Getting business buy-in to enforce multi-factor authentication

It's always best to make sure all the right people are aware of and support changes in the business - especially when those changes will start to affect them directly! Big changes that people notice tend to benefit from an executive sponsor to lend weight behind the change - you'll know better than us whether that makes sense for your organisation.

If you do choose to ask an exec to sponsor this initiative, you should make sure you cover the following:

  1. Why MFA is important. Broad strokes are good - but make sure you are able to describe an attack that MFA would prevent in simple terms. This is gold should they ever need to defend MFA to another exec - if you’ve had an attack in the past that could have been prevented by MFA then even better. See our as a starting point.

  2. Any risks and what you've done to mitigate them. You can read more about this in our article about risks we’ve identified through learning from past MFA deployments, and mitigations we’ve built into this plan.

  3. Costs. Will you be asking the exec to support you in requesting additional budget for hardware tokens or upgraded licenses? Fortunately in most cases new hardware or upgraded licenses aren't needed, but it’s good to make sure there are no surprises down the road.

  4. Process and timelines. MFA rollout across multiple platforms typically takes anywhere from a month to 6 months depending on the size of the organisation. If you are a smaller (say fewer than 50 employees), tech-savvy team you can aim for the lower end; otherwise, it might be smart to give yourself enough space to do it gradually. Walk them through this plan just enough so they have a feeling for what to expect, and what could cause delays.

  5. Let them know if you plan to include their name in comms to the rest of your team. If they aren't comfortable with that, they may not be a great fit for a sponsor.

Tip: As you plan for the discussion, write out your talking points and notes and follow the discussion with an email summarising those key points. You can use this email template as a starting point: