Threatonomics

How to get people to care about security when they don’t report to you

by Chuck Norton, Senior Technical Security Advisor

Why leading with their pain beats pushing your solution every time

Getting executive sign-off on a new control? Hard. Getting peer buy-in on security initiatives when they don’t report to you? Harder.

In modern organizations, cybersecurity professionals often find themselves in the ultimate matrix of organizational challenges: you need buy-in from every department within the organization – operations, sales, HR, and finance – but none of them report to you. Your success depends entirely on your ability to influence without authority, turning skeptical department heads into willing collaborators.

But while getting the whole team on side is tricky, it’s not impossible. Here are three moves that finally turned “That’s not how we do it” into “Let’s pilot it”:

1. Lead with their pain, not your solution

The Strategic Value: This isn’t just about empathy — it’s about selling the solution to their problem. When you start with their operational challenges rather than your technical solutions, you demonstrate that you understand their world and speak their language. This cannot be simple lip service, either. CISOs must work closely with many diverse personalities across the organization to build genuine relationships that foster trust, build credibility, and encourage collaboration.

In Practice: Stop opening meetings with “We need to implement zero-trust architecture.” Instead, sit down with the Sales Director and say, “I noticed the CRM system went down twice during the quarter-end push last month. Walk me through what that looked like from your team’s perspective.”

Listen for the downstream impacts they mention:

  • “Prospects were calling our office every five minutes”
  • “We had to manually track leads for three days straight”
  • “The VP was asking hourly for status updates”
  • “Customers were posting complaints on social media”

The Sales Technique: Once they’ve articulated their pain points, you can position your security control as the solution to their problem, not yours. “What if we could prevent those CRM outages while actually making the login process faster for your team?” Now you’re not the security person pushing compliance—you’re the problem-solver addressing their operational headaches.

Why This Works: Departments are notoriously protective of their autonomy. They’ve seen too many “IT initiatives” that promised efficiency but ultimately delivered complexity. By starting with their problems, you signal that this conversation is about their success, not your project checklist.

2. Make them the hero of the story

The Strategic Value: People support what they help create. When stakeholders articulate the benefits in their own words and see themselves as participative, collaborative solution architects, they transform from reluctant participants into invested champions.

In Practice: Don’t pitch single sign-on as a security improvement. Instead, ask the Customer Service team: “If customers could access their account portal, support tickets, and billing dashboard with one login, what would that do for your customer satisfaction scores?”

Let them build the narrative:

  • “Customers would spend less time on password issues and more time engaging with our services”
  • “Our help desk could focus on substantive customer support instead of login problems”
  • “We could track customer engagement more effectively across platforms”
  • “The seamless experience would reinforce our ‘customer-first’ brand promise”

The Sales Technique: Take their vision and amplify it. “So if I’m hearing correctly, this is about creating a frictionless customer experience that supports your satisfaction goals and aligns with the company’s strategic objectives?” When they nod enthusiastically, you’ve transformed their customer success narrative into your cybersecurity initiative.

Advanced Move: Ask them to present the benefits to other stakeholders. “Would you be willing to share this perspective with the Operations team? They’re wondering about implementation impact, and hearing the customer satisfaction angle from you would be powerful.” Now they’re not just supporting your initiative — they’re advocating for it.

3. Start ridiculously small

The Strategic Value: Large-scale implementations feel risky and threatening to departmental autonomy. Micro-pilots feel manageable and create psychological safety. Success at a small scale builds confidence and creates proof points for broader adoption.

In Practice: Instead of proposing company-wide multifactor authentication, identify the lowest-stakes, highest-visibility opportunity. “The Finance team has been asking for better security on their expense system. What if we pilot our new MFA solution there first? It’s a small team, sensitive data, and they’re already motivated to improve security.”

The Pilot Selection Criteria:

  • Willing Champion: Find a department head who’s already bought into the problem
  • Contained Scope: Limited number of users and systems
  • Clear Success Metrics: Measurable outcomes that matter to stakeholders
  • Low Disruption: Minimal impact on critical operations during testing
  • High Visibility: Results that other departments will notice and ask about

The Sales Technique: Frame the pilot as a learning opportunity, not a rollout. “We want to understand how this works in our specific environment before we recommend it more broadly. Your team would help us refine the approach and identify potential issues before they affect other departments.”

Why This Works: Organizations value controlled experiments and measured approaches. By positioning your security initiative as a pilot study, you’re demonstrating prudent risk management and reducing perceived threat to existing workflows.

The meta-strategy: Building your influence network

These three tactics work because they tap into fundamental organizational psychology, but mastering them requires developing what many technical professionals overlook: soft skills as strategic weapons.

Every conversation with a department head becomes intelligence gathering. When you ask about their quarterly challenges or upcoming initiatives, you’re not just being friendly—you’re mapping the organizational landscape. The Operations Manager worried about system downtime becomes your entry point for discussing business continuity. The HR director frustrated with password reset tickets becomes your champion for single sign-on.

Your network of departmental relationships functions like critical infrastructure. The same way you wouldn’t run mission-critical systems without redundancy, you can’t implement security initiatives without cross-departmental allies. When Finance questions your budget, that Operations Manager who saw reduced downtime becomes your advocate. When leadership asks about ROI, that HR director with fewer help desk tickets becomes your proof point.

Stories drive adoption more effectively than statistics. While you might be tempted to lead with “this reduces our attack surface by 40%,” what resonates is “after implementing this control, the Customer Success team reported that clients could access their account status 24/7 without calling during business hours.” Collect these narratives deliberately—they become your most powerful change management tools.

The relationship investments you make today compound over time. In business, people change roles, get promoted, and move between departments. The department head who trusts your judgment today becomes the senior leader who advocates for your budget tomorrow. The manager who sees you as a problem-solver rather than a policy enforcer becomes your ally when new operational concerns arise.

You’ll know your influence strategy is working when departments proactively ask for your input on new initiatives, stakeholders cite security considerations in their own planning, peers volunteer to pilot new controls without being asked, and your security initiatives get referenced in other departments’ success stories.

The ultimate win isn’t just implementing better cybersecurity—it’s becoming the trusted advisor who helps the entire organization achieve its mission more securely.
