CISSP · Question #480
Which of the following is the MOST important activity an organization performs to ensure that securiy is part of the overall organization culture?
The correct answer is D. Work with senior management to meet business goals.. Embedding security into organizational culture requires top-down commitment from senior leadership, as culture is driven by the priorities and tone set at the executive level.
Question
Options
- AEnsue security policies are issued to all employees
- BPerform formal reviews of security Incidents.
- CManage a program of security audits.
- DWork with senior management to meet business goals.
How the community answered
(33 responses)- A24% (8)
- B12% (4)
- C6% (2)
- D58% (19)
Why each option
Embedding security into organizational culture requires top-down commitment from senior leadership, as culture is driven by the priorities and tone set at the executive level.
Issuing security policies to employees is a foundational administrative control, but distributing documents alone does not create a security-aware culture without leadership support and enforcement mechanisms.
Formal reviews of security incidents are a reactive, operational activity focused on lessons learned after events occur, rather than proactively embedding security into the organizational culture.
Managing security audits is a compliance and assurance activity that measures adherence to controls, but audits are periodic and do not by themselves instill security as a cultural value throughout the organization.
Working with senior management to align security with business goals is the most impactful activity because organizational culture is shaped by leadership priorities and tone-at-the-top. When senior management actively champions security as a business enabler rather than a compliance checkbox, it permeates decision-making, resource allocation, and employee behavior across the entire organization. Without executive buy-in and integration with business objectives, all other security activities lack the authority and cultural weight needed to be truly effective.
Concept tested: Security governance and senior management role in culture
Source: https://www.nist.gov/cyberframework
Topics
Community Discussion
No community discussion yet for this question.