Protecting Availability in Critical Infrastructure

As the CISO of a publicly traded company, I would follow the NIST Cybersecurity Framework's five functions: Identify, Protect, Detect, Respond, and Recover. I would direct my department to inventory all of its equipment and ensure that security updates and hardware replacement occur on a regular schedule. I would also assemble a team to perform risk assessments and classify each risk by its severity, so that we could work together to reduce liability as much as possible.

Other methods of limiting liability would include policy changes requiring, at a minimum, two-factor authentication and least-privilege access for all employees interacting with the system. Redundancies would be used, such as automatic data backups to physical servers stored in a safe location, and I would recommend keeping spare hardware on the system to handle peaks in traffic. I would also recommend developing a migration strategy so that, in the event of a denial-of-service attack, traffic overflow, or other outage, services remain available to users while the incident is handled and normal service is restored.

No conversation about ensuring availability and protecting resources is complete without mentioning a company's most valuable and often most vulnerable asset: its employees. Employees should be well educated on the technical risks associated with their role within the company, including those they may not initially consider, such as the risks of accessing network resources from a personal (bring-your-own) device, the likelihood that a stale password will be cracked or leaked, or being socially engineered into surrendering a password. By adhering to the NIST framework and implementing industry-specific best practices, I would lead a collaborative effort to ensure the resilience and availability of our systems. Through proactive security measures and a strong cybersecurity culture, our team would safeguard critical infrastructure and maintain continuity in an ever-evolving threat environment.
