Question 1
As the CISO of a mid-sized retail company, you're tasked with developing a governance framework. What should be your first step to align security with business needs?
A. Implement role-based access control across departments
B. Define a risk appetite statement for all divisions
C. Understand the organization’s business objectives and operations
D. Draft and publish information security policies immediately
Answer: C. Understand the organization’s business objectives and operations
Governance must be anchored in the organization’s goals and operational realities. Without this alignment, security initiatives risk being disconnected or ineffective.