CHAPTER TWO

Cyber Value: The Value-Centric Approach

A risk management program cannot be considered mature or effective if it can't reliably measure risk. And here's some additional food for thought—which maturity model in our industry accounts for ANY of the points I've discussed in these two posts? None that I'm aware of. They all call for risk measurement and prioritization to take place and then assume that it's going to be done well. Clearly, this is a missed opportunity to fundamentally improve the efficacy of risk management programs.

—Jack Jones, author of the FAIR standard

INTRODUCTION

The previous chapter explained how important it is to ensure that cybersecurity strategy enables business objectives. Now that we assume the organization has a robust cybersecurity strategy, this chapter focuses on articulating the dollar value of mitigating cyber risk, and it also attempts to answer some of the questions raised in the previous chapter. The second foundational precept, cyber value, enables you as a member of the BOD or a C-LE to build on the cybersecurity strategy and have information that helps the BOD and C-LEs hold straightforward discussions, in business language, about dollars. Organizations can now reliably calculate the financial impact of cyber risks such as data breaches, identity theft, and critical infrastructure outages,

As in the previous chapter on cybersecurity strategy, the BOD and C-LEs expect robust cyber risk management that mitigates ...

Get Executive's Guide to Cyber Risk now with the O’Reilly learning platform.
