This document discusses how Chief Information Security Officers (CISOs) are moving from compliance-based cybersecurity programs to risk-based programs. It finds that CISOs are increasingly using customized frameworks to assess risk, prioritize threats, and communicate cybersecurity strategy to upper management. Using these frameworks lets them focus investments on reducing real risks to the organization rather than just meeting compliance requirements. The document also examines challenges CISOs face in this transition, such as communicating priorities and making strategy understandable. It provides examples of how frameworks have helped CISOs increase collaboration with, and support from, executives to better implement security strategies.