When Executives Reject Your Security Recommendation

A rejected security recommendation feels personal, but it often reflects competing demands the security team doesn't fully see. Knowing how to act on that reality helps the CISO become someone the business trusts with its priorities.

As cybersecurity leaders, we’ve inevitably felt frustrated when executives didn’t act on our recommendation. The instinct is to conclude that leadership doesn’t take security seriously, but that take is usually counterproductive.

Executive managers are weighing cyber risks against revenue targets, hiring plans, product launches, and dozens of competing priorities. Sometimes they’re right to choose differently, and the rejection itself can sharpen our thinking by forcing a more targeted approach. To move past merely advising, we need to understand why they disagree and find ways to frame our perspective on their terms.

Disagreements Shouldn’t Surprise Us

That colleagues disagree with us shouldn’t be a surprise, but it often is. We invest time and energy in identifying, prioritizing, and explaining risks, and that effort fosters a sense of ownership. Behavioral economists call it the endowment effect, which is the tendency to overvalue what we possess. An executive who hasn’t spent hours analyzing the same security issue doesn’t share that sense of ownership. As a result, the same risk might weigh less in their mind than in ours.

Decision fatigue amplifies the problem. Executives make hundreds of resource allocation decisions in a given week. When our risk perspective reaches them, they may be operating with diminished attention. The status quo wins, not because it’s the right call, but because it requires the least effort.

Traditional justifications for security spending often fall short, even when executives are paying full attention. As Phil Venables has explained, arguments based on loss avoidance, reputational risk, and return on security investment don’t justify the accumulated costs of the mitigations we propose. Executives have learned this through experience, having watched companies suffer high-profile breaches and recover. Many have drawn their own conclusions about how severe the consequences really are and have grown skeptical of our severity ratings.

None of this means the disagreeing executive made the wrong call, assuming they made an informed decision. They’re evaluating a broader set of tradeoffs than we see from the security team’s perspective. If the problem isn’t that they failed to understand us, repeating the same arguments louder won’t help. We need to change how we respond to disagreement.

How We Make Rejection Worse

When executives reject a recommendation, we tend to make predictable mistakes that weaken our ability to influence:

We take it personally. We interpret the rejection as the organization not valuing security. In most cases, the decision reflects resource allocation priorities, similar to deprioritizing a feature or deferring a hire. Other functions in the company face such constraints, too.

We double down with more data. We respond to “no” by piling on more proof that the risk is real. If we did our best with the original explanation, additional details are unlikely to change the executive’s decision. They probably already agreed that the risk exists and decided that the mitigation wasn’t worth pursuing right now.

We don’t ask why. We walk away frustrated instead of asking what would need to change to get a different answer. The right question, asked genuinely, can reveal the constraints we didn’t see and open persuasion paths we didn’t consider, possibly for a later conversation.

These reactions assume the problem sits with the executive. None starts by examining our own framing. If they understood the risk and chose differently, we should either accept the decision or return to it with a different approach.

A Slide Deck Isn’t a Handoff

Security governance is a shared organizational responsibility, not something the CISO carries alone. But our job doesn’t stop at presenting risks. As Allan Alford has argued, “I presented the numbers and leadership decided” is where our work starts, not where it ends. If the message didn’t land, we adjust the framing and try again.

Allan also pointed out that we decide which risks reach the executives’ desks and which ones we handle quietly. When we “walk into a budget meeting requesting funding for three initiatives and stay silent on four others,” we implicitly make a risk acceptance decision. We should be deliberate about what we defer and transparent about why.

A genuine handoff requires explicit terms, not a checkbox on a slide deck. It sounds like “We’ll accept this for six months, revisit in Q3, and add monitoring in the meantime.” That specificity creates a shared commitment that both sides can track.

Even after that handoff, our work continues as part of regular governance. Circumstances change, so we monitor whether the original risk decision still holds through periodic risk reviews. The executive takes input from many sources, so we continue shaping the conversation through allies and timing. And we build resilience that makes it easier for the business to accept risks. Defenses, guardrails, and buffers absorb tolerable insecurity so the organization can move forward.

Make It About What They Already Want

Understanding why executives said no reveals what might make them say yes. The most effective way to earn that yes is to connect our recommendation to something the business already wants:

Offer options, not ultimatums. An executive who says no to a $1M project might say yes to a $100K first step. That first step addresses the highest-priority exposure, prioritized by business context. Presenting tiered alternatives gives them a way to say yes to something rather than no to everything.

Build allies before you need them. A recommendation that arrives with the CFO’s or CTO’s support lands differently than one from security alone. Invest in cross-functional collaboration before the critical ask. Phil Venables has observed that formal committees confirm decisions rather than make them. Allies shape those decisions before the meeting starts. He calls this building a “base of support” by being useful beyond the immediate boundaries of the security role.

Connect to outcomes they already measure. When security solves a problem another team already has, the ask sells itself. Automating manual access provisioning saves the dev team 10 hours per sprint, for example. Achieving SOC 2 unblocks enterprise deals stuck in procurement. Frame the expense as unblocking revenue or velocity, not reducing risk.

Make the cost of inaction specific to their world. A concrete scenario tied to the business is more persuasive than generalized breach statistics. What separates specificity from FUD is a named customer, a dated deadline, or a measurable outcome. “If customer X asks about this in their next security review and we can’t answer, that’s a renewal risk.” Understand what motivates individuals, not just the organization.

From Opinion to Influence

When we prioritize risks and articulate them in the executive’s terms, a “no” becomes the beginning of a conversation, not the end of one. Each conversation handled this way compounds our credibility. We stop selling security to the business and start helping the business succeed through security.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.