CSOs often get asked "What keeps you up at night"? But the question should be "What *will* keep you up all night, every night for the next 6 months"? Ask the CSO of Sony or RSA. They know because they have already had an "Extreme Cyber Scenario". But what are your Extreme Cyber Scenarios? And have you planned for them? Here is a Bank's approach for analyzing seven Extreme Cyber Scenarios.