I worked with one company that hadn’t done much in terms of formalized security previously. One of the things I did for them was to meet the qualifications for and achieve enrollment in some public-facing security programs. One goal was to establish something that the company – and the Sales team in particular – could reference when speaking with clients and potential clients, and use as a differentiator in comparison to competitors.
After having gone to all the trouble of setting it up for them, the Sales organization used this not at all. It turned out the Head of Sales was not the least bit interested in security – even when security was able to help their organization – and the company – sell more new business, as well as retain existing customers.
One lesson I took away from this is that a specific chat with the Head of Sales to get their buy-in could have been beneficial and could have helped with adoption. And even if buy-in wasn’t possible, it would have at least given me a better understanding of their mindset. I probably still would have done the security work, because it was the right thing to do, but that understanding could have likely lessened the disappointment. Another is that not all good deeds are appreciated. That doesn’t mean we shouldn’t do them; we should just know that going in.