I had an email from Charles Pask yesterday, asking me for my opinion on “What keeps CISOs awake at night?” It’s a good question. I thought for a bit and decided that “advanced persistent threat” was the most dangerous threat I could imagine. I was wrong. CISOs are more concerned with personal, immediate and certain problems such as building teams and running projects.
This illustrates two things. Firstly, human behaviour is mainly influenced by things that are personal, immediate and certain. (See my book Managing the Human Factor in Information Security for more on this point.) Secondly, it confirms the first of my laws of information security: The purpose of an information security programme is to cover the backside of the CISO, rather than prevent incidents.
Perhaps the question should have been “What should keep CISOs awake at night?”