
What CISOs Should Consider on the Road to IPO

October 19, 2022
By Oren Yunger

Every startup dreams of an IPO. Most think of it in the context of finance and legal, but in fact there are several other constituents to the IPO process—an important one being security. Whenever I meet CISOs who have successfully navigated the IPO process, I’m always curious: What advice would they give others? What do they wish they’d known? 

At ICON’s recent Cyber Day in Silicon Valley, I posed these questions (and more) to top CISOs who have recently gone through the journey from private to public. Based on their experiences, here are five things that every CISO should consider on the road to IPO:

Learn to embrace corporate governance 

Chief Security Officer Talha Tariq had about a year to oversee the buildup to HashiCorp’s December 2021 IPO. Rather than focusing only on the “cool technology infrastructure work,” Tariq says their security program “had to start pulling through a lot of internal controls, corporate governance, and IPO readiness. How do you run risk committees? How do you mature reporting?” 

Expect change at all levels

While getting ready to go public, some companies may undergo rapid changes in the workforce. Mario Duarte, VP of Security at Snowflake, recalls when this took place before the Data Cloud company’s September 2020 IPO. For Duarte, this meant adjusting his role to have more of “a global focus and making the corporate environment more mature [and] more seasoned.”

When Mandy Andress joined Elastic in May 2018 as its CISO, the startup was six months from its October IPO. Armed with a laundry list of getting controls and policies in place, her responsibilities also included “find[ing] the folks that had the same mindset. That was the most challenging part—just helping teams make that transition from a startup mindset to now we're going to go public,” she says. 

Safeguard against phishing and other threats

When your company’s IPO plans are still internal and private, it’s easier to control details and the security of “docs, PowerPoints, and spreadsheets—that's literally what your life is in terms of risk reporting requirements and diligence,” Tariq says. But as soon as you file for an IPO and that proverbial switch gets flipped, things can change quickly. “The amount of noise you get from PR, from phishing, from just awareness of the employees—we had to spend a lot more energy,” he says. Working with the legal team and the PR team was key. “And I think phishing still is an unsolved problem,” he says.

Balance between governance and productivity

Leading up to and after your IPO, “there's just so much more governance being put on your teams, your employees, and the engineers,” Duarte says. “So the challenge for all of us [is]: How do I improve that security, or the oversight from auditors without impacting productivity?”

You’ll also want to remember the CIA triad: Confidentiality, integrity, and availability. For example: In order to ensure the integrity of your financial reporting, you may need to assess whether your billing vendors are enterprise-ready and have the right security compliance controls.

Effectively manage all of your stakeholders 

Whether you find yourself in front of a cyber-focused audit committee quarterly or in monthly 1:1 meetings, anticipate spending more time with board members and other stakeholders. Simultaneously, you’ll want to try “to be very transparent with the team on what conversations are happening and what business drivers are changing that are leading us to take these new priorities or shift in this direction,” Andress says.

Tariq adds: “The good thing with most CISOs these days [is] they do have a dotted line reporting to the audit committee or the board. So it’s their responsibility to bubble up the risks, incidents, trends, and disclosures to those committees outside the executive team.” 

At the end of the day, the journey from private to public is an important milestone in building enduring companies. But as these three CISOs know from firsthand experience, the post-IPO stage is an important one that can really set companies apart. As Duarte says, “the hard work begins after—not before.”

ICON (Israel Collaboration Network) is a non-profit organization based in Silicon Valley and Israel. ICON is an entryway to Silicon Valley, a place where Israeli founders can get connected, get support from others, and find mentorship.