Business leaders spend most of their time conducting risk/reward analyses of virtually every decision they make. Will expanding the sales staff generate enough profit to more than pay for the added costs? Can our new product launch hit the market before the competitors shift their own strategies? Do we know enough about the geopolitical climate in a new market to justify the added costs and hassles in compliance and governance?

Cybersecurity is another critical area where risk must be constantly assessed. The risk of unanticipated service interruptions, not to mention the many direct and indirect costs of data loss, is substantial. Virtually everything an organization does today, from billing customers and creating marketing programs to answering police calls and ensuring the cleanliness of waterways, is digitized. Add in entirely new classes of digital endpoints and it is clear that attackers have more opportunity than ever to wreak havoc.

While the impact of those and other cybersecurity risks is undeniable, too many organizations fail to build their cybersecurity strategies and tactics around the concept, and the realities, of risk. Why?

Compliance blurs organizational vision for cybersecurity

In recent years, the rapid, often relentless expansion of regulatory compliance for everything from identity protection to data governance has put many organizations back on their heels. As more compliance regulations, and harsher penalties for violations, appear, business leaders and board members have understandably prioritized a simple cybersecurity rallying cry: Follow the rules. That is necessary, of course. After all, non-compliance is a risk no business leader wants to take.

While regulations aim to broadly address cyber risk and ease the minds of governments and business stakeholders, they are generally not effective enough on their own to protect companies from today's threat actors. Regulations are a public, minimum baseline; cyber criminals read the same requirements and adjust their tactics accordingly. Leaders who rely on high compliance scores to manage their risk may be overlooking important gaps specific to their own operating environment.

Defining cybersecurity risk and putting in place the correct resources, strategies, and guardrails needs a broader, more business-based perspective than defaulting to "we need to take this security step because it's part of our (fill-in-the-blank) compliance protocol." In many organizations, especially large enterprises with a much more significant compliance footprint, the audit function often drives decisions on how, when, and where to spend cybersecurity dollars.

Most smaller organizations take a different, risk-centric approach to their cybersecurity strategies and tactics. Perhaps it's because they don't have as many compliance hoops to jump through; more likely it's because they simply don't have the budget or personnel to view every security issue through a compliance lens. In these smaller, leaner organizations the approach to cybersecurity is much more straightforward and, I believe, more appropriate for today's increasingly complex landscape:

- Focus on where a security compromise can do the most harm to your organization
- Define the highest-risk areas
- Make reasoned, fact-based decisions on where to place your resources

Defining and measuring organizational risk

There is another important reason why many organizations don't consistently use a risk-based methodology for their cybersecurity strategy: they often lack a common definition of risk and a common vocabulary to help everyone in the organization make risk-based cybersecurity decisions.

Most business leaders are familiar with the classic definition of risk: what is the likelihood of something happening, and how bad would the impact be if it happened? It's a definition that has worked for just about every other business scenario, including the ones I covered at the beginning of this article. But to truly address risk, leaders must align on how likelihood and impact will be measured, and then agree on the organization's risk tolerance, so that policies and technologies can be applied to keep risk under that threshold.

In today's digital-first environment, business executives identify and measure risk differently, and there isn't always agreement among leadership about how much risk appetite the organization has or should have. Every business stakeholder has a different risk threshold. If your CRM application is compromised, that's a showstopper for anyone on the revenue side of the house, but it might not be perceived as critical by the team managing warehouse logistics (even though the two are obviously related).

An important first step is establishing a common understanding of how to measure the impact of cybersecurity risk specifically. Before joining Chevron, I worked at a very small organization; we had only two in-house IT professionals and outsourced everything else. Because the company was growing exponentially, it agreed that I needed to build a bigger in-house organization. I started by asking my boss what he worried about most when it came to securing the company's most important data. We struggled to have a productive discussion because he thought of IT solely in terms of uptime for the applications and systems critical to operations. I realized that I needed to educate the company's leadership about cybersecurity risk.

While this example comes from a typical small organization, it's really not much different at larger ones. In fact, larger companies often substantially underestimate cybersecurity risk because they have no real understanding of where their data is stored or how many of their systems, processes, and "things" are connected to the internet, either directly or through cloud services. And they may overestimate risk because they are hyper-focused on the cost of operational disruption to their business, with little thought for the mitigating controls that already exist to prevent the "worst-case scenario." Establishing a logical method for identifying and ranking the top business impacts that could result from a cyber-attack is a good place to start.

