CompTIA CASP+ (CAS-003) — Question 149

A Chief Information Security Officer (CISO) of a large financial institution undergoing an IT transformation program wants to embed security across the business rapidly and across as many layers of the business as possible to achieve quick wins and reduce risk to the organization. Which of the following business areas should the CISO target FIRST to best meet the objective?

Answer options

• A. Programmers and developers should be targeted to ensure secure coding practices, including automated code reviews with remediation processes, are implemented immediately.
• B. Human resources should be targeted to ensure all new employees undertake security awareness and compliance training to reduce the impact of phishing and ransomware attacks.
• C. The project management office should be targeted to ensure security is managed and included at all levels of the project management cycle for new and in- flight projects.
• D. Risk assurance teams should be targeted to help identify key business unit security risks that can be aggregated across the organization to produce a risk posture dashboard for executive management.

Correct answer: D

Explanation

The correct answer is D because targeting risk assurance teams allows for a comprehensive overview of security risks across the organization, enabling informed decision-making at the executive level. Options A, B, and C, while important, focus on specific areas and do not provide the broad organizational insight needed to effectively reduce risk across multiple layers of the business.