Master Register of Prominent Risks for Corporate CISO | CompTIA CAS-003 Exam

Why a Centralized Holistic View of Risk is Vital for Corporate CISO

Question

The risk subcommittee of a corporate board typically maintains a master register of the most prominent risks to the company.

A centralized holistic view of risk is particularly important to the corporate Chief Information Security Officer (CISO) because:

Answers

A. IT systems may be maintained in silos to minimize interconnected risks and provide clear risk boundaries used to implement compensating controls.
B. Risks introduced by a system in one business unit can affect other business units in ways in which the individual business units have no awareness.
C. Corporate general counsel may require a single system boundary to determine overall corporate risk exposure.
D. Major risks identified by the subcommittee may merit the prioritized allocation of scarce funding to address cybersecurity concerns.

Explanations

The correct answer is B: risks introduced by a system in one business unit can affect other business units in ways in which the individual business units have no awareness.

As the head of the organization's information security, the CISO needs a comprehensive view of the company's risk landscape. Risks arise from many sources, including cyber attacks, system failures, regulatory compliance failures, and natural disasters. The risk subcommittee of the corporate board is responsible for identifying and tracking the risks that could significantly affect the organization's financial health, reputation, and operations, and its master register is the one place where those risks are recorded side by side regardless of which business unit owns them.

Option A describes a design choice, not a reason the CISO needs a holistic view. Even where IT systems are maintained in silos to limit interconnected risk and to give clear boundaries for compensating controls, silos rarely remove shared dependencies such as identity, networks, vendors, and data flows, so the CISO must still see how risks in different systems or business units interact rather than relying on the boundaries alone.

Option C is a legal reporting concern. Corporate general counsel may want a single system boundary in order to state overall corporate risk exposure, but that does not explain why the register matters to the CISO, who needs it to know how risks in one part of the organization affect the confidentiality, integrity, and availability of information assets elsewhere.

Finally, Option D describes a consequence of the register rather than the reason it matters to the CISO. Major risks identified by the subcommittee may merit the prioritized allocation of scarce funding to address cybersecurity concerns, but those funding decisions follow from first understanding how the risks fit into the overall landscape and which cybersecurity controls also mitigate risks that originate in other units.

Therefore, a centralized holistic view of risk, as maintained in the board risk subcommittee's master register, is particularly important to the corporate Chief Information Security Officer (CISO) because risks introduced by a system in one business unit can affect other business units in ways the individual business units are not aware of, and only a cross-unit view exposes those dependencies.