Determine Risk Management Strategies

Once security risks have been identified and assigned a qualitative value such as high, medium and low risk, the next step for the CISO is to determine what to do with that risk. To decide “what to do with the risks” CISOs usually rely upon their organization’s risk management processes and risk mitigation strategy.
Risk management processes differ from one organization to another. At a high level, they depend on the risk mitigation strategy the organization adopts. Where high risks cannot be avoided because of business decisions, and risks cannot be transferred to third parties through contractual agreements or cyber insurance, a possible strategy is to mitigate all medium and high risks and to accept (i.e. do nothing about) only those whose residual risk (i.e. the risk left after security measures or compensating controls have been applied or considered) is low. Risk mitigation strategies can also weigh business risks using qualitative risk analysis that factors in probability and economic impact.
Once the risks have been determined, the next step is to decide which risks the organization is willing to accept, mitigate, transfer or avoid. For the risks the organization is willing to accept, it is important for CISOs to have a risk acceptance process that qualifies the low level of risk based upon the presence of compensating controls and that is signed off by the CISO and executive management.
For the risks chosen for mitigation, it is important to determine which security measures or corrective actions the organization deems acceptable, and which of these measures reduce risk most effectively at the lowest cost (i.e. highest benefit versus lowest total cost of the security measures). This is where the risk mitigation strategy needs to consider the cost of potential security incidents, such as data breaches, to decide how much it is reasonable for the organization to budget for investments in application security measures.
An important aspect of the risk strategy for CISOs is to decide which security measures work best together, “e pluribus unum”, by applying preventive and detective controls to provide defence in depth for the application’s assets. Finally, for risks that are transferred to or shared with a third party, it is important for the CISO to work with legal to make sure that risk-liability clauses are documented in the legal agreements and service level agreements the organization signs with the third-party service provider or legal entity.
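The decision procedure described above (qualify each risk, mitigate medium and high risks, accept only low residual risk, transfer what a third party can carry, and pick controls by benefit against cost) can be made concrete as a small risk-treatment planner. The following is an added example, not code from the OWASP CISO Guide; the low/medium/high thresholds, the multiplicative combination of control reductions, the greedy benefit-per-cost selection and every figure in the sample register are assumptions constructed for illustration.

```python
"""Risk treatment planning for an application security risk register.
Constructed example: the thresholds, control costs and loss figures are
assumptions, not figures from the OWASP CISO Guide."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # total cost of the measure per year
    reduction: float     # fraction of expected loss it removes, 0..1


@dataclass
class Risk:
    name: str
    probability: float   # estimated annual likelihood of occurrence, 0..1
    impact: float        # estimated economic loss per occurrence
    transferable: bool = False   # can be shared via contract / cyber insurance
    candidate_controls: list = field(default_factory=list)

    def ale(self, applied=()):
        """Annualised loss expectancy after the given controls. Reductions are
        assumed independent and combined multiplicatively (an assumption)."""
        remaining = 1.0
        for control in applied:
            remaining *= 1.0 - control.reduction
        return self.probability * self.impact * remaining


# Assumed thresholds that map expected annual loss to the qualitative scale.
LOW_MAX, MEDIUM_MAX = 10_000.0, 100_000.0


def qualify(ale):
    """Map an expected annual loss to low / medium / high."""
    if ale < LOW_MAX:
        return "low"
    if ale < MEDIUM_MAX:
        return "medium"
    return "high"


def select_controls(risk, budget):
    """Greedy cost/benefit choice: keep adding the control with the highest
    loss reduction per unit cost while it pays for itself, fits the budget,
    and the residual risk is not yet low."""
    chosen, spent = [], 0.0
    remaining = list(risk.candidate_controls)
    while remaining and qualify(risk.ale(chosen)) != "low":
        def benefit_per_cost(control):
            saved = risk.ale(chosen) - risk.ale(chosen + [control])
            return saved / control.annual_cost
        best = max(remaining, key=benefit_per_cost)
        if benefit_per_cost(best) < 1.0 or spent + best.annual_cost > budget:
            break   # costs more than it saves, or unaffordable
        chosen.append(best)
        spent += best.annual_cost
        remaining.remove(best)
    return chosen


def treat(risk, budget):
    """Decide accept / mitigate / transfer for one risk under the policy:
    mitigate medium and high risks, accept only residual risk that is low,
    transfer what remains where a third party can carry it."""
    inherent = qualify(risk.ale())
    chosen = [] if inherent == "low" else select_controls(risk, budget)
    residual = qualify(risk.ale(chosen))
    if residual == "low":
        treatment = "mitigate" if chosen else "accept"
        sign_off = "CISO"                      # low residual risk: CISO accepts
    elif risk.transferable:
        treatment = "mitigate+transfer" if chosen else "transfer"
        sign_off = "CISO + legal"              # liability clauses in the contract
    else:
        treatment = "mitigate"
        sign_off = "executive management"      # residual stays medium/high
    return {
        "risk": risk.name,
        "inherent": inherent,
        "controls": [c.name for c in chosen],
        "spend": sum(c.annual_cost for c in chosen),
        "residual": residual,
        "treatment": treatment,
        "sign_off": sign_off,
    }


def plan(risks, budget_per_risk):
    return [treat(r, budget_per_risk) for r in risks]


# Constructed sample register (all figures invented for illustration).
SAMPLE_RISKS = [
    Risk("SQL injection in customer portal", probability=0.5, impact=400_000,
         transferable=True, candidate_controls=[
             Control("parameterised queries", annual_cost=20_000, reduction=0.9),
             Control("web application firewall", annual_cost=30_000, reduction=0.5),
         ]),
    Risk("Lost unencrypted laptop", probability=0.2, impact=30_000),
    Risk("Volumetric DDoS on API", probability=0.3, impact=150_000,
         candidate_controls=[
             Control("CDN traffic scrubbing", annual_cost=12_000, reduction=0.8),
         ]),
]

if __name__ == "__main__":
    for row in plan(SAMPLE_RISKS, budget_per_risk=60_000):
        print(row)
```

With the sample figures, the SQL injection risk is mitigated with parameterised queries alone (the firewall would cost more than the extra loss it removes) and the medium residual is transferred with a legal sign-off; the laptop risk is low and simply accepted; the DDoS risk is brought to low by one affordable control. Shrinking the budget so that no control is affordable leaves only transfer for the SQL injection risk, which is the situation the text describes where residual risk cannot be accepted.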
Source: https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf