Certified Chief Information Security Officer (CCISO) — Question 11

Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda. The CISO has been able to implement a number of technical controls and is able to influence the Information Technology teams but has not been able to influence the rest of the organization.
From an organizational perspective, which of the following is the LIKELY reason for this?

Answer options

• A. The CISO reports to the IT organization
• B. The CISO has not implemented a policy management framework
• C. The CISO does not report directly to the CEO of the organization
• D. The CISO has not implemented a security awareness program

Correct answer: A

Explanation

The correct answer is A, as reporting to the IT organization typically limits the CISO's influence across the entire enterprise, making it challenging to advocate for security initiatives organization-wide. Options B, C, and D, while potentially relevant, do not directly address the structural limitations on the CISO's authority and influence in the organization.