Governance & Leadership
How TechAbout is governed — the organization structure, decision rights, and the charters that define what every leader, department head and project lead is responsible for.
Security Leadership (CISO Mandate)
This charter defines the role that leads information security at TechAbout — the Chief Information Security Officer (CISO) mandate. It is written for every employee and leader, and for clients and candidates who want to understand how we take security seriously. It describes the role, not any individual.
Mandate
Security leadership owns TechAbout's information security programme end to end — the policies, the risk decisions, and the response when something goes wrong. The defining feature of this role is independence from delivery pressure. Shipping fast, closing a deal, or pleasing a client can never be allowed to quietly override a genuine security risk. This role exists to make sure the company sees its real exposure clearly and acts on it, even when that is inconvenient. In a small team, the CTO commonly holds this mandate until a dedicated CISO is appointed; the responsibilities below apply regardless of the title on the door.
Core Responsibilities
- Own the security policy set. Maintain and evolve the security, data-protection, and acceptable-use policies that govern how we build and operate.
- Maintain the risk register. Keep a living inventory of security risks, their severity, their owners, and their remediation status — so risk is managed deliberately, not discovered during an incident.
- Lead incident response. Own the incident-response plan, run response when an event occurs, and drive the post-incident review so we learn rather than repeat.
- Run security awareness. Ensure everyone — engineers, delivery, and support — knows how to handle credentials, client data, and phishing, and understands their obligations under Pakistan's Prevention of Electronic Crimes Act 2016 (PECA) and the country's developing data-protection framework.
- Review vendor and client security. Assess the security posture of tools, subprocessors, and partners before we depend on them, and support client security due-diligence for international engagements.
- Report posture to leadership and the board. Give an honest, plain-language account of where we stand — open risks, incidents, and progress — on a regular cadence.
Security is measured by the risks we prevent and contain, not by the releases we approve.
Decision Rights
- Owns: the security policy set, risk-acceptance decisions within agreed thresholds, incident classification and response, and vendor security sign-off.
- Can pause a release. Where a change carries unacceptable, unmitigated risk, this role has the authority to hold a deployment or a launch until the risk is addressed or formally accepted by the appropriate owner.
- Escalates: risk acceptances above agreed thresholds, major incidents, and any conflict between security and commercial priorities — with a direct escalation path to the CEO and the board that no other function can filter or block.
How Success Is Measured
- Time to detect, contain, and recover from incidents — trending down.
- Known high-severity risks tracked, owned, and closing on schedule.
- Security awareness reaching every team member, with phishing resilience improving.
- Client and audit security requirements met on time, with alignment toward standards such as ISO/IEC 27001 and OWASP for the work that warrants them.
Who They Work With
Closely with engineering and delivery (secure-by-design and safe releases), IT/Admin (access and infrastructure), People/HR on joiner-and-leaver access and awareness training, and the CEO and board on posture and material risk. For international clients, this role supports contractual security and privacy commitments, referencing GDPR where relevant.
Boundaries
This role does not own delivery timelines, product roadmaps, or commercial targets — it advises and, where necessary, pauses. It does not provide legal advice; specifics touching PECA 2016, the Protection Against Harassment of Women at the Workplace Act 2010, or data-protection obligations are subject to review by qualified local counsel and current law. It does not handle general HR grievances — route those through Grievance & Complaint Escalation.
While the team is small, one person may currently hold this mandate alongside another role, most often the CTO. The accountability described here stays with the mandate whoever holds it, and a dedicated CISO is appointed as the company grows.
Questions? Contact security@techabout.com (people matters: hr@techabout.com).
Need a role or decision clarified?
Ask the People team if a responsibility, decision right, or reporting line is unclear.