Getting management buy-in
You can't be an effective Security Champion without management support. That means dedicated time, authority to create tickets, access to systems, and recognition that this work matters.
Getting that support requires speaking a language most technical people aren't comfortable with: the language of business risk, money, and competitive advantage.
This chapter teaches you how to make the case.
Why technical arguments don't work
When engineers talk to leadership about security, conversations usually go like this:
"We should implement MFA because it's a security best practice."
The CEO nods. Nothing happens.
"Our dependencies have known CVEs. We should update them."
The CTO says "add it to the backlog." It sits there for six months.
"We need to do access reviews. It's basic hygiene."
Everyone agrees. Nobody schedules it.
The problem isn't that leadership doesn't care. It's that "best practice" and "hygiene" don't connect to anything they're measured on. Revenue, customer retention, deal velocity, operational costs — these are the metrics that drive decisions.
If you want security to get resources, you have to connect it to those metrics.
The three arguments that work
After watching Champions succeed and fail at getting buy-in, I've seen three arguments that actually move leadership.
Argument 1: We're losing deals
This is the strongest argument for B2B companies.
Enterprise customers send security questionnaires. If you can't answer them convincingly, you lose the deal. Sometimes you don't even know you lost it — the prospect just goes quiet.
Here's how to make this argument:
"Last quarter, we got three security questionnaires from prospects. We couldn't answer basic questions: Do you have MFA? Do you do access reviews? Do you have an incident response plan? We don't know how many deals we've lost because of this, but I know we failed at least one questionnaire completely."
"A Security Champion can fix this. In one month, I can implement MFA, document our access review process, and write an incident response plan. Then we can answer these questionnaires honestly."
This works because it connects directly to revenue. Security isn't a cost — it's a sales enabler.
Argument 2: An incident will cost more than prevention
This argument works when you can point to concrete risks.
"Right now, we have AWS credentials in three repositories. If any of those leak, we're looking at crypto mining charges — I've seen companies get $10k bills overnight. Or worse, data access."
"A Security Champion can scan all our repos for secrets and add a check that blocks new ones from being committed, so this can't happen again. That's a few hours of work versus potentially tens of thousands of dollars in damage."
The key is specificity. Don't say "we have security risks." Say "we have AWS keys in public repos, and here's what happens when those leak."
Argument 3: It costs almost nothing
Leadership worries that security means expensive tools and dedicated headcount. Your job is to show that the Champion model is different.
"I'm not asking for budget. I'm not asking you to hire anyone. I'm asking for four hours of my time per week and permission to prioritize security tasks."
"In exchange, we get MFA everywhere, secrets out of repos, access reviews every quarter, and someone who can answer security questions when clients ask."
When the cost is almost zero and the benefit is concrete, the decision gets easier.
Understanding what leadership actually worries about
Before you present, understand what's on their mind.
CEOs worry about:
- Revenue and growth
- Customer churn
- Reputation
- Investor/board expectations
- Competitive positioning
CTOs worry about:
- Shipping velocity
- Technical debt
- Team productivity
- System reliability
- Hiring and retention
CFOs worry about:
- Cost control
- Predictable expenses
- Audit findings
- Insurance premiums
Your Security Champion pitch needs to connect to these concerns. "Best practice" connects to none of them. "We can win bigger deals" connects to what the CEO cares about. "This won't slow down shipping" addresses the CTO's fear. "No new budget required" makes the CFO relax.
Building your one-pager
Before any meeting, write a one-page summary. This forces clarity and gives leadership something to reference later.
Structure:
Problem (2-3 sentences)
What's the current state? Be specific about gaps, not abstract about risks.
Example: "We have no systematic security practices. MFA is optional. Former employees retain access. No one reviews dependencies for vulnerabilities. We can't answer basic security questionnaires from clients."
Risk (2-3 sentences)
What could go wrong? Use concrete scenarios, not fear-mongering.
Example: "A credential leak could result in significant cloud bills and potential data exposure. A ransomware incident could halt development for days. We're declining to pursue enterprise deals because we can't pass security reviews."
Proposal (2-3 sentences)
What are you asking for? Be specific.
Example: "I propose acting as Security Champion with 4 hours/week dedicated to security work. I'll implement MFA, clean up access, set up secret scanning, and create basic documentation. No additional budget required."
Expected outcomes (bullet points)
What will be different in 3 months?
- MFA enabled for all critical services
- Quarterly access reviews running
- Secrets removed from repositories
- Able to answer standard security questionnaires
- Basic incident response process documented
What I need
- 4 hours/week of protected time
- Authority to create security-related tickets
- Admin access for audit purposes
- Quarterly check-in with leadership on progress
Keep it to one page. If you can't explain it in one page, you don't understand it well enough.
The 5-minute conversation
Sometimes you don't get a meeting. You get five minutes after standup or a Slack thread that leadership might read.
Here's the short version:
"I want to take on security as a side responsibility — about 4 hours a week. No budget needed. I'll implement MFA, clean up access, and make sure we can answer client security questions. Can we try this for a quarter and see how it goes?"
That's it. You're asking for permission to help, not asking for resources. Most leaders will say yes to that.
