How to Handle:
“IT/Security needs to approve this”
The prospect is indicating that IT or information security teams must review and approve your solution before purchase. This is standard for any software, data, or technology-related purchase and is especially rigorous in regulated industries.
Why Prospects Say This
Organizations must protect their data, systems, and networks. IT security reviews assess vendor security practices, data handling, integration requirements, and compliance. This is a legitimate requirement that protects both the company and its customers.
Best Responses
The Security Champion
“Completely understand—security review is essential and we're happy to support it. I can send over our SOC 2 report, security questionnaire, and architecture documentation. What specific areas does your security team typically focus on?”
Why It Works
Shows you're prepared and take security seriously. Identifies their specific concerns.
Best For
All technology purchases, especially in regulated industries
The Technical Bridge
“Happy to facilitate that process. Would it be helpful to set up a call between your IT security team and our security engineering team? They can have a direct technical conversation and answer questions in real time.”
Why It Works
Technical teams prefer talking to other technical teams. Speeds up the review process.
Best For
Complex integrations, enterprise security requirements
The Questionnaire Ready
“We're used to thorough security reviews. Do you have a vendor security questionnaire you'd like us to complete? We've filled out hundreds of these and have most answers pre-documented.”
Why It Works
Shows experience and preparedness. Gets their formal process started.
Best For
Organizations with formal vendor security programs
The Compliance Credential
“Security is a top priority for us too. We're SOC 2 Type II certified, and we work with [similar companies in regulated industries]. I can share our complete compliance package including penetration test results and our security whitepaper. What certifications matter most to your team?”
Why It Works
Leads with credentials and social proof. Addresses concerns before they're raised.
Best For
Highly regulated industries, enterprise security teams
Do's and Don'ts
Do This
- Have security documentation ready: SOC 2, penetration tests, security whitepaper, compliance certs
- Offer direct communication between security teams
- Complete their vendor security questionnaire thoroughly and quickly
- Be transparent about your security practices—don't oversell
- Understand their specific security requirements and compliance needs
Don't Do This
- Downplay security concerns or suggest they're being overly cautious
- Promise security capabilities you don't have
- Let the security review go dark without follow-up
- Assume your business champion can answer security team questions
- Rush or pressure the security review process
Follow-up Questions to Ask
“What security certifications or compliance standards are most important to your team?”
“Do you have a vendor security questionnaire you'd like us to complete?”
“Would it help to set up a call between our security teams?”
“What's your typical timeline for security reviews?”
“Are there any specific security concerns related to your industry I should be aware of?”
Industry-Specific Variations
“We need to verify HIPAA compliance and complete a security assessment.”
“HIPAA compliance is fundamental to what we do. I'll send our BAA, security assessment, and HIPAA documentation package. We're happy to complete your security questionnaire and have our security team discuss our PHI handling practices directly with yours.”
“Our CISO team needs to complete a full vendor security assessment.”
“We work with many financial institutions and understand the rigor required. I'll send our SOC 2 Type II report, penetration test summary, and security architecture documentation. Should I set up a call between our CISO and your security team?”
“Our security team needs to review the API and integration security.”
“Our APIs are designed with security first. I can share our API security documentation, authentication methods, and encryption standards. Would your team like to do a technical deep-dive with our engineering team?”
Pro Tips
- Build a 'security ready' package: SOC 2 report, security questionnaire, penetration test summary, architecture diagram, data flow diagram. Send it proactively.
- Security teams appreciate vendors who know their stuff. Have technical team members available for security discussions.
- Be honest about what you can and can't do. Security teams smell overselling from a mile away, and it kills trust.
- Some enterprise security reviews can take months. Get started early; don't wait until the business is ready to buy.
- Ask if they have preferred security standards (SOC 2, ISO 27001, FedRAMP). Knowing their framework helps you speak their language.