This post is the justification of the Business Mindset Sample Question. The recommended answer is D.
Decisions shouldn’t be biased, and they shouldn’t be made without a risk assessment or other appropriate analysis. In other words, managers should conduct a risk assessment or an appropriate analysis and evaluation to make informed decisions. Doing so also demonstrates their due diligence.
Policies are documented management intent; they are relatively stable compared with standards or procedures. However, exceptions to policies are not uncommon when the business needs to cope with changing circumstances. Policies are subject to change along with the external context (e.g., threats and opportunities). As security is a business enabler, the security policy should adapt to the business context and be aligned with business goals, strategy, and objectives.
Any action or initiative should be justified. Alternatives with a cost/benefit analysis documented in a business case are the most persuasive. The suggested security controls, with their cost/benefit considerations, are the result of the risk assessment. Doing nothing (an implicit rejection by nature) is one of the alternatives in the business case.
The position and authority of the security function (the role and responsibility of a CISO) depend on the organizational structure and security requirements, which determine the CISO’s reporting line, power, and job description.
The board of directors and senior management (especially the CEO and CFO) are usually held accountable for business and legal results. Since customer privacy is related to legal compliance, submitting a business case for the CEO’s final approval is a good practice.