712-50 Exam Questions

712-50 Exam - Question 114


Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda. The CISO has been able to implement a number of technical controls and is able to influence the Information Technology teams but has not been able to influence the rest of the organization.

From an organizational perspective, which of the following is the LIKELY reason for this?

Correct Answer: A

The likely reason the CISO is unable to influence the rest of the organization is that the CISO reports to the IT organization. In many enterprises, when the CISO reports to the IT department, their influence and authority are usually restricted to IT-related matters. This structure often limits the CISO's ability to implement and enforce security policies across non-IT departments, as other departments may not view security as a broader organizational responsibility. Ideally, for a more effective and comprehensive approach to security, the CISO should have a reporting line that positions them to influence the entire organization, such as reporting directly to the CEO.

Discussion

6 comments
Rufus1 (Option: A)
Oct 20, 2021

"A" means that the CISO is in a non-executive role. There, his transversal influence across the organization is limited. My opinion is that "A" is the most objective choice.

Otto_Aulicino (Option: A)
Dec 16, 2021

It is "A" based on how the question is written: "...CISO has been able to implement a number of technical controls and is able to influence the Information Technology teams but has not been able to influence the rest of the organization..." The answer could be "not reporting to the CEO" too, but the fact that the CISO is able to influence the IT departments and not the others makes "A" the better answer.

e_karma (Option: C)
Feb 18, 2021

How can this be "A", since nowhere in the question does it say the CISO reports to the IT department, only that IT likes him? Most probably the answer should be C.

ahmad_Hammad (Option: C)
Apr 10, 2021

I think it's C, not A.

Boats (Option: C)
May 8, 2023

If A is true, then C would be true as well. It is basically the same answer to the question. If the question were turned around to ask how to remediate the issue, then the CISO should report directly to the CEO. So the direct answer is that the CISO is reporting to IT when he should be reporting to the CEO.

Boats
May 8, 2023

I select A.

johndoe69 (Option: A)
Jul 19, 2024

CISO Reporting Structure: When the CISO reports to the IT organization, their influence might be limited to the IT domain, making it challenging to implement and enforce security measures across other business units. This reporting structure can lead to a perception that security is just an IT issue rather than a critical enterprise-wide concern. To be effective, the CISO should ideally have a broader mandate and visibility across the organization, which is often achieved by reporting directly to the CEO or another high-level executive such as the COO.