What do you do when business unit leaders push back on your SOC’s recommendations?

1k views · 4 comments
CEO in Services (non-Government), 3 years ago

From a business perspective, list the risks of non-compliance/not making necessary investments in layperson terms and the ROI of any required investments. Using Ponemon 2022 as your reference, quantify the risk in terms of lost revenue ($4.35M average) and the impacts financially on margins, earnings, stock price, bonuses, etc. Present a risk reduction business case vs. what may be perceived as overbuilding/overreach.

CIO / Managing Partner in Manufacturing, 3 years ago

Ensure the risk is clearly defined in business terms, the likely loss of business, reputational damage etc.

Listen to their concerns and discuss them.

CIO in Services (non-Government), 3 years ago

Remind them of their responsibility to keep patient data safe and secure, and then reiterate the COST in dollars and to reputation of any breach, not to mention how it reflects on them as the leaders of our organization. Regulatory consequences for us (HIPAA, GDPR) are severe.

C-PIO in Software, 3 years ago

Listen. Then explain it is a shared responsibility. Appeal to corporate governance that we are all in this together. 
