Getting to Yes

A guide to becoming a great advocate for your security, compliance, and risk management program

Introduction

To be an effective security, risk management, or compliance leader, you need to be able to advocate for your team’s needs and secure the resources needed to improve your organization’s cyber defense posture, mitigate the risks that impact your organization’s mission, and ensure your organization complies with industry standards, regulations, and contractual agreements. While securing the resources you need isn’t necessarily a difficult endeavor, you may not always know what steps are needed to get the outcome you want – especially if you’re new to an organization or work in a large company with lots of red tape.

Many security, compliance, and technical leaders are put in a tight, uncomfortable spot. They are worried that they’re missing some key capabilities needed to adequately safeguard the company’s infrastructure and data. Their team is chronically overworked. They know that risk and compliance management processes are still ad-hoc or siloed between teams. Their compliance team is using hacked-together, homegrown tools like spreadsheets that aren’t scalable.

They’re worried that the level of security and compliance risk their organization has taken on is too high. Like someone juggling an increasing number of porcelain plates, it’s only a matter of time until one falls and shatters.

These leaders see a path forward that involves standing up good processes and new workflows and using dedicated resources. They see the benefit in using better tools that provide visibility into their risks, reduce manual, repetitive work around supporting audits, and support better control validation processes. But how do they get their top executives and other key stakeholders to see a unified vision and want the same things?

In this guide, we’ll show you what you can do to become a highly effective advocate for your security, compliance, and risk management initiatives. We’ll provide guidance and tips on how you can tie your initiatives (including purchase of new software tools and hiring specialists) back to risk mitigation and business value creation so it becomes easy for your executives to say yes.

The Key Steps to Getting to Yes

By learning from the behaviors of Hyperproof’s best customers – seasoned compliance leaders at mid-size and enterprise organizations in a number of industries – we’ve identified five best-practice activities that compliance and security professionals can use to get what they need.

  1. Understand the procurement process within your organization.
  2. Identify the key decision-makers and the messages they’ll need to hear to seriously consider your proposal.
  3. Identify your internal allies to expand the scope of the problem you’re addressing and galvanize action.
  4. Think through the implementation plan so you can talk to your execs about time-to-value.
  5. Treat your sales rep as a collaborator and tell them what they can do to help you navigate through the procurement process and make you look like a hero.

1. Understand your organization’s procurement process

Ideally, you want to gain an understanding of your organization’s procurement process before you talk to any vendors. This way, when you do finally select a vendor, you can coach the sales rep there on how to best work with you to get through the procurement process smoothly.

Start by asking your direct manager, your CFO, or another tenured colleague you trust the following questions:

  • Is there already a budget allocated for purchasing the category of software solution you’re looking for?
  • If so, how much is that budget?
  • If there is not an existing budget, what needs to happen, and whom do you need to talk to, to make sure this type of software is up for consideration and the budget can be secured?
  • Are there other departments/groups that will benefit from the use of this solution? If so, can they be engaged to provide support for the solution?

Exactly whom you ask these questions depends on your organizational culture.

According to Aaron Poulsen, Hyperproof’s former Senior Director of Security, Risk and Compliance, “It’s more likely than not that your organization does not have an existing budget dedicated to a GRC or a compliance management tool. That budget will need to be created somehow.”

Many organizations design their tools budget based on departmental-level needs (e.g., there are budgets for individual departments like sales, IT, etc.). However, because managing risks and keeping up with compliance requirements are inherently cross-functional endeavors – and what happens within the risk and compliance management groups is often not well-understood by outsiders – most organizations have not created budgets that factor in the purchase of new tools to be used specifically for risk and compliance management.

To get the budget you need to purchase tools that can help you improve the productivity of risk and compliance management workflows, you’ll likely need to move outside of the “normal” documented process and go up the chain of command to senior leadership who have the authority to approve new purchases outside of the normal budgeting cycle. Depending on how your organization is structured, these might include such roles as:

  • Chief Information Officer – Benefit: Less demand on the IT team to respond reactively to audit requests throughout the year
  • Head of Sales – Benefit: Quicker response to customer requests for compliance information should decrease sales cycle time and improve competitiveness
  • Chief Financial Officer – Benefit: Stronger internal control environment by enabling the right people across the organization to work on controls
  • Chief Compliance Officer – Benefit: Greater confidence in the compliance posture of the organization
  • General Counsel – Benefit: Easier to demonstrate to outside stakeholders that the organization is taking due care in meeting its obligations

2. Frame your message for executive decision-makers

Once you’ve identified the person (or people) who can approve the budget for the resources you need, it’s time to frame your request in a way that will compel them to act. The best way to do that is to align your message with the executive’s key interests and priorities and understand their primary concerns.

Given the extensive media coverage on cyber attacks today, almost all executives are aware that a cyber attack could happen to their company. They’re interested in knowing how well your organization is currently doing in mitigating the cyber risk scenarios that are likely to happen in organizations like yours (and those threat events that are less likely to happen but can cause a lot of damage if they do materialize). Your executives also want to make sure that your organization will be able to pass upcoming audits – so business with important customers doesn’t become jeopardized by a perception of a poor security/compliance posture.

Last but not least, your executives will be concerned about costs and operational efficiency. They understand that they have to invest in compliance to an extent. But, since managing risks and staying compliant isn’t a revenue-generating function, they’re hoping to not spend any more than they have to in this realm (and that costs and headcount won’t rise too much even as the compliance team deals with an increasing number of regulations and demanding customers).

As such, you’ll want to tie your budget request back to your security and compliance capabilities and your ability to deliver business value. If your current capabilities do not allow you to adequately identify and/or address the risks arising from operations, or do not allow you to maintain the level of vigilance over your controls that’s expected from your auditors, that introduces too much risk to your organization’s ability to perform its mission and meet key objectives. This may not be the message your executives want to hear, but it’s the one that will push them into action.

To form an argument that ties having a software tool to business value, you may cite one or more of the following issues that many organizations are grappling with today:

  • Being responsive to customers’ security/privacy questions and their need for assurance
  • Reinforcing privacy; ensuring that the organization is living up to its privacy values and principles and meeting its obligations
  • Coping with COVID-19 and the security risks that haven’t been fully addressed (e.g., ensuring that a fully remote or a hybrid work environment is functioning effectively while securing platforms and delivery systems)
  • Dealing with an increasing number of regulatory, industry, and customer requirements; ensuring the organization can keep up and isn’t taking on too much liability as the scope of its business expands
  • Figuring out how to minimize the impact of compromised cybersecurity should an organization fall victim to ransomware or other form of cyber attack

Security and privacy-based arguments

When compliance teams are chronically under-resourced and overworked – and use ad-hoc tools at their disposal to try to keep up with their legal, industry, and customers’ security and privacy requirements – they’re likely to run into operational security and legal concerns. Some examples of problems include:

  • Imprecise understanding of vendor risk
  • Inability to see the full picture of all controls that exist in an organization and their implementation/operational status
  • Not having time to look for threats that may already be present in the organization’s systems
  • Not having the time to thoroughly test and validate the effectiveness of critical controls due to the fact that most of a compliance team’s time is going towards audit prep tasks
  • Forgetting that a requirement has to be met because someone did not record it in the shared spreadsheet
  • Increasing the liability the organization faces because an executive unintentionally made a false compliance representation
  • Failing an audit because the organization wasn’t able to provide the auditor with sufficient evidence to conclude that key control activities had been conducted on a timely basis
  • Increased risk of employees ignoring security protocols due to burnout and apathy

Example

Someone signed off on a customer contract attesting that your organization complies with a list of regulations. Prior to signing off, individuals who have the most knowledge about the matter were consulted and said, “Yes, we’re fine,” but no one expended the extra effort to review official control language or the evidence showing that such a process was truly operational since the documentation is too difficult to track down.

All of these risks can be significantly reduced when an organization has an effective software platform that gives them visibility into all their risks, helps them track all compliance obligations and customer security requirements in an organized fashion, and allows them to manage and monitor critical controls on a continuous basis.

Opportunity-based arguments

On the positive side, there are solid arguments you can make focusing on the gains and opportunities for improvement that can be realized by implementing risk and compliance software. These arguments include operational efficiency gains, boosted productivity, better morale among those responsible for security and compliance, being more prepared for audits, and helping employees gain greater security awareness.

When used in the right way, risk and compliance software can help:

  • Reduce audit fatigue. For many large organizations, audits are happening multiple times a year – often enough that business unit stakeholders are frustrated that so much of their precious time at work is going towards supporting compliance instead of their core responsibilities. When you have a central place to organize all of your audit requests, controls, and evidence and the ability to reuse that evidence, the compliance team will not need to start from scratch every time an audit is scheduled. When a compliance team can easily access and reference evidence they previously collected when making requests of business unit stakeholders, business unit stakeholders can respond much faster and more accurately.
  • Improve security awareness. With software, a compliance manager can add many users to the system and assign risks and controls to various individuals and/or teams to manage. Control management tasks can be clearly defined and sent out automatically to these control operators, and information about what constitutes valid “evidence” of controls’ performance can be included too – so stakeholders know what they need to do to demonstrate compliance.
  • Improve operational efficiency. Not only is it efficient to define such a standardized control management process as just mentioned, but more importantly, it distributes the responsibility for security and compliance to individuals on the front lines of operations. Controls can be automatically monitored via a combination of automation features (e.g., evidence collection and testing), notifications, tasks, and dashboards. This way, compliance and internal audit professionals get the transparency they need to monitor the compliance program without manually checking everything themselves. They can spend their time on higher-value tasks.
  • Be prepared to pass an audit at any time. When a company doesn’t have an organized system or repeatable process in place to gather evidence and validate controls’ effectiveness, not only do they run the risk of failing an audit, but preparing for an audit becomes an anxiety-filled affair. With risk and compliance software, compliance professionals can automate the collection of evidence altogether and set automatic reminders for control owners to provide fresh evidence. Once a type of evidence is linked to the relevant controls, any subsequent evidence generated is automatically tied to those controls. This makes it quick and easy for evidence to be found and submitted to an auditor – so an organization is ready for an audit on the spot.
  • Reduce risks and remediation costs. With software, an organization is able to continuously monitor its critical risks in real time. For instance, in Hyperproof, risks in a risk register can be linked to controls. The software automatically calculates the current risk level of each risk item based on the statuses of the controls linked to that risk. If a risk has exceeded its designated tolerance level because an underlying control process has failed, decision-makers can see that data immediately on a dashboard or receive a notification via email that there’s something they need to review. As such, the organization may be able to address a security problem before it becomes more expensive to fix.

3. Identify your internal allies

When you’re asking for budget approval on software that costs five or six figures, it is important to have allies on your side. This way, executives can see that although there is an upfront cost associated with the purchase, the problems you’re tackling with this software solution aren’t niche, and that they are actually an enterprise-wide concern felt by multiple teams.

When it comes to risk and compliance software, there are multiple groups of stakeholders who can benefit from it. Here are the main ones to consider:

  • Key control operators: If you’re always asking certain product managers, system admins, and engineers to support you and provide information for various audits, they (and their bosses) may be quite pleased to hear that you’re planning to implement software that cuts down the number of requests coming from you and the work their teams have to do. You may want to ask the most senior person on those teams to help you champion your cause.
  • Risk management/legal team members: If you’re on the compliance team and you have a separate risk management team, they may be quite interested in having better software for tracking, reporting and monitoring enterprise risks than the one they use today. They know that not having enough visibility into the risks is a risk in and of itself.
  • Internal audit team members: If you’re on the compliance team and your organization has a separate internal audit function, these colleagues may want a better solution for conducting internal audits, including tracking all working papers in one place, communicating with control operators, collecting evidence, and sharing their findings. It’s worth finding out how they’re currently running internal audits and if there’s desire for better processes and tools.
  • Compliance teams for other product lines, compliance standards, or geographical regions: If your organization has multiple compliance teams – each responsible for a specific scope of work – it’s worthwhile talking to those teams about having everyone using the same best-in-class software.

Once you’ve identified your allies, work with them to determine how to best influence the final decision-maker.

4. Understand the implementation plan and timeline so you can talk to your execs about time-to-value

At this point, you’ve nailed your talking points about the severity and scope of the problem you’re trying to address. You have a strategic framework for talking about your proposed solution, and you’ve got some supporters and champions lined up.

The next key piece is to put some details around the level of impact you’d expect to achieve with your proposed solution. It is especially powerful if you can talk to the key decision-maker about time-to-value.

Start with the end goal in mind: What outcomes are you looking to achieve by executing on this initiative? Then, define the key milestones along the way.

Some potential milestones may include:
  1. Putting all of your existing controls into the new software and mapping them to the legal, industry, and customer requirements you have to meet. By completing this work, you’ve immediately improved the visibility you have over your current compliance posture.
  2. Putting your risks (currently in spreadsheets) into a central risk register. By completing this work, you’ve immediately implemented a more organized, central system to track risks and quantify them.
  3. Identifying critical controls for your organization and tying them to the risks in the risk register. By completing this work, you’ve set up the foundation for a dynamic risk monitoring application.
  4. Setting up standardized procedures for managing the common controls that are audited by multiple auditors and letting software handle the evidence collection, testing and notifications workflows.
  5. Completing an audit via the software, instead of via email and other ad-hoc tools. When you use software instead of ad-hoc tools to execute your audit process (including collaborating with your external auditor), the auditor is more likely to have the information they need.
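As an added illustration (not Hyperproof’s code or data model) of the risk-monitoring mechanism described under “Reduce risks and remediation costs” and of milestones 1 through 3 above, the following Python models a small constructed register in which controls map to requirements and risks link to controls, recomputes each risk’s residual level from control statuses, and reports anything over tolerance. The residual-risk formula and all sample names, statuses, and requirement identifiers are assumptions made for the example.

```python
import math
from dataclasses import dataclass


# Constructed sample model; assumption: this is not Hyperproof's actual schema.
@dataclass
class Control:
    id: str
    name: str
    status: str            # "passing", "failing" or "untested"
    requirements: tuple    # framework clauses this control is mapped to


@dataclass
class Risk:
    id: str
    name: str
    inherent: int          # 1 (low) .. 5 (critical), before any controls
    tolerance: int         # highest residual level leadership will accept
    control_ids: tuple     # controls linked to this risk (milestone 3)


# Constructed sample register; names, statuses and clause ids are illustrative.
CONTROLS = {c.id: c for c in [
    Control("C1", "MFA on all admin accounts", "passing", ("SOC2 CC6.1",)),
    Control("C2", "Quarterly backup restore test", "failing", ("SOC2 A1.2",)),
    Control("C3", "Annual vendor security review", "untested", ("SOC2 CC9.2",)),
    Control("C4", "Encrypted off-site backups", "passing", ("SOC2 A1.2",)),
]}
RISKS = [
    Risk("R1", "Unauthorized access to production", 4, 2, ("C1",)),
    Risk("R2", "Data loss after ransomware", 5, 2, ("C2", "C4")),
    Risk("R3", "Breach via third-party vendor", 3, 3, ("C3",)),
]
REQUIRED = ("SOC2 CC6.1", "SOC2 A1.2", "SOC2 CC9.2", "SOC2 CC7.2")


def residual_level(risk, controls):
    """Recompute a risk's current level from the statuses of its linked controls.
    Assumption: only a 'passing' control provides assurance; 'failing' and
    'untested' both count as giving none, so the level is the inherent level
    scaled by the share of non-passing controls, rounded up, never below 1."""
    linked = [controls[cid] for cid in risk.control_ids]
    if not linked:
        return risk.inherent
    passing = sum(1 for c in linked if c.status == "passing")
    return max(1, math.ceil(risk.inherent * (1 - passing / len(linked))))


def risks_over_tolerance(risks, controls):
    """Return (risk id, residual level, non-passing control ids) for each risk
    whose residual level exceeds its tolerance: the dashboard/notification
    trigger described in the text."""
    alerts = []
    for risk in risks:
        level = residual_level(risk, controls)
        if level > risk.tolerance:
            weak = [cid for cid in risk.control_ids
                    if controls[cid].status != "passing"]
            alerts.append((risk.id, level, weak))
    return alerts


def unmapped_requirements(required, controls):
    """Requirements with no control mapped to them: the visibility gap that
    milestone 1 (mapping controls to requirements) is meant to expose."""
    covered = {req for c in controls.values() for req in c.requirements}
    return [req for req in required if req not in covered]


if __name__ == "__main__":
    for risk_id, level, weak in risks_over_tolerance(RISKS, CONTROLS):
        print(f"{risk_id}: residual level {level} exceeds tolerance; review {weak}")
    print("requirements with no mapped control:", unmapped_requirements(REQUIRED, CONTROLS))
```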

Next, determine the following: With this software and the training/support you’ll get from the vendor company, how long will it take you to achieve the first, second, and third major milestones you’ve set for your initiative?

To ensure your initiative yields results quickly – and avoid negative surprises down the road – it’s important to understand how intuitive and self-service (vs. technical) it would be to get started with the software product, including how much or little training your employees would require to effectively use the software. You’ll also want to understand what type of implementation and ongoing support you’ll receive from the vendor company.

By confirming the timeline needed to achieve key milestones early in your software evaluation process, you’ll be able to present a reasonably accurate forecast of time-to-value for the software, which will help you win the executive support you need to make the purchase.

5. Treat your sales rep as a collaborator and allow them to help you

A great sales rep is someone who is honest about what their product can and cannot do. They should work collaboratively with you throughout the sales process. They should deeply understand what you, your team, and your organization as a whole are looking to accomplish with their product. They can help you orchestrate the meetings that need to happen in order to win over internal stakeholders and key decision-makers. A great sales rep can also bring their executives, product managers, and/or other specialists into key meetings so that questions and concerns coming from your organization (e.g., security, procurement, executive leadership) can be satisfactorily addressed.

If you’ve done your own due diligence on the software and feel quite positive about it, it is time to be candid with your sales rep. Brief them on your procurement process, who the decision-makers and influencers are on your side, their concerns, and the questions they’re likely to raise so your sales rep and the team supporting them vendor-side can do their part to support you and make you look like a hero in the meetings.

What if I also need to hire a compliance specialist?

Depending on the scope of the compliance and security assurance work your team has to do, getting a tool may not fully solve your problem. You may also need to hire a compliance operations manager/specialist – someone who can effectively implement and manage the tool.

How do you make this headcount request seem logical and reasonable?

“The compliance team is anticipating more work coming soon and we need to be able to scale. Let’s get the compliance operations person in sooner than later, because we want to be sure we’re running an efficient operation before we start to onboard more programs and more requirements. We don’t want to push this problem down the road. It’s important to be aware that the tool we’ll be getting is an enterprise-level tool that will be used by many people across the organization. We want at least one person (ideally more than one) who is available to answer questions about the tool, ensure that the tool is running efficiently, and we’re taking advantage of its capabilities to the fullest.”

Aaron Poulsen

Sr. Director of Security, Risk and Compliance // Hyperproof
