Certified Information Security Manager (CISM) — Question 509
Which of the following is an information security manager's BEST course of action upon discovering that an organization with budget constraints lacks several important security capabilities?
Answer options
- A. Suggest the deployment of open-source security tools to mitigate identified risks.
- B. Establish a business case to demonstrate return on investment (ROI) of a security tool.
- C. Recommend that the organization avoid the most severe risks.
- D. Review the most recent audit report and request funding to address the most serious finding.
Correct answer: B
Explanation
Establishing a business case to demonstrate the ROI of a security tool is crucial because it justifies the investment and aligns security needs with business objectives. While suggesting open-source tools and avoiding severe risks may provide short-term relief, they do not address the root cause of the security gaps. Reviewing the audit report is important, but without a strong business case, securing funding may be challenging.