Cybersecurity strategy glossary
A working glossary of the cybersecurity strategy concepts the game actually models — written for the player at the screen, not for a textbook.
Every term below either appears as an in-game mechanic or describes one. Where a term has a real-world cybersecurity industry meaning, the definition matches it; where the game uses the term as a specific mechanic, the mechanical definition wins. Cross-link to the live mechanics in How CISO Game Works, the full risk register, or the investment catalog.
- Annual Audit
- The end-of-year board review at quarters 4, 8, 12, 16, 20. Calculates an audit performance score, applies it to Board Confidence, and may unlock or block the next year's budget growth.
- Architecture Decay
- The gradual loss of effectiveness as point products bolted together at different times accumulate integration debt. Modeled in CISO Game as posture drift on aging stacks unconnected by an Architecture project.
- Architecture Project
- A multi-quarter investment (Zero Trust, Network Segmentation, Identity Overhaul) that costs quarterly during build, then permanently raises posture once complete. Cost stops; benefit persists. The biggest leverage points in mid-game.
- Awareness
- The posture pillar covering human-factor security: phishing simulation, security training, security champions, and culture. Cheap to fund, slow to compound, often under-credited until a click-rate stat changes.
- Best-of-Breed Strategy
- A program-shaping strategy that buys the leading point product in each category (best EDR, best SIEM, best email security). Higher posture ceiling, higher integration cost, higher operational burden, less vendor leverage.
- Board Confidence
- A 0–100 metric tracking how the board of directors feels about your security program. Moves on disclosed incidents, audit performance, regulator interaction, and visible spend discipline. If it stays below 20 for three consecutive quarters, you are fired.
- Business Friction
- A 0–100 metric measuring how much your security controls slow the business down. Heavy DLP, restrictive proxies, and aggressive blocking raise it. The board notices when friction-induced revenue losses outpace risk reduction.
- Composite Posture
- The single 0–100 number that summarizes overall security posture. Computed as a weighted average of six subscores: Detection (0.20), Response (0.18), Prevention (0.18), Recovery (0.14), Identity (0.16), and Awareness (0.14). Win condition at Year 5 requires Composite Posture ≥ 60.
- Continuous Control Monitoring (CCM)
- Tooling that automatically and continuously verifies security controls are in place and effective, replacing point-in-time audit evidence. Reduces audit prep cost and catches drift between formal audits.
- Cumulative Overspend
- The running total of every dollar spent above the annual budget across all years. Stays at 0 if you stay under budget; if it ever exceeds 1,000,000 you lose immediately.
- Customer Trust
- A 0–100 metric tracking customer-facing trust signals. Moves on breach disclosure quality, customer Trust Center transparency, certifications (SOC 2, ISO 27001), and public incident handling. Affects renewal and sales motion in late-game.
- Deputy CISO
- A senior leadership hire that reduces CISO bandwidth strain (modeled as a one-time Board Confidence and Morale boost) and unlocks the ability to delegate strategic decisions in late-game.
- Detection
- The posture pillar that measures how quickly your program notices that something bad is happening. SIEM, EDR, SOC services, and detection engineers move it. Without detection, every other capability fires too late.
- Detection Engineer (DE)
- A specialist role that builds detection content (SIEM rules, EDR queries, threat-hunt playbooks). Required by mid-tier and enterprise SIEM. The single role with the most outsized effect on detection posture.
- Disclosure Transparency
- How clearly and quickly you communicate an incident publicly. High-transparency disclosures preserve Customer Trust even on bad incidents; low-transparency disclosures convert a controllable incident into a trust crisis.
- GRC Analyst
- A governance, risk, and compliance specialist required to operate compliance platforms, audit prep tools, and continuous control monitoring. Drives Awareness and audit performance.
- Identity
- The posture pillar covering authentication, authorization, and account lifecycle. SSO, MFA, IAM with PAM, and identity governance move it. The single highest-leverage area for most enterprise programs.
- IR Engineer
- An incident response specialist required to operate IR retainers and run real investigations end-to-end. Without one, IR retainers and tabletops contribute reduced posture.
- Platform Consolidation
- A program-shaping strategy that buys a single-vendor platform covering many categories. Lower posture ceiling per category, less integration work, single throat to choke, vendor lock-in risk (R19).
- Posture Subscore
- One of the six pillars that compose security posture in CISO Game: Detection, Response, Prevention, Recovery, Identity, Awareness. Each investment contributes to specific subscores; subscores feed the composite.
- Prevention
- The posture pillar covering controls that stop attacks before they land. Email security, EDR blocking, web filtering, hardening, and patching move it. Strong on its own; weak when over-emphasized at the expense of Detection and Response.
- Quarterly Burn Rate
- The recurring cost of all active subscriptions in a given quarter. Buying a tool with a 50k oneTime + 20k quarterly cost adds 20k/quarter to burn for as long as you own it.
- Quarterly Inbox
- The 3 small per-quarter decisions presented by named NPCs (CFO, CTO, Board Chair, Senior Analyst, Comms, Recruiter) that compound into program direction. Minor individually, dominant in aggregate.
- Recovery
- The posture pillar measuring how fast you can restore business operations after a destructive event. Backups, immutable storage, BCP/DR rehearsals, and recovery automation move it. The lever ransomware actually punishes.
- Regulator Clock
- Disclosure deadlines that start counting down the moment you confirm a material incident. SEC Item 1.05 (8-K) = 4 business days after you determine the incident is material. GDPR Art. 33 = 72 hours after becoming aware of a personal-data breach (notification to the supervisory authority). NYDFS Part 500 = 72 hours after determining that a notifiable cybersecurity event has occurred. Missing the clock is a separate, larger event than the breach itself.
- Residual Offset
- A per-risk constant added to exposure that represents irreducible risk from the threat itself (e.g., R07 Zero-Day = 30, R19 Vendor Lock-in = 50). You can never drive these to zero — only manage.
- Response
- The posture pillar that measures how decisively your team contains and remediates an incident. IR retainers, playbooks, tabletop exercises, and a dedicated IR engineer move it. High Detection without Response just means you watch breaches in real time.
- Risk Exposure
- A 0–100 number per tracked risk representing residual likelihood × impact after current mitigations. Computed as 100 − Σ(subscore × mitigation weight) + Residual Offset, then clamped to [0, 100]; the offset term is why some risks never reach 0. Bands: LOW (0–24), MEDIUM (25–49), HIGH (50–74), CRITICAL (75–100).
- Sector Wire
- The in-universe ticker showing fictional industry headlines that contextualize threats and trends. Doesn't directly drive game state — provides narrative texture and occasional event seeding.
- Senior Analyst
- A senior security team role required to operate enterprise-tier tools (Enterprise SIEM, EDR, etc.). Without one, those tools run at 30% effectiveness regardless of cost. The bottleneck most strategies underestimate.
- Tabletop Exercise
- A discussion-based incident simulation walking the team through a hypothetical attack. Cheap, high-leverage on Response and team coordination. Catches gaps that real incidents would expose at much higher cost.
- Team Morale
- A 0–100 metric tracking team well-being. Drops from understaffed tools (each missing required role per quarter), incidents handled badly, and overwork. Drives turnover events and effectiveness penalties when low.
- Tool Without Team Effectiveness
- The 30% effectiveness multiplier applied when you own a security tool but lack the staff to operate it (e.g., SIEM with no Detection Engineer). The biggest reason a $300k tool reads as a $90k tool on the posture chart.
- TPRM (Third-Party Risk Management)
- The discipline of evaluating and continuously monitoring vendors that touch your data or systems. A TPRM Platform automates questionnaires, evidence collection, and continuous control monitoring across your vendor inventory.
- Vendor Lock-in
- Risk R19 in CISO Game. The cost and disruption of replacing a deeply-integrated vendor. Mitigated by dual-sourcing critical categories, contract terms, and architectural decoupling. Offset of 50 — never goes away.
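The three formulas the glossary quotes (Composite Posture, Risk Exposure with its bands, and the Tool Without Team Effectiveness multiplier) carried through in one worked example. This is an added editorial illustration, not CISO Game code: the composite weights, the 30% multiplier, the band cut-offs, the Year 5 win threshold, the R07 Zero-Day offset of 30, and the staffing the Enterprise SIEM needs are taken from the entries above; the starting subscores, the SIEM's +20 Detection contribution, and the R07 mitigation weights are constructed assumptions.

```python
"""Worked example of three CISO Game glossary formulas: Composite Posture,
Tool Without Team Effectiveness, and Risk Exposure with its bands.
Editorial illustration, not game code. Values marked ASSUMED are made up."""

from dataclasses import dataclass

# Composite Posture weights from the glossary (they sum to 1.0).
COMPOSITE_WEIGHTS = {
    "Detection": 0.20, "Response": 0.18, "Prevention": 0.18,
    "Recovery": 0.14, "Identity": 0.16, "Awareness": 0.14,
}
WIN_POSTURE = 60              # Year 5 win condition: composite >= 60
UNSTAFFED_MULTIPLIER = 0.30   # Tool Without Team Effectiveness
BANDS = ((25, "LOW"), (50, "MEDIUM"), (75, "HIGH"))  # exclusive upper bounds


@dataclass
class Tool:
    name: str
    contributions: dict       # subscore -> points added when fully staffed
    required_roles: tuple     # roles the glossary says the tool needs


def tool_effect(tool: Tool, team: set) -> dict:
    """Points a tool adds per subscore, scaled to 30% if any required role is missing."""
    staffed = all(role in team for role in tool.required_roles)
    mult = 1.0 if staffed else UNSTAFFED_MULTIPLIER
    return {pillar: pts * mult for pillar, pts in tool.contributions.items()}


def apply_tools(base: dict, tools: list, team: set) -> dict:
    """Start from base subscores and add each tool's (possibly reduced) effect, capped at 100."""
    scores = dict(base)
    for tool in tools:
        for pillar, pts in tool_effect(tool, team).items():
            scores[pillar] = min(100.0, scores.get(pillar, 0.0) + pts)
    return scores


def composite_posture(subscores: dict) -> float:
    """Weighted average of the six pillars, as the glossary defines it."""
    return sum(w * subscores[pillar] for pillar, w in COMPOSITE_WEIGHTS.items())


def risk_exposure(subscores: dict, mitigation_weights: dict, residual_offset: float) -> float:
    """100 - sum(subscore * mitigation weight) + residual offset, clamped to [0, 100]."""
    mitigated = sum(subscores.get(pillar, 0.0) * w for pillar, w in mitigation_weights.items())
    return max(0.0, min(100.0, 100.0 - mitigated + residual_offset))


def band(exposure: float) -> str:
    """LOW 0-24, MEDIUM 25-49, HIGH 50-74, CRITICAL 75-100.
    ASSUMED: a fractional value is banded by the next integer cut-off (24.5 is LOW)."""
    for upper, name in BANDS:
        if exposure < upper:
            return name
    return "CRITICAL"


# ASSUMED starting subscores for a mid-game program (constructed for this example).
BASE_SUBSCORES = {"Detection": 50, "Response": 50, "Prevention": 60,
                  "Recovery": 40, "Identity": 65, "Awareness": 55}

# Enterprise SIEM needs a Detection Engineer and a Senior Analyst per the glossary.
# Its +20 Detection contribution is ASSUMED.
ENTERPRISE_SIEM = Tool("Enterprise SIEM", {"Detection": 20},
                       ("Detection Engineer", "Senior Analyst"))

# R07 Zero-Day: the offset of 30 is from the glossary; the mitigation weights are ASSUMED.
R07_OFFSET = 30
R07_WEIGHTS = {"Detection": 0.6, "Response": 0.3, "Prevention": 0.4}


def scenario(team: set) -> dict:
    """Run one team configuration through all three formulas and return the numbers."""
    subscores = apply_tools(BASE_SUBSCORES, [ENTERPRISE_SIEM], team)
    composite = composite_posture(subscores)
    exposure = risk_exposure(subscores, R07_WEIGHTS, R07_OFFSET)
    return {
        "detection": subscores["Detection"],
        "composite": round(composite, 2),
        "meets_win_condition": composite >= WIN_POSTURE,
        "r07_exposure": round(exposure, 2),
        "r07_band": band(exposure),
    }


if __name__ == "__main__":
    for label, team in (("staffed", {"Detection Engineer", "Senior Analyst"}),
                        ("SIEM bought, no Detection Engineer", {"Senior Analyst"})):
        print(f"{label}: {scenario(team)}")
```

With these assumed numbers the same SIEM purchase moves Detection by 20 points when staffed but only 6 when the Detection Engineer is missing, which is enough to push R07 from MEDIUM to HIGH and to cost about three composite points; neither configuration clears the Year 5 threshold of 60, which is the point the glossary's staffing entries make.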
How to use the glossary while playing
If a tooltip in the game references a term you're unsure about — Composite Posture, Residual Offset, Architecture Decay — the entry above is the canonical definition. Start a free demo run to see each term in action across a 5-year program.