by 1970-01-01 211 days ago
Meh. This opinion highlights the fact that availability is the least understood pillar in security. The Right Way to Think About It is having good security analysis and doing proper Risk Management. This means it is their job to do business impact analysis, 3rd party assessments, and run tabletop exercises on all your critical systems to tell you what is rock solid and what is a house of cards.

How you approach this is very different depending on the size of the organization. We're a small shop (3), but we deliver big services to lots of people.

We do this by owning everything we can, and using simple vendors for what we can't.

Understanding exactly who does what and how they can be reached to work an emergency is all part of the availability pillar. Size matters not. Your security team needs to vet your team, your critical systems, your code, and your 3rd and 4th party dependencies constantly.

Depends on what your goal is -- minimal downtime or minimal blame

A 5 hour outage when headlines say "the internet is broken" may well be preferable to a 5 minute outage related to your far simpler and far more resilient setup