What are examples of risk that affect the information infrastructure, but are not IT based in origin? How does a CISO determine which threats are realistic threats and which are probably not going to be an issue? What characteristics are necessary for a successful CISO and why? Which of these characteristics do you have? Which of these characteristics are you working on developing?
Risks that may not be considered by your typical network administrator include infrastructural damage outside the realm of a wide-scale natural disaster: a fire, a plumbing flood caused by frozen pipes, structural damage from pests such as termites, or even a breach of the building from a car crashing into the load-bearing wall outside the server room. The CISO must determine which threats are realistic by assessing the environment and deciding which low-probability events are remotely practical, and by keeping aware of the surrounding environment to maintain a bearing on these potential catastrophes: for example, noticing if trees are being felled on the property, or if traffic from a main thoroughfare is being diverted onto your sleepy side street, and making sure that preventative measures concerning pest control, maintenance and inspections are up to date, even if that is “another department’s department”.
A successful CISO is involved in all aspects of the business, and when there is no prevalent or apparent threat, is unobtrusively ensuring that all other departments are operating safely and correctly. By maintaining wide-angled situational awareness, a good CISO can ensure that no threat, internal or external, interrupts operations. Moreover, a successful CISO is able to assert themselves, make the hard calls, and ask people to stay late or go the extra mile in order to tighten up their department.
Personally, I believe I am able to see the big picture, and have a well-rounded enough interest in learning more about all aspects of operations to ensure there are no data leaks or possibilities for failure. I am also able to hold my cards, ensuring that specific departments don’t get more information than necessary and compartmentalizing data, so that if one aspect is compromised, not everything is compromised.
I am trying to toughen up and have a firmer hand in asking a little extra of people, whether it be to change their password to something stronger, or to stray from the beaten path to try a method that is unfamiliar or intimidating, yet beneficial to our mission.