Aikido

PSG strengthens security posture across portfolio with Aikido

150+ companies backed & using Aikido
520+ add-on acquisitions

PSG is a growth equity firm that partners with software and technology-enabled services companies to help them navigate transformational growth, capitalize on strategic opportunities, and build strong teams. Having backed more than 150 companies and facilitated over 520 add-on acquisitions, PSG brings extensive investment experience, deep expertise in software and technology, and a firm commitment to collaborating with management teams. Founded in 2014, PSG operates out of offices in Boston, Kansas City, London, Paris, Madrid, and Tel Aviv. To learn more about PSG, visit www.psgequity.com.

PSG takes a strategic and pragmatic approach to operational enablement, security included. When they looked to unify application security across the portfolio, they turned to Aikido.

We spoke with Adam Glick, Chief Information Security Officer at PSG, about how Aikido helps the firm support security and the role the platform now plays in diligence, oversight, and enablement.

Hey Adam! Could you start by introducing yourself and your role at PSG?

I'm the CISO at PSG. I've been with the firm for about two years. My responsibilities are twofold: I oversee internal IT and InfoSec at PSG itself, and I also act as a governance and oversight function for the portfolio companies. That means helping ensure our Portfolio Companies (“PortCos” or “portfolio companies”) are investing in security, maturing their programs, and shipping secure code.

How does PSG support its portfolio companies when it comes to security?

We have an operations team that helps our PortCos day-to-day: whether it's tech selection, hiring, GTM strategy, or yes, security. We work alongside them to evaluate vendors, create policies, prep for audits, or address compliance challenges.

On the security front, we’re there to help our portfolio companies understand what’s needed and find the right tools and partners to get there.

What role does application security play in the frameworks you encourage?

We believe that AppSec is one of the core tenets of any development organization. We expect our PortCos to prioritize secure coding practices, both for organizational risk and reputational integrity. Our job is to support our PortCos in their evaluation and adoption of secure coding tooling. 

What prompted PSG to explore a portfolio-wide application security initiative?

Any initiative we can implement across the portfolio is a win. If we can identify a programmatic or systemic need (especially in something like security) it’s worth solving in a unified way. 

How did you identify the right tooling for this kind of initiative?

We have regular touchpoints with our PortCos and have an understanding of their maturity. This level of engagement gives us visibility into where shared solutions could be supportive portfolio-wide.

The biggest challenge when adopting a portfolio-wide application initiative is minimizing friction. Every company is different. The question is: what’s the common denominator? We needed a solution that could work for the majority of companies with minimal deployment hurdles.

So how did Aikido stand out?

Deployment ease was a major factor. Once we completed our diligence and signed the contract, we could connect a company to Aikido and start scanning in seconds, literally. No fine-tuning, no headaches. That alone eliminated a major barrier.

But beyond that, the breadth of technical capabilities (SAST, DAST, CSPM, secrets scanning…), all built into a single platform, was really compelling. For PSG the deployment was lightweight on effort and heavyweight on results.

And the executive relationship mattered. We want to know that if something goes wrong, we have people at the helm helping us resolve it fast. Our experience with the executive team at Aikido has been positive.

How did you approach rollout across the portfolio?

We took rollout seriously. It wasn’t just, “Here’s a tool, go use it.” We had awareness sessions, office hours, 1:1s with dev leaders, documentation, Slack channels for real-time support… Basically everything we could to make sure our PortCos were set up for success.

Both Aikido and PSG had points of contact. We were available across multiple channels to ensure fast responses. The enablement side was just as important as the tech itself.

What role does the Aikido Partner Portal play in your oversight?

There’s a lot of potential there. Today, we use it to quickly identify major CVEs (like “Who’s got CVE-2024-XXXX?”) and reach out to affected companies.

That said, we’re pushing for stronger reporting capabilities. We’d love to see more macro-level trends. Things like portfolio-wide vulnerability trends or company-by-company remediation rates. Aikido’s been very receptive to this feedback, and we’re collaborating on improvements.

How would you describe the “before” and “after” of security coordination at PSG?

Before, tooling was more fragmented. Every PortCo picked what worked for them. That’s not inherently bad, but it makes oversight and support a lot harder.

Now, there’s something central in place that wasn’t there before. We’ve had positive feedback from users. The tool is easy to adopt and genuinely helpful. We’re still early in quantifying the impact, but anecdotally, it’s been very positive.

Have you started using Aikido in other ways beyond portfolio security?

Yes. We’re beginning to incorporate Aikido into our diligence workflows. As we evaluate new companies for potential acquisition, we can plug them into Aikido and get immediate insights into their security posture, without needing access to the code itself. We feel that it gives us a more informed view of what we’re acquiring.

Any advice for others rolling out technology initiatives across a portfolio?

Absolutely. One thing we’ve learned is not to be overly prescriptive in the IT space. We use what I call the “Netflix road well-traveled” approach (based on the company’s management style). We tell companies what outcomes we need (say, a secure coding program), but we don’t dictate exactly how to get there.

Aikido is a great example: it’s a strong recommendation, not a mandate. If it works for you, amazing. If not, find what does. There’s no one-size-fits-all, but there is a one-size-fits-most, and we think Aikido fits that sweet spot.

Final thoughts?

Aikido’s been a tremendous partner. Whether it’s support in the Slack channel, leadership availability, or product responsiveness, they’ve consistently delivered. It’s been a great relationship.
