How to Align Stakeholders and Get Budget for SaaS Security


Ruby Life is a mid-size technology company. We develop niche dating apps – but we’re much more than that! We’re a tech company that delivers privacy and security to end users as part of what we do. As the CISO, it’s my job to ensure we meet stringent security and compliance requirements while enabling business innovation. That includes being able to advocate for new security investments, and push the right people to action, when a solution is needed.
At mid-size companies like Ruby, securing a budget for a new tool requires building support from multiple stakeholders across the organization, each with different priorities. For Ruby, while I’m ultimately responsible for our security program, all of my colleagues play a role - so having them informed as to how we’re continuing to build on our security program is a key feature of our security approach. Telling them you need something is not enough. Everyone “needs” something. So how can you rally people around your initiative?
Through the tactics outlined in this blog, we were able to foster support from stakeholders, secure budget, and deploy Reco to solve multiple SaaS and AI security challenges here at Ruby. I offer this blog so other CISOs in a similar situation might be able to take a page out of our playbook. Keep reading to learn how we gained executive support to buy Reco.
The Need for SaaS Security
To provide a little background, our initial need for a SaaS security solution like Reco was driven by several factors:
- Remote Workforce: the Covid-19 pandemic drove our workforce remote, and since then it has stayed that way. This resulted in greater reliance on SaaS collaboration tools.
- Embrace of AI: Our employees want to leverage and benefit from AI innovations. But from my end, we have to make sure that any embrace of AI is coupled with deployment of security controls and management.
- Insider Threats: It is common security industry knowledge that one of the biggest threat vectors organizations face today is from within, particularly in a fully remote workforce environment. Insider threats can be difficult to detect, and insiders have easier access to sensitive information than outsiders. You only have to look as far as the recent Rippling scandal to understand how much damage can be done.
- Compliance: We follow NIST 800-53 to guide our policy enforcement. As we became more heavily reliant on SaaS, we needed more visibility into SaaS configurations to effectively map to these benchmarks.
An industry peer initially brought Reco to my attention. After taking a look, we got the sense it could help us solve some of our most pressing issues, especially around AI usage. But it was going to take more than that to get this thing over the line.
Step 1: Identify Stakeholders in Your Buying Process
Getting the budget for such a tool at a mid-size company first requires understanding who you need to communicate with internally. Key decision-makers fall into two categories:
Business & Finance Stakeholders (CEO, CFO, Board): These folks are focused on revenue generation and business enablement. They have multiple competing budget priorities and are used to different business units asking them for money. They need clear business justification, not technical explanations.
Technical Stakeholders (CIO, CTO, Engineering): My technical team deals with these security gaps every day. They understand the challenges, appreciate operational efficiency, and generally are easier to convince once you show them something that actually works.
Step 2: Align Technical Stakeholders Around SaaS Security
Getting buy-in from technical stakeholders is much easier than doing so with business stakeholders. We deal with these problems every day, so when something solves the problem, they are eager to implement trusted, validated solutions.
My approach was simple: I let the security team own the evaluation and I didn’t interfere. They loved the enhanced visibility, the intuitive interface, and how easily it could help us deal with the issue of shadow IT and shadow AI. It also gave us enhanced internal visibility capabilities with Reco’s user behavior monitoring feature. Plus, Reco makes it easy to convert findings into reports—which, as an executive, I always appreciate because it makes my life easier when dealing with the higher-ups.
Something my team and I appreciate about Reco is that it’s multiple tools in one: you get the shadow IT solution, the access governance, the posture management, and the threat detection. Solving these challenges a different way would’ve required stitching together multiple solutions.
Step 3: Align Business Stakeholders Around SaaS Security
One of the more enjoyable challenges to be faced as a security leader, particularly in a medium-sized business, is the alignment of security goals with those of the business. It can take some creative thinking and executive politicking, but keeping your program desires and goals aligned with the overall business strategy is certainly doable.
Here are my tips for getting buy-in from business stakeholders.
1. Tie to Business Outcomes - Driving More Revenue
At the higher C-suite and board level, the conversation needs to be about business enablement. Especially now that money is more scrutinized and interest rates aren't what they were five years ago, they need to understand how a security investment enables their ability to drive more revenue.
