When an executive rejects a security recommendation, it's worth asking what would need to change for a different answer. That question reveals constraints we didn't see and persuasion paths we didn't consider.

https://zeltser.com/rejected-security-recommendations

#cybersecurity #securityleadership #CISO #infosec

When Executives Reject Your Security Recommendations

A rejected security recommendation feels personal, but it often reflects competing demands the security team doesn't fully see. Knowing how to act on that reality helps the CISO become someone the business trusts with its priorities.

Lenny Zeltser

@lennyzeltser

I hate that your article is right.

"Here is a real, prioritized risk; therefore we must fix it" is so much easier to understand.

The problem I've had with pitching the $1,000,000 vs $100,000 solution is that they never want to budget for the other $900,000 and feel like they did you a favor by approving the first part. The comments are mostly "didn't we already have that conversation nine months ago? Why are you bringing up ancient history?"

And that's what happens: we have to rebuild the "case for" from scratch, possibly look at other vendors, and go through the entire project approval process again.

The business processes are not designed around piecemeal solutions. They want five-year projections before they'll even give you a dollar. That's not even possible in today's world.

So that's a question: even if you get executive buy-in, how do you wrangle procurement, project management, legal, finance, third-party risk, the board of directors? They've moved on.

@jrdepriest @lennyzeltser

Sounds like executives are ripe for replacement by an LLM everyone ignores