To be an effective security, risk management or compliance leader, you need to advocate for your team's needs and secure resources to improve cyber defense posture, mitigate risks and ensure compliance with industry standards. While securing the resources you need isn't necessarily a difficult endeavor, you may not always know what steps are needed to get the outcome you want.
Wondering how to get your top executives and other key stakeholders to align?
Here is a set of five best practice activities compliance and security professionals need to take to get what they want:
1. Understand your organization's procurement process
Ideally, you want to gain an understanding of your organization's procurement process before you talk to any vendors. This way, when you select a vendor, you can coach the sales rep on how to best navigate the process.
Many organizations design their tools budget based on departmental needs, but because managing risks and keeping up with compliance requirements is inherently cross-functional, most organizations have not created budgets that factor in the purchase of new tools specifically for risk and compliance management.
To get the budget you need to purchase tools, you'll likely need to move outside of the "normal" documented process and go up the chain of command to senior leadership who can approve new purchases outside of the normal budgeting cycle.
2. Frame your message for executive decision-makers
Once you've identified the person(s) who can approve the budget for needed resources, it's time to frame your request in a way that will compel them to act. The best way to do that is to align your message with the executive's key priorities.
Almost all executives are aware that an attack could happen to their company. Because of this, they're likely interested in knowing how well your organization is currently doing in mitigating the cyber risk scenarios that are likely to happen. Your executives also want to make sure that your organization will be able to pass upcoming audits. Last but not least, leadership will be concerned about costs and operational efficiency.
As such, you'll want to tie your budget request back to your security and compliance capabilities and your ability to deliver business value. If your current capabilities do not allow you to adequately identify or address risks arising from operations, that introduces too much risk to your organization.
For instance, you may bring up challenges such as:
Falling behind in responding to customers' security/privacy questions in a timely manner
Coping with COVID-19 and the security risks that haven't been fully addressed
Keeping up with an increasing number of regulatory and customer requirements and minimizing liability
Needing to minimize the impact of compromised cyber security should an organization fall victim to ransomware or other form of cyber attack
3. Identify your allies
When you're asking for budget approval on pricey software, it's important to have allies. This way, executives can see that although there is an upfront cost, the problem(s) you're tackling with this solution is an enterprise-wide concern.
When it comes to risk and compliance software, there are multiple groups of stakeholders who can benefit, including:
Key control operators across IT, Engineering, Product Development, Finance teams
Risk management/legal team members
Internal audit team members
Once you've identified allies, work with them to determine how to best influence the final decision-maker.
4. Understand the implementation plan and timeline
To powerfully communicate the level of impact you'd expect to achieve with your proposed solution, talk to the key decision-maker about time-to-value. With this software and the support you'll get from the vendor company, how long will it take for you to achieve major milestones?
To ensure your initiative yields results quickly, it's important to understand how intuitive and self-service (vs. technical) it would be to get started with the software product.
By confirming the timeline needed to achieve key milestones early in the sales process, you'll be able to present a reasonably accurate forecast of time-to-value for the software.
5. Treat your sales rep as a collaborator and allow them to help you
A great sales rep should work collaboratively with you, helping you orchestrate meetings to win over key decision-makers. They can also bring specialists into meetings – so that questions and concerns coming from your organization can be satisfactorily addressed.
If you've done due diligence on the software and feel quite positive about it, it is time to be candid with your sales rep. Brief them on your procurement process, who the decision-makers and influencers are on your side, their concerns and the questions they're likely to raise – so your sales rep can do their part to support you and make you look like a hero in meetings.