Availability is a difficult concept in cybersecurity. Is it in the scope of the cybersecurity team or not? Always? If the web site is loading slow, should the cybersecurity team be contacted?
Availability is one of the three cybersecurity pillars together with confidentiality and integrity. With the three we can have this debate, but it is even less clear with availability. Should the investments needed to improve availability, like high availability costs, be paid by the cybersecurity budget? Are cybersecurity architects the most skilled people to design high availability software and hardware architectures?
When doing a threat model of a system, should the cybersecurity team take into account if there is a single point of failure that can be a bottleneck for availability?
On the other hand, we agree that if we are suffering a denial of service attack, it is in the cybersecurity purview to react and it is in the cybersecurity purview to define security controls to avoid this kind of attacks.
Where is the line?
Availability should be in the purview of cybersecurity only when the potential lack of availability is associated with an attacker. If there is no attacker, availability is an IT issue.
Let’s come back to the question about whether to call the cybersecurity team or not when the site is loading slow. This is a very edge case. The first level of reaction should not be the cybersecurity team if there are no indicators that the reason is an attack. If the root cause is not determined, and the slowness persists, the organization may think that a cyberattack might be the cause. Then is when the cybersecurity team should enter the scene.
Should cybersecurity invest in improving the availability? Only if the reason is to implement a security control that will reduce the risk of an attacker causing a denial of service, but no in other cases.
Availability is an information security pillar, but the cybersecurity team should focus only on a part of the availability: the one related to threats whose origin is an attacker. If not, precious cybersecurity time and effort is invested in areas that are not its specialization nor its purview, and at the end the reduced efficiency affects the company.