All posts
For CISOs · 9 min read · April 16, 2026

One Monday with Elena: How a CISO Actually Uses Aertous

A narrative walkthrough of a CISO's real Monday, from board prep and auditor emails to vendor renewals and workforce engagement. Including the parts that do not work perfectly yet.


Note: Elena and Vormex are illustrative. The product behaviour described in this story is real.


Elena Vasquez walks into the office at 8:47 AM on a Monday in April. She is the CISO at Vormex, a 400-person fintech operating across the EU and preparing for two things at once: SOC 2 Type II, and genuine compliance with NIS 2. Not the performative kind.

Elena has a board meeting on Thursday. An auditor email landed Friday afternoon asking for control evidence. Her head of engineering wants to know if a vendor renewal is safe to sign. And her team of three has to move the programme forward while handling everything else.

In her old job, Monday morning meant opening five spreadsheets, three dashboards, and her inbox, then stitching together a story. This morning she opens one tab: the Aertous Home page.


8:50 AM. The 30-second read

The Home page does not shout. Three things are at the top of her attention:

  • Security Posture score: 67, up 3 since last week. Under it, one sentence: "Recent work: 2 objectives completed." She notes the objectives: "Implement account lockout and brute force protections" and "Network Security and Systematic Vulnerability Management." Her engineering lead shipped both on Friday. The number moved because the work moved; nobody tuned it.

  • Audit Readiness, three framework rings side by side. SOC 2 is at 84%, Good Shape. ISO 27001 at 71%, In Progress. NIS 2 at 58%, Getting Started. Each framework shows her the #1 thing blocking it: for NIS 2, "7 KPIs missing measurements." The ring tells her the state. The row below tells her the next action.

  • Need Attention, grouped and prioritised. Five groups: 1 risk without objectives, 3 overdue tasks, 1 policy review overdue, 2 at-risk milestones, 1 budget line over pace. Each is a row she can click.

She knows in 30 seconds whether her Monday is a normal Monday or a fire. Today: normal.


9:10 AM. Answering the auditor

The auditor's request is for SOC 2 evidence around access control: "Provide evidence of periodic access reviews, privileged account monitoring, and session termination policy."

She opens the Compliance page, selects SOC 2, and clicks the access control section. Every applicable control is there, and each shows what is linked: the policy that was approved last month with its committee acknowledgement record, the vendor attestation from her IAM provider, the KPI tracking failed-login volume updated three days ago, the security objective whose stages were completed with evidence. Under each control, team members have left @-mentioned notes, including a timestamped one from her engineering lead explaining the MFA rollout.

One control, "Evidence of quarterly access recertification", is flagged with a yellow "needs manual validation" badge. Her IAM provider exports certification data as a PDF, not an API stream, so the most recent quarter's results still have to be linked by hand. Elena drops the PDF in, tags the relevant control, and moves on. It is a 90-second job, and the system remembers that this is where the manual step lives so her team does not hunt for it next quarter.

She exports the evidence bundle and replies to the auditor in under 30 minutes. Not because everything is automated, but because Aertous captures evidence as the work happens, and makes the manual gaps obvious instead of hiding them.


9:45 AM. The risk register, personalized at scale

Elena's programme has 99 risks across the org. Last week her team ran Smart Configure on the risk categories that had been neglected. One click configured 22 Critical and High risks in the Network Security category.

What does "configured" actually mean? Aertous ships with a curated risk library mapped to NIST CSF 2.0, ISO 27001, NIS 2, DORA, and GDPR. About 420 risks, each pre-mapped to the frameworks it satisfies and to a set of recommended security objectives. Smart Configure does not invent anything. For the category Elena selected, it:

  1. Assigns the risk owner she picked from her team to every risk in that category.
  2. Links the existing controls she selected (vendors, policies, KPIs) to each of those risks.
  3. Pulls the recommended security objectives for those specific risks from the library, and creates one per risk with the owner and deadline Elena chose.
  4. Marks each risk as reviewed, so the audit trail records who personalized it and when.

Every action is sourced from the library mappings. Nothing is generated out of thin air. Elena reviews the generated objectives before anything persists; when a recommendation does not fit her environment, she edits or removes it. On Network Security she kept 20 of the 22 generated objectives and removed 2 that were redundant with controls she already had. For Asset Management, the team member who ran it hit Accept as-is on the risks where the library defaults were correct. The system records "Anton accepted defaults on 2026-04-21" without forcing a fake edit.

It is not magic. It is leverage. A week of workshops becomes a forty-five-minute working session, and the CISO still owns every decision.


10:30 AM. The vendor renewal question

Her head of engineering pings her: "CrowdStrike Falcon renews in 60 days, are we safe to roll over?"

She opens the Vendor Hub. CrowdStrike's card shows:

  • Criticality: Critical. Type: MSSP. The categories of data it processes.
  • A 2024 SOC 2 Type II attached; AI-parsed last month, with extracted commitments flagged against her controls. Two gaps were noted: one has been closed, one is still open. A report whose period ended in 2024 is over a year old for a Critical vendor in April 2026, so the renewal is the natural point to request the current-period report or a bridge letter covering the gap.
  • The questionnaire she sent them in January. Completed, reviewed, exportable as a branded Excel.
  • Six risks in her register name CrowdStrike as an existing control. Residual scores on all six have moved down since the vendor was added.

The AI got most of the SOC 2 right, but one section (subservice organisation responsibilities) was flagged for manual review because the language was ambiguous. Elena spends three minutes reading that specific paragraph, confirms it is fine, and clicks "Reviewed." The AI did the heavy lift. The human did the judgement. Both are logged.

