It's no secret: executives can be the biggest obstacle to security, even when they say it's important. The difference lies between what affects employees and what impacts the executives themselves. I recently had a conversation with the founder of a financial planning firm that caters to high- and ultra-high-net-worth clients. The concern was: "My clients expect me to have everything at my fingertips and don't want to wait. Will this make it harder for me to get that information?"
The "ask" (for me) was to "do me last". There's some wisdom in that, because I don't like to make too many changes all at once. Changing too much at once makes it more difficult to troubleshoot problems, and supporting it can be overwhelming and unpredictable. Users with different roles will determine the level of impact and handholding that's necessary for implementation. It might be controversial, but sometimes security is less significant than business for an SME.
There are risks you may decide to accept, such as when a big sale is on the line. You wouldn't want a security solution with an AI "brain" to disable network access over some pattern or alert (not when it impacts business). After all, there are backups. However, a regulated industry poses potentially higher costs, and those costs are rising. I wonder how those high-net-worth clients would feel about their personal documents leaking onto the web. Hint: not very pleased.
Reason works too. I've explained that a breach will soon become a "preexisting condition" for cyber insurance. The C-level mindset is often, "Well, I'm covered for that." Not anymore. Underwriters are refusing to cover negligent clients. That will make it easier to continue the conversation rather than being shut down by people whose opinions aren't often challenged. I was lucky that this person is very open to new ideas and just needed to understand better.
There's more than one approach to overcoming objections from C-level executives who won't comply with policies. Sometimes, you just have to shake your head and do what you can. But increasingly, there's something I don't do: endorse their misconception(s) that security has to be difficult and cower before the pushback. A good advisor doesn't do that.
I've had success just showing them how things work in practice. Modern authentication can be passwordless, using certificates, PINs and hardware-based devices that are often easier than typing in a password. The employees won't only demonstrate that users can cope with security; they'll show that it can make a user's experience better (even an exec's).