The next step is to discuss likelihood, which is when things get muddy. Discussions about cyber likelihood require a level of technical knowledge that is scarce in most companies. I have close friends and colleagues who study cyber-attack techniques, and I am frankly amazed at how easy it is for a patient and determined adversary to find the smallest crack in a technology's security stack and exploit it. In today's environment, business leaders simply must assume that compromise of anything connected to (or through) the internet is possible, and that any protection or detection capabilities in place will reduce, but not eliminate, that risk. The question is, once we have determined where our risks are, how much protection is "enough"?

One of the least scientific, yet highly visceral, approaches I like to take in talking to internal colleagues about risk tolerance is asking a simple question: "In your mind, when does system downtime or data loss go from inconvenient to painful?" It's always interesting to note where business executives draw the line, such as, "I may get annoyed if our email system is unavailable for a few hours, but I can't sleep at night if our supply chain management system is down for 10 minutes." Beyond anecdotal inputs, there is also value in leveraging prior decisions around business insurance, since most business leaders have at least thought about risk tolerance in terms of legal protection or inability to operate in a disaster scenario. Metrics like "lost revenue per day" and insurance coverage amounts can help a technology leader understand the company's tolerance for risk in general and then derive its cyber-related risk tolerance from there.

Get outside help to assess your cyber risk

While I'm not necessarily an advocate of outsourcing key IT functions, I am a huge proponent of using experienced and proven outside organizations to evaluate an organization's risk exposure and its impact on the business. For a variety of reasons, organizations often struggle to account for every source of cybersecurity risk in their environment. Maybe they aren't collaborative by nature and overlook the input of stakeholders from all corners of the enterprise, or maybe they just haven't seen and felt the impact of a cyberattack "up close and personal," so they have a hard time accounting for its impact or even its presence.

The guidance of a qualified third party is gold when it is given the time and access to dive deep enough into the details to fully understand your company's risks. It lends a perspective that few internal organizations can match, and an outside opinion counts for a lot with C-suite executives and board members. After all, organizations routinely employ outside auditors to give their opinions on the accuracy and completeness of a company's financial statements; it makes sense that this kind of assessment should be handled similarly.

Admittedly, this kind of risk assessment outsourcing will not be enthusiastically embraced by everyone in your organization. Line-of-business leaders often see these exercises as a waste of time, unconvinced that the likelihood of a cyber event is significant enough to warrant the effort. While this may feel like a narrow mindset, their perspective is valuable for understanding the true "worst case" scenario, which may be limited by physical controls or manual overrides that reduce the potential impact. Additionally, internal teams that are already familiar with the company's cyber risks may feel untrusted by management or undervalued when one of these external engagements is announced, but their honest input is critical to a successful evaluation and must be captured and amplified for executives so that appropriate funding and priority are applied to address known risks.

When framed correctly among all stakeholders, a qualified outside opinion can provide confidence, clarity, and consistency in identifying, assessing, and accounting for cybersecurity risk.

Assess risk with the vision of the possible

Finally, let's keep in mind the need for something that may seem whimsical but is essential to cold, hard decision-making: imagination. Most of us have read about NASA's Apollo 1 tragedy, in which three astronauts died during a launch rehearsal test on the pad. A review board was assembled to study the cause of the accident and to recommend how to prevent future occurrences. Frank Borman, then one of the senior members of the astronaut corps and a member of the board, was asked at a Congressional hearing why the tragedy took place. His succinct answer: "A failure of imagination."

His point was well taken. Because nothing of the kind had ever happened, the possibility of something so remote never entered the collective mind of NASA. Borman's answer served as a rallying cry from that day forward: take nothing for granted, however remote its chances or unprecedented it may be.

In cybersecurity, imagination is a core competency for properly understanding risk. I encourage you to push your imagination to its boundaries in identifying, evaluating, measuring, and minimizing risk.

Learn more in the four-part series on answering your board's top cybersecurity questions.

Sherry Hunyadi is chief security architect at Chevron.