When it comes to security vendor risk management, what strategies have you found effective to win stakeholder buy-in?
Typically in security roles—especially if you're replacing someone or have been brought in to fix an issue with the prior management—most companies don't just agree to spend a lot of money on security. There's a reason; there's some compliance requirement they're trying to meet in order to do bigger, better, or different things.
One of the best ways to get everybody's buy-in is to frame the conversation around that business ask. Maybe the four key areas that you're looking at are access, security, change management, and backup, which happen to be critical focus areas if you are doing something bigger than private. Explain that if they want to be compliant to do that, here’s what they have to do. Maybe we have to invest in security. And auditors will say the same thing—the reason you were hired might have been because auditors have already told them that.
If you focus on the business ask, then you can start to bubble it up and tie it to your stack of priorities. Do you protect the crown jewels? What are the programs around that? Keep branching that out so that by year two or three, you feel a bit more secure than you did in month four. We also need to use numbers and metrics as a fear factor. For the cyber security month kickoff, I pulled metrics from IBM, specifically what one incident would cost for companies up to a thousand employees, etc.
The one thing that I've found very useful for changing paradigms is to put somebody through a mock deposition. Having been deposed multiple times—with people making decisions or looking the other way—they're either going to perjure themselves, which is one problem, or they'll tell the truth, which then means they're more liable.