nerdexam
(ISC)2

CISSP · Question #935

When developing a business case for updating a security program, the security program owner MUST do which of the following?

The correct answer is A. Identify relevant metrics. When developing a business case for updating a security program, the security program owner needs to clearly demonstrate how the updated program will improve security, mitigate risks, and align with organizational goals. To do this, the identification of relevant metrics is cruci

Submitted by yuriko_h· Mar 5, 2026Security and Risk Management

Question

When developing a business case for updating a security program, the security program owner MUST do which of the following?

Options

  • AIdentify relevant metrics
  • BPrepare performance test reports
  • CObtain resources for the security program
  • DInterview executive management

How the community answered

(38 responses)
  • A
    79% (30)
  • B
    13% (5)
  • C
    3% (1)
  • D
    5% (2)

Explanation

When developing a business case for updating a security program, the security program owner needs to clearly demonstrate how the updated program will improve security, mitigate risks, and align with organizational goals. To do this, the identification of relevant metrics is crucial. These metrics help quantify the effectiveness of the current program and illustrate the potential improvements that an updated program can deliver. Metrics might include things like the number of security incidents, response times, compliance levels, or risk assessments.

Topics

#security program management#business case#security metrics

Community Discussion

No community discussion yet for this question.

Full CISSP Practice