The FIRST step to create an internal culture that focuses on information security is to:
Endorsement of executive management in the form of policies provides direction and awareness.
The implementation of stronger controls may lead to circumvention.
Awareness training is important, but must be based on policies.
Actively monitoring operations will not affect culture at all levels.
The correct answer is D. gain the endorsement of executive management.
Creating an internal culture that focuses on information security is a long-term and multi-step process that involves many different aspects of an organization. However, the FIRST step in this process is to gain the endorsement of executive management.
Executive management is responsible for setting the tone at the top and establishing the organization's priorities and goals. If they prioritize information security and demonstrate their commitment to it, the rest of the organization is more likely to follow suit.
Gaining executive management's endorsement involves making a business case for information security, highlighting the risks that the organization faces, and explaining how effective information security practices can mitigate those risks. This can involve presenting data on the cost of data breaches or other security incidents, outlining regulatory requirements, and demonstrating the value of investing in security controls.
Once executive management has endorsed information security as a priority, they can then allocate resources, establish policies and procedures, and provide direction to the rest of the organization. The other steps listed in the answer choices, such as implementing stronger controls, conducting periodic awareness training, and actively monitoring operations, are all important components of an effective information security program. However, they cannot be effectively implemented without the endorsement and support of executive management.