The CSO is implying that the super user was able to get into the system but did not have access to sensitive data, or at least did not exfiltrate that data. It's possible if their defenses are layered enough. The security model is defense in depth, rather than the "moat" concept of hard on the outside, soft on the inside. Micro-breaches are expected; it's about detecting and mitigating them. I'm not saying the CSO is telling the truth, but that's how you reconcile someone having access to the system without accessing sensitive data.