CISOs are moving from compliance-based cybersecurity programs to risk-based programs focused on the organization's strategic needs. Frameworks help CISOs assess risks, prioritize threats, develop strategies, and communicate priorities to gain support. While compliance is still important, frameworks drive strategic investments in reducing the highest risks. CISOs customize frameworks and use third-party skills and data to implement risk-based programs.