What do you do when business unit leaders push back on your SOC’s recommendations?

CEO in Services (non-Government), 2 years ago

From a business perspective, list the risks of non-compliance/not making necessary investments in layperson terms and the ROI of any required investments. Using Ponemon 2022 as your reference, quantify the risk in terms of lost revenue ($4.35M average) and the financial impacts on margins, earnings, stock price, bonuses, etc. Present a risk reduction business case vs. what may be perceived as overbuilding/overreach.

CIO / Managing Partner in Manufacturing, 2 years ago

Ensure the risk is clearly defined in business terms: the likely loss of business, reputational damage, etc.

Listen to their concerns and discuss them.

CIO in Services (non-Government), 2 years ago

Remind them of their responsibility to keep patient data safe and secure, and then reiterate the COST in dollars and to reputation of any breach, not to mention how it reflects on them as the leaders of our organization. Regulatory consequences for us (HIPAA, GDPR) are severe.

C-PIO in Software, 2 years ago

Listen. Then explain that it is a shared responsibility. Appeal to corporate governance: we are all in this together.
