A Chief Information Security Officer (CISO) of a large financial institution undergoing an IT transformation program wants to embed security across the business rapidly and across as many layers of the business as possible to achieve quick wins and reduce risk to the organization.
Which of the following business areas should the CISO target FIRST to best meet the objective?
Answer: D
The CISO is tasked with embedding security across the business rapidly and across as many layers of the business as possible, with the aim of achieving quick wins and reducing organizational risk. The business area to target first is therefore the one that yields the broadest and fastest coverage, not necessarily the one that addresses the most severe individual threat.
A. Programmers and developers should be targeted to ensure secure coding practices, including automated code reviews with remediation processes, are implemented immediately. This option improves the security of the software the organization develops, which is a critical area to address. Secure coding practices reduce the likelihood of software vulnerabilities and make exploitation harder for attackers. However, this approach addresses only a single layer of the business (the development function), and rolling out code review tooling and remediation workflows across every development team takes significant effort.
B. Human resources should be targeted to ensure all new employees undertake security awareness and compliance training to reduce the impact of phishing and ransomware attacks. This option improves employee awareness and compliance so that staff are less likely to fall for phishing and ransomware lures. Teaching employees to identify and report suspicious emails or messages helps prevent them from inadvertently handing attackers credentials or other sensitive information. However, this approach is also limited to a single layer of the business, and because it targets new employees it reaches the existing workforce only slowly.
C. The project management office should be targeted to ensure security is managed and included at all levels of the project management cycle for new and in-flight projects. This option embeds security into the project management process so that security is considered at every stage of a project's life cycle. Because projects typically involve multiple departments and stakeholders, this approach does integrate security across several layers of the business. However, it only reaches the parts of the organization currently running projects, and changing the project methodology and retrofitting in-flight projects takes time.
D. Risk assurance teams should be targeted to help identify key business unit security risks that can be aggregated across the organization to produce a risk posture dashboard for executive management. This option identifies and assesses security risks across every business unit, which gives the CISO an organization-wide view and a basis for prioritizing security effort across all layers of the business. Presenting the aggregated risk posture to executive management also brings security into decision-making at the highest level, so that the resulting actions carry executive backing. This approach is the one most likely to embed security quickly and across the greatest number of layers of the business.
In conclusion, while all of the options have merit, targeting the risk assurance teams to identify key business unit security risks, aggregate them across the organization, and produce a risk posture dashboard for executive management is the most effective first step to embed security across the business rapidly, across as many layers as possible, and with quick wins that reduce risk to the organization.