Security as a Growth Engine: The Commercial Realities Shaping the Modern CISO Role

Insights from Mike Zachman (CSO, Zebra Technologies) and Bill Briggs (CISO/Senior Security Leader, Fintech/Manufacturing/Energy/Banking/Retail)

Our first article focused on the evolution of CISO leadership: how influence, communication, and trust define security at board level.

Part Two dives deeper into the operational and commercial realities behind that leadership.

If Part One explored how CISOs lead, this article explores how they create enterprise impact.

From AI governance to regulatory pressure to talent models, this segment of the conversation reveals how CISOs are turning security from a cost centre into a genuine value driver.

01

Influence, governance & AI: From gatekeeper to enabler

Security is no longer a technical function. It’s a governance function, one rooted in commercial awareness, stakeholder influence, and constantly changing innovation cycles.

For Mike, effective influence at board level starts with recognising that governance isn’t one-size-fits-all:

“There’s an old saying: ‘What works for one board works for one board.’ Translating technical execution into board-level understanding, that’s where the art comes in.”

That ability to translate risk into the language of the business becomes especially critical as organisations accelerate AI adoption.

From Bill’s perspective, the risk equation around AI isn’t just about control; it’s about missed opportunity:

“For us, the biggest risk was not exploiting AI responsibly.”

Boards want speed, efficiency, and competitive advantage. CISOs are expected to enable that momentum, without exposing the organisation to unmanaged risk. Mike’s approach reframes governance not as a brake on innovation, but as its enabler:

“My job isn’t to say ‘no’; it’s to say ‘know.’ The purpose of brakes isn’t to stop, it’s to let you go fast safely.”

Taken together, their views reflect a fundamental shift in expectations. The modern CISO is no longer positioned as a roadblock to progress. Instead, they design the guardrails that allow innovation to move quickly, confidently, and in line with the organisation’s risk appetite.

The takeaway:

Influence, governance, and AI stewardship are no longer defensive functions. Done well, they turn security into an accelerator of enterprise value.

02

Operationalising trust: How security shapes customer expectations and market confidence

Across private equity portfolios and high-growth sectors, the conversation has moved beyond whether a business can pass an audit. The real differentiator is whether it can demonstrate resilience and credibility under pressure, to customers, regulators, and investors alike.

Rather than treating compliance as an end goal, both Mike and Bill describe it as a forcing function: something that reveals how well a business actually operates when it matters most.

Bill spoke candidly about how attitudes toward compliance vary by industry and scale:

“No board would consciously say compliance alone is enough, but attitudes vary by industry and size… You often have to explain why passing an audit doesn’t mean the controls will protect valuation if they fail once.”

Mike highlighted how regulatory pressure can sharpen this focus, not just on compliance, but on decision-making quality during incidents:

“SEC reporting timelines gave us an opportunity to improve executive decision-making during incidents like ransomware. It forced us to become structured and aligned across the C-suite.”

That distinction becomes critical in sectors with intense vendor scrutiny (including finance, healthcare, logistics, manufacturing, and SaaS), where customers are no longer satisfied by certifications alone.

Instead, they are implicitly asking:

  • Can this business respond effectively under real-world stress?
  • Do its controls hold up beyond documentation?
  • Would a failure here expose us to operational, reputational, or regulatory risk?

This is where trust becomes operational. Not through policies or checklists, but through how organisations behave when something goes wrong, and whether they can evidence maturity, coordination, and accountability in moments that matter.

In private equity–backed environments, that capability translates directly into value. Strong trust signals reduce friction during diligence, increase buyer confidence, and support a more credible investment narrative, particularly where regulatory scrutiny or operational risk is high.

The takeaway:

Audits confirm compliance. Resilience builds trust. Organisations that operationalise trust through real-world readiness (not just documented controls) stand out in crowded markets and protect long-term value.

03

Resilience as revenue protection: Why “secure enough” isn’t enough

For many organisations, security investment is still justified in terms of prevention: stopping attacks, passing audits, avoiding fines. But in practice, the commercial value of security is most clearly revealed when something goes wrong.

Both Mike and Bill emphasised that compliance alone does not guarantee resilience, and that the real test of security maturity shows up under pressure.

Bill reflected on how organisations often only recognise this after disruption:

“Sadly, sometimes culture only changes after an incident. It’s a wake-up call, but it can permanently change how the organisation thinks about security.”

From Mike’s perspective, resilience is closely tied to decision-making and preparedness at the executive level:

“Compliance is necessary, but it’s insufficient for security. You can be compliant and still not be secure.”

Together, these perspectives underline a critical commercial reality. Resilience is not just about recovery plans or technical controls; it’s about whether leadership can make informed decisions quickly, communicate clearly, and maintain confidence with customers, partners, and regulators when the organisation is under stress.

In practical terms, this is what boards and investors increasingly care about:

  • How quickly can we understand the true impact of an incident?
  • Can leadership make effective decisions in compressed timeframes?
  • Will stakeholders trust how disruption is handled?

When those answers are unclear, the cost isn’t theoretical. It shows up as delayed revenue, extended diligence cycles, reduced valuation multiples, and long-term brand damage.

In private equity–backed environments especially, resilience becomes a value preservation mechanism. It protects downside during the hold period and strengthens the investment narrative for future buyers.

In this context, the CISO’s role extends beyond prevention. They become stewards of organisational readiness, ensuring the business can absorb disruption, respond coherently, and recover without eroding enterprise value.

The takeaway:

Strong security helps prevent incidents and protects revenue, reputation, and valuation.

In summary: Turning security into a strategic advantage

Whether advising a portfolio company or stepping into a new CISO role, the message from both leaders is clear:

Security drives value when it enables the business, not when it merely protects it.

Influence. Governance. Innovation. Customer trust. Talent.

These are the levers that elevate security from cost centre to strategic differentiator.

Thank you to Mike Zachman and Bill Briggs for their candour and insight, and for demonstrating what modern, business-aligned security leadership truly looks like.