Exam 712-50
Question 114

Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda. The CISO has been able to implement a number of technical controls and is able to influence the Information Technology teams but has not been able to influence the rest of the organization.

From an organizational perspective, which of the following is the LIKELY reason for this?

    Correct Answer: A

    The likely reason the CISO cannot influence the rest of the organization is that the CISO reports into the IT organization. When the CISO sits under IT, their authority is usually confined to IT-related matters: the role can drive technical controls and direct the IT teams, but it has no mandate over non-IT business units, which tend to treat security as an IT problem rather than a broader organizational responsibility. This matches the scenario exactly: the controls that have been implemented are technical, and the only teams the CISO can influence are in Information Technology. For a more effective, enterprise-wide approach, the CISO should have a reporting line that positions them to influence the entire organization, such as reporting directly to the CEO.

Discussion
Otto_Aulicino (Option: A)

It is "A" based on how the question is written: "...CISO has been able to implement a number of technical controls and is able to influence the Information Technology teams but has not been able to influence the rest of the organization..." The answer could be "not reporting to the CEO" too, but the fact that the CISO is able to influence the IT departments and not the others makes "A" the better answer.

Rufus1 (Option: A)

"A" means that the CISO is in a non-executive role. Therefore his transversal influence across the organization is limited. My opinion is that "A" is the most objective choice.

johndoe69 (Option: A)

CISO Reporting Structure: When the CISO reports to the IT organization, their influence might be limited to the IT domain, making it challenging to implement and enforce security measures across other business units. This reporting structure can lead to a perception that security is just an IT issue rather than a critical enterprise-wide concern. To be effective, the CISO should ideally have a broader mandate and visibility across the organization, which is often achieved by reporting directly to the CEO or another high-level executive such as the COO.

Boats (Option: C)

If A is true, then C would be true as well. It is basically the same answer to the question. If the question were turned around to ask how to remediate the issue, then the CISO should report directly to the CEO. So the direct answer is that the CISO is reporting to IT when he should be reporting to the CEO.

Boats

I select A.

ahmad_Hammad (Option: C)

I think it's C, not A.

e_karma (Option: C)

How can this be "A" when nowhere in the question does it say the CISO reports to the IT department, only that IT likes him? Most probably the answer should be C.