Getting Organizational Buy-In from Enterprise Stakeholders: Eight Big Tips for CISOs
As a cybersecurity team leader, probably one of the biggest challenges you’ll face is getting other parts of the organization to take cybersecurity seriously. Sure, it’s “serious,” but is it really “that” serious? This can be particularly frustrating when securing resources, budget, or executive support.
Here are a few strategies and tactics you can use to get buy-in from your enterprise stakeholders:
- Speak their language: With security, it can be easy to get bogged down in technical jargon. It’s not the job of most of our other contributors to know MFA from the IoT, and if you want to get buy-in from other parts of the organization, it’s crucial that you speak in terms that “the layperson” will understand. This might mean translating your message from technical speak to business speak, ditching those security-specific three-letter acronyms (TLAs), and tailoring your approach to the specific needs and concerns of different stakeholders. What do they need? What are their problems? What cybersecurity issues affect their departments directly?
- Emphasize the business value of security: Most enterprise stakeholders care about security, but they may not understand how it directly impacts their bottom line. By demonstrating how security initiatives can improve productivity, protect assets, and reduce risk, you can help build support for your initiatives. What is the cost to them of reduced protection? What’s the return on investment? In their language, how can your team provide a solution and value?
- Build relationships: Building solid relationships with key stakeholders is essential for getting buy-in. This means taking the time to understand their priorities, building trust, and demonstrating that you have their best interests at heart. By doing this, you can create allies who will advocate on your behalf and help you secure the resources and support you need. Sending a representative to the dev team daily stand-up or just grabbing a coffee with the head of accounts to chat about Zero Trust can go a long way to fostering understanding and inter-departmental relationships.
- Be transparent: Lack of transparency is a major contributor to the lack of buy-in from the C-suite and those stakeholders who aren’t as au fait with what the cybersecurity team does for the organization. When stakeholders don’t understand what’s happening or why, they’re more likely to resist change. To avoid this, be transparent about your initiatives and their reasoning. Explain how you came to your conclusions, your priorities, and what you’re trying to achieve. Yes, cybersecurity is a secretive science by nature, but if you show concerned parties behind the curtain it can go a long way to demystifying what you do and showcasing its importance and your technical expertise. I once heard a colleague say, “Cybersecurity is like sound on a film. People only notice when the sound is bad, and no one takes any notice of who wins the Oscar.” So true, but once you listen, it changes how you appreciate a movie.
- Provide regular updates: Keeping stakeholders informed and up-to-date is crucial for building trust and ensuring continued buy-in. Regular updates help to dispel rumors, address concerns, and demonstrate your commitment to transparency.
- Get executive buy-in: Executive buy-in is critical for securing resources and budget for your initiatives. To get executive buy-in, you’ll need to present a clear and compelling case for why security is important, what you’re trying to achieve, and what the benefits will be. You know why, but they don’t. Remember to keep it in language that’s friendly to your audience, and make sure it relates to their interests.
- Involve stakeholders in the process: Involving stakeholders in the process is another important step towards getting buy-in. This can be as simple as asking for their input or feedback, or it can involve giving them a more formal role in the decision-making process. Through their participation, you demonstrate that their opinions and concerns matter, and you build support for your initiatives.
- Lead by example: Finally, the best way to get buy-in from stakeholders is to lead by example. By demonstrating your own commitment to security, you set a positive tone and help build support for your initiatives.
In conclusion, getting organizational buy-in from enterprise stakeholders can be challenging, but it’s crucial for the success of your cybersecurity initiatives and future funding.
By speaking their language, emphasizing the business value of security, building relationships, being transparent, providing regular updates, getting executive buy-in, involving stakeholders in the process, and leading by example, you can help build support and ensure the success of your initiatives.
- Translate technical speak to business speak
- Emphasize the business value of security
- Build relationships with key stakeholders
- Be transparent about initiatives and reasoning
- Provide regular updates to stakeholders
- Get executive buy-in
- Involve stakeholders in the process