Question 85
An executive questions why the CISO does not own organizational risk. What is the correct response?
A. Risk is too complex for CISOs
B. CISOs only work with hardware
C. Risk ownership lies with business asset/process owners
D. Legal teams own all organizational risk
Answer: C. Risk ownership lies with business asset/process owners
Risk must be managed where it arises—those responsible for assets are best placed to assess and respond to risk.