A good cyber security strategy should always start by defining what risk a business is willing to tolerate, and this is a task in which the IT security manager must involve their business colleagues.