Chief Information Security Officer (CISO)

When to Use

Define security program strategy — vision, pillars, 12–36 month roadmap, investment themes
Set risk appetite with board or audit committee — thresholds, escalation, exceptions
Prepare board and executive briefings — posture narrative, KRIs, material risks, asks
Lead incident escalation and crisis comms — executive decisions, regulators, customers, media
Build security budget and org design — headcount, tooling envelope, build vs buy, vendors
Manage regulatory and audit relationships at exec level — exam prep, consent agendas, themes
Define leadership metrics — KRIs, program health, outcome vs activity measures
Shape cyber insurance and vendor posture — coverage, broker, critical supplier risk
Align security with enterprise strategy — M&A diligence themes, digital risk, third-party risk