In this Help Net Security interview, John O’Rourke, CISO at PPG, discusses what it means for security to drive business value. He explains how mature security programs reduce friction in sales cycles and M&A processes, and how trust is built over time.
O’Rourke also discusses how consumer sophistication has raised the bar for marketers, why less regulated industries lag behind their more regulated counterparts, and which companies will benefit from basic security investments. The discussion covers five questions about cybersecurity strategy, ROI, and the cost of deferring security work.
“Security as an investment” risks becoming the next empty buzzword. What is the concrete, measurable form of that concept, and what should managers be suspicious of in the watered-down version?
The quantifiable version of “security as a currency” is when security takes the friction out of growth in ways you can track. For example, agile processing is integrated into the mergers and acquisitions (M&A) and sales cycles when customers buy your product. At PPG, we have created a diverse operational plan and M&A team focused on cybersecurity. This allows us to evaluate potential companies using a repeatable integration plan while minimizing cybersecurity risk.
In general, a program that has the knowledge of cybersecurity has standard documents and processes that allow responses and controls with minimal effort. This leads to a reduction in closing time or a reduction in pending sales deals. There are many standards available that cyber organizations should measure themselves against, such as those from the National Institute of Standards and Technology (NIST) and certifications from the International Organization for Standardization (ISO), System and Organization Controls (SOC 2), or, if you are in a regulated industry, the Cybersecurity Maturity Model Certification (CMMC).
Security does not “create money” directly; however, investments in this area prevent security from being the cause of delay or loss of money. A few examples of how security reduces conflicts within PPG include automated sign-on and sign-off processes, increasing access to services through proper behavior in identity and access control, and improved audit readiness that enables business initiatives to proceed without delay.
How do you measure trust? Security teams are often asked to prove ROI, but the value of not losing customer trust is notoriously difficult to put on a spreadsheet. What designs work?
In all organizations, especially in the cybersecurity space, trust is certainly not tracked on a spreadsheet and not defined by a “checkbox.” It takes more effort to build trust than it does to lose trust. Whether you use a formal plan or not, there are ways to turn isolated events into potential financial losses or downtime that affect taxes or the company’s reputation. Ultimately, ROI reduces the scope of these events, allowing the company to generate uninterrupted revenue and continue to build trust.
Consumers are more sophisticated about security than they were five years ago. How has that changed the conversation, and are there ways it’s made the sales process harder instead of easier?
From a security organization perspective, this question is best viewed through two lenses. First, security vendors are constantly introducing new features, acquiring new capabilities, and rebranding solutions. This continuous integration and expansion often results in a change in vocabulary and corresponding performance. As a result, purchasing decisions cannot be considered as a solution of facts. Each investment requires a rigorous analysis of the infrastructure, operational processes, and governance implications. The tools must be thoroughly validated to ensure they deliver the intended functionality, integrate cleanly across the business, and provide security without introducing unnecessary complications or risk.
Second, from the customer’s point of view, interest in the provider’s cybersecurity program has grown, expressed through reviews and questions. Cybersecurity questions from customers are more common than ever and can be overwhelming.
PPG wants to protect our supply chain and therefore has the same interest in our suppliers’ position on cybersecurity. The bottom line is that growth and awareness of cybersecurity continue across the private sector, yet the industry must transition to a more standardized approach to software testing. Program growth does not always equate to guaranteed security, but a program with real operational growth will stand out among customers and help reduce exposure.
Industries such as fintech, healthtech, and defense contracting have long considered security a licensing requirement. Are there lessons from those sectors that poorly regulated industries are still failing to apply?
More regulated industries often have certifications or requirements that must be met in order to operate. These certifications or requirements lead to basic control that is implemented through inspections that ensure the operation of the systems. Poorly managed departments often postpone security until after revenue growth, leading to broken infrastructure, identity proliferation and technical debt that is too costly to recover later.
Threat actors are opportunistic and indiscriminate, so the growth of cybersecurity across industries is unsustainable. Security controls and infrastructure must be considered as early as possible during business planning discussions. Security programs must have a framework in place where they can regularly test and validate their program.
Five years from now, which companies will look back and realize that their investment in security was one of the smartest growth decisions they made, and which will have taken it as a cost center and paid for it?
Companies that have invested heavily in basic security are in a better position to adopt and adapt to technology, enabling business continuity while maintaining a consistent security posture. These organizations not only invest in security, but understand the importance of digital trust for growth initiatives.
Companies that view security as a “cost center” are the ones that do only enough to get through audits, postpone core work, and do not create a flexible cyber program. These organizations will face long recovery times, increased costs from regulatory exposure, reduced trust, and increased conflict. As AI continues to evolve, companies that have invested in core management will be in a better position to leverage AI with reduced friction and less investment in security. Those who don’t will find themselves spending more money, moving slower, and taking more risks.