How to Get Buy-In for Your Cloud Security Strategy

“All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.” – Sun Tzu

Ah, team buy-in. It’s often one of the toughest processes to go through! Getting the green light on a new cloud security strategy (including the workflows, tools, and processes that go along with it) can require several layers of definition and validation, and oftentimes security teams are just too busy to fight the battle and see it through to the end. When it comes to implementing better cloud security practices, however, there is a real risk in delaying — or worse — giving up on your strategy because of a difficult approval process.

A point to remember: To get control of cloud security in your organization, you need to put an encompassing strategy in place to balance the interests of security, development, and operations — and to seamlessly manage day-to-day tactics. To successfully define, implement, and govern this strategy, you need buy-in from the right people — the people who understand the key issues and have the authority, ability, and desire to provide their support throughout the process.

As part of Threat Stack’s Cloud Security Playbook, we introduced a straightforward framework to help you obtain buy-in on your cloud security strategy. It’s designed to be both efficient (saving you time) and effective (with as few painful, unproductive meetings as possible), and to result in meaningful support from the right people.

Using the framework, your task comes down to identifying the right stakeholders and then asking them to endorse the proposed strategy by describing how it will further the organization’s business goals, protect infrastructure and data, integrate technically and operationally, enable the company to meet compliance requirements, etc.

So with no more ado, here is an overview of the approach developed to help you attract stakeholder commitment to your cloud security strategy:

1. Define the Stakeholders

One of the quickest ways you can paint yourself into a corner is by reaching out to the wrong people. Frantically emailing anyone and everyone who will support your strategy just won’t work, and, in fact, it might even damage your efforts by inviting too many cooks, or the wrong cooks, into the kitchen.

Instead, strategically assess the situation by getting clear about who is involved in your organization’s cloud security decisions today and who needs to be involved in the future. Start by noting who they are, what their roles are in the security roadmap, and what tasks they own. The Stakeholder Matrix below, taken directly from our Cloud Security Playbook, can help you identify the stakeholders usually involved in implementing a cloud security strategy. Taking this matrix into account as you develop your cloud security strategy will help you as you go about seeking approval, building a strategy, selecting the right cloud security solution, and defining operational processes.

The Stakeholder Matrix

For each stakeholder: Who* (title), Focus, Role, Goals, Challenges, and What** (what they want in a cloud security solution).

Executive
  Who (at my organization, this is): CEO, Owner, Founder, President, Principal
  Focus: Making sure the team meets its business goals (e.g., entering a new market where privacy is a big deal)
  Role: Line of business owner; executive level
  Goals: Protect company reputation by minimizing security threats; financial stability and success; security coverage (check the box, don’t get breached)
  Challenges: Ensuring customer and end-user trust (minimizing vulnerability); driving business results
  What: Fills an immediate need; short time to value; clear benefits

Technology Leader
  Who (at my organization, this is): CTO, Technology Director, VP of Engineering
  Focus: Managing technology resources to meet company goals
  Role: Developing and delivering a technology roadmap that helps the business accomplish its goals
  Goals: Control costs, improve performance, protect investments, meet compliance
  Challenges: Keeping a finger on the pulse of technology, prioritizing projects and resources, meeting aggressive deadlines and objectives, putting out fires
  What: Visibility into what the security side of the house is doing; reasonable costs (set-up, maintenance, labor, etc.); good value

Security Leader
  Who (at my organization, this is): CSO, Security Engineer, InfoSec, Incident Response, Compliance
  Focus: Managing technology resources to meet company goals
  Role: Developing and delivering a security roadmap that helps the business secure its data and that of its customers/users
  Goals: Control costs, improve performance, protect investments, meet compliance
  Challenges: Keeping a finger on the pulse of technology, prioritizing projects and resources, meeting aggressive deadlines and objectives, putting out fires
  What: Quick to get up and running; security team doesn’t mind using it; doesn’t affect productivity; good value

Engineer
  Who (at my organization, this is): DevOps, SecDevOps, Operations, Developer, Sysadmin
  Focus: Delivering speed and efficiency to delight customers
  Role: Operationalizing security, exploring AWS capabilities
  Goals: Real life/real day functionality: need to be efficient; keep systems up to date and working while scaling and growing in complexity; delighting customers; streamlining operations; continuous integration; enabling fast feedback
  Challenges: Engineering resources, manpower hours
  What: Efficient; scalable; streamlined; doesn’t slow down release cycles or hamper productivity

*Who: The exact title will depend on your organization.

**What: What they want in a cloud security solution.

2. Move Step-by-Step

Often there is significant confusion around who owns what part of the security process, and roles can differ company-to-company according to size and organizational structure. That’s why you will want to spend time figuring out exactly whose buy-in you need at each step of the way. It may be the CSO who needs to approve the budget, for example, the CTO who needs to approve the implementation roadmap, and a specific engineer who can confirm the technical requirements.

By understanding early on which areas each stakeholder is responsible for, you can involve them at the right times and in the right order. This will have a strong impact on moving the process along as seamlessly as possible.

3. Identify Goals and Challenges

Once you know who the main stakeholders are and at what stage they come into the picture, begin mapping your strategy to their goals and challenges by answering questions that include the following:

  • Will the new strategy be scalable as we grow?
  • Will it be cost effective?
  • Will it help us meet our security, operations, and business goals?
  • Will it help us meet compliance mandates?

The more you can tailor your strategy to fit current and future needs, the more likely you are to have your plan endorsed. Let’s say, for example, that your compliance manager is in the midst of preparing for a SOC 2 audit. If you explain how your proposed strategy can help streamline their efforts, meet compliance regulations, and so on, it becomes easier for them to visualize how the strategy would benefit them day-to-day and over the long term. Generally speaking, approaching stakeholders with a well laid-out plan that makes their jobs easier and more productive will go a long way toward getting their commitment early on.

A Final Word

Stakeholder buy-in is a foundational part of your cloud security strategy. Don’t start building without it. The more clarity you have about who your stakeholders are and what they care about, the more likely it is that you will secure their initial buy-in as well as their ongoing commitment to supporting your security strategy once it’s in operation.

For more information on stakeholder buy-in and to see where this fits within the overall approach to developing and implementing an effective cloud security strategy, be sure to download our free playbook.