After suffering a ransomware attack, the board of directors is concerned with the effectiveness of the security function. If the CEO’s time is tied up, which of the following is the best reporting line for the information security head to enforce security? (Wentz QOTD)
A. Report to the CEO to get full commitment and support
B. Report to the CIO to take advantage of cutting-edge technologies
C. Report to the COO to fully integrate security into business processes
D. Report to the CAE (chief audit executive) to eradicate noncompliant findings
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Report to the COO to fully integrate security into business processes.
As the CEO’s time is tied up, it’s not ideal for the CISO to report to the CEO. It’s rare for the CISO to report to the CAE because that impairs the audit function’s independence. Reporting to the CIO to take advantage of cutting-edge technologies seems to be an appropriate arrangement. However, it may create a conflict of interest, since the CIO owns the systems that security must scrutinize. Moreover, it’s not enough to enforce security from the perspective of technology alone.
Security is not only a technical issue but also a business issue that entails the synergy of people, processes, and technologies. Reporting to the COO is ideal because he or she has insight into business operations and sufficient authority (ranking second only to the CEO) to make final decisions and drive collaboration between functions or departments.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.
After suffering a ransomware attack, the board of directors is concerned with the effectiveness of the security function. If the CEO’s time is tied up, which of the following is the best reporting line for the information security head to strengthen security? (Wentz QOTD)