May 12, 2021

Last Updated on January 13, 2024

All too often there’s a disconnect between technology leaders and business leaders. We tend to talk different languages—bits, bytes and acronyms on one side, ROI and balance sheets on the other.

What frequently happens is that technologists collectively create a plan to introduce new capabilities, generally for the best of reasons. They agree on the plan and how to execute it. And then… suddenly somebody’s in the CFO’s office and it’s not going well…

How can a CISO or other technology exec get past his or her inherent biases to successfully pitch big-ticket, business-critical matters like preparing for a Cybersecurity Maturity Model Certification (CMMC) compliance audit with the CFO, COO or other business leaders? What are they thinking, and how can you meet them where they are?

To get the highest-value coaching and guidance in the shortest possible time, we turned to our special guest John Sheridan, a best-selling author and business coach, on a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as always.

“What I want to talk about here applies not just to that large project, but to just about anything that someone in these situations wants to get done in an organization,” John Sheridan reveals. “Probably the most important principle you need to understand is this: People do things for their reasons, not for your reasons.

“Before you walk into that office—and you may be armed with all kinds of facts and reasons that mean something to you—I think you have to stop first and say to yourself, ‘My reasons don’t count. They really don’t care about my reasons. What are theirs?’” advises John Sheridan. “Put yourself in their chair, shift the scope of what you have to worry about to theirs, and figure out what their reasons are. What do they care about? What are the consequences for them if things go right? What are the consequences if they go wrong? Then frame up your approach in their frame, not yours. That’s at the root of influence, which is what we’re really talking about here.”

“In a weird way, that sounds a lot like the concept of marketing,” notes John Verry. “We have a tendency to think of our product and what we deliver from our perspective instead of the customers’ perspective. So you’re saying the CFO is now my customer in pitching this project. The challenge is understanding that customer profile.”

What’s Next?

If you’re an IT manager looking to invest in security, and you need to show your CFO how that investment relates to the health and profitability of your organization rather than just scrutinizing the direct spend, this podcast with author and business coach John Sheridan has your name all over it.

To listen to this show all the way through, click here. If you don’t use Apple Podcasts, you can find all our podcast episodes here.

New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC)

This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.