Effective people are not problem-minded; they're opportunity-minded. They feed opportunities and starve problems.

— Stephen R. Covey

Opportunity

This chapter marks the end of Part I of the book. Up to this point, we have reviewed how to read a financial report and equipped you with essential knowledge and vocabulary. We have explored several business strategy tools. Specifically, we reviewed frameworks that decompose a business by examining its business model and value streams. We learned that business decisions often involve uncertainty and are not entirely rational because many psychological factors affect deliberate and snap decisions. Further, we looked at several methods for valuing a business (asset-based, market-based, and discounted cashflow) to help you directly connect the activities you perform inside your cybersecurity program to the value engines of your business. In the process, we showed how important it is to tell compelling stories.

There are a few outstanding concepts we would be remiss to omit. We'll burnish Part I of the book with a review of several cost concepts. Then, we'll illustrate these concepts via the business case. Building a business case is the final, essential skill that will serve as a natural capstone for our discussion on the first pillar of The CISO Evolution, Foundational Business Knowledge.

As I'm writing this, CVE-2021-3156 recently surfaced. If you are not familiar, a heap-based buffer overflow ...