The $2M Detour: When Good Intentions Derail Great Decisions
How one PAM project became a leadership lesson in timing, trust, and telling the truth
The Ask Was Simple. The Cost Wouldn’t Be.
Earlier this year, I was hired to spearhead a privileged access management (PAM) proof of concept (POC) at a $2.5 billion public cybersecurity company. Scope was clear. Expectations were set. Everyone wanted this to work.
But two weeks in, after a handful of stakeholder interviews, the signals started shifting.
Teams weren’t just hesitant—they were resistant. And not in the passive-aggressive, “we’ll get to it later” way. Some of them had already built high-integrity PAM solutions using HashiCorp Vault, with role-based access managed through Okta. These weren’t hacks or shortcuts. These were engineered, maintained, and trusted.
The more I listened, the clearer it became: this wasn’t a PAM problem. It was a non-human identity (NHI) problem, that is, governing the credentials used by services, pipelines, and workloads rather than by people. And the proposed solution didn’t match the shape of the real need.
When the Stakeholders Whisper, You Listen
Most CISOs don’t get the luxury of hindsight in real time. They’re under pressure to act, perform, and show progress—fast.
But in this case, I wasn’t the one under pressure.
The VP of Global Cybersecurity & GRC I was advising had aspirations beyond the current org chart. A successful PAM deployment would’ve been a feather in his cap—a proof point on his way to the C-suite. He was sharp. He was motivated. But his assumptions were brittle.
He wanted a centralized PAM system. The org wasn’t ready.
What the teams actually needed was a lightweight, internal solution that improved NHI hygiene without rewriting the security culture overnight. Centralizing control would’ve sparked more friction than value—politically, technically, and financially.
So I Did What a Consultant Is Supposed to Do. I Told the Truth.
I stepped back, reframed the problem, and presented the VP with a different option:
Pivot from PAM to NHI governance.
Leverage the existing Vault + Okta + Conductor One integrations.
Avoid a disruptive vendor rollout.
Save $2M in year one.
That’s not the kind of advice that protects your billable hours. But it’s the kind of advice that protects the customer from self-inflicted wounds.
We talk a lot about vendor lock-in and feature gaps. But sometimes the real danger is strategic misalignment—pushing forward because the project is in motion, not because it still makes sense.
You Don’t Always Need More Tools. You Need More Foresight.
How does this happen? In 2026, with all the conferences, research, and chatter on LinkedIn, how does a well-funded cybersecurity firm almost walk straight into a multimillion-dollar misstep?
Simple: the landscape is changing faster than most teams can track. Tools blur. Categories shift. What looked like a clear roadmap three quarters ago might be outdated today.
And even if the VP had perfect market intelligence, he still would’ve faced internal resistance. The engineering teams weren’t bought in. IT had their own ideas. SREs weren’t even in the room.
The risk wasn’t just a failed implementation. It was organizational backlash, political fallout, and lost trust.
The Customer Isn’t Always Right — But They’re Always Worth Protecting
This is one of those moments where I didn’t have all the answers. I wasn’t the most technical person in the room. I didn’t know more about Vault or Okta or NHI architecture than the people building it.
But I did know how to read a room. I knew how to map incentives. I knew what happens when strategy and execution fall out of sync. And I knew when the smartest move was to stop the train before it jumped the track.
That’s the real work of a strategic advisor.
It’s not about selling the scope. It’s about saving the system.
Start with Feasibility, Not Fantasy
If you’re leading a cybersecurity team right now, here’s the uncomfortable truth:
You can execute flawlessly—on the wrong thing.
That’s the story I want to expand on from The CISO On The Razor’s Edge: the second CISO in “A Tale of Two CISOs,” who had the right vision but the wrong timing. Not because they were naïve or underprepared. But because they didn’t step back and ask the harder question:
Is this right—for this org, right now?
The temptation to push forward is strong. Especially when budget is secured, headcount is assigned, and the goal is tied to your performance review. But leading on the razor’s edge means something different. It means having the guts to pause. To pivot. To protect your people—even from well-meaning plans.
Saving $2M Wasn’t the Point. Saving Trust Was.
A failed PAM rollout would’ve cost $2 million. But the deeper cost would’ve been internal fragmentation, eroded credibility, and another data point in the “security slows us down” narrative.
Instead, we shipped something leaner. We built momentum. We delivered a win. And we set the stage for bigger change later—when the organization is ready to absorb it.
That’s how transformation really works.
Not by forcing tools into cultures that don’t want them. But by sequencing moves that build trust, reduce noise, and surface insight.
Final Thought: The Consultant’s Real Job Isn’t Delivery. It’s Discernment.
What most companies need isn’t more vendors, more dashboards, or more “strategy in a box.”
What they need is someone who can sit across the table and say, “I hear you. I get it. But I think there’s a better way.”
They need someone who isn’t afraid to ask:
Is the problem what you think it is?
Are you solving for optics or outcomes?
Are you ready for what this solution will really change?
This isn’t theory. This is real leadership, in the real world.
And sometimes, it looks like walking away from a $2 million implementation—because the most valuable thing you can build is trust.
If you’re leading a complex cybersecurity program and wondering if your current path still makes sense, I’m here to help. Let’s talk.