By Michael Henry, CEO, Accelerynt
In this article:
- Why “easy fixes” stall in Change Advisory Board meetings
- The friction debate security leaders rarely win
- How staging shifts the conversation from proposal to proof
The auditors just left. You survived another cycle, just in time for Thanksgiving.
And you got lucky. The vulnerability they identified is “easy to fix.” It’s a gap in your help desk verification process. You know exactly what to do. You might even have the technical configuration ready to go. You figure you can patch this gap, close the ticket, and enjoy the holiday break.
Then, you walk into the Change Advisory Board (CAB) meeting.
You present the fix. And instead of a rubber stamp, you hit the Change Management Wall.
“We can’t add that step. The Service Desk calls will spike.”
“The executives won’t tolerate the friction.”
“Let’s table this for Q1.”
And there the “easy fix” dies. The CAB becomes the graveyard of good security.
Why the “Process” Is a Liability
The trap here is the Friction Debate.
In most organizations, the Change Management process is designed to protect availability, not security. Its primary job is to prevent downtime and user inconvenience.
When you propose a new security control, like a callback verification or an MFA step-up, the business sees it as a “risk to productivity,” not a “reduction of risk.” Research confirms their fear: 69% of employees admit to bypassing security controls just to get work done.* The business is terrified of that user revolt.
So, you enter a negotiation you are destined to lose. You are trading a theoretical risk (a breach that hasn’t happened yet) against a guaranteed cost (user complaints today). In that trade, “user experience” almost always wins.
The result? You leave the meeting with a “Compensating Control” (usually more training) and the vulnerability remains wide open.
The Mindset Shift: From Proposing to Proving
To break through this wall, you must change the currency of the negotiation.
The Old Mindset (The Trap): “I need permission to build a solution that might cause friction.”
The New Mindset (The Solution): “I need to demonstrate a solution that I have already proven is safe.”
This shifts the CISO from a “petitioner” asking for a budget to an “architect” presenting a finished product.
The Path Forward: Validating Before You Ask
The Active Assurance Model gives you the tool to win this debate: Staging.
Instead of asking for permission to start a project, you use your finding to immediately stage the technical guardrail in a test environment (e.g., a test tenant in Entra ID).
You build the callback workflow. You configure the conditional access policy. You run the test against real-world scenarios.
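As an added illustration of the staging step above (example code, not the article's or Accelerynt's own), the script below creates a Conditional Access policy in a test tenant in report-only mode, scoped to a pilot group, using the Microsoft.Graph PowerShell SDK. Report-only evaluates the policy on every sign-in and records the outcome without prompting anyone, which is what lets you collect the evidence before the CAB sees the change. The cmdlets and the `enabledForReportingButNotEnforced` state are real; `$PilotGroupId`, the policy name, and the choice of "MFA for all cloud apps" are assumptions you would replace with the control you actually staged.

```powershell
# Added example (not from the article or Accelerynt): stage a Conditional Access
# policy in report-only mode in a TEST tenant with the Microsoft.Graph PowerShell SDK.
# Assumptions: the SDK is installed, you sign in to the test tenant, and
# $PilotGroupId is replaced with the object id of a pilot group created there.

#Requires -Modules Microsoft.Graph.Identity.SignIns

param(
    # Placeholder: set to the object id of your test-tenant pilot group.
    [string]$PilotGroupId = "<PILOT-GROUP-OBJECT-ID>",
    [string]$PolicyName   = "STAGED - MFA step-up for pilot group (report-only)"
)

# Sign in with only the permission this task needs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

function New-StagedMfaPolicyBody {
    param([string]$GroupId, [string]$Name)
    # "enabledForReportingButNotEnforced" = report-only: the policy is evaluated on
    # each sign-in and the would-be result is logged, but no user is prompted.
    return @{
        displayName = $Name
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            clientAppTypes = @("all")
            # Pilot group only; never scope a staged policy to "All" users.
            users          = @{ includeGroups = @($GroupId) }
            applications   = @{ includeApplications = @("All") }
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("mfa")
        }
    }
}

$body   = New-StagedMfaPolicyBody -GroupId $PilotGroupId -Name $PolicyName
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body

# Read the policy back so the evidence you bring to the CAB shows the exact staged state.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State, Id
```

Leave the policy in report-only while the pilot group works normally for a test window. The sign-in logs in the test tenant record, per sign-in, what the policy would have done, which gives you the "how often would this have prompted or blocked" figure; the added seconds per reset come from timing the pilot users through the staged workflow. Only after the CAB says go do you change the state to enabled, and only in the production tenant.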
When you finally go to the CAB, you aren’t bringing a slide deck with a “proposal.” You are bringing a video of the working solution.
“Here is the control. We tested it. It adds exactly 14 seconds to the reset process. It stopped 100% of the test attacks. It is ready to deploy.”
You have removed the “fear of the unknown.” You aren’t asking them to imagine the friction; you are showing them the reality. You turn a political debate into a “Go/No-Go” decision on a finished capability.
The Takeaway
The “Change Management Wall” is built on fear of disruption. The only way to dismantle that fear is with proof.
Don’t tell them it will work. Stage it, test it, and show them.
Read the full playbook on how to stage your defense in our active assurance guide: The Help Desk Is Now a CISO-Level Liability.
In our final post in this series, we’ll cover the CISO’s third trap: The “Vendor Black Box.”
* Source: Gartner, “Predicts 2023: Cybersecurity Industry Focuses on the Human Deal,” February 22, 2023. Based on the 2022 Gartner Drivers of Secure Behavior Survey conducted May–June 2022 among 1,310 employees.
About Accelerynt
Accelerynt is a Microsoft-native security operations company, founded and led by practitioners who’ve built enterprise security programs. We build and run SIEM, MDR, and MSSP programs inside our clients’ Microsoft tenants using Sentinel, Defender, and Entra ID.