She replies: "Safe to renew. The one open gap is operational logging; track via the open milestone on the SOC visibility objective."


11:15 AM. Milestone progress, and one KPI that still lives in a spreadsheet

Her team has been working on the milestone "Complete Asset Inventory and Classification Programme." It has five stages, each weighted. Two are done with approved evidence; one is in review; two have not started. Performance is computed automatically from the stage weights, currently 25%, and the linked risk's residual score reflects that.

The default Kanban view shows only tasks, the ad-hoc operational work. Milestones live in their own tab when she wants to see them, and the primary way to progress a milestone is through its stages on the risk card, where the evidence actually matters.

One KPI, "Phishing simulation click rate", still requires manual entry each month. Her training provider's API integration is on the Aertous roadmap but not shipped yet, so once a month someone on her team reads the provider's dashboard and types the number into Aertous. It is on a calendar reminder. The KPI shows a small "manual entry" badge. When the API is eventually delivered, this disappears. Until then, the friction is visible, honest, and calendared.


2:00 PM. The board slide

Elena has a board meeting Thursday. The CEO wants one slide: "Are we actually safer than we were last quarter?"

She opens the Security Posture trend chart, three months of daily snapshots. The line is up from 58 to 67. She clicks the Score Coach card. The AI reads the current state and gives her a three-paragraph executive narrative:

"Your overall posture has moved from 58 to 67 across the last 90 days. Five security objectives were completed in this window, notably around account lockout and network vulnerability management, and KPI coverage on your cryptography programme is now on target. Two Critical risks remain at the top of your register: DoS/DDoS prevention and Concentration Risk across DORA-regulated vendors. The projected posture if you complete the next two queued milestones is approximately 72 by mid-May."

Importantly, the coach does not claim "the score went up because of these risks." Aertous does not snapshot per-risk deltas, and the system explicitly refuses to invent causation it cannot prove. It states the current state, names the work that actually completed, and gives a projection grounded in the residual-risk reductions the queued milestones are modelled to deliver.

Elena copies three sentences into her slide. She spends the remaining hour on the narrative she cares about: "We cut residual risk exposure by X% this quarter, here is what that bought, here is what we are investing next."


3:45 PM. The workforce signal

A junior engineer in Berlin acknowledges the updated Incident Response Policy. A contractor in Dublin completes their mandatory security awareness training. A product manager in Lisbon flags a third-party tool in the procurement survey that requires a vendor assessment.

None of this passes through Elena. And yet all of it lands in the same ledger her board slide is computed from. The policy acknowledgement closes a line on the Policy Compliance card. The training completion ticks a control under SOC 2 CC1. The procurement flag creates a vendor draft on her TPRM page.

This is the thing most security platforms quietly refuse to do: get past the security team. Aertous assumes the workforce is part of the posture, and gives every employee a personal workspace that feeds the same ground truth the CISO reads. Four hundred people, each doing their small piece, moving one real number.


What Elena would have done without Aertous

  • Monday morning would have been an hour, not thirty seconds.
  • The auditor email would have taken a week, not half an hour.
  • The vendor renewal question would have bounced between two team members for three days.
  • The board slide would have been assembled from four spreadsheets and rounded up.
  • Personalizing 99 risks would have been a quarterly exercise that got deferred.
  • Seventeen people across the org would have no idea their actions changed the security number on the board deck. Because they do not, in most tools.

What makes Aertous different

Most GRC tools stop at documentation. They do not compute reality. They help you produce the artefacts an auditor wants to see: checklists, policies, attestations. What they do not do is measure whether any of it is actually operating. Aertous is built on the opposite bet.

Three things separate it:

1. Posture is a measurement, not a document

Every score on every screen is recomputed from ground truth. KPI readings, verified controls, acknowledged policies, completed milestones, closed vendor assessments: these move the number. Hand-tuning, padding, and "trust me" do not exist as mechanisms. If the number improved, something real improved. If it did not, no amount of paperwork will hide that.

2. One ledger, all the moving parts

Risks, controls, policies, vendors, KPIs, budget, people, and compliance obligations reference the same set of facts. Changing a vendor status updates the risks it mitigates, the frameworks that depend on it, and the budget line it is tied to: consistently, automatically. Most tools stitch this together through CSV exports and quarterly reconciliation meetings.

3. The whole organisation is on the canvas

Every employee has a workspace that feeds the posture measurement. Security stops being something five people do in a corner; it becomes something the whole company contributes to, and the CISO can see exactly whose contribution moved which number. This is what no GRC platform in Elena's category ships today.


The bet, in one line

Security posture should behave like a measurement that moves every day, powered not just by the security team, but by every employee in the organisation, so the number on your board slide is the number you can defend.

Elena closes her laptop at 5:30 PM. She spent her day on three things: answering real questions, making real decisions, and moving the programme forward. She spent zero minutes reconciling spreadsheets, reconstructing evidence, or defending numbers she could not back up.

Not everything in Aertous is automated. One KPI still needs a manual read every month. One control needs a PDF dropped in each quarter. One AI-parsed SOC 2 had a paragraph that needed human judgement. Those frictions are real, and they are visible. Not hidden, not rounded up, not assumed away.

The goal was never a product that does everything. The goal was a product where the number you show is the number you can defend.

That is the difference.

Aertous Team

Written by cybersecurity practitioners building the posture management platform for modern teams.
