DISCUSSION BOARD: Protecting Availability

Scenario

In this discussion board, you are the CISO for a publicly traded company. What protections would you implement to ensure availability of your systems (and why)?

My job as a CISO is to ensure that the information assets are protected. There are many different ways that I could protect the company's systems. For example, I would conduct regular risk assessments. This is important as it identifies potential risks to the company and can analyze ways to prevent those incidents or accidents from occurring. That way I could create a record and track the important data and have pre-incident planning in place. I would also monitor the company's network activity or traffic for suspicious behavior. It would be a huge risk not to monitor, because if users have gained access to unauthorized information, they could use that information with malicious intent, which would categorize this as a data breach.

Also, making sure that my employees have the best cybersecurity practices is very important. Information security is not something to joke about, as anything on the internet can be stored, copied, and sent to unauthorized individuals even if the information is personal. Maintaining that security is vital, as it could completely crumble any business if their information was stolen. To prevent this, employees would be required to train and develop the necessary skills to combat the constant threats being thrown at the company. I would also update the training information as needed, since new threats are arising and the old training might become mediocre.

Multi-factor authentication would be required as well; the user requesting the information must prove their identity in order to gain access to the server or client. This is to make sure that the user who's accessing the information is actually a user and not a computer posing as a user. With that being said, authorization is also a requirement, as the server would need it in order to give the client permission to access the resources or files.

Back-ups would be a main priority. This is to make sure that the information is stored and protected away from the main system in case of data breaches, cyber attacks, or possible power outages. If there is a power outage, getting those systems back up could take an inordinate amount of time; if the company doesn’t have that time, then the back-ups would be perfect, as the company can continue its normal procedures until the main system is fixed or back online. AI could be used as well to maintain security in ways that either myself or my employees can’t do efficiently at that moment in time. This would be used as a back-up just in case more training is needed.

With all that stated, the last important thing I would do is communicate with the leaders of the company and stakeholders. Communication is a key thing that, in my opinion, would make or break a company in ways not usually thought of. It is important to communicate with the leaders and stakeholders so as to keep them up to date with the security being enforced in their company, as well as to adhere to their regulations and standards related to protecting their data. There are more protections I would implement, but these are the ones that I personally find important, especially when it comes to regulating data protection in a publicly traded company.
