Who is BEST positioned to take ownership of critical IT security risks identified in an...

The business application owner (C) is best positioned to own application-related security risks because they are accountable for the business outcomes, value, and operational impact of the application. CISM consistently assigns risk ownership to business roles, not technical implementers. The CISO (B) advises on security posture, the CIO (A) oversees IT strategy, and developers (D) implement controls—but none are accountable for accepting or prioritizing business risk. Assigning ownership to the application owner ensures that risk decisions reflect business priorities and align with risk appetite.