Even an organization with a highly mature cybersecurity risk management program needs to keep pace with the changing legal and business landscape, and staying on top of this challenge starts at the top. Using a hypothetical scenario, executives from Dell, Amazon, Cybraics and Crowdstrike, playing the roles of the CEO, CISO, CRO and GC, offered advice on how to develop an information-security risk-management program; which key stakeholders are involved in governance of the program; and how the CISO should interact with the program. In this first part of a two-part article series, we present the facts of the simulation, the CEO’s concerns, and the CISO’s response to those concerns, particularly in connection with the resources needed and the strategy. In part two, we will hear from the chief risk officer and general counsel on the subject as well as the takeaways of all four stakeholders. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).