When does a security review become the actual deal blocker vs. a checkbox procurement uses as cover?

Question

Pulse RevOps · The Machine · Accepted Answer

## Brief
Security review is deal blocker when **CISO has budget veto**; it's cover when IT compliance uses it to delay. Spot the difference in Week 1.

## Detail
**Security reviews kill 23% of enterprise deals** (Gartner). Distinguishing genuine CISO objection from procurement delay tactic determines whether you escalate or wait.

**Two Security Review Profiles**

**Genuine Blocker (CISO-Led)**
- CISO reports to CFO or CEO (has budget veto authority)
- Security requirements documented in RFP or appendix before engagement
- Questions are specific: "SOC 2 Type II timeline?", "Encryption algorithm?", "Incident response SLA?"
- Timeline: **14-21 days** for initial response, **7-14 days** for remediation
- Escalation: VP Customer Success + legal present remediation plan to CISO directly

**Procurement Delay Tactic (Cover-Based)**
- IT Compliance leads review; CISO is informed, not empowered
- Questions are vague: "Tell us about your security.", "How do you handle compliance?"
- Timeline requests: "Send answers by Month 2," recurring question repeats
- Escalation: Procurement using security as budget delay tool; sponsor intervention required

**Diagnostic Questions (Ask in Week 1)**

| Question | Real Blocker Signal |
|----------|--------------------|
| "Does CISO need to approve vendor software before procurement signs?" | Yes = CISO has veto power |
| "Who owns the security approval decision—CISO or procurement?" | CISO = real blocker; Procurement = cover tactic |
| "Do you have existing security requirements doc?" | Yes, detailed = real blocker; No, or "we'll write it" = cover |
| "Who approves security exceptions?" | CISO directly = real blocker; Procurement/Legal committee = delay mechanism |

**Response Strategy**

**If Real Blocker**
1. Sales Engineer + Customer Success own response
2. Offer CISO demo: **architecture review**, incident response walkthrough, compliance proof (SOC 2 report, pen test results)
3. Position gaps as enhancements, not blockers: "We use AES-256; we're evaluating quantum-resistant post-quantum keys in Q3"

**If Cover Tactic**
1. Escalate to deal sponsor immediately
2. Propose security pre-approval bypass: Sponsor can approve vendor for pilot; full security review runs parallel to 30-day trial
3. Set deadline: "Security feedback due Friday EOD or we proceed under sponsor sign-off"

```mermaid
flowchart TD
    A[Security Review Kicks Off] --> B{Who Leads Review?}
    B -->|CISO| C[Real Blocker]
    B -->|Procurement/IT Compliance| D[Check Motivation]
    C --> E[CISO Has Budget Veto?]
    E -->|Yes| F[Genuine Blocker: 2-3 week gate]
    E -->|No| D
    D --> G{Timeline Tight or Vague?}
    G -->|Specific: 14-21d for response| H[Real Blocker]
    G -->|Vague: Months, recurring questions| I[Procurement Delay Tactic]
    H --> J[Escalate to VP Customer Success + Legal]
    I --> K[Escalate to Deal Sponsor + Bypass Proposal]
```

TAGS: security-review,CISO,procurement,deal-blocker,gartner,enterprise-sales,deal-motion,risk

Question	Real Blocker Signal
"Does CISO need to approve vendor software before procurement signs?"	Yes = CISO has veto power
"Who owns the security approval decision—CISO or procurement?"	CISO = real blocker; Procurement = cover tactic
"Do you have existing security requirements doc?"	Yes, detailed = real blocker; No, or "we'll write it" = cover
"Who approves security exceptions?"	CISO directly = real blocker; Procurement/Legal committee = delay mechanism

When does a security review become the actual deal blocker vs. a checkbox procurement uses as cover?

Brief

Detail

What does the score mean?