CISM Exam Question: Security Program Commitment Report

Question

A security manager is preparing a report to obtain the commitment of executive management to a security program.

Inclusion of which of the following would be of MOST value?

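Answers

A. Examples of genuine incidents at similar organizations

B. A statement of generally accepted best practices

C. Associating realistic threats to corporate objectives

D. An analysis of current technological exposures

Explanations

Correct answer: C.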

Linking realistic threats to key business objectives will direct executive attention to them.

All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.

The most valuable inclusion in a report aimed at obtaining the commitment of executive management to a security program depends on the specific context of the organization and the security program in question. However, of the options given, option C, associating realistic threats to corporate objectives, is likely the most valuable inclusion. Here's why:

Executive management is primarily concerned with the success and stability of the organization. Therefore, to gain their commitment to a security program, it is important to demonstrate how security threats could negatively impact corporate objectives. Associating realistic threats to corporate objectives can help executives understand the potential consequences of a security breach and the importance of investing in a security program. This approach can help the security manager speak to the interests and priorities of the executive team and make a compelling case for investing in security.

While providing examples of genuine incidents at similar organizations (Option A) can help illustrate the potential risks and impact of a security breach, it may not be as persuasive as associating those risks with specific corporate objectives. Similarly, a statement of generally accepted best practices (Option B) may be useful in helping executives understand the components of a security program but may not be as effective at demonstrating the impact of a security breach on corporate objectives. Finally, an analysis of current technological exposures (Option D) can provide valuable information about potential vulnerabilities, but may not be as persuasive as demonstrating the specific risks to corporate objectives.

In summary, to obtain the commitment of executive management to a security program, it is important to demonstrate how security threats could impact corporate objectives. Associating realistic threats to corporate objectives is likely the most valuable inclusion in a report aimed at obtaining this commitment.