Having a great cybersecurity idea is only half the battle. The real challenge? Getting others to embrace it. When security initiatives fail, it's rarely due to technical flaws. It's almost always because we couldn't convince the right people to get on board.
The cost of this failure is staggering. Organizations worldwide spend billions annually on cybersecurity, yet breaches continue to rise. According to IBM, the average data breach now costs $4.45 million. More troubling is the hidden cost of abandoned security initiatives: billions wasted on partially implemented solutions that never gained sufficient support to realize their potential.
Let me share a recent example that illustrates this challenge. A mid-sized healthcare provider had identified serious vulnerabilities in their patient data systems. Their security team developed a solid remediation plan, but couldn't convince leadership to prioritize the fixes. Six months of meetings and presentations led nowhere. Then came the inevitable: a ransomware attack that encrypted patient records, forced appointment cancellations for three weeks, and ultimately cost more than $12 million in recovery costs, regulatory fines, and lost revenue. All preventable if the cybersecurity team had mastered the art of getting buy-in.
The good news? Getting buy-in isn't magic. It's a skill anyone can learn. Let me walk you through a four-step approach that has consistently worked for me and the dozens of security leaders I've mentored.
Step 1: Take stock
Before charging into the boardroom with your brilliant idea, pause and assess your current position. I learned this lesson the hard way early in my career when I presented what I thought was an airtight case for a new endpoint security solution. I was met with blank stares and a quick "let's table this for now." Later, I discovered that the CIO had already started a similar initiative, information I could have learned with minimal preparation.
Initial assessment
Begin by reviewing your current position. Is your plan fully formed? Have you incorporated feedback from preliminary discussions? Where does support currently stand?
I once worked with a security director who thought their data loss prevention proposal was being ignored due to budget concerns. When we dug deeper, we discovered the real issue: They had consulted IT but completely overlooked the legal and compliance teams who had critical requirements.
Communication review
Examine your previous communications: one-on-one conversations, meetings, memos, and emails. You might be surprised at what you find. I've seen cases where executives were actually supportive of a security initiative but didn't realize the security team was waiting for more explicit approval.
A healthcare CISO I mentored was frustrated by an apparent lack of support for a medical device security program. When we reviewed past communications, we found they had been using highly technical language that non-security leaders simply couldn't follow. Once they adjusted their messaging to focus on patient safety rather than technical vulnerabilities, support materialized quickly.
Key questions checklist
To become masterful at getting buy-in, start by answering these five critical questions:
- Do you know who needs to buy in? Map all stakeholders and their specific concerns.
- What concrete evidence of buy-in exists? Words of support are nice, but look for actions: allocated budget, assigned resources, or scheduled implementation steps.
- Have standard communication tasks been completed? Have you briefed key influencers one-on-one before group presentations?
- Is your idea crystal clear? If you can't explain it simply, you haven't refined it enough.
- Can you explain it during an elevator ride? Create a 30-second version that captures the essence.
Stakeholder engagement
Have you consulted likely supporters? Are they positioned to address potential attacks? Creating allies before big meetings is essential.
I recall a security leader who struggled to get support for a privileged access management program until they identified and briefed three respected senior engineers who became vocal advocates in subsequent meetings. Their endorsement carried more weight with leadership than all their technical arguments combined.
Meeting preparation
Role-play potential meetings. Have supporters act as attackers in practice sessions. This simulation helps you develop muscle memory for handling objections gracefully.
Communication best practices
Remember: you can't overcommunicate. Use different settings and formats. Some executives absorb information better in one-on-one settings, others in written proposals, and others in group presentations.
Step 2: Understand attack and response patterns
In any discussion about change, expect resistance. Just as attackers use predictable tactics against your network, skeptics use predictable patterns to challenge your ideas. Understanding these patterns is your best defense.
Attack categories
Virtually all objections fall into three categories:
- "The problem doesn't exist" – Denying there's a risk worth addressing
- "The solution isn't good" – Accepting the problem but rejecting your approach
- "It won't work here" – Acknowledging both the problem and solution but claiming special circumstances
Core response elements
When responding to attacks:
- Welcome attackers into the discussion – Treat objections as valuable input rather than opposition.
- Keep responses clear, simple, and logical – Emotional reactions undermine your credibility.
- Show consistent respect – The moment you appear dismissive, you lose potential allies.
- Focus on the broader audience – In group settings, your real goal is to persuade silent observers.
- Prepare thoroughly – Especially for high-stakes situations.
Common attacks and responses
Let's look at examples from each category.
Category 1: "The problem doesn't exist"
Their Attack: "We've never required multi-factor authentication for internal applications before, and we haven't had any major breaches. It will just slow people down."
Your Response: "True, but consider what happened to MGM Resorts in September 2023. A single compromised employee credential led to a $100 million loss. The threat landscape has fundamentally changed—cybercriminals are specifically targeting companies that rely solely on passwords. Companies that don't adapt their authentication practices to today's threats are increasingly becoming victims of costly breaches."
