I was at BSides Luxembourg recently and attended a workshop called Zero to Trusted Adviser: Selling Security to the Business. Four hours. And honestly more useful than most certification prep I have done — not because it covered threats or frameworks, but because it tackled the one thing nobody actually trains you for in this industry.

How do you get people to act?

You can know everything. You can have the certs, the data, the risk assessments, the audit findings. You can walk into a boardroom knowing exactly what needs to happen and walk out with nothing — no budget, no decision, no urgency. Not because you were wrong. Because you spoke the wrong language to the wrong people in the wrong way. That is what this workshop fixed.

Know Who Is Actually Sitting Across From You

Before you pitch anything, you need to know who you are pitching to. Not their job title — what they actually care about, how much influence they hold, and how much they currently care about security.

High Influence · High Interest: Champions
CISO, CIO, Risk Manager, Board Risk Subcommittee
They get it. Engage closely. Use them as internal allies.

High Influence · Low Interest: Sponsors ← Focus here
CFO, COO, General Counsel
Control budget. Not hostile — focused elsewhere. Your job: make it relevant to what they already care about.

Low Influence · High Interest: Advocates
Developers, IT helpdesk, HR, end users
Care deeply but cannot unlock anything. Keep informed. Use for ground-level momentum.

Low Influence · Low Interest: Passive Stakeholders
Admin, junior staff, facilities
Monitor only.

The five-step process: identify your stakeholders, rate their influence and interest, map them, build specific influence strategies, and identify what personally drives each one. That last step is what most people skip. And it is the only one that actually matters.

The Psychology in the Room Is Working Against You

The people you are trying to convince are not irrational. They are human. And they are operating through biases that will quietly kill every pitch you make.

Anchoring Bias: Stuck on the first number or story they heard. A past expensive security failure sits in the room with you whether you know it or not.

Availability Heuristic: People believe what is most recent and visible. No recent incident means the threat does not feel real, regardless of the data.

Optimism Bias: "We are fine, we are not a target, nothing will happen to us." Not arrogance — just wiring.

Status Quo Bias: "Why change what is working?" The silent killer of security programmes. Not active resistance — comfortable inertia.

Loss Aversion: People are more driven by avoiding loss than gaining something. Frame accordingly.

Affect Heuristic: Emotional reactions running ahead of analysis. A bad experience with a previous vendor will colour every security conversation a leader has.

The answer is not more data.

Speak in dollars and cents. Not CVE scores, not risk matrices, not breach statistics. What does this cost us if it goes wrong? What is the daily cost of being down? Speak in the currency they already think in.

The Art of Making It Their Problem

The pitching framework was three things: problem, solution, benefit. Simple — but the execution is everything.

The problem has to belong to everyone in the room, not just you. The moment it sounds like a security department issue that needs a security department budget, everyone else mentally hands it back to you. A data breach is not a CISO failure. It is a business failure. A regulatory fine does not land on the security team. It lands on the company.

Then come with a solution — a real one, a clear one, with a specific ask. Be the person who walks in with the answer, not just the question. Then make the business value explicit. Tie it to something they already care about — revenue, compliance, operations, customer trust. A well-designed single slide will land harder in a boardroom than forty pages of threat intelligence every time.

When They Push Back — And They Will

The surface objection is almost never the real one. Someone saying "we do not have budget right now" might actually be saying "I do not trust that this will deliver." Respond to the real thing, not the surface thing.

Leave FUD at the door entirely.

Fear, uncertainty and doubt might create a reaction in the room but it does not create trust. It is essentially threatening people into action and it will work exactly once before they stop inviting you to meetings.

The Terms I Am Taking Away

Squeaky Wheels: The people who push back are not always the problem. Sometimes they are your best brainstorming partners.

Shiny Objects: Vendors will always bring something new and exciting. Some of it matters. A lot of it just shines.

Executive Cartoons: Simple graphs that deliver the message in minimum time with maximum impact. One picture, one point.

Butt Sandwich: Have your if and else prepared before you walk in. You cannot be caught off guard by your own proposal.

Clear Call to Action: If you leave the room without a specific next step, you left with nothing. Always know what you are asking for.

So What: Someone will always say it. Have your answer ready and glide through it.

We spend years learning how to protect systems. We should probably spend more time learning how to persuade the people who fund them.