ABSTRACT

The Board of Directors holds the CISO or the Cyber Risk Manager (if you are fortunate enough to have one) accountable for the effectiveness of the cyber risk program. The CISO is responsible for communicating the useful information that is needed for identifying, prioritizing, resourcing, and budgeting programs that reduce cyber risk. The type of data the Board and Senior Executives need is based upon the organization's industry, regulatory requirements, operating activities, geographic footprint, and cyber risk profile. The CISO is tasked with translating technical and tactical details about cybersecurity into business terms, so that the firm can implement effective strategies, with proper resources and budget, that reduce cyber risk to acceptable levels.

It is important to view cybersecurity strategy through multiple lenses. Cyber touches privacy, audit, legal, regulatory, compliance, etc. Regardless of the maturity of a company, a digital asset approach applies, and it helps the CISO translate difficult information to the business in layperson's terms.

How the CISO approaches the cybersecurity strategy is based on the maturity of the current security program, the business culture of the firm, and the current threats facing the business. Because these factors are different for each organization, we will look at multiple approaches that I have used over the years to create an effective cybersecurity strategy for any organization. This chapter will focus on providing the right data to the Board to build business cases and roadmaps, and on giving the Board what it needs to succeed.