As a CISO, you should have an enterprise risk statement that defines what the company's risk appetite is, and how granular cybersecurity needs to be. The C-Suite and Board of Directors may only care whether the cybersecurity program is good enough to accommodate the business, and rely on a cybersecurity insurance policy as a backup plan. Without this number, how do you know what the right amount of staff, budget, and resources is to sustain a cybersecurity program, outside of the typical metrics we use to measure and quantify cybersecurity, such as resource loading?
Source: https://www.csoonline.com/article/3025152/what-is-your-risk-number.html