Recently, I remembered watching an experienced trapeze troupe rehearse with a small-town circus. They flew through the air with perfect form, but what caught my eye was what wasn’t there: the safety net. They’d spent the winter learning to work without it—“because the hardest part of opening night isn’t the trick; it’s the knowledge that no one will catch you if you miss.”
That image has haunted me since the recent RSA Conference. For years, American enterprises believed we had a cybersecurity safety net. CISA hunt teams, FBI takedowns, a full alphabet of federal programs—ready to intervene before disaster. But in San Francisco, the ground shifted. DHS Secretary Kristi Noem’s back-to-basics speech made it plain: Washington is trimming the net, narrowing CISA’s role to critical-infrastructure triage and handing the rest of us the rope. Meanwhile, fresh intelligence on China’s Volt Typhoon showed adversaries moving from laptops to dusty edge devices that keep our factories, hospitals, and energy grids running.
Boards, CEOs, CIOs—this is the one idea you need to sit with this week: resilience at the edge is now an executive—not governmental—obligation. If you treat routers, gateways, and controllers as plumbing, you’re doing exactly what adversaries count on.
What changed in the last few weeks
A thinner safety net
Leaked budget docs in May show proposed cuts of up to 50% in CISA’s workforce, a pause on its headquarters, and “right-sizing” of state grants. The message is clear: we’ll share intel and set guard-rails, but the private sector owns first-line defense.
A new attack surface narrative
At RSAC, the FBI’s Cynthia Kaiser revealed fresh Volt Typhoon forensics: hundreds of end-of-life home routers repurposed as covert command nodes; OT-centric lateral movement; pre-positioned scripts for pumps, valves, and breakers. CrowdStrike data showed a 150% YoY spike in adversarial activity against U.S. infrastructure—71% traced to abandoned edge hardware.
Governance pressure joining technology risk
Capitol Hill is circulating a draft “Cyber Hygiene Safe Harbor” bill: firms demonstrating secure-by-design practices would gain liability shields after nation-state incidents. Translation: regulators, and insurers, are shifting the burden of proof to corporate directors, not federal responders.
This is a board-level priority
Edge devices are where digital trust meets kinetic impact. If Volt Typhoon can manipulate a chlorine mix at a water plant or knock a regional ISP offline, supply chains will freeze before Washington can marshal response teams. The new doctrine assumes you are your own first responder.
Legacy edge risk is invisible in classic dashboards. Most companies track patch rates on laptops and servers, but not firmware age, credential hygiene, or end-of-life status on routers, protocol converters, or building controllers. Yet those forgotten assets represent the highest-probability pivot point for nation-state actors.
Legal and operational risk are converging. Under the SEC’s cyber disclosure rule, a router-enabled outage that halts production is presumptively “material.” If your board minutes and risk register don’t show active oversight of edge resilience, plaintiff’s counsel will frame it as negligence—especially once a safe-harbor standard exists for those who did act.
A practical blueprint: 90 days to edge resilience
1. Start with the un-sexy asset census
Ask infrastructure and production technology leads to build a literal wall-size chart: every router, firewall, VPN head-end, cellular gateway, serial-over-IP box, and programmable-logic controller. Note firmware version, last patch date, vendor support status. If you can’t see it, you can’t defend it—and you certainly can’t explain it to investors when the 8-K is due.
2. Erase end-of-life blind spots
Build a kill list of anything past vendor support or running default credentials. Replace or segment those devices behind true zero-trust controls. This is critical technical debt. Audit committees shouldn’t flinch at spending to avoid being the next Colonial Pipeline headline.
3