STRATHBERG

Private equity

The externalised Portfolio CTO/CISO function

For mid-cap sponsors: the institutional model the largest funds have built internally — portfolio-wide standards, framework compliance, audit rights, and senior CTO/CISO judgement available to portfolio company boards. No operational responsibility.

The market window

Three forces are converging. None are speculative.

Regulatory pressure is non-discretionary

NIS2, DORA, the UK Cyber Security and Resilience Bill, and the EU AI Act bring management liability into scope across medium and large enterprises. Mid-market portfolios are disproportionately exposed because almost no portfolio company has a CISO at company level.

The 2019–2022 vintage is in exit pressure

Hold periods now average 5.3 years. Sell-side cyber due diligence is a standard buy-side requirement. Gaps found at this stage do not result in a 30-day remediation window — they result in valuation adjustments, indemnity carve-outs, or deal collapse.

AI is moving from differentiator to baseline

Sophisticated buyers underwrite AI-enabled value creation at entry. LPs are now asking GPs in fundraises who oversees AI risk across the portfolio. The pressure runs both ways: prove AI capability at exit, demonstrate AI governance at fundraising.

Our model

Four layers across the PE investment lifecycle

Pre-deal technology & cyber due diligence

Decision-grade DD reports under 2–4 week deal compression. A 20-page document, not a 60-page benchmark report. Coverage includes the technology estate and integration architecture, cyber posture and regulatory exposure (NIS2 / DORA), and an AI reality assessment — capability claims tested against the data, integration, and security foundations the buyer will inherit.

  • Red-flag memo
  • Cyber & regulatory exposure view
  • AI reality assessment

Post-acquisition 100-day plans & integration

The first 100 days set the technology and cyber agenda for the entire hold period. Operating model, sequenced priorities, reporting cadence — and surfacing what should have come up in DD but did not.

  • Sequenced Day-1 and 100-day plan
  • Operating model and reporting cadence
  • First-wave remediation plan

Portfolio CTO/CISO oversight (hold period)

The core proposition. Portfolio-wide standards, framework compliance monitoring (NIS2, DORA, ISO27001, NIST CSF, EU AI Act), audit rights against agreed frameworks, and CTO/CISO-level judgement available to portfolio company boards. No operational responsibility within the portfolio company. Where managed cyber operations are required, we set standards and supervise the third-party providers delivering them.

  • Portfolio heatmap and quarterly operating pack
  • Framework compliance and audit rights
  • MSSP standards and oversight (no operational delivery)

Pre-exit value creation & exit readiness

12 to 18 months out from exit, the technology and cyber narrative the next buyer will pay for — and the gaps the next buyer's sell-side DD will find. We have done this from both sides.

  • Exit narrative on technology and cyber
  • Sell-side DD gap closure
  • Board-ready reporting

How we contract

Engagements contract directly with the portfolio company. The sponsor introduces, agrees scope at portfolio level, and receives reporting on framework compliance and audit findings. Strathberg holds £2m professional indemnity cover. Conflicts policy: where two clients have competing interests, we disclose and obtain written acknowledgement before continuing — or we decline.

How we operate

Four principles that govern every engagement

Commercial first

Fund-level impact and asset value creation drive every recommendation.

Proportionate by asset

Controls and coverage are calibrated to actual risk and size — not a standard template.

Diagnosis into action

We move from assessment to delivery where the facts justify it.

Senior operator access

Partners lead the work. No junior delegation on critical engagements.

The boundary

What we are not

A short list because it pre-empts the most common positioning errors.

Not a benchmark-driven DD firm.

Crosslake owns that position with a dataset of 6,000+ deals; we will not win on that ground and do not try to.

Not a Big Four advisory delivering through junior teams.

We do not run team pyramids; we do not produce deliverable theatre.

Not a generalist fractional CTO or CISO marketplace.

We are senior, PE-specific, and operate at the Portfolio CTO/CISO level rather than single-company fractional level.

Not a multi-stream financial-restructuring firm.

AlixPartners, A&M, and FTI win on scale, depth of bench, and balance-sheet exposure for that work. We do not compete there.

