Effective CISSP Questions

After suffering a ransomware attack, the board of directors is concerned with the effectiveness of the security function. If the CEO's time is tied up, which of the following is the best reporting line for the head of information security to enforce security? (Wentz QOTD)
A. Report to the CEO to get full commitment and support
B. Report to the CIO to take advantage of cutting-edge technologies
C. Report to the COO to fully integrate security into business processes
D. Report to the CAE (chief audit executive) to eradicate noncompliant findings

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Report to the COO to fully integrate security into business processes.

Governance Structure

As the CEO's time is tied up, it is not ideal for the CISO to report to the CEO. It is rare for the CISO to report to the CAE, because that impairs the independence of the audit function. Reporting to the CIO to take advantage of cutting-edge technologies seems to be an appropriate arrangement; however, it may create a conflict of interest, since the CIO both delivers technology and would oversee its security. Moreover, enforcing security from the perspective of technology alone is not enough.

Security is not only a technical issue but also a business issue that entails the synergy of people, processes, and technologies. Reporting to the COO is ideal because he or she has insight into business operations and sufficient authority (ranking second only to the CEO) to make final decisions and to coordinate across functions and departments.

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

After suffering a ransomware attack, the board of directors is concerned with the effectiveness of the security function. If the CEO's time is tight, which of the following is the best reporting line for the information security head to strengthen security? (Wentz QOTD)
A. Report to the chief executive officer (CEO) to obtain full commitment and support
B. Report to the chief information officer (CIO) to take advantage of cutting-edge technologies
C. Report to the chief operating officer (COO) to integrate security into business processes
D. Report to the chief audit executive (CAE) to eliminate noncompliant findings
