What keeps you awake at night?

I had an email from Charles Pask yesterday asking for my opinion on “What keeps CISOs awake at night?” It is a good question. I thought for a bit and decided that the “advanced persistent threat” was the most dangerous threat I could imagine. I was wrong, at least about what actually keeps CISOs awake: they are more concerned with personal, immediate and certain problems such as building teams and running projects.

This illustrates two things. Firstly, human behaviour is mainly influenced by things that are personal, immediate and certain. (See my book Managing the Human Factor in Information Security for more on this point.) Secondly, it confirms the first of my laws of information security: the purpose of an information security programme is to cover the backside of the CISO, rather than to prevent incidents.

Perhaps the question should have been “What should keep CISOs awake at night?”

1 comment

I like your thoughts on the priorities of the CISO. They resonate strongly with O-ISM3, a security framework published recently by The Open Group. The approach taken by O-ISM3 is for the business to define the level of security that fits their operating model, their incident tolerance, if you like. Once the CISO and business manager are clear about security requirements and responsibilities, the infosec program can be judged on its successes, as well as its failures (Law 1). O-ISM3 also addresses Law 3, the correlation between risk appetite and investment: if the business wants to take on more risk, all it needs to do is raise an incident threshold. O-ISM3 is light on control tools, so Laws 4 and 5 look good (it actually states it is OK to put in a control without doing a risk assessment). On the other hand, it is big on team responsibilities, governance and communication, as it looks on security tasks as a set of definable processes. As far as "advanced persistent threats" go, there is a particular process obliquely called "Information Operations" that allows the CISO to spend quality time on mitigation strategies, so avoiding the need for sleepless nights.