A few weeks ago, a new acquaintance made a cynical joke about the CISO being the person to blame and fire when a cybersecurity breach occurs in a company. While I privately grinned in dismay at the comment, there is some truth to the statement. It reminds me of a very critical question every CISO job candidate must ask during a job interview: "If the company has a cybersecurity breach, will I be fired?"

As we all know, cybersecurity is everybody's responsibility, not just that of the CISO who is in charge of it. For many years, cybersecurity has been ignored, as evidenced by the high number of security breaches, which leads to the question we hear very often from the C-Suite: "Are we safe?" This loaded question is ridiculous from where we sit, as it will evoke a loaded answer from any CISO. Determining whether a company is "safe" from cyber-attacks involves so many variables and components that nobody could really quantify the level of protection a company has without lots of metrics and PowerPoint slides.

I saw a recent television commercial for a Sleep Number bed asking "What is your Sleep Number*?" It made me think of a different question: "What is your Risk Number?" As a CISO, you should have an enterprise risk statement that defines what the company's risk appetite is and how granular cybersecurity needs to be. Without it, you are flying blind and will most likely end up leaving your post out of frustration.

Without this number, how do you know the right amount of staff, budget, and resources needed to sustain a cybersecurity program, beyond the typical operational metrics, such as resource loading, that we use to measure and quantify cybersecurity?

As the CISO for your company, you might want a rigid cybersecurity program with a high degree of formality and standards, yet the C-Suite and Board of Directors may only care whether the cybersecurity program is "good enough" to accommodate the business, relying on a cybersecurity insurance policy as a backup plan. The Board of Directors may want a risk number of 3.5, while you think the company should be at 8.5. This is the defining line that dictates how long a CISO will last in a company, because the risk level has never been agreed upon.

At the end of the day, we are risk managers functioning as CISOs within companies, and many CISOs have risk levels that are mismatched with their organizations. When a CIO is hiring a CISO, the CIO most likely does not know what they are getting and has to go through a vetting process to qualify the candidate and determine whether this CISO is a "hard-ass" or a happy-go-lucky CISO. Knowing the risk number of an individual relative to the enterprise will help clarify and properly communicate mutual expectations, leading to a more harmonious relationship within the C-Suite and reducing the risk of being perceived as the "anti-business" CISO.

The CISO can guide the process of determining what the enterprise risk number should be, but you should never determine the number on your own, because you may be misaligned with the C-Suite. When a collaborative process is followed in the C-Suite, the resulting risk number will determine how you successfully run your department and manage resources.

Sample industries and what a customary "risk number" may look like:

Paper Manufacturing - 2.5
Pet Care - 3.5
Hospitality/Hotel Services - 7.0
Utilities - 6.25
Aerospace - 8.0
Higher Education - 6.0
Payment Processor - 8.5
Cloud Service Provider - 7.5
Car Manufacturer - 6.75
Retail Industry - 7.5
US Military - 10.0
Financial Institutions (Big Banks) - 10.0

We have been discussing the overall enterprise risk number, but risk varies within an enterprise. For instance, a "sub-risk number" might be a rating of 3.0 for the shipping department but 9.0 for the CFO's finance department. Every company will have a different overall enterprise risk number as well as different sub-risk numbers, so that the right amount of cybersecurity controls can be applied without suffocating the entire business.

Imagine a heat map of risk for your entire company. Some parts of the company need very strong cybersecurity controls, and other parts may only need the bare minimum. You would typically never take a "one-size-fits-all" approach and apply the same amount of cybersecurity across the entire enterprise.

Sample "sub-risk numbers" within a company, based on function:

C-Suite Officers - 8.5
Contact Center - 6.0
IT/Engineering - 7.5
Warehouse - 2.75
Operations - 3.0
Front Desk/Reception Area - 2.5

What is your Risk Number? It should be determined by the type of industry your company is in, the size of the company, what is at risk, what type of data you must protect, intellectual property, financial systems, what your senior executive leadership team desires, and the overall risk appetite defined by that senior executive leadership team.

*Sleep Number is a registered trademark.

Special thanks to Mansur Hasib (author of Cybersecurity Leadership: Powering the Modern Organization) for peer review.