The CISO role is widely regarded as the pinnacle of a cybersecurity career. The CISO is the executive in charge of the security program and its champion to executive management and the board of directors. That requires two things: the ability to design an effective program and the ability to sell it. For these reasons, most CISOs are seasoned executives who previously ran programs and have proven knowledge, skills, and abilities. Experienced CISOs rely on that experience to make decisions: they determine what data is required, gather it, and make the best decision they can given the variables in front of them. In practice this makes CISOs artists, making many of their decisions on gut feeling.

Other disciplines do not work this way. Their executives also begin by gathering data, but rather than relying on their gut, they let data science drive, or at least significantly influence, most of their decisions. That is a science, with a justifiable and repeatable decision-making process. The reason CISOs have been artists rather than scientists is that data science has historically not been applied to our discipline at the strategic level. Data science has been applied to improve tools; it has only just begun to be applied to strategy.

This presentation focuses on applying data science to the strategy of cybersecurity programs. It begins with the role of the CISO: What are the primary responsibilities? What does the role require? How is the job being accomplished today? While some functions are clearly interpersonal in nature, most decisions can be made with the support of data science. I will then work through the areas where data science can be applied, and how it can be applied.
Example areas include:
• Budgeting
• Cyber risk quantification
• Staffing
• Allocation of resources
• Project management
• Security operations
• Security architecture
• Optimal implementation of countermeasures
• Metrics and reporting

The presentation discusses data science tools and techniques, including AI and decision science, and how they can be applied to each of these areas. CISOs who can make mathematically informed decisions are more effective, and can arrive at decisions that are not intuitively obvious. The presentation closes with cases where "gut" decisions were wrong and data-driven decisions could have prevented disaster.