This narrative is from a discussion board that brought up a hypothetical: If you were the CISO of a publicly traded company, what protections would you implement to ensure availability of your systems (and why)?
The first thing I would do is instill a cybersecurity framework if there isn’t one already. It’s important for everyone in the organization to understand their roles when it comes to the safety of our systems, especially if they work under IT. It’s also important for other executive positions to know their roles in protecting the organization’s systems, and to ensure that the cybersecurity sector of the organization gets proper funding so our systems stay available and working for every employee. It will also be important for me as the CISO to communicate with the CEO and other possible higher positions to make sure that transparency about the state of our security and software stays intact. Edits on the framework will be diligently and carefully made throughout the organization’s growth and changes.
Another thing I would do as CISO would be properly managing technological training for new employees. Of course, employees who will work in the IT department will have in-depth training, but I think it will be extremely important to give every newly hired employee training on internet safety and security awareness to avoid information breaches that could have been easily avoided. Although lots of people may be technically literate, there are still people who aren’t and may easily fall for scams that target company employees. Risking the chance of having any of our employees fall for phishing, email, or other scams isn’t worth the money and possible informational breach, so that is why it would be important to update and regulate a brief training course about security awareness and internet safety.
The last specific example I would like to mention is the overseeing of business relationships outside the organization. As a company, it would be natural to work with other businesses for supplies or services needed that the company itself cannot gain, but working with outside companies comes with a risk. Although there may be mutual benefits, it is always better to be safe than sorry since the intentions of companies are not always crystal clear, so making sure that vendor relationships stay secure and non-suspicious is a vital part of helping my organization’s success. I would not be directly managing vendor/supply chain relationships, but I would be advising employees that do manage and work with these relationships to ensure that our company’s information and systems stay secure.