• By focusing on the Crown Jewels of the organization and adding robust security intelligence about real threats the appropriate metrics and measurements can be defined that enable a superior cyber security governance and decision-making framework.
• In many industry verticals now, good cyber security is considered “table stakes” but truly focused cyber security excellence is used as a business differentiator for many, and can provide business competitive advantage, which drives customer and employee trust.
• Cyber attacks are a business with typical business goals, understanding and monitoring these trends and changes is instructive for managing cyber security business risk. Measure risk by business unit in your framework.
• Build security metrics and performance dashboard based on crown jewels protection and business priorities, not IT activity.
• Most poor security circumstances are a result from a business decision made, either with or without risk understanding. Bring transparency to those business decisions and ensure the risk taken on aligns with executive guidance. Track decision-making performance versus risk over time.
• Track and measure risk creation and expected mitigation by the leader, align expected risk resource allocation and results to performance pay metrics.
• Disconnect from the idea that security tools by themselves will solve your problems, you need good processes, policies, communication, and aware employees and contractors to create an environment where security tools can create their value.
• Security capabilities are created every day that can greatly reduce business cyber risk but are rarely implemented because innovation dollars are assigned elsewhere, and risk strategy is stuck in traditional thinking. Real expertise can break the logjam.
• Much of the industry is, not surprising, invested in just selling you more……. recognize what this is and ensure your spend decisions are actually reducing risk specific to what matters the most. 

• Boards should engage and take an active role in cyber security governance: The expectations of private and public board members in governing cyber security risks in under more scrutiny and legal and personal liability benchmarks are evolving.
• Disengaging cyber security from compliance requirements reporting is critical in understanding cause and effect in cyber security.
• Cyber security is a business issue, not IT, embed cyber security deep into the business and the protection of the business crown jewels.
• Boards should focus on getting the right metrics reported to them that clearly articulate cyber risks to business priorities in business context, they should reject tactical conversations.
• Disconnect traditional funding models from Cyber Security conversations, establish how much risk is acceptable and the risk/threats brought on by business decisions, then align strategies to those decisions or accept the new risks. Doing nothing delivers the latter.
• Spend the time to get advanced security threat intelligence that can refine your understanding of the real risks that face your specific organization, inform the right security strategy, and enable the business to act boldly where risk is low.
• Leaving cyber security to IT, sticking cyber security in the audit committee purview, and giving the topic 10 minutes on a quarterly management agenda pretty much ensures you will be a victim – that may sound blunt but its backed by a lot of hacking incident data.
• You do not have to spend a fortune to protect what is important to your organization – you would be surprised how much inefficient and ineffective security spend exists inside organizations, but strategy and clear tone from the top will be needed to break log jams when trade offs need to be made.
• Business strategy dogma often creates business plans without cyber security considered, then the business complains cyber security says no or is in the way – solution, put them in the total conversation so they can ensure they find the safe way on how to achieve the business goals.

• The number one reason why cyber security programs fail is the business is misaligned or completely missing cyber security strategy.
• How much you spend on cyber security does not reflect the level of your protection, it is how and what you focus on and the expertise it is executed with.
• The amount others spend does not inform your comparative protection with others’ level of protection. – Gartner 2021 (Benchmarking is not a good comparison)
• Get a real cyber security pro who is ruthlessly focused on the business’s success, and protection, IT, compliance, and privacy will follow as a byproduct.
• Do not expect IT to solve this issue, Cyber is a business issue and must be located there to effectively develop the right strategy.
• Cast out all turf, sacred cows, and organizational limits – align cyber priorities directly with business decisions and priorities – in the same breath as a major business decision, the cyber risk issues should be a strategic component.
• The right advisor can cut through the noise, get rid of the IT speak, and align your security strategy directly to the business – it's business expertise combined with cyber security understanding that creates the right strategic thinking and advice.
• The board’s role should focus on strategic goals, to do this, they need to have clarity on the investment worth crown jewels of the company and the realistic threats against them.
• Hackers love budget restrictions, project delays, and other business decisions that make it easy for them to hack you. Your strategy needs to be dynamic and support daily decision-making on changing risk issues.

The cybersecurity industry, as a whole, is invested in selling solutions that reduce the most general security issues, not solving your company’s specific problems or the problems that will hurt you the most! So there’s a lot of snake oil--or maybe not snake oil, but solutions that don’t fit the problem. Maybe they are over-engineered, or maybe they don’t do what they’re supposed to. So executives and board members need to look out for that. How do they navigate this, then? What should they do? Let’s focus on the board here. Because, really, the board has a different role here then the business leaders within the organization. What is the board’s role in finding the right cybersecurity advisor or solution?