r/ciso

▲ 5 r/ciso

For permission reduction, do you care more about IAM user/role or DB user as the more useful unit?

I’m working on a permission reduction problem right now for non-human identities and getting stuck on the question: what’s the better unit to actually reduce against, IAM role/user or DB user/service credentials?

IAM is where a lot of permissioning starts, but DB user often feels closer to the real blast radius. On the other hand, shared DB users can make that messy.

Curious how people here actually do it in production:

  • Where do you start?
  • What do app owners/security teams find more actionable?
  • What gives you better evidence to reduce safely?

Would love concrete examples rather than theory.

reddit.com
u/CommandMaximum6200 — 6 days ago
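One way to make the "better evidence" question concrete is to compute reduction candidates from usage evidence at both layers and see where the two disagree. The script below is an added example, not code from the thread or from any product: it treats each unit (IAM role, DB user) as "granted minus observed" and, for DB users shared by several roles, breaks the observed usage down per calling app so a split can be planned. Every input is constructed: the IAM role data is a hypothetical shape loosely modelled on "last accessed" style reports, the audit-log line format (`user=… app=… stmt=…`) is invented for the example, and the SQL-to-table parsing is a deliberately simple regex that only handles single-table SELECT/INSERT/UPDATE/DELETE statements.

```python
"""Evidence-driven permission reduction per IAM role and per DB user (constructed data)."""
import re
from collections import defaultdict

# Constructed IAM side (hypothetical shape, not a real API response): for each role,
# the actions its policy allows, the actions observed in the review window, and the
# DB credential the role fetches. Note that two roles share the same DB user.
IAM_ROLES = {
    "svc-orders": {
        "allowed": {"rds-db:connect", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "secretsmanager:GetSecretValue"},
        "used": {"rds-db:connect", "s3:GetObject", "secretsmanager:GetSecretValue"},
        "db_user": "app_rw",
    },
    "svc-reports": {
        "allowed": {"rds-db:connect", "s3:GetObject", "secretsmanager:GetSecretValue", "iam:PassRole"},
        "used": {"rds-db:connect", "s3:GetObject", "secretsmanager:GetSecretValue"},
        "db_user": "app_rw",  # shared credential with svc-orders
    },
    "svc-billing": {
        "allowed": {"rds-db:connect", "secretsmanager:GetSecretValue", "sqs:SendMessage"},
        "used": {"rds-db:connect", "secretsmanager:GetSecretValue", "sqs:SendMessage"},
        "db_user": "billing",
    },
}

# Constructed DB grants: db_user -> table -> privileges.
DB_GRANTS = {
    "app_rw": {"orders": {"SELECT", "INSERT", "UPDATE", "DELETE"},
               "customers": {"SELECT", "UPDATE", "DELETE"},
               "reports": {"SELECT"}},
    "billing": {"invoices": {"SELECT", "INSERT"}, "customers": {"SELECT", "DELETE"}},
}

# Constructed DB audit log in an invented format: "<ts> user=<db_user> app=<role> stmt=<SQL>".
DB_AUDIT_LOG = """\
2024-05-01T10:00:01Z user=app_rw app=svc-orders stmt=INSERT INTO orders (id, total) VALUES (1, 10)
2024-05-01T10:00:02Z user=app_rw app=svc-orders stmt=UPDATE orders SET total = 12 WHERE id = 1
2024-05-01T10:00:03Z user=app_rw app=svc-orders stmt=SELECT * FROM customers WHERE id = 7
2024-05-01T10:05:00Z user=app_rw app=svc-reports stmt=SELECT count(*) FROM orders
2024-05-01T10:05:01Z user=app_rw app=svc-reports stmt=SELECT * FROM reports
2024-05-01T11:00:00Z user=billing app=svc-billing stmt=INSERT INTO invoices (id) VALUES (3)
2024-05-01T11:00:01Z user=billing app=svc-billing stmt=SELECT * FROM customers WHERE id = 7
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) stmt=(?P<sql>.+)$")
# Simplified single-table extraction per statement verb (example-only, not a SQL parser).
TABLE_RE = {
    "SELECT": re.compile(r"\bFROM\s+(\w+)", re.I),
    "DELETE": re.compile(r"\bFROM\s+(\w+)", re.I),
    "INSERT": re.compile(r"\bINTO\s+(\w+)", re.I),
    "UPDATE": re.compile(r"^UPDATE\s+(\w+)", re.I),
}


def parse_audit_log(text):
    """Return (db_user, app, table, privilege) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sql = m.group("sql").strip()
        verb = sql.split(None, 1)[0].upper()
        table_re = TABLE_RE.get(verb)
        t = table_re.search(sql) if table_re else None
        if t:
            events.append((m.group("user"), m.group("app"), t.group(1).lower(), verb))
    return events


def iam_unused_actions(roles):
    """IAM-level reduction candidates: allowed actions never observed in use."""
    return {name: r["allowed"] - r["used"] for name, r in roles.items()}


def db_unused_privileges(grants, events):
    """DB-level reduction candidates: granted (table, privilege) pairs never observed."""
    used = defaultdict(set)
    for user, _app, table, priv in events:
        used[user].add((table, priv))
    granted = {u: {(t, p) for t, ps in tables.items() for p in ps} for u, tables in grants.items()}
    return {u: g - used[u] for u, g in granted.items()}


def db_user_to_roles(roles):
    """Which IAM roles sit behind each DB user; more than one means shared credentials."""
    m = defaultdict(list)
    for name, r in roles.items():
        m[r["db_user"]].append(name)
    return {u: sorted(rs) for u, rs in m.items()}


def per_app_db_usage(events):
    """Observed (table, privilege) pairs per calling app: the evidence for splitting a shared user."""
    usage = defaultdict(set)
    for _user, app, table, priv in events:
        usage[app].add((table, priv))
    return dict(usage)


if __name__ == "__main__":
    evs = parse_audit_log(DB_AUDIT_LOG)
    print("IAM unused actions:", iam_unused_actions(IAM_ROLES))
    print("DB unused privileges:", db_unused_privileges(DB_GRANTS, evs))
    for db_user, roles in db_user_to_roles(IAM_ROLES).items():
        if len(roles) > 1:
            print(f"shared DB user {db_user} used by {roles}; per-app needs:",
                  {r: per_app_db_usage(evs).get(r, set()) for r in roles})
```

On the constructed data the IAM view says `svc-orders` can drop `s3:PutObject`/`s3:DeleteObject` and `svc-reports` can drop `iam:PassRole`, while the DB view says `app_rw` never uses `DELETE` on `orders` or `UPDATE`/`DELETE` on `customers`. The DB-level cut is the one that actually shrinks blast radius, but because `app_rw` is shared, the per-app breakdown is what tells you that `svc-reports` only needs `SELECT` on `orders` and `reports`, which is the evidence you need before splitting the credential rather than just trimming it.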
▲ 5 r/ciso+1 crossposts

Running a 24/7 SOC in-house? The economics are getting brutal (why teams are shifting to hybrid)

If you're still running a full 24/7 SOC entirely in-house, the math is probably working against you right now.

Came across a recent Economic Times report that put things into perspective:

India’s share of global SOC-as-a-service revenue is projected to grow from ~5% to 20%.

That’s not just growth; that’s a shift in how security is being built and funded.

What’s causing it?

  • Salaries for skilled threat hunters are skyrocketing
  • Building and maintaining an AI-driven SOC stack requires heavy upfront investment
  • Burnout from 24/7 monitoring is real

So teams are stuck between rising costs and operational pressure.

What we’re seeing more teams adopt is a hybrid SOC model:

  • Offload high-volume work (24/7 monitoring, alert triage, pentesting)
  • Keep incident response, business context, and decision-making in-house

It turns security from a high fixed cost into a more predictable operational model without giving up control.

Not saying in-house is dead. But doing everything in-house is getting harder to justify.

Curious how others here are handling it:

  • Fully in-house?
  • Outsourced/MSSP?
  • Hybrid model?

What’s actually working for you right now?

economictimes.indiatimes.com
u/Neat_Grass_6123 — 5 days ago
▲ 21 r/ciso+1 crossposts

EU AI Act enforcement hits August 2026 — what are mid-market companies actually doing to prepare?

Curious what people are seeing in the field. Most companies I've spoken with fall into three buckets:

  1. Unaware — don't realize the Act applies to them even if they have EU customers or operations
  2. Aware but paralyzed — know they need to do something but don't know where to start
  3. Spreadsheet governance — tracking AI tools in Excel and hoping that's enough

The practical starting point that seems to work is a proper AI inventory — just knowing what AI systems you have, what data they touch, and who owns them. That alone gets you 40% of the way there.

NIST AI RMF is the cleanest US-friendly framework to structure around. The four functions — Govern, Map, Measure, Manage — map reasonably well to EU AI Act requirements too.

What are you seeing? Anyone found tools or approaches that actually work at mid-market scale without requiring a six-month consulting engagement?

reddit.com
u/GovixFounder — 9 days ago