There is a conversation that co-founders of growth-stage companies rarely have with one another about cyber, and that absence is itself the conversation worth writing about. The cyber conversation that does happen, when it happens, is usually delegated downward — to the CTO, to the head of engineering, to a contract CISO retained for compliance reasons. The conversation between the people whose names appear on the company’s founding documents, who collectively carry the personal reputation and fiduciary responsibility for the venture, is conspicuously rare. In 2026, with cyber events increasingly capable of inflicting irreversible damage on growth-stage companies, that absence is no longer defensible.

The World Economic Forum’s 2025 Global Cybersecurity Outlook identifies growth-stage companies — those between Series B and Series D, between fifty and five hundred employees — as the cohort with the largest gap between cyber risk exposure and cyber governance maturity. Crunchbase and PitchBook data on growth-stage failures attributable to security incidents has trended upward over the last three reporting cycles. IBM’s 2025 Cost of a Data Breach Report finds that breach costs as a percentage of annual revenue are highest in growth-stage companies, where the absolute revenue base is small relative to the fixed costs of breach response. CISA’s guidance for startups and emerging businesses provides the public framing that growth-stage co-founders should be familiar with regardless of their technical orientation.

Why This Conversation Belongs Between Co-Founders

Cyber is a business risk that interacts with every other strategic decision a company makes. Where you raise capital, where you sell, who you hire, what data you collect, how you integrate with partners, how you exit — each of these decisions has a cyber dimension that shapes the company’s risk trajectory in ways that compound. The decisions are not technical. They are strategic, and they belong at the level where strategic decisions are owned. In a venture-backed growth-stage company, that level is the co-founders. Delegating the conversation entirely to the technical organization is reasonable for many implementation decisions and unreasonable for the strategic ones the implementation flows from.

The conversation we coach co-founders to have is not technical. It is a strategic conversation about what kind of company they intend to be on the worst day they will ever experience. The answers reveal a great deal — about risk appetite, about cultural posture, about regulatory aspiration, about the company they are building rather than the company they are pretending to be. The exercise of articulating these answers in dialogue with one another is itself the value, regardless of whether the answers are ever shared more broadly. We have yet to facilitate this conversation between any pair of co-founders without it producing meaningful insight that subsequently shaped a strategic decision.

“The most useful cyber conversation I have ever had as a CEO was the first one I had with my co-founder about what we would actually do if our company went through a breach. Everything before that was abstract.”

Senior founder-level cyber, iSECTECH engagement notes

What a Co-Founder Cyber Conversation Should Cover

A useful co-founder conversation about cyber covers four areas. The first is risk appetite — what is the company’s honest tolerance for cyber risk, expressed in plain language rather than in framework terminology, and how does that tolerance compare to the implicit one embedded in current operating decisions. The second is investment philosophy — what percentage of the engineering budget the company is willing to commit to security work that does not advance the product roadmap, and what governance the co-founders will apply to that commitment over time. The third is reputation posture — how the company will publicly characterize its security work, what claims it is willing to make and not willing to make, and how it will handle communications during an event. The fourth is succession — who has the standing authority to make consequential cyber decisions during the inevitable moments when both co-founders are not simultaneously available.

Three Boardroom Conversations That Defined This Letter

We coach co-founders to schedule this conversation as a half-day session, off-site, without other participants, with explicit framing that the purpose is strategic alignment rather than tactical planning. The output is not a deck. The output is a one-page document, signed by both co-founders, that captures the agreements reached in each of the four areas. That document then becomes the founding artifact against which subsequent decisions are checked. Most pairs of co-founders we have facilitated through this conversation report being surprised by the magnitude of pre-existing implicit disagreement that the conversation surfaced and resolved.

