5 Assessments

The journey from risk appetite to security operations is complicated and thus often plagued with loose ends that may create gaps in compliance with enterprise policy as well as industry and regulatory standards. Therefore, a CISO should have some kind of feedback loop that provides assurance that the cybersecurity policies, processes, standards, and procedures (PPSP) have actually produced the reduction of risk to within appetite that the policy was designed to achieve. In some organizations, this assurance is achieved with a formal risk assessment led by the CRO, in which each business process owner compares their own operations to the enterprise PPSP. Because it is performed by the organization under review, this is referred to as a Risk and Control Self Assessment (RCSA). Organizations may also conduct or contract regulatory and/or best‐practice assessments that compare their cybersecurity program to well‐defined standards such as HIPAA or the NIST CSF. Another assessment methodology is a “pentest,” an amalgam of the words “penetration” and “test.” It is a test performed by cybersecurity professionals trained in the tactics of threat actors. They scan enterprise systems for vulnerabilities in public‐facing sites and, if any are found, exploit the vulnerability to gain access to internal systems; that is, to penetrate them. A more formal assessment is one performed by independent evaluators who analyze risk in the context of the PPSP and also collect tangible artifacts of the cybersecurity program to identify ...
