When Buy-In Goes Wrong — Perspectives From A Former CISO/CSO

In my last blog, I talked about how “it takes a village” from the perspective of the job being bigger than any one person and the many benefits of being involved in the CISO community to leverage the collective power of a broad support base. There is another aspect to this concept, however. Today, security matters. It touches just about everything we do and every part of the business.

To be successful, security leaders need to wield influence to enlist employees and peers across the organization to acknowledge security, advocate for it, and be active and willing participants in securing the organization. But nothing good happens when that does not go as planned. Some of the more significant issues include unclear or duplicated responsibilities, stifled innovation, damaged relationships, and even eroded customer, employee, and partner trust due to security incidents.

Let’s dive into a few of the bigger concerns and some approaches to turning these challenges into successes.

They’ve Gone Rogue!

This is perhaps a tad dramatic, but the issue here is real. In this case, you have gotten buy-in, which is a true win, but the team or business unit in question believes that they fully understand what’s needed from a security and governance perspective — so much so that they stop engaging with security and start making decisions in a silo. I have seen this in action, and the result was some unfortunate decisions being made that could have resulted in tangible risk. A good example here was a decision to skip code/pen testing under the mistaken belief that it wasn’t needed. Rarely does security testing not turn up issues. If those issues had not been caught, they easily could have left a key solution exposed. This also could have impacted the certifications the solution held.

Recommendations: It’s great that you got them on board and that they are trying to do the right thing. You definitely don’t want to discourage that, but you need to make sure that security is involved in the planning, change control, and approval processes so that you and your team have the ability to step in when and if needed. Make sure that security is plugged in at each of these stages:

  • Planning. Getting involved in the planning stages is always the best answer. This allows you to address potential problems and/or offer alternatives well before they turn into issues or become disruptive.
  • Change control. Being an active participant in the change control process offers another opportunity to review, catch, and correct potential issues.
  • Approval. Ideally, you want to catch issues well before being asked to supply your approval. This is still an important last chance to catch things, however, especially in cases such as this where we are talking about groups outside of security that are empowered and working with you.

It’s important to note that in all of these cases, they are opportunities to provide guidance, educate, influence, and enable/empower the very teams you need on your side to drive success.

An Information Security Steering Committee with engaged, empowered members is a catalyst for new perspectives, ideas, and, ultimately, action, leading to greater visibility as those perspectives, ideas, and actions are socialized by committee members within and throughout their own functions.

Who’s On First?

We all know that cloud is a shared responsibility model. But the shared responsibility isn’t just between the organization and the cloud provider. What used to be a clear delineation of responsibilities when it came to security is now blurred. You have architecture and IT operations teams configuring and supporting native security functions and solutions in the cloud. Just as in the example above, if the right relationships, controls, and structure aren’t in place, you can have significant, albeit unintentional, consequences, including missed or lapsed controls, improper or missing configurations, and other unmitigated exposures that put your company, data, partners, and/or customers at risk.

Recommendation: A RASCI chart is a great place to start, assuming it doesn’t just gather dust on a proverbial shelf. Another viable approach, in addition to the RASCI, is to create a new team made up of the right resources from across the organization. For example, create a cloud fusion team, a cloud center of excellence, or an attack surface management team.

You Bought What?

When teams outside of security scope or purchase solutions or licensing that include features/functions that would normally be considered core security elements, it can result in a host of potential issues. This is becoming more of an issue, as we are seeing a continued consolidation of security services and technologies by the biggest players, and not just within core/traditional security providers.

With the right approach and involvement, teams outside of security making recommendations and offering alternatives and possible consolidation can be a win for the organization. Reduced costs, fewer tools and vendors, and better integration are all possible outcomes. When this is done in a vacuum, however, the opposite can happen, leading to numerous issues, including:

  • Duplication of tooling leading to increased cost and operational overhead or confusion of ownership (i.e., someone else bought it … who is responsible for it?).
  • Depending on what the tool does, you also run the risk of missed alerts, as neither group is paying attention.
  • Forced budget and/or tool reductions.
  • Reduced or lost functionality.

Any of the above can result in increased risk to the organization and, if nothing else, damaged relationships between the teams involved and with the solution provider. For more in-depth research on this subject, be on the lookout for Jeff Pollard and Jess Burn’s upcoming report on a clear example of this.

Recommendation: Addressing potential issues before they become reality is the best approach. Establish when and how security should be involved and who has the actual approval authority. If you don’t have them already, consider hiring (or promoting from within) business information security officers to embed themselves in business unit management teams to help them make security- and risk-informed decisions.


How have you dealt with these situations in your organization? Reach out to share your stories and best practices — or to speak with me or one of our analysts about solving or avoiding these issues.