nerdexam
CompTIA

CAS-003 · Question #481

A Chief Information Security Officer (CISO) of a large financial institution undergoing an IT transformation program wants to embed security across the business rapidly and across as many layers of th

The correct answer is D. Risk assurance teams should be targeted to help identify key business unit security risks that. Risk assurance teams already have cross-organizational visibility and existing relationships with individual business units. Targeting them first lets the CISO rapidly surface known risks across all departments simultaneously, achieving the broadest coverage with the least time i

Risk Management

Question

A Chief Information Security Officer (CISO) of a large financial institution undergoing an IT transformation program wants to embed security across the business rapidly and across as many layers of the business as possible to achieve quick wins and reduce risk to the organization. Which of the following business areas should the CISO target FIRST to best meet the objective?

Options

  • AProgrammers and developers should be targeted to ensure secure coding practices, including
  • BHuman resources should be targeted to ensure all new employees undertake security
  • CThe project management office should be targeted to ensure security is managed and included
  • DRisk assurance teams should be targeted to help identify key business unit security risks that

How the community answered

(32 responses)
  • A
    22% (7)
  • B
    6% (2)
  • C
    6% (2)
  • D
    66% (21)

Explanation

Risk assurance teams already have cross-organizational visibility and existing relationships with individual business units. Targeting them first lets the CISO rapidly surface known risks across all departments simultaneously, achieving the broadest coverage with the least time investment. This is the definition of 'quick wins across as many layers as possible.' Targeting developers (A) improves code security but has a narrow scope and a long feedback cycle. Targeting HR (B) improves onboarding security but is a long-term culture change. Targeting the PMO (C) helps future projects but does not immediately address existing risk exposure. Risk assurance teams act as internal multipliers-securing their cooperation enables the CISO to influence every business unit through them.

Topics

#security governance#risk program strategy#organizational security#quick wins

Community Discussion

No community discussion yet for this question.

Full CAS-003 Practice