How to Get Buy-In for Your Cloud Security Strategy

DZone 's Guide to

How to Get Buy-In for Your Cloud Security Strategy

Want to secure your cloud footprint? You need buy-in first. Learn how to get it, and get your cloud security strategy moving.

· Cloud Zone ·
Free Resource

Ah, team buy-in. It’s often one of the toughest processes to go through! Getting the green light on a new cloud security strategy (including the workflows, tools, and processes that go along with it) can require several layers of definition and validation, and often times, security teams are just too busy to fight the battle and see it through to the end. When it comes to implementing better cloud security practices, however, there is a real risk to delaying—or worse—giving up on your strategy because of a difficult approval process.

A point to remember: To get control of cloud security in your organization, you need to put an encompassing strategy in place to balance the interests of security, development, and operations—and to seamlessly manage day-to-day tactics. To successfully define, implement, and govern this strategy, you need buy-in from the right people—the people who understand the key issues and have the authority, ability, and desire to provide their support throughout the process.

Using the framework, your task comes down to identifying the right stakeholders and then asking them to endorse the proposed strategy by describing how it will further the organization’s business goals, protect infrastructure and data, integrate technically and operationally, enable the company to meet compliance requirements, etc.

So with no more ado, here is an overview of the approach developed to help you attract stakeholder commitment to your cloud security strategy.

1. Define the Stakeholders

One of the quickest ways you can paint yourself into a corner is by reaching out to the wrong people. Frantically emailing anyone and everyone who will support your strategy just won’t work, and, in fact, it might even damage your efforts by inviting too many cooks, or the wrong cooks, into the kitchen.

Instead, strategically assess the situation by uncovering who is involved in your organization’s cloud security decisions today and who needs to be involved in the future. Start by noting who they are, what their roles are in the security roadmap, and what tasks they own. The Stakeholder Matrix below, taken directly from our Cloud Security Playbook, can help you identify the stakeholders usually involved in implementing a cloud security strategy. Taking this matrix into account as you develop your cloud security strategy will help you as you go about seeking approval, building a strategy, selecting the right cloud security solution, and defining operational processes.

The Stakeholder Matrix









At my organization, this is:

CEO, Owner, Founder, President, Principal

Making sure the team meets its business goals (e.g., entering a new market where privacy is a big deal)

Line of business owner

Executive level

Protect company reputation by minimizing security threats

Financial stability and success, Security coverage (check the box, don’t get breached)

Ensuring customer and end-user trust (minimizing vulnerability)

Driving business results

Fills an immediate need

Short time to value

Clear benefits

Technology Leader

At my organization, this is:

CTO, Technology Director, VP of Engineering

Managing technology resources to meet company goals

Developing and delivering a technology roadmap that helps the business accomplish its goals

Control costs, improve performance, protect investments, meet compliance

Keeping a finger on the pulse of technology, prioritizing projects and resources, meeting aggressive deadlines and objectives, putting out fires

Visibility into what the security side of the house is doing

Reasonable costs (set-up, maintenance, labor, etc.)

Good value

Security Leader

At my organization, this is:

CSO, Security Engineer, InfoSec, Incident Response, Compliance

Managing technology resources to meet company goals

Developing and delivering a security roadmap that helps the business secure its data and that of its customers/users

Control costs, improve performance, protect investments, meet compliance

Keeping a finger on the pulse of technology, prioritizing projects and resources, meeting aggressive deadlines and objectives, putting out fies

Quick to get up and running

Security team doesn’t mind using it

Doesn’t affect productivity

Good value


At my organization, this is:

DevOps, SecDevOps, Operations, Developer, Sysadmin

Delivering speed and efficiency to delight customers

Operationalizing security, exploring AWS capabilities

Real life/real day functionality: need to be efficient; keep systems up to date and working while scaling and growing in complexity; delighting customers; streamlining operations; continuous integration; enabling fast feedback Engineering resources, manpower hours




Doesn’t slow down release cycles or hamper productivity

*Who: The exact title will depend on your organization.

**What: What they want in a cloud security solution.

2. Move Step-by-Step

Often there is significant confusion around who owns what part of the security process, and roles can differ company-to-company according to size and organizational structure. That’s why you will want to spend time figuring out exactly whose buy-in you need at each step of the way. It may be the CSO who needs to approve the budget, for example, the CTO who needs to approve the implementation roadmap, and a specific engineer who can confirm the technical requirements.  

By understanding early on which areas each stakeholder is responsible for, you can involve them at the right times and in the right order. This will have a strong impact on moving the process along as seamlessly as possible.

3. Identify Goals and Challenges

Once you know who the main stakeholders are and at what stage they come into the picture, begin mapping your strategy to their goals and challenges by answering questions that include the following:

  • Will the new strategy be scalable as we grow?
  • Will it be cost effective?
  • Will it help us meet our security, operations, and business goals?
  • Will it help us meet compliance mandates?
  • The more you can tailor your strategy to fit current and future needs, the more likely you are to have your plan endorsed. Let’s say, for example, that your compliance manager is in the midst of preparing for an SOC2 audit. By explaining how your proposed strategy can help streamline their efforts, meet compliance regulations, and so on, the easier it is for them to visualize how the strategy would benefit them day-to-day and over the long term. Generally speaking, approaching stakeholders with a well laid-out plan that makes their jobs easier and more productive will go a long way toward getting their commitment early on.

    A Final Word

    Stakeholder buy-in is a foundational part of your cloud security strategy. Don’t start building without it. The more clarity you have about who your stakeholders are and what they care about, the more likely it is that you will secure their initial buy-in as well as their ongoing commitment to supporting your security strategy once it’s in operation.

    cloud, security

    Published at DZone with permission of Venkat Pothamsetty , DZone MVB. See the original article here.

    Opinions expressed by DZone contributors are their own.

    {{ parent.title || parent.header.title}}

    {{ parent.tldr }}

    {{ parent.urlSource.name }}