CISOs/heads of security - when capacity constraints are getting in the way of your goals, do you generally feel comfortable explaining this to your exec team? How do you approach that convo without potentially inviting doubts about your own capabilities?

Internal CXO RelationshipsSecurity & GRC
2k viewscircle icon2 Comments
Sort by:
Chief Information Security Officer in Healthcare and Biotech2 years ago

In our periodic meeting, I always put a small para; about some unknown risk which can hit us and when even I feel any unknown risk looks high and bring to the spotlight.  

Chief Information Security Officer in Software2 years ago

As a CISO or head of security, your role should include managing capacity and communicating effectively with the executive team. When capacity constraints could prevent you from achieving your security goals, it is important to have a candid discussion with your team. It doesn't mean you're incapable, but that there are limitations in resources (i.e., human, technical, financial, etc.) that need to be addressed to achieve a successful outcome. In my experience, everyone is typically working towards the same goal: the success of the organization. Your exec team is there to provide support, and they need your expertise to understand the situation and make informed decisions.

Lightbulb on1

Content you might like

Zoom Video Communications has agreed to pay $85 million to settle a California lawsuit. They have been accused  of improperly sharing customer information with Facebook, Google and LinkedIn and allowing strangers to enter unprotected Zoom meetings in an activity known as "Zoombombing." Have you ever been "zoombombed" in a meeting?

Yes60%

No39%

Which mobile threat vector is most important to your organization’s risk profile right now?

Compromised and vulnerable devices20%

Unsafe networks65%

Malicious and risky applications8%

Phishing5%

View Results

Do you have a lock out policy for system accounts? If so, how many attempts do you have it set too? 

Have you considered not having a lock out policy where accounts are vaulted / rotated & standing access is removed?

As part of our NYSE IPO prep, we’re debating how to communicate our system hardening efforts in regulatory disclosures (e.g., SEC Form 20-F, SFC).

Would you recommend sharing % compliance (e.g., “85% CIS Tier 2”) or sticking to qualitative descriptions of how we identify and mitigate risks? Also, do SFC/ISO 27001 expectations require full ISMS integration, or is a % model acceptable?

We’re preparing for an IPO on the NYSE as a Foreign Private Issuer and evaluating CIS Benchmarks to measure OS and database hardening.

Our proposed tiers:
• Tier 1 (70–80%) baseline
• Tier 2 (85–90%) for sensitive data
• Tier 3 (95–100%) for mission-critical systems

Is 80% compliance defensible for IPO due diligence with SEC or SFC? Should Tier 3 be considered mandatory for critical systems? And can compensating controls (e.g., PAM, microsegmentation) offset gaps in legacy environments?