjoys the surprise of an end-of-project feedback session that feels more like a report card. Instead, schedule short, structured check-ins – weekly or bi-weekly – to keep communication flowing. Use these calls to recap progress, outline next steps, and ask for input: “What’s working? What’s not? Are there any blockers we need to clear?”
This approach does two things. First, it makes the engagement feel collaborative rather than top-down. Second, it signals that you’re willing to adjust based on their input, which continues to build goodwill and trust.
Have an Escalation Plan – But Use It Sparingly
Even with the best intentions, resistance and issues will arise. Maybe a technical lead keeps dragging their feet or an IT manager flatly refuses a request. That’s when a defined escalation point becomes critical. The trick? Use it wisely. Escalating to the CIO or General Counsel too soon can backfire, but knowing when to “pass the ball up the chain” keeps the process moving without unnecessary friction.
Handled correctly, escalation isn’t about pulling rank – it’s about addressing roadblocks respectfully and efficiently. The message isn’t “We’re going over your head”... it’s “We need to work together to find a solution.”
Find Compromises Without Sacrificing Integrity
Flexibility isn’t weakness; it’s strategy. Sometimes the best way to resolve friction is to meet stakeholders halfway without compromising the integrity of your process. For example, imagine your team wants to conduct an independent pentest, but the target’s IT team pushes back, pointing to a recent pentest they just completed. Instead of digging in, suggest a compromise: have your pentest provider validate the scope, methodology, and findings of their assessment. This approach ticks all the boxes. You get the assurance you need, they avoid duplication of effort, and everyone leaves the conversation feeling respected. Small adjustments like this can turn tension into collaboration.
Managing feedback and navigating issues are critical for keeping the process on track, but they’re not the whole story. To truly engage stakeholders, you need to show them that cyber due diligence isn’t just a short-term hassle – it’s the first step toward a shared vision of long-term success.
Creating a Shared Vision: Aligning Cybersecurity Goals for Post-Acquisition Success
Creating a shared vision isn’t about painting a dreamy future where everyone magically agrees – it’s about crafting a narrative that makes the process feel like a team effort instead of an interrogation. The right framing can transform cyber due diligence from an adversarial review into a cooperative mission.
You're probably wondering... why bother? Because when IT and security teams see the end goal as something they want to achieve – not just something being done to them – they’re far more likely to prioritize your requests, share information openly, and lean into the process even if it’s inconvenient.
Imagine the difference between starting with, “We’re here to find and fix your security gaps,” versus, “We’re working together to ensure the company’s security posture is strong enough to support future growth and withstand regulatory scrutiny.” One approach sounds like a dentist’s office; the other feels like building something meaningful. It shifts the narrative from “outsiders versus insiders” to a shared effort aimed at long-term success.
Here’s how to make that vision stick with technical stakeholders:
Position Security Changes as Investments in Future Growth
Changes to their cybersecurity tooling shouldn’t feel like a chore; it should feel like stepping stones to something better. During a recent engagement, we hit resistance from an IT team over deploying a new Endpoint Detection and Response (EDR) tool. The PE firm’s preferred vendor had advanced capabilities, but the target's IT team pushed back, arguing it would stretch their already overworked staff and wasn’t necessary given their current risk profile. A valid argument.
Rather than hammering home the technical merits of the EDR, we reframed the conversation. We emphasized how it could support their team's growth because we could negotiate deep discounts with the vendor to free up enough budget for two additional IT hires – something the team had been begging for. Now, instead of viewing the upgrade as a burden, the IT team saw it as an opportunity to expand their headcount and spread their large workload.
By aligning the initiative with their priorities, we shifted the focus from plugging gaps we found to building a stronger, more scalable foundation. The result? A solution that didn’t just meet technical needs but also reinforced the broader business case for growth.
Show How Their Current Efforts Fit Into the Big Picture
Nobody likes seeing their hard work reduced to a list of flaws. Reframe the process as a chance to spotlight the successes that can serve as a springboard for future achievements.
When assessing a target company’s cybersecurity posture, it’s common to encounter initiatives that are partially implemented or struggling to scale. Rather than highlighting these as failures, they should be positioned as promising starts... proof-of-concepts that, with the right investments, can evolve into comprehensive strategies. By connecting these efforts to a forward-looking roadmap, you can validate the team’s work and demonstrate how it aligns with the broader, business-focused goals. This approach not only builds goodwill but also highlights opportunities for growth and improvement that can enhance the company’s long-term value.
Additionally, this flags future costs for the acquiring firm, giving them a clear reason to bake those investments into their valuation. In the end, everyone leaves the table feeling like they’ve contributed to a shared success story – not just survived an inspection.
Align the Process With Post-Acquisition Roles and Strategy
Cyber due diligence isn’t just about the now – it’s about setting up for what’s next. This is especially critical if the acquiring firm plans to grow the business through bolt-on acquisitions. The current IT leadership will likely play a pivotal role in integrating new businesses, standardizing security practices, and managing a more complex IT environment.
Frame the process as preparation for these expanded responsibilities. During due diligence, highlight what tools, resources, or additional headcount will be needed to support that growth. For example, involve the acquiring firm’s technical leaders in discussions about long-term scalability. By focusing on the future rather than just the immediate gaps, you make the current IT team a strategic partner in building that vision.
It’s the difference between saying, “Here’s what’s wrong,” and asking, “How do we build something that works for the business we can become?" For technical stakeholders, that’s the equivalent of being handed better tools and a clear game plan – something they’re far more likely to rally behind.
Creating a shared vision isn’t just about making stakeholders feel warm and fuzzy – it’s about transforming cyber due diligence into the first step of a lasting partnership. This way, technical stakeholders are more likely to engage, cooperate, and align with your goals. The result? A security framework that isn’t just set up to survive scrutiny but is built to thrive in the long run.
Conclusion: Achieving Cyber Due Diligence Success Through Partnership and Strategic Alignment
Cyber due diligence isn’t just about running technical tests and checking boxes – it’s about managing people, perceptions, and priorities. Success starts with building real partnerships. When you identify the right stakeholders early, address their concerns head-on, and treat them as collaborators rather than gatekeepers, you create a foundation of trust that transforms friction into alignment. It’s not magic; it’s about clear expectations, open communication, and a mindset that views challenges as opportunities to build something better.
IT and security professionals aren’t naturally inclined to roll out the red carpet for outsiders – and who can blame them? Their jobs require skepticism and caution, qualities that make due diligence a balancing act. That’s where BlackSwan Cyber comes in. We don’t just identify risks... we connect them to business realities, giving private equity firms a clear and actionable roadmap for navigating the complexities of cybersecurity.
If you’re facing a tough cyber due diligence scenario, we’d love to help. At BlackSwan Cyber, our focus isn’t just on smoothing out the process – it’s on setting the stage for long-term value. With us by your side, you’ll move forward with confidence, knowing your investment is built on a foundation that’s secure, scalable, and ready for what comes next.
FAQ