Not an internal hire substitute pretending to be cheaper.

A sponsor that needs a full-time Portfolio CTO/CISO should hire one. We are for sponsors with the demand pattern but not the volume to justify the salary.

Not an operational arm of the portfolio company.

The CEO runs the company; we oversee, audit, and advise. The cyber and technology posture meets the sponsor's standard because we hold the standard, not because we run the function.

Proof

Work our partners have led

Selected engagements where our partners have delivered measurable outcomes for PE funds and their portfolio companies. Each is tagged to the lifecycle layer it most closely maps to.

Layer 3 — Portfolio CTO/CISO oversight · Layer 4 — Exit readiness

WGSN — Apax Partners

Digital jewel, stabilised.

Apax was concerned about the technology of WGSN, the digital asset within the EMAP group. George Mudie was engaged to diagnose the problem, replace the CTO, and stabilise the platform and team. The ~12-month engagement was judged successful by the fund and protected the value of the asset ahead of exit.

Layer 3 — Portfolio CTO/CISO oversight

Kinetic — Inflexion

From Excel to portal.

Inflexion had acquired an interest in Kinetic, the world's largest provider of agricultural data. The business was profitable but unscalable — services were being produced by hand in Excel and PowerPoint. George Mudie coached the incumbent CEO on the shift to a digital service model, unlocking scalability and positioning the asset for growth.

Layer 3 — Portfolio CTO/CISO oversight · Layer 4 — Exit readiness (public listing)

ASOS — cybersecurity rebuild

From exposed to defensible.

ASOS sells high-value brands to consumers — a permanent target for organised fraud and cyber-enabled crime. George Mudie rebuilt the cybersecurity function from a weak posture and a cyber-as-a-service model that was not returning tangible improvements, into a defensible operation covering fraud, payments, identity, and incident response.

Layer 3 — Portfolio CTO/CISO oversight (AI value creation)

ASOS — AI fraud platform

Payback in three months.

The AI-driven fraud platform introduced at ASOS paid for itself within three months. Approval rates improved, fraud losses fell, and the team was right-sized from 48 to 8 as automation took on the operational load. One of the earliest production deployments of AI for retail fraud at scale.

Layer 3 — Portfolio CTO/CISO oversight

A €20bn global retailer — cyber function rebuild

From fragmented to audit-ready.

A €20bn global retail group with a cybersecurity function managed largely by non-specialists. No coherent approach. Board reporting that did not reflect the operational reality. Over 750,000 open vulnerabilities and no mechanism to prioritise them. George Mudie rebuilt the team, the operating model, and the standards — whilst managing serious incidents, franchise-partner compromises, and the geopolitical cyber impact of the Ukraine conflict. The external auditor is now satisfied with the trajectory.

Layer 2 — 100-day plans · Layer 3 — Portfolio CTO/CISO oversight

A €20bn global retailer — Gartner CIO score

1.0 to 3.0 minus in 24 months.

As Group CTO of a €20bn global retailer, George Mudie drove the technology agenda from a Gartner CIO score of 1.0 to 2.0 minus to 3.0 minus in 24 months (industry target: 3.0). An independently assessed measure of enterprise technology effectiveness, rarely moved at this pace at this scale.

Layer 1 — Pre-deal DD (AI reality assessment) · Layer 3 — Hold-period oversight

A €20bn global retailer — AI foundations

AI without the hype.

An AI foundations programme identifying where workflows would generate real value if augmented or replaced by AI and automation — and equally where they would not. The conclusion was clear: data management, data governance, and honest assessment of the total cost of AI are the prerequisites for sustained value. Not every workflow was a candidate. The ones that were, delivered.

Layer 2 — 100-day plans · Layer 3 — Portfolio CTO/CISO oversight

A €20bn global retailer — transformation cost reduction

€150m in transformation savings.

Dan Vale led the execution of the IT transformation function at a €20bn global retailer — resizing the organisation, implementing new delivery and budgeting models, and standardising tooling. Programme delivered approximately €150m in cost savings whilst strengthening governance across finance, delivery, and risk.