Three Habits the Best Co-Founder Pairs Build

The first habit is annual refresh. The co-founder cyber alignment document is refreshed at least once a year, ideally before the annual fundraising cycle, with explicit attention to how the company’s risk profile has evolved. The second habit is named delegation. Specific cyber decisions are delegated to specific roles within the company with documented authority limits, and both co-founders agree on what decisions remain at their level versus what decisions flow down. The third habit is incident pre-rehearsal. The two co-founders walk through, at least annually, what they would each personally do in the first twenty-four hours of a serious cyber event, including the decisions they would expect to make jointly, the communications they would expect to lead, and the personal commitments they would honor during the event period.

“Co-founder alignment on cyber is not a technical document. It is a marriage contract for the company’s worst week. The pairs that have it function. The pairs that do not, improvise under conditions where improvisation is catastrophic.”

Tarah Wheeler, cyber-policy researcher and board advisor, public industry remarks

Where This Conversation Belongs on the Calendar

This conversation does not belong as an agenda item in a regular co-founder operations review. It does not belong in a board meeting. It belongs as a dedicated strategic session between the co-founders themselves, scheduled with the same gravity as other founding-document conversations — the equity allocation, the cap table, the strategic positioning. Treating it as anything less is the most common founder governance gap we see in growth-stage companies, and the cost of that gap becomes visible only during events that the conversation would have shaped differently in advance.

How This Connects to the Rest of Your Security Program

If you want to see how this conversation operationally maps to the rest of the security program, our work on the CEO-CFO cyber question covers the parallel conversation with the finance leadership once the company has matured beyond pure founder governance. Our piece on ransomware negotiation and the three conversations that decide the outcome covers the operational decision sequence that the co-founder conversation prepares for. And our work on cyber tabletop for the C-suite covers the executive rehearsal that complements the strategic alignment.

What to Read Before Monday Morning

If you read one document this week alongside this letter, read the World Economic Forum’s 2025 Global Cybersecurity Outlook chapter on growth-stage cyber governance. It is the clearest articulation of why the gap between cyber risk and cyber governance is concentrated in the growth-stage cohort, and what closes it. The chapter is short, free, and unflinching about the structural conditions that produce the gap.

What to Do This Week

If you do one thing this week, calendar the half-day off-site cyber conversation with your co-founder for some point in the next ninety days. Do not let the calendar conversation become a working-meeting compromise. Hold the off-site format and the dedicated time. The pairs that have invested in this conversation report a durable change in how they navigate every subsequent cyber-relevant decision the company makes.

Talk to a Senior Founder-Level Cyber Practitioner

If you would like a senior iSECTECH founder-level cyber practitioner to facilitate the first version of this conversation between you and your co-founder, we run these sessions confidentially across venture-backed and bootstrapped companies in healthcare, financial services, technology and adjacent industries. The output is a one-page strategic alignment document that becomes the foundation of every subsequent cyber decision the company makes. Contact us to begin the conversation.

A Final Word on Investors and Cyber

Investors are an increasingly important constituency in the growth-stage cyber conversation. Lead investors who sit on boards are beginning to ask measurably better cyber questions than they were three years ago, and the questions they ask shape the conversations co-founders are having with one another. Co-founders who proactively bring their alignment document to investors find that the conversation moves from defensive to strategic, often with investors offering useful pattern recognition from their broader portfolio. Co-founders who wait for investors to raise the topic find themselves answering questions on the investor’s timeline rather than on their own. The strategic posture is to lead the conversation, not to wait for it.

“Across the engagements we reviewed this quarter, fewer than one in eight growth-stage company pairs had a documented co-founder cyber alignment document of any kind.”

iSECTECH quarterly growth-stage cyber review summary

A Quiet Note to the Co-Founder Reading This

If you are a co-founder reading this on a Sunday evening, the conversation above is not one you need to have tonight. It is one you need to put on the calendar with your co-founder for some point in the next ninety days. The first version of the conversation will be uncomfortable, and it will surface implicit disagreements that may take a second session to resolve. The pairs that have had this conversation describe it, almost without exception, as one of the most useful strategic exchanges they have ever had with their co-founder. The pairs that have not had it eventually wish they had, usually under conditions where the conversation cannot be had calmly anymore.