A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer (CISO) because
money has been spent on IT security infrastructure, but corporate assets are still found to be vulnerable. The
business recently funded a patch management product and SOE hardening initiative. A third party auditor
reported findings against the business because some systems were missing patches. Which of the following
statements BEST describes this situation?

A.
The CFO is at fault because they are responsible for patching the systems and have already been given
patch management and SOE hardening products.

B.
The audit findings are invalid because remedial steps have already been applied to patch servers and the
remediation takes time to complete.

C.
The CISO has not selected the correct controls and the audit findings should be assigned to them instead of
the CFO.

D.
Security controls are generally never 100% effective and gaps should be explained to stakeholders and
managed accordingly.