Layer 3 — Portfolio CTO/CISO oversight (cost discipline & resilience)

A €20bn global retailer — cyber run-rate and fraud exposure

€10m+ in run-rate savings and €15m+ fraud exposure reduction.

As Head of Cybersecurity Portfolio & Program Management at a €20bn global retailer, Dan Vale delivered over €10m in run-rate savings through automation, consolidation, and rationalisation — whilst reducing fraud-loss exposure by over €15m.

Layer 3 — Portfolio CTO/CISO oversight (cyber transformation & regulatory readiness)

LEGO Group

Cyber strategy built and shipped, NIS2 across critical infrastructure.

As Director of Cybersecurity at the LEGO Group (€8.8bn revenue, ~25,000 employees), Dan Vale developed and executed the Cybersecurity Strategy 2025–2027, delivered NIS2 readiness across factory and energy-generation operations, and directed BC/DR and ransomware recoverability validation.

Outcomes listed above reflect engagements led by Strathberg's partners in prior roles at former employers and clients. Work delivered by Strathberg Limited will be reported separately as those engagements complete.

Common questions

How does Strathberg support PE funds across the deal lifecycle?

Strathberg works as a four-layer lifecycle model: pre-deal technology and cyber due diligence (including AI reality assessment); post-acquisition 100-day plans and integration; Portfolio CTO/CISO oversight through the hold period; and pre-exit value creation and exit readiness. One relationship covers all four. The sponsor receives consistent senior operator access without building a heavy internal team.

Why now?

Three forces are converging in mid-market PE over the next 12 to 24 months. Regulatory pressure is now non-discretionary — NIS2, DORA, the UK Cyber Security and Resilience Bill, and the EU AI Act all bring management liability into scope, and almost no portfolio company has a CISO at company level. The 2019–2022 vintage is now in exit pressure, with sell-side cyber due diligence a standard buy-side requirement. And AI is moving from differentiator to underwriting baseline, with LPs asking GPs in fundraises who oversees AI risk across the portfolio. The Portfolio CTO/CISO gap that the largest funds have closed internally is open at mid-cap; that window will narrow.

Do you take operational responsibility inside the portfolio company?

No. The CEO retains executive accountability for the function. We oversee, audit against agreed frameworks, and advise. Where managed cyber operations are required at the portfolio company, we set standards and supervise the third-party providers delivering them — we do not deliver operations ourselves. This is the same boundary the largest funds enforce internally and is part of why the model works.

How does Strathberg's Portfolio CTO/CISO oversight work?

Portfolio-wide standards, framework compliance monitoring (NIS2, DORA, ISO27001, NIST CSF, EU AI Act), audit rights against those frameworks, and CTO/CISO-level judgement available to portfolio company boards. Sponsors receive a quarterly operating pack and a portfolio heatmap that surfaces which assets require intervention and why. Engagements typically run two to six days per month per portfolio company, working with the CEO, the Chair, and the sponsor’s investment team.

How is Strathberg different from a fractional CTO or CISO firm?

Fractional CTO networks (such as Freeman Clarke) and fractional CISO offerings (such as Cyber Execs, Boardman, and individual interim CISOs) operate at the lower end of the market — generalist, scaled, partner-staffed by capable practitioners, matched to clients from a bench. Strathberg is senior, narrower, PE-specific, and operates at the Portfolio CTO/CISO level rather than at single-company fractional CTO or CISO level. We deliver pre-deal due diligence, 100-day plans, hold-period oversight, and exit readiness as one relationship — covering CTO, CISO, GRC, legal, and AI governance through two principals, not a coordinator across multiple advisers.

How is Strathberg different from a scaled tech due diligence firm?

Scaled tech DD firms deliver through analyst teams running framework-based assessments. Strathberg delivers through senior operators who have run the functions being assessed. For mid-market PE, that means findings grounded in operating reality, recommendations calibrated to the asset's actual complexity, an explicit AI reality assessment alongside the technology and cyber view, and no bench-time markup on the fee.