This response acknowledges their point while introducing compelling evidence of the evolving risk. By referencing a well-known breach at a similar organization, you make the threat concrete rather than theoretical.
Category 2: "The solution isn't good"
Their Attack: "Monitoring employee activities through DLP tools goes against our culture of trust and autonomy."
Your Response: "Our core value is protecting our employees, customers, and their data. Companies like Netflix demonstrate how security monitoring actually supports trust; they're famous for their culture of freedom and responsibility, yet they maintain robust security monitoring to protect their people and intellectual property. We're not proposing surveillance; we're implementing guardrails that protect everyone while maintaining privacy."
This response reframes the solution to align with organizational values and provides a concrete example of a company known for its progressive culture that still implements strong security controls.
Category 3: "It won't work here"
Their Attack: "We don't have the budget or staff to implement and maintain a security orchestration, automation, and response (SOAR) platform."
Your Response: "Consider Equifax's experience: they spent $1.4 billion on breach cleanup, plus $1.38 billion in settlement costs. Their incident could have been prevented with much smaller investments in basic security automation. We're not suggesting an enterprise SOAR implementation—we can start with simple automation using Microsoft Power Automate, which we already own. Norwegian Cruise Line began this way, automating basic incident response with existing tools. They reduced response time by 90% with minimal investment. We can follow a similar low-resource approach."
This response acknowledges resource constraints while highlighting the cost of inaction and offering a scaled-down approach that addresses the core objection.
Step 3: Prepare through brainstorming
For high-stakes situations, group brainstorming can identify potential attacks and develop effective responses you might not think of alone.
Brainstorming guidelines
- Work with small, diverse groups of 3-5 people.
- Include creative thinkers as well as subject matter experts.
- Review all attack types systematically.
- Develop situation-specific responses.
I worked with a bank CISO who was struggling to get approval for a cloud security program. We assembled a brainstorming team that included an engineer, a risk manager, a business analyst, and, surprisingly, a marketing specialist. The marketing person suggested framing the cloud security initiative as an "innovation enabler" rather than a control function. This simple reframing, which no one on the security team had considered, completely changed the conversation with executives and led to quick approval.
Step 4: Implementation
Once you've secured initial buy-in, the real work begins. Remember that implementation is a continuous process of maintaining and expanding support.
I've seen too many security leaders win the initial battle for approval only to lose the war during implementation. A retail CISO secured executive support for a comprehensive security awareness program but failed to maintain communication during rollout. When the program encountered initial user resistance, executives quickly withdrew support, assuming the plan was flawed rather than recognizing that change always faces initial friction.
Making it real: A success story
Let me share how this approach transformed a struggling initiative into a success story.
Sarah, a newly appointed CISO at a manufacturing company, inherited a failed multi-factor authentication project. Her predecessor had made three unsuccessful attempts to implement MFA, each time facing fierce resistance from operations leaders who saw it as disruptive to production processes.
Rather than immediately trying again, Sarah took stock. She discovered that previous attempts had focused entirely on security benefits without addressing operational concerns. She scheduled one-on-one conversations with each operations leader, not to pitch MFA but to understand their processes and challenges.
During these conversations, she identified their real concern: production lines couldn't afford authentication delays during shift changes. She also discovered potential allies in IT who supported the initiative but hadn't been properly included in planning.
Sarah then brainstormed with her team and IT allies to develop responses to likely objections. When a production manager argued "MFA will slow down shift changes and cost us thousands in lost production," she was ready with a tailored response: "We've designed a solution using proximity badges for the factory floor that actually speeds up authentication compared to the current password system, while dramatically improving security."
At the executive presentation, Sarah didn't lead with security benefits. Instead, she began with: "We've developed an authentication approach that will reduce shift-change delays by 30% while protecting our production systems from the kind of attacks that shut down Colonial Pipeline for six days." The same executives who had rejected previous MFA proposals enthusiastically approved Sarah's plan.
Conclusion
Securing buy-in isn't about having the most technical knowledge or the perfect security solution. It's about understanding human dynamics, preparing for predictable resistance patterns, and communicating in ways that resonate with your audience's priorities.
The four steps—taking stock, understanding attack patterns, preparing through brainstorming, and implementing effectively—provide a structured approach that can dramatically improve your success rate. I've seen this method transform security leaders who previously struggled to get any initiatives approved into organizational influencers whose recommendations are actively sought out.
Remember that good ideas deserve strong defense. The most brilliant security strategy is worthless if it remains unimplemented. By mastering the art of getting buy-in, you not only advance your security program but also elevate your role from technical expert to business leader.
The average tenure of a CISO is under three years. Your ability to gain buy-in may be the most important skill in your professional toolkit. It certainly has been in mine.