Write-up - Human Factor in CyberSecurity

BLUF: As Chief Information Security Officer, it is important to think about the way my resources are
allocated. With that said, I would conduct a risk assessment using the NIST framework that we learned
about and allocate limited resources accordingly to address higher-priority threats.
Using the NIST framework to conduct a risk assessment to help me assess the likelihood and
impact of certain risks to my company will be a great first step in how I should be allocating my
resources. One example of such risks is employees unknowingly opening malware or phishing messages
because they lack the appropriate education on how to detect these threats and prevent them from
causing harm to the company’s network. I could use about 15% of my budget to really home in on
training my employees and ensuring they become a capable first layer of defense in recognizing
suspicious online behavior or actions.
Utilizing the NIST framework, another realized threat is unauthorized access from both within
and outside of the organization. Every company has sensitive information it strives to safeguard from
falling into the wrong hands. Whether it be a hidden formula or client information that is used to propel
the company, it needs to be stored somewhere. I’d allocate a good amount of my resources to cloud
security, which would provide a secure platform for businesses to store data and protect against cyber
threats. I’d continue to invest heavily in other cyber technology such as network security to create a
multi-layered defense solution that is capable of detecting cyber-attacks and responding appropriately
so there is no interruption in service to the company’s clients.
In conclusion, with the help of the NIST framework, as a Chief Information Security Officer, I’ve
assessed certain high-priority risks that would endanger the continuity and compliance requirements of
my business and allocated my resources accordingly. First comes a properly educated first layer of
defense in the employees of the company, followed by a cloud security solution to safeguard
information, along with a robust multi-layered network security defense.
