Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda. The CISO has been able to implement a number of technical controls and is able to influence the Information Technology teams but has not been able to influence the rest of the organization.
From an organizational perspective, which of the following is the LIKELY reason for this?
A . The CISO reports to the IT organization
B . The CISO has not implemented a policy management framework
C . The CISO does not report directly to the CEO of the organization
D . The CISO has not implemented a security awareness program
Answer: A
Leave a Reply