A Chief Information Security Officer (CISO) is reviewing the results of a gap analysis with an outside cybersecurity consultant. The gap analysis reviewed all procedural and technical controls and found the following:

High-impact controls implemented: 6 out of 10
Medium-impact controls implemented: 409 out of 472
Low-impact controls implemented: 97 out of 1000

The report includes a cost-benefit analysis for each control gap. The analysis yielded the following information:

Average high-impact control implementation cost: $15,000; Probable ALE for each high-impact control gap: $95,000
Average medium-impact control implementation cost: $6,250; Probable ALE for each medium-impact control gap: $11,000

Due to the technical construction and configuration of the corporate enterprise, slightly more than 50% of the medium-impact controls will take two years to fully implement. Which of the following conclusions could the CISO draw from the analysis?

A. Too much emphasis has been placed on eliminating low-risk vulnerabilities in the past
B. The enterprise security team has focused exclusively on mitigating high-level risks
C. Because of the significant ALE for each high-risk vulnerability, efforts should be focused on those controls
D. The cybersecurity team has balanced residual risk for both high and medium controls