Getting Business Buy-in for Security Projects is Difficult

Most CISOs know how challenging it is to convince the business to implement new security projects. Creating an ROI analysis for IT projects is possible, but how do you create and justify ROI for a security initiative? It is not impossible, but it is definitely more difficult.

Some of the companies we know and work with are stuck there: they want to implement a Data Leakage Program, but business buy-in is a challenge. So what do you do?

It is Better to Show than to Tell

What do you do when change is hard? This tip is from the book “Switch: How to Change Things When Change Is Hard” by Chip Heath and Dan Heath. As they say, “Knowing something isn’t enough to cause change.”

Telling is not enough; you have to show. Showing or demonstrating the problem of data leakage is a far better approach than talking about it. When you enable the business to participate in the decision-making process, they are more apt to accept the outcome.

Get a Data Leakage Risk Assessment Done!

A Data Leakage Risk Assessment (DLRA) will help you understand the data leakage issues in your organization. Once you have proof or evidence that there is a business risk, you are more likely to get buy-in. To know more about Data Leakage Risk Assessment, email me at


Jayesh Kamath
Practice Head – IRAS, Aujas