Challenge The Status Quo

January 16, 2023

2 min read

Sean Steele is co-founder and managing
partner at Infolock.

In This Article

Join Our Newsletter

Follow Us



This week I read an “op-ed” on data privacy and security, written by a SaaS vendor in the data management space. I agreed with much of what they said but cringed as they concluded that their cloud product would solve all data problems easily, with a minimum of effort on the customer’s part.

It got me thinking about our industry’s continuing obsession with “quick fixes” — something we know doesn’t work in education, in business, in our careers, or in our personal lives.

Tech First, Tech Always

When it comes to solving information security challenges, our industry continues to rely on technology to the exclusion of people and process. Instead of thoughtful research, careful strategy setting, and long-term planning, we gravitate to products promising they’re “easy to use,” with “minimal interaction,” and “powerful reporting.” We want to skip the beginning and middle parts and get directly to the end of the story.

As a result, our data security and privacy plans read more like product implementation schedules and less like business goals, objectives, and tangible outcomes.

What would happen if we tossed away the crutches of technology? What would a process with more integrity look like? How could we make people the focal point (again)?

Who, What, Where, When, Why

One way for security leaders to become more proactive is to put away all the screens, take out a blank sheet of paper, find a quiet place (inside and out), and use the 5 W’s (Who, What, Where, When, and Why) to outline a data risk management strategy:


  • Name the senior leaders in your organization who have the most to lose — or the most to gain — from data. What’s at stake for them?
  • Name the one person in your organization who is most responsible for operational (day-to-day) data security and privacy. Is this a cabinet-level executive with authority to set strategic direction? Do they control budget, and if so, how does it compare with your IT, legal, or facilities budget?
  • Which senior leader is most aware of and educated about data risks facing your organization? Has that person been vocal about it? If so, how?


  • If your board of directors were forced to write out your organization’s one-paragraph strategy for data risk governance, what would they say?
  • What data do you have? Can you name 10 different types of data you collect, store, process, transmit, buy, sell, or manage (and of those, what are the most sensitive data types, and why)?
  • How much data do you have in total?


  • What platforms is your data stored on, and in which locations?
  • Where do you operate (internationally, multi-nationally, in one country, state, locality, in one or more industries)?
  • Where does your cloud data “live”? Can you verify it?


  • How long would it take to account for all your data assets? What would you provide to a regulator or investigator? How would you go about it?
  • From the moment a data breach is detected, or suspected, how long would it take to begin, conduct, and likely conclude an “incident response” process? Who is responsible for each aspect of the response effort?


  • What would your organization do if it had high-quality, integrated, actionable, protected data to base business decisions on? Would that have financial value, and if so, how much value?
  • If your organization suffered a catastrophic data breach or loss, who would be blamed and why? What would happen to that person?
  • Is better data a potential competitive advantage for your organization? How could you use it to outperform, improve, sell more, or provide better service?

It’s Never Too Late to Start

Security leaders often ask me how to get out of their technology “box” and engage senior executives in substantial business conversations.

The first thing I tell them is that it may be the most difficult challenge they’ve ever faced. The second thing I tell them is that it may be the most important skill they’ll ever learn.

One approach I’ve seen work is the “Challenger” sales approach described in Matthew Dixon’s book, The Challenger Sale: Taking Control of the Customer Conversation. In the Challenger model, you don’t try to build relationships or make friends; you teach your customers something new, educating them about challenges and business impacts, proving out your case, and offering a solution with tangible (hopefully unique) benefits.

Importantly, this has nothing to do with technology.

“Sell” Like a Challenger

After identifying Who, What, Where, When, and Why, you should take 6 basic steps (thanks to’s succinct breakdown):

  1. Build credibility. Point out to the Board that moving all customer data to the cloud might make it more susceptible to loss and compromise.
  2. Reframe the problem. Mention that secure data sharing creates deeper customer loyalty and repeat business.
  3. Prove your point. Show recent research proving how customers increase repeat purchases and generate higher Promoter Scores when their information is actively protected.
  4. Demonstrate direct impacts to the business. Highlight an alarming trend: the business has had lower customer retention and recurring revenues over the past several quarters.
  5. Propose a new approach. Tell your Board “our customer data could be more than just something we have to provide — we could offer unique, data-driven insights to our customers (something our competitors don’t offer), and develop new ways to engage more deeply throughout the customer lifecycle.”
  6. Offer a solution (now that your audience is convinced). Suggest selectively migrating customer data to the cloud, creating a secure customer portal that provides data access AND insights into activities, and providing direct links back to your e-commerce platform for additional purchases.

Lining Up with the Bottom Line

Instead of nagging senior leaders — for the thousandth time — not to go to the cloud (because it’s not safe), take them on an educational journey about how to improve customer retention and pump-up revenues (while just happening to achieve your data protection goals).

Is this approach simple or easy? Nope. Is there a technology quick fix here? Not at all.

But this approach works. It will help you redefine and elevate your role with senior leaders, and meaningfully align you with the organizational mission.

You’ll go from being both a victim and a scapegoat, to becoming a partner with a seat at the executive table.

To learn more about building out a comprehensive data risk management program, check out Infolock’s Data Risk Management Framework

To learn more about Matthew Dixon and the Challenger approach, check out

To learn more about bite-sized non-fiction reads, check out

Related Posts

Flip The Script: Let The Attackers “Win”
What does it look like when organizations do their data security and risk management homework upfront,

2 min read

April 5, 2023

Cybersecurity Is Dead — What Now?
We must stop insisting cybersecurity can "win" the war against cybercriminals, because we've already lost.

2 min read

March 10, 2023

4 In 4: 4 Insights From My First 4 Months At Infolock
After four months on the job at Infolock, I want to let prospective customers and employees know.

2 min read

April 7, 2021

Challenge The Status Quo
Quick fix technology solutions aren't a substaitute for hard work and careful planning.

2 min read

January 16, 2023

Data Breach Cynicism Takes Hold
In more than 20 years of working in the IT security industry, I’ve helped literally hundreds of companies

2 min read

November 14, 2022

Ciso, We Have A Problem
Since 2001, I’ve worked with hundreds – even thousands – of infosec practitioners: analysts, engineers, technicians,

2 min read

August 17, 2022

It’s The Data, Stupid!
Data is notoriously messy. It’s clear most organizations have lost control of it – or, never had control of it in the first place.

2 min read

June 26, 2022

Peak Vendor: Reclaiming Infosec Priorities And Budgets In The Age Of Big Marketing
I’m not sure when the bubble began. Three years ago? Five? Security needs

2 min read

May 3, 2023

Banishing The Backseat Drivers
If you’re in security, you know how

2 min read

March 30, 2022

Vendors Know You Too Well
Could you imagine walking into a car dealership without:

2 min read

January 15, 2022