Trust, friction, and ROI: A CISO’s take on making security work for the business
In this Help Net Security interview, John O’Rourke, CISO at PPG, talks about what it means for security to drive business value. He explains how mature security programs reduce friction in sales cycles and M&A processes, and how trust is built over time.
O’Rourke also addresses how buyer sophistication has raised the bar for suppliers, why less-regulated industries lag behind their more-regulated counterparts, and which companies will benefit from foundational security investments. The interview covers five questions on cybersecurity strategy, ROI, and the cost of deferring security work.

“Security as a revenue enabler” risks becoming the next hollow buzzword. What is the concrete, measurable version of that idea, and what is the watered-down version executives should be skeptical of?
The measurable version of “security as a revenue enabler” is when security removes friction from growth in ways you can track, for example, faster due diligence cycles in mergers and acquisitions (M&A) and shorter sales cycles when customers are purchasing your product. At PPG, we have built a cross-functional framework and team for M&A with a heavy focus on cybersecurity. This allows us to assess potential companies utilizing a repeatable framework for integration while reducing the cybersecurity risk.
In general, a mature cybersecurity program has standard documentation and processes which will allow responses and controls with minimal effort. This leads to reduced time to close or fewer stalled sales deals. There are several available frameworks that cyber organizations should be measuring themselves against, such as the National Institute of Standards and Technology (NIST) and certifications from the International Standards Organization (ISO), Systems and Organizations Controls (SOC 2), or, if you are in a regulated industry, Cyber Maturity Model Certification (CMMC).
Security is not “creating revenue” directly; however, investment in this area prevents security from being responsible for delayed or lost revenue. A few examples of how security reduces friction within PPG include automated joiner and leaver processes, increased self-service access with appropriate guardrails within identity and access management, and improved audit readiness that enables business initiatives to move forward without delay.
How do you quantify trust? Security teams are often asked to prove ROI, but the value of not losing a customer’s confidence is notoriously hard to put in a spreadsheet. What frameworks work?
Across teams and especially in the cybersecurity space, trust is definitely not tracked in a spreadsheet and not defined by a “checkbox.” It takes a lot more effort to build trust than it takes to lose trust. Whether utilizing an official framework or not, there are ways to look at translating specific events into probable financial loss or downtime affecting the revenue or reputation of a company. Ultimately, ROI is minimizing the extent of these events, allowing the company to make revenue uninterrupted and continuing to build trust.
Buyers are more sophisticated about security than they were five years ago. How has that changed the conversation, and are there ways it has made the sales process harder rather than easier?
From a security organization perspective, this question is best viewed through two lenses. First, security vendors continuously introduce new features, acquire new capabilities, and rebrand solutions. This ongoing consolidation and expansion often result in shifting terminology and overlapping functionality. As a result, purchasing decisions cannot be treated as point solutions. Each investment requires a rigorous review of architecture alignment, operational processes, and governance implications. Tools must be deeply validated to ensure they deliver the intended functionality, integrate cleanly across the enterprise, and provide coverage without introducing unnecessary complexity or risk.
Second, from a customer point of view, interest in a supplier’s cybersecurity governance has gained more interest through assessments and questionnaires. Cybersecurity questionnaires from customers are more common than ever and can be extensive.
PPG wants to protect our supply chain and therefore has the same interest in our vendors’ cybersecurity posture. The upside is that the maturity and awareness of cybersecurity is progressing amongst the private sector; however, the industry must move towards some sort of standardization in program assessments. Program maturity does not always equal guaranteed protection, but a program with real operational maturity will stand out among customers and will help reduce exposure.
Industries like fintech, healthtech, and defense contracting have always treated security as a licensing requirement. Are there lessons from those sectors that less-regulated industries are still failing to apply?
Industries that are more regulated often have certifications or requirements that must be met to operate. These certifications or requirements lead to baseline controls being implemented with reviews that validate the implementation of the controls. Less regulated sectors often defer security until after revenue growth, which leads to fragile architectures, identity sprawl and technical debt that becomes prohibitively expensive to unwind later.
Threat actors are opportunistic and don’t discriminate by sector; therefore, cybersecurity maturity between industries is not sustainable. Security controls and architecture must be considered as early as possible during enterprise architecture discussions. Security programs must align themselves to frameworks where they can consistently assess and validate their program.
Five years from now, which companies will look back and recognize that their investment in security was one of the smartest growth decisions they made, and which ones will have treated it as a cost center and paid for it?
Companies that have invested heavily in foundational security are better positioned to embrace and adjust to the technological landscapes, enabling business continuity while maintaining consistent levels of protection. These organizations invest not only in protections, but they understand the importance of digital trust for growth initiatives.
Companies treating security as a “cost center” are the ones that are doing just enough to pass audits, deferring foundational work and not establishing an adaptable cyber program. These organizations will face significant incident recovery times, increased expense from regulatory exposures, reduction of trust and increased friction. As AI continues to evolve, the companies that have invested in foundational controls will be in a better position to enable AI with reduced friction and less security investment. Those that did not will find themselves spending more, moving slower and exposing themselves to higher risk.