🎴 GRC Engineering Collector Cards: Chief Information Security Officer

The GRC Engineering guide to CISOs: strategic alignment, board communication, synthesizing risk data, and going beyond sales enablement. Moving from audit prep to security strategy.


CARD 004: CISO

You've collected Product Managers (who decide what gets built), Security Engineers (who reduce threats), and Software Engineers (who build it). Now meet the CISO - the person who sets security strategy, controls the budget, and answers to the board.

This is the relationship that determines whether your GRC programme is a strategic security function or a sales enablement cost centre.

Let's collect Card 004. 🎴


🪪 Core Identity

Role: Chief Information Security Officer (CISO)
Department: Security / Information Security
Reports To: CEO, Board of Directors (sometimes CTO or CFO)
Key Metric: Security incidents prevented, board confidence, audit outcomes, security programme maturity, team retention

💭 What They Actually Care About

  • Board confidence and risk communication - Quarterly questions: "What's our cyber risk? Could we be the next headline?" CISOs translate technical security into business language. Need risk trajectory, not compliance percentages.

  • Budget optimization across competing priorities - Every pound for GRC is a pound not spent on SOC analysts or threat intelligence. Constant trade-offs. Each team must justify value in security outcomes, not compliance outputs.

  • Building and retaining high-performing teams - When GRC creates compliance theatre frustrating technical teams, it becomes CISO's retention problem.

  • Strategic risk prioritization from threat landscape - "Credential attacks up 40%, need zero-trust." Audit-driven compliance disconnected from active threats feels arbitrary.

  • Enabling business growth whilst managing risk - Security enables M&A, expansion, scaling. Measured on business outcomes enabled, not just breaches prevented.

  • Company valuation and M&A positioning - Security posture impacts valuation. Due diligence findings kill deals. CISOs view security as business asset.

GRC-Specific:

  • GRC should be CISO's most strategic partner (only team with breadth across security domains), not audit preparation service disappearing between certifications.

⚡ How GRC Intersects Their World

GRC enters the CISO's world during board preparation, budget planning, when sister security teams complain about GRC not collaborating, or when GRC requests headcount without demonstrating security impact.

When GRC Becomes Their Problem

Scenario 1: GRC Operating in Compliance Silo

AppSec team needed GRC support to get developers implementing comprehensive logging for threat detection. Not tied to any control requirement, just necessary for security operations. Engineering was pushing back. AppSec asked GRC: "Can you help make the case this logging is necessary?"

GRC declined: "This isn't a control requirement for our audit scope. We focus on audit readiness. This is your initiative."

AppSec fought alone, lost credibility with Engineering. Escalated to CISO: "We needed GRC as organizational weight. They wouldn't help because it wasn't compliance-driven."

CISO's reaction: "I've got AppSec, SecOps, and GRC. They don't collaborate. GRC only shows up for audits, then disappears. This creates organizational friction I have to manage instead of focusing on risk reduction."

Lesson: GRC teams reporting to CISO must support sister security teams proactively, not just during audit cycles. Your compliance expertise should enable AppSec, SecOps, and Infrastructure Security even when initiatives aren't driven by control requirements. When security teams complain to CISO about GRC not helping, you've damaged strategic positioning.

Scenario 2: Sales Enablement Trap (The Certification Treadmill)

GRC team's quarterly updates to CISO followed a pattern over 18 months:

  • Q1: "Achieved SOC 2 Type 2. Sales can pursue enterprise customers."

  • Q2: "Completed ISO 27001. Unblocks European expansion."

  • Q3: "Pursuing HIPAA for healthcare vertical."

  • Q4: "Starting ISO 27701 for privacy. Opens new markets."

Every conversation centred on certifications enabling Sales to enter markets or close deals.

After 18 months and four certifications, GRC requested 40% budget increase: additional programme manager and GRC platform upgrade to handle growing certification portfolio.

CISO's response: "What have you done for actual security posture? You measure success in certificates that enable Sales, not improvements that reduce risk. Every certification is table stakes. Once we have it, maintaining it is overhead. You haven't shown strategic security value."

Budget denied. CISO allocated GRC's requested budget to Security Operations instead. Told VP Sales: "Compliance is sales enablement expense. If Sales needs ISO 27701 for European deals, Sales budget can fund the GRC headcount."

The underlying issue: GRC positioned as sales support (unlocking deals) rather than security strategy (reducing risk). When budget tightened, CISO chose threat reduction over certification collection.

Lesson: Certifications are table stakes that unlock markets, but from CISO's perspective they're not strategic security achievements. Demonstrating value purely through compliance programmes positions you as sales support. CISOs fund teams that measurably reduce risk. Frame work in security impact (reduced attack surface, improved control effectiveness, faster incident detection) not compliance outputs (certifications achieved, audits passed). If quarterly updates focus on enabling Sales rather than strengthening security, you'll get defunded when budget pressure increases.

Scenario 3: Wrong Abstraction Layer (The Stale Data Problem)

GRC team was ONLY function with visibility into all security domains: Application Security, Infrastructure Security, Corporate Security, Security Operations, Privacy. Should be CISO's most strategic partner for board reporting because they see everything.

CISO preparing quarterly board deck needed consolidated security posture. Asked GRC for dashboard.

GRC provided control compliance percentages: "SOC 2: 96% implemented. ISO 27001: 89% active. CIS Top 18: 94% deployed."

CISO's reaction: "This data is stale. Updated only for audits. Doesn't tell me actual security posture or risk concentration. Can't present this to board. They'll ask 'what's our biggest risk?' and '96% compliant' isn't an answer."

What CISO actually did:

Built own dashboard pulling from AppSec vulnerability scanner, InfraSec cloud security posture, CorpSec endpoint data, SecOps SIEM metrics. Bypassed GRC entirely.

The missed opportunity:

GRC could synthesize cross-domain insights: "34% of critical vulnerabilities concentrated in payments infrastructure, driven by technical debt in legacy APIs. SecOps seeing reconnaissance targeting payment endpoints, suggesting threat actor interest. Recommend board discussion on payments modernization investment to reduce concentration risk."

Instead, GRC reported: "Application security controls 94% compliant."

Lesson: GRC's unique organizational position - breadth across all security domains - is wasted if you only report compliance percentages. CISOs need synthesized risk intelligence at strategic abstraction layer for board communication, not control metrics. Your data should be continuous and actionable (like Security Operations' threat intelligence), not stale annual snapshots. If CISO builds dashboards bypassing GRC, you've failed to leverage your strategic advantage.
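The cross-domain synthesis described in the missed-opportunity paragraph above, as an added worked example (this is not the newsletter's code, nor any GRC platform's API). It assumes each team's findings are tagged with the business domain of the affected asset and that SecOps can export a count of reconnaissance alerts per domain; every record below is constructed sample data. The output is the kind of board item the scenario wants GRC to produce instead of "94% compliant".

```python
"""Cross-domain risk synthesis for board reporting.

Combines AppSec and InfraSec findings with a SecOps signal to find where risk
is concentrated, then writes the board-level narrative. Added example; all
data is constructed, and the domain tagging is a hypothetical convention.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str     # security team that raised it: "appsec" or "infrasec"
    domain: str     # business system the asset belongs to (hypothetical tag)
    severity: str   # "critical", "high", "medium" or "low"
    age_days: int   # days the finding has been open


# Constructed sample of what a GRC platform might pull from each team's tooling.
FINDINGS = [
    Finding("appsec",   "payments",       "critical", 45),
    Finding("appsec",   "payments",       "critical", 60),
    Finding("infrasec", "payments",       "critical", 12),
    Finding("appsec",   "payments",       "high",     20),
    Finding("appsec",   "identity",       "critical", 5),
    Finding("infrasec", "identity",       "high",     9),
    Finding("infrasec", "data-platform",  "critical", 30),
    Finding("appsec",   "marketing-site", "medium",   3),
    Finding("appsec",   "marketing-site", "high",     8),
    Finding("infrasec", "data-platform",  "medium",   7),
]

# Constructed SecOps signal: reconnaissance alerts per domain over the last 30 days.
RECON_ALERTS = {"payments": 14, "identity": 2, "data-platform": 0, "marketing-site": 6}


def concentration(findings, severity="critical"):
    """Share (0..1) of findings at the given severity held by each domain."""
    counts = Counter(f.domain for f in findings if f.severity == severity)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {domain: n / total for domain, n in counts.items()}


def corroborated_domains(findings):
    """Domains where more than one security team reports findings."""
    teams = defaultdict(set)
    for f in findings:
        teams[f.domain].add(f.source)
    return {d: sorted(t) for d, t in teams.items() if len(t) > 1}


def synthesize(findings, recon_alerts, concentration_threshold=0.3, recon_threshold=5):
    """Rank domains by combined evidence: concentration of criticals, corroboration
    by several teams, and attacker interest. A domain with two or more of these
    becomes a board item."""
    share_by_domain = concentration(findings)
    corroborated = corroborated_domains(findings)
    rows = []
    for domain in sorted({f.domain for f in findings}):
        share = share_by_domain.get(domain, 0.0)
        recon = recon_alerts.get(domain, 0)
        reasons = []
        if share >= concentration_threshold:
            reasons.append(f"{share:.0%} of critical findings")
        if domain in corroborated:
            reasons.append("reported by " + " and ".join(corroborated[domain]))
        if recon >= recon_threshold:
            reasons.append(f"{recon} reconnaissance alerts in 30 days")
        oldest = max((f.age_days for f in findings
                      if f.domain == domain and f.severity == "critical"), default=0)
        rows.append({
            "domain": domain,
            "critical_share": share,
            "recon_alerts": recon,
            "oldest_critical_days": oldest,
            "reasons": reasons,
            "board_item": len(reasons) >= 2,
        })
    rows.sort(key=lambda r: (r["board_item"], r["critical_share"], r["recon_alerts"]),
              reverse=True)
    return rows


def board_summary(rows):
    """One line per board item, in the language the scenario calls for."""
    lines = [
        f"{r['domain']}: {'; '.join(r['reasons'])}; oldest open critical "
        f"{r['oldest_critical_days']} days. Recommend board discussion on "
        f"investment to reduce concentration risk."
        for r in rows if r["board_item"]
    ]
    if not lines:
        lines.append("No domain meets the board-escalation criteria this period.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(board_summary(synthesize(FINDINGS, RECON_ALERTS)))
```

The thresholds are deliberately parameters: the point is that the escalation rule is explicit and repeatable every period, so the CISO gets a continuous feed rather than a number refreshed once a year for the auditors. The same functions run unchanged when a domain has no critical findings or no recon signal, and return a "nothing to escalate" line rather than failing.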

📅 Key Milestones in Their Calendar

  • Q1 (January-March): Annual security strategy finalized. Budget allocated. Post-holiday incidents often spike. New year objectives communicated.

    • GRC insight: CISO evaluates last year's GRC performance. If you underdelivered or overconsumed budget, Q1 is when trust erodes. Come with security impact metrics showing value delivered.

  • Q2 (April-June): Execution quarter. Board meeting mid-quarter. Audit season peaks (ISO renewals, SOC 2 cycles).

    • GRC insight: Don't let audit prep consume all CISO bandwidth. If every interaction is audit-related, you're reinforcing compliance theatre perception.

  • Q3 (July-September): Mid-year course corrections. CISO forming 2026 budget requests.

    • GRC insight: Q3 is your window to influence next year's GRC budget. Begin conversations NOW with business cases showing security impact and ROI.

  • Q4 (October-December): Year-end push. 2026 security strategy development. Budget battles across security teams.

    • GRC insight: CISO decides 2026 GRC budget now. Come with clear roadmap showing: security outcomes you'll deliver, resource requirements, how you'll measure success in risk reduction terms.

  • Board Meetings (Quarterly/Monthly): CISOs prepare extensively. Board asks: What's our biggest risk? Could we be the next headline? What's your confidence level?

    • GRC insight: Help CISO prepare board materials with synthesized risk intelligence, not compliance percentages.


🤝 Critical Meetings They Run

Weekly: Security leadership team, incident review, 1:1s with direct reports, executive leadership meeting

Monthly: Security metrics review, board prep (if monthly cadence), budget variance, vendor management

Quarterly: Board security presentation (biggest time investment), OKR reviews, security strategy refresh, audit readiness discussions

Annually: Security strategy development, budget planning, programme maturity assessment, compensation reviews, external penetration test reviews

GRC insight: Don't create additional meetings unless necessary. Embed into existing leadership meetings or request async input. Provide written briefs with recommendations.

🌐 Their Key Stakeholders

Upstream: Board (Audit Committee), CEO, sometimes CFO/CTO, external auditors, cyber insurance providers

Downstream: AppSec, Infrastructure Security, Security Operations, GRC/Compliance, Corporate Security, Privacy, IAM

Peers: CFO (budget), CTO/VP Engineering (security requirements), General Counsel (regulatory), VP Sales (customer requirements), VP Product, HR

External: Security vendors, peer CISOs, industry groups (ISACs), security researchers

Critical note: CISO translates between board-level risk language and technical security execution. GRC should help with this translation, not add to burden by only speaking in compliance frameworks.

🏆 What Success Looks Like to Them

Short-term (this quarter):

No security incidents reaching board awareness. Audit findings within acceptable range. Team retention stable. Budget on track. Quarterly board presentation delivered confidently.

Medium-term (this year):

Security programme maturity measurably improved. Board confidence increased. Key initiatives delivered on schedule. Security hiring completed. Major investments showing ROI.

Long-term (career):

Company avoids major breach damaging brand. Security programme enables business growth: M&A without blockers, expansion with compliance, enterprise adoption increased. Built high-performing organization with low attrition. Industry recognition. Potentially CISO at larger company or Board role.

💬 How to Start the Conversation

Opening That Works:

"I want GRC to be your most strategic partner, not just audit preparation. We're the only team with visibility across all security domains. I'd like to transform how we deliver value: from annual compliance snapshots to continuous risk intelligence helping you communicate to board and prioritize investments. Can we align our 2026 roadmap with your strategic priorities?"

Frame GRC As:

Board communication enabler: "We synthesize insights from AppSec, InfraSec, SecOps into strategic risk narrative showing risk trajectory, concentration areas, investment recommendations. Transform compliance percentages into risk intelligence."

Security budget force multiplier: "We help get security initiatives funded by translating technical needs into business risk language CFO and CEO approve. Build business cases showing ROI, risk reduction, and compliance coverage simultaneously."

Strategic partner, not sales enablement: "Yes, certifications enable market expansion. But primary value is strengthening security posture measurably. Sales benefits are secondary outcome, not primary mission."

Cross-functional coordinator: "We connect initiatives across teams. When AppSec identifies vulnerability pattern, InfraSec has cloud misconfiguration in same area, and SecOps sees reconnaissance, we synthesize: 'payments infrastructure requires board investment discussion.'"

Avoid Saying:

"We need your approval for this audit finding response" (positioning as subordinate seeking permission)

"Can you attend this 2-hour audit meeting?" (consuming executive time for operational compliance)

"We're pursuing ISO 27001 to help Sales close deals" (reinforcing sales enablement positioning)

"This is required for compliance" (without explaining actual risk or business value)

"We need bigger budget for GRC platform and headcount" (without quantifying security impact and ROI)

🚩 Red Flags (When They'll Resist GRC)

| Trigger | Wrong Approach | Right Approach |
|---|---|---|
| Operating independently | Purchase platform, select frameworks without CISO input | "Here's draft 2026 GRC strategy aligned with your priorities. Where should we adjust?" |
| Budget without ROI | "Need £200K for platform plus 2 FTEs for certifications" | "£200K investment delivers: continuous monitoring, 40% audit prep reduction, real-time control dashboard for SecOps" |
| Sales enablement | "Achieved SOC 2, ISO 27001, HIPAA. Now pursuing ISO 27701 for Europe" | "60% compliance automated, freed capacity for continuous monitoring. SecOps now has control effectiveness dashboard" |
| Stale data | "96% SOC 2 controls implemented" | "Critical risk in legacy payments API. SecOps seeing reconnaissance. Recommend board discussion on modernization" |

Trigger #1: Operating Without Strategic Input

GRC makes major decisions autonomously: selects ISO 27001, purchases £150K platform, implements audit programme without CISO involvement.

How to defuse: Major decisions require CISO approval before execution. Present business case with alignment to strategic priorities.

Trigger #2: Budget Without Security Impact

GRC requests 40% increase for "growing compliance burden" and "maintaining certifications." No mention of security improvements.

How to defuse: Frame in security impact and ROI. Show continuous monitoring, audit prep reduction freeing teams, consolidated risk dashboard, reduced overhead.

Trigger #3: Sales Enablement Positioning

Every update focuses on certifications unlocking markets, customer questionnaires completed. No security posture improvements discussed.

How to defuse: Lead with security impact, mention compliance as secondary. Position certifications as side-effect of strong security, not primary mission.

🧠 Their Mindset & Philosophy

Core Beliefs

  • Security is business enabler, not cost centre.

  • Risk quantified for executive decisions.

  • Threat landscape drives strategy, compliance follows.

  • Continuous monitoring beats annual snapshots.

  • Team collaboration directly impacts security outcomes.

  • Budget always constrained.

Daily Frustrations

  • Board asking questions nobody can answer confidently.

  • Security teams not collaborating or competing for resources.

  • Compliance requirements appearing last minute.

  • Security incidents escalating to board before CISO aware.

  • Expensive tools with low adoption.

  • Talented people leaving due to burnout.

What Motivates Them

  • Successfully preventing breach that could destroy company.

  • Security programme recognized as competitive advantage.

  • Building organization others want to join.

  • Board confidence and trust in security leadership.

  • Enabling business growth through security maturity.

  • Industry recognition and peer respect.

🗣️ The Language They Speak

Phrases CISOs Use:

"What's our risk appetite here?" (How much risk will board accept?)

"How does this affect our board narrative?" (What story do we tell about security posture?)

"What's the total cost of ownership over 3 years?" (Not just purchase price - implementation, maintenance, team time)

"Is this a fiduciary risk?" (Legal liability for board members or executives?)

"How do we quantify this for board?" (Translate to financial impact, customer trust, regulatory consequences)

"What's our cyber insurance position?" (Will this trigger claim? Coverage? Premium impact?)

Translation Guide:

Instead of: "We need to implement control AC-2.17 for SOC 2 compliance"
Say: "SOC 2 finding AC-2.17 indicates logging gaps in authentication. Creates two risks: £300K potential GDPR fine if breach occurs, and three enterprise deals worth £5M blocked on SOC 2 completion. Remediation: 4 weeks, £50K cost. ROI is 100x in prevented fines and enabled revenue."

Instead of: "Annual penetration test required for compliance"
Say: "Shift from annual pen test to continuous security validation: quarterly targeted assessments focusing on highest-risk areas plus ongoing bug bounty. Same budget, distributed across four assessments. Benefits: earlier vulnerability detection, continuous board assurance, maintains SOC 2/ISO coverage."

Instead of: "GRC needs £200K budget increase for platform and additional headcount"
Say: "Platform upgrade automates 70% of evidence collection through API integrations. Investment: £150K platform, £50K implementation. ROI: saves 1,008 hours annually (£75,600), reduces audit prep from 6 weeks to 2 weeks, enables continuous control monitoring for board, provides SecOps real-time control dashboard. Payback: 14 months. Additional headcount not required due to automation."

Instead of: "We completed ISO 27001 and ISO 27701 certifications this quarter"
Say: "Q2 improvements: implemented continuous monitoring across 18 critical controls, detected 12 control failures before they became incidents. Automated 60% of evidence collection. Identified vulnerability concentration in payments infrastructure through cross-domain analysis, elevated to board. Reduced audit readiness from 6 weeks to 10 days. Maintained SOC 2, achieved ISO 27001/27701 with 40% less team time than previous year."

Instead of: "Audit identified 15 findings requiring remediation"
Say: "15 findings identified. Recommend: close 3 critical immediately (authentication logging gaps, actual security risk, 2 weeks, £30K). Close 5 medium over next quarter (documentation, low impact). Risk-accept 7 low findings (£100K to fix for minimal benefit, auditors confirmed acceptance viable). Board memo explaining rationale and residual risk quantification (£20K maximum exposure)."

🎴 Key Takeaways

  • Be strategic security partner, not sales enablement - Lead with security impact and risk reduction, not certifications achieved. Frame updates in threat reduction, control effectiveness improvements, security posture measurability. CISOs fund teams that strengthen security, not collect certificates.

  • Transform compliance data into continuous risk intelligence - Use your unique position (breadth across security domains) to synthesize cross-domain insights for board communication. CISOs need: "Where is risk concentrated? What's the trend? What requires board investment?" Not control compliance percentages. Continuous monitoring serving both audit and security operations.

  • Support sister security teams proactively, not just during audits - When AppSec, SecOps, or Infrastructure Security need organizational weight for security initiatives, provide compliance expertise and business case support even when not tied to controls. GRC operating in silo creates friction CISO must manage, damaging your positioning. Collaborative security is force multiplier. Siloed compliance gets defunded.

That’s all for this week’s issue, folks!

See you next week!