As the technology leadership, we focused on how SaaS security is a business enabler, not a cost center. Our organization wanted to lean into utilizing AI, and they wanted to empower workers to use AI across all of our tools and functions. So we positioned Reco as the foundation that would allow us to safely embrace AI tools, which would allow more AI usage and generate more productivity.
We also needed it for compliance, and compliance is necessary for maintaining business relationships with key customers and partners.
Once they were able to connect Reco to customer retention and revenue growth, we could see the wheels turning. Resistance began to change into cooperation.
2. Use the POC to Make Risks Tangible
The proof of concept was critical to our success. Once we deployed Reco in our environment, we were able to reduce tangible business risks – not just hypothetical “what-if’s”. We showed them:
- Good credential management: Our enterprise application credentials were well-kept, but we were also able to discover a very small number of accounts where credentials had been issued for a project and weren't being deprovisioned once the project ended.
- A lack of shadow IT proliferation: We discovered some limited unauthorized AI tools and applications, demonstrating Reco’s ability to truly enhance our internal visibility.
- Reduced access anomalies: A small number of accounts that hadn't been used in 90+ days but still had active permissions.
We explained how these stale credentials could be used to compromise us through applications they still had access to but shouldn't. And we were able to really shine a light on how big of a problem we potentially had with shadow IT and shadow AI. And most importantly, how the Reco tool could help us close these gaps and reduce risk.
3. Find Opportunities for Cost Savings Elsewhere
Here's what really sealed the deal: I took our cyber insurance, which was up for renewal, and shopped around the market to find a different broker. I was able to secure a large discount compared with last year's policy.
Using that savings, I went to my C-suite and said, "Hey, look, this solves a bunch of problems for us. My CIO likes this, the team loves this, it's well-priced, and I saved us money elsewhere."
The lesson: Security leaders in the mid-market especially have to be leaders across the whole business. Ask yourself, how can I contribute to the top line and bottom line? We can't just stay in our silos because security is too sensitive and too expensive for us to be sitting in our little part of the conversation. If we're not influencers across the entire company, it becomes very hard to get buy-in to purchase innovative new tools like Reco in the timeframe we want.
What Made This Work
Several factors contributed to our success:
- Vendor Partnership: Reco makes itself affordable for mid-market shops like mine. They knocked technical performance out of the park, and there's a real partnership-based approach where they're committed to helping clients succeed. With other vendors, off-roadmap requests are treated as prohibitively disruptive. With Reco, they take feedback and meet customer requests quickly.
- Business Alignment: I connected our security needs to business priorities—AI enablement, compliance, and revenue growth.
- Technical Validation: I let my team validate the solution without interference, which gave them ownership of the decision.
Key Lessons for Other CISOs
- Reframe the conversation: Move from risk mitigation to business enablement
- Speak their language: Business stakeholders here care about security but must also balance targets for revenue, compliance, and competitive advantage. Cost assurance is a critical consideration for them.
- Use data to make risks tangible: POCs should reveal business-relevant findings, not just technical issues
- Be a business leader: Find ways to contribute to the organization's financial success
- Let technical teams validate: Give your team ownership of the technical evaluation
- Build partnerships: Work with vendors who understand your business challenges
The Bottom Line
As mid-market security leaders, we can't just be security experts anymore. We have to be business leaders who understand how to tie security investments to organizational success. That’s the only way we’re going to be able to foster support for new, emerging security investments like Reco.
To learn more about Ruby Life, visit our site. Or connect with me on LinkedIn.

George Al-Koura
ABOUT THE AUTHOR
George Al-Koura is a seasoned CISO with extensive experience in mid-market security leadership, compliance, and business enablement. He has more than 15 years of experience in the security profession, spanning military, government, and commercial sectors, with a focus on cyber and security threat intelligence. He is also a co-founder and co-host of Bare Knuckles and Brass Tacks, a podcast that aims to make the InfoSec business a better experience for everyone. In addition, he serves as a board member and advisor for several organizations that promote the advancement and innovation of security and technology in Canada and beyond.