Nowadays, people know the price of everything and the value of nothing.

— Oscar Wilde

Opportunity

Until your organization can relate cybersecurity activities directly to the value they preserve or create, your budget will be a function of compliance. Business executives need to know that you are thinking about value the way they do. As CISO, it isn't your job to determine the value of the business. In fact, quite the opposite. Determining business value should come from other offices. However, CISOs should use the knowledge presented below to ensure they understand what other execs say about business value. My goal here is to establish a foundation that enables you to immerse yourself in your own company's value creation engines. Then you should leverage that knowledge to drive cybersecurity priorities and investments.

By the time you finish this chapter, I hope you are equipped to more easily:

• Structure and align your thinking to the business,
• Engage others in your company to fully understand the unique ways your company creates value, and
• Identify additional resources that can help you quickly and continuously align your cybersecurity program with the primary value drivers in your business.

We start with an analogy. Real estate is often the most significant investment most individuals make. Likewise, it is through real estate that I have learned the most about value. Early in my life, there were several transitions, each featuring real estate. ...