If they push back, you have two responses:
"What's the concern?" — Sometimes they have a real objection you can address.
"Can we try it for one month?" — Lower the commitment. One month is easy to say yes to.
Handling objections
Here are objections you'll hear and how to respond.
"We don't have time for this."
"I understand the team is stretched. That's why I'm proposing to take this on myself with just 4 hours a week. I'll handle it without pulling others away from their work. And honestly, the time we'll save by not dealing with security incidents is worth more than 4 hours."
"We'll hire a security person eventually."
"That makes sense for the long term. But hiring takes time, and even when we do hire, they'll need someone who understands our systems. The work I do now builds the foundation they'll inherit. And it addresses immediate risks while we figure out the hiring timeline."
"We haven't had any security incidents."
"That's good, but it's partly luck. We have credentials in repos that anyone could find. We have ex-employees with production access. These aren't theoretical risks — they're things that cause incidents at companies like ours every week. A Champion role is about fixing these before they become incidents."
"Our customers aren't asking for this."
"Some are. We've had three security questionnaires in the last quarter. But even for customers who don't ask, security is becoming table stakes. Our competitors are investing here. If we don't, we'll start losing deals to companies that can answer security questions confidently."
"What if you leave?"
"Fair question. Everything I do will be documented. The processes I set up will run without me — like quarterly access reviews or automated scanning. And if the company decides to hire a security person later, they'll have a head start because the basics are already in place."
The deck (if you need one)
Sometimes leadership wants a presentation. Here's a structure that works:
Slide 1: The problem
- 2-3 specific gaps (no MFA, credentials in code, no access reviews)
- One sentence on why this matters now
Slide 2: The risk
- What happens if we don't act
- One concrete example (a similar company, a close call we had)
Slide 3: The proposal
- Security Champion role: what it is
- What I'll do in the first quarter
- What I'm asking for (time, access, authority)
Slide 4: Expected outcomes
- 3-5 concrete deliverables
- How we'll measure success
Slide 5: Timeline
- Month 1: [specific goals]
- Month 2: [specific goals]
- Month 3: [specific goals]
Slide 6: The ask
- Summary of what you need
- Next step (approval to start)
Keep it under 10 minutes. Leadership attention is short. If they want more detail, they'll ask.
After you get the yes
Buy-in isn't a one-time event. You need to maintain it.
Week 1: Quick win
Do something visible in the first week. Enable MFA for leadership accounts. Remove one ex-employee's access. Find one secret in a repo. Send a short update: "Here's what I found and fixed in week one."
This builds credibility. It shows you're serious and capable.
Monthly: Progress update
Send a brief monthly update. Three sections:
- What I did
- What I found (risks, gaps)
- What I need help with
Keep it short. Leadership doesn't want to read a report. They want to know things are moving.
Quarterly: Review meeting
Every quarter, schedule 30 minutes with whoever approved the program. Review what you accomplished, what you learned, and what's next.
This is also when you renegotiate scope if needed. "I've done the basics. Here's what I'd like to tackle next quarter. I might need a bit more time or access."
When buy-in fails
Sometimes leadership says no. Or says yes but doesn't follow through.
If they say no outright:
- Ask what would change their mind
- Propose a smaller pilot ("Can I just spend 2 hours on this for a month?")
- Wait for an external trigger (a security questionnaire, a close call, a competitor getting breached) and bring it up again
If they say yes but don't give you time:
- Start doing it anyway at a minimal level
- Document what you're doing and what's blocked
- When something goes wrong (an incident, a failed questionnaire), you have evidence that you tried to prevent it
Sometimes the right answer is to leave. If a company won't invest any attention in security, they're taking on risk that will eventually catch up with them. You don't have to be there when it does.
Workshop: build your pitch
Take 30 minutes to prepare your own buy-in materials.
Step 1: List three specific gaps (5 minutes)
What security problems can you point to in your company right now?
Not "we have bad security" — specific things like "MFA is optional," "we don't remove access when people leave," "there are AWS keys in our main repo."
Step 2: Connect each gap to a business risk (5 minutes)
For each gap, what's the business consequence?
- Lost deal opportunity
- Potential financial loss
- Operational disruption
- Reputation damage
Step 3: Write your one-pager (15 minutes)
Use the structure from earlier in this chapter:
- Problem (2-3 sentences)
- Risk (2-3 sentences)
- Proposal (2-3 sentences)
- Expected outcomes (bullets)
- What you need
Step 4: Practice the 5-minute version (5 minutes)
Condense your pitch to something you can say in a hallway conversation. Practice it out loud. Time it.
Deliverable: A one-page pitch document and a 5-minute verbal version, ready to use.
Conclusion
Getting buy-in is a skill, and it's one most engineers never learn. But it's essential for the Champion role.
The key insight: leadership doesn't care about security for its own sake. They care about revenue, costs, and risk. Your job is to translate security work into those terms.
Do that well, and you'll get the time, access, and authority you need. Do it poorly, and you'll be doing security work on your own time with no support — which isn't sustainable.
This completes the first section of the course. You now understand what a Security Champion is, what the role involves day-to-day, how it helps your career, and how to get leadership support.
Next: the practical work — quick wins that prove your value and build momentum.