CAS-003 · Question #481
A Chief Information Security Officer (CISO) of a large financial institution undergoing an IT transformation program wants to embed security across the business rapidly and across as many layers of th
The correct answer is D. Risk assurance teams should be targeted to help identify key business unit security risks that. Risk assurance teams already have cross-organizational visibility and existing relationships with individual business units. Targeting them first lets the CISO rapidly surface known risks across all departments simultaneously, achieving the broadest coverage with the least time i
Question
A Chief Information Security Officer (CISO) of a large financial institution undergoing an IT transformation program wants to embed security across the business rapidly and across as many layers of the business as possible to achieve quick wins and reduce risk to the organization. Which of the following business areas should the CISO target FIRST to best meet the objective?
Options
- AProgrammers and developers should be targeted to ensure secure coding practices, including
- BHuman resources should be targeted to ensure all new employees undertake security
- CThe project management office should be targeted to ensure security is managed and included
- DRisk assurance teams should be targeted to help identify key business unit security risks that
How the community answered
(32 responses)- A22% (7)
- B6% (2)
- C6% (2)
- D66% (21)
Explanation
Risk assurance teams already have cross-organizational visibility and existing relationships with individual business units. Targeting them first lets the CISO rapidly surface known risks across all departments simultaneously, achieving the broadest coverage with the least time investment. This is the definition of 'quick wins across as many layers as possible.' Targeting developers (A) improves code security but has a narrow scope and a long feedback cycle. Targeting HR (B) improves onboarding security but is a long-term culture change. Targeting the PMO (C) helps future projects but does not immediately address existing risk exposure. Risk assurance teams act as internal multipliers-securing their cooperation enables the CISO to influence every business unit through them.
Topics
Community Discussion
No community discussion yet for this question.