CISO Executive Scenario Challenge Quiz
1
Name
2
Email
3
Phone number
4
At 10:45 AM on a Tuesday morning, the SOC of a Lagos-based financial institution begins receiving multiple EDR alerts showing suspicious PowerShell execution across several finance department endpoints. Minutes later, two users report that files on their systems can no longer be opened. While the incident response team investigates, unusual authentication attempts are observed moving laterally toward a server environment hosting payroll applications and internal finance records. The core banking platform remains operational, customer transactions are still processing normally, and the CEO is concerned that any major interruption could trigger customer panic and social media backlash. At the same time, the Head of Infrastructure warns that the malware appears to be spreading faster than expected. As the CISO, what is the MOST appropriate immediate course of action?
Immediately shut down the institution’s entire network infrastructure, including customer-facing systems, to guarantee containment.
Isolate confirmed affected systems and high-risk network segments while maintaining critical business operations where safely possible.
Wait until the forensic investigation fully confirms the malware variant and attack scope before taking containment actions.
Prioritize communication with law enforcement and regulators before making operational containment decisions.
5
A multinational fintech operating in Nigeria discovers suspicious outbound traffic from a database environment containing customer onboarding records, including BVN data, phone numbers, and account information. Preliminary analysis suggests that attackers may have successfully exfiltrated portions of the database over several days using compromised administrative credentials. The legal department advises caution, arguing that the investigation is still ongoing and there is not yet complete certainty regarding the total volume of affected data. Meanwhile, senior management is worried about reputational damage and possible regulatory scrutiny if disclosure becomes public too early. As the organization’s CISO, what should be your BEST next step?
Delay all regulatory and executive communication until every affected customer record is conclusively identified.
Begin preparing regulatory notifications and executive briefings while the technical investigation continues.
Wait to see whether the attackers publicly leak any stolen information before deciding on disclosure obligations.
Quietly negotiate with the attackers to recover or delete the stolen information before involving regulators.
Other
6
During a routine security review, your cloud security team discovers that a storage bucket used by an internal analytics application was accidentally configured for public access. The bucket contains internal reports, API documentation, and limited customer transaction exports used for testing purposes. At this stage, there is no confirmed evidence that malicious actors accessed the bucket. However, the logs show several unknown external IP addresses interacting with the environment over the last month. The Head of Compliance is concerned about potential NDPA implications, while the engineering team warns that taking the environment offline could affect several reporting dashboards used by executives. What is the MOST appropriate immediate response?
Immediately secure or isolate the exposed storage, review access logs, and determine the scope of potential exposure.
Publicly notify customers immediately before validating whether any malicious access actually occurred.
Delete all potentially exposed files from the storage bucket to reduce organizational risk.
Wait for the cloud service provider to complete its own independent investigation before taking action.
7
During an incident, your SOC confirms active lateral movement within parts of your organization’s production environment late on a Friday evening. Several servers handling internal processing functions show indicators of compromise, but customer-facing services are still operational. During an emergency meeting, the CEO insists that systems must remain online because the company is approaching a major commercial launch and downtime would result in significant financial and reputational consequences. The Head of IT argues that immediate containment measures may require temporary disruption to some services. As CISO, what is the BEST strategic approach?
Fully comply with the CEO’s request and avoid any containment actions that could interrupt operations.
Unilaterally shut down all production systems immediately without further executive discussion.
Clearly communicate the business risks, potential consequences, and recommended containment options to leadership for informed decision-making.
Delay major containment actions until an external consulting firm independently validates the threat.
8
A senior systems administrator at a telecommunications company recently submitted a resignation notice and is scheduled to leave in three days. During a periodic review, the SOC identifies unusual after-hours access involving sensitive internal repositories and large data transfers to external storage services associated with the administrator’s account. There is currently no conclusive evidence that intellectual property or customer information was stolen. Human Resources advises caution to avoid potential legal disputes, while several executives are pushing for immediate termination due to the sensitivity of the administrator’s privileges. What is the MOST appropriate initial response?
Publicly terminate the employee immediately and notify all staff about the suspected insider threat activity.
Quietly preserve evidence, increase monitoring, and restrict non-essential privileged access while the investigation continues.
Delete sensitive logs and revoke access records to prevent the employee from understanding the investigation scope.
Ignore the activity until clear proof of malicious intent is established to avoid overreacting.