As the CISO of a mid-sized retail company, you're tasked with developing a governance framework. What should be your first step to align security with business needs?
A. Implement role-based access control across departments
B. Define a risk appetite statement for all divisions
C. Understand the organization’s business objectives and operations
D. Draft and publish information security policies immediately