The chief information security officer (CISO) has developed an information security strategy, but is struggling to obtain senior management commitment for funds to implement the strategy. Which of the following is the MOST likely reason?
A. The strategy does not include a cost-benefit analysis.
B. There was a lack of engagement with the business during development.
C. The strategy does not comply with security standards.
Best answer is A, cost-benefit. It would be B if the wording were written better; I believe the question may have been more like "the organization was not engaged". But the way B currently reads is "there was an external business negotiation, and they were not engaged", and there's no mention of an agreement outside the company.
According to the CISM Review Manual, 15th Edition, Page 437, Paragraph 3, the MOST likely reason for the chief information security officer (CISO) struggling to obtain senior management commitment for funds to implement the information security strategy is that there was a lack of engagement with the business during development.
Answer is B
To address this issue, the CISO should work on enhancing business engagement, involving key stakeholders in the strategy's development, and clearly demonstrating how the security strategy aligns with and supports the organization's business objectives and risk mitigation.
Going with D here. The keyword here is "BEST" so we're looking for an answer that offers the most comprehensive approach. Tabletop exercises are just one way to test BCP/DRP/IR.
The lack of engagement with the business during the development of the information security strategy can lead to a situation where senior management may not fully understand the strategic alignment of security initiatives with business goals. Effective communication and collaboration with key stakeholders in the business are crucial to ensure that the security strategy is seen as integral to the organization's overall objectives and priorities.
While the absence of a cost-benefit analysis (option A), non-compliance with security standards (option C), and reporting structure (option D) can be contributing factors, a lack of engagement with the business is often a primary reason for challenges in obtaining commitment and funding for security initiatives.
I go with B. A lack of engagement with the business, or a perception that the strategy doesn't align with the organization's goals, can have a more significant impact on senior management's decision-making process than the absence of a cost-benefit analysis. This one is tricky, but you have to think like a CISM.
Come on, people, in what world will a project get approved without a cost-benefit analysis? It's not going to happen; therefore the obvious answer here is B.
The scenario: the CISO develops a strategy, and senior management (they are from the business, not executives) resists, alluding that it was done in isolation.
B. This is the CISM exam and you need to give CISM answers. In the CISM senior management support and engagement trumps everything else and is the ultimate choice.
I think A. Regardless of whether you involve the business or not, they won't buy it if you provide them with a solution without the possible benefits/impact and the relative costs.
CBA is part of a business case, which justifies the solution. If the solution is not justified and backed up, you probably won't get it approved. Business engagement is important, but you cannot tell senior leadership "hey, we engaged business stakeholders here, please approve the budget". They will most probably look at the justification of this proposed solution. Additionally, business engagement does not necessarily facilitate CBA activities being performed.