Question 15
Which of the following most accurately describes a CISO's role in risk ownership?
A. The CISO owns all cybersecurity risks
B. The CISO defines the risk appetite for the board
C. The CISO supports risk analysis but does not own risk
D. The CISO decides which risks are accepted or rejected
Answer: C. The CISO supports risk analysis but does not own risk
Risk ownership resides with the asset or business process owner. The CISO facilitates the process but doesn’t make acceptance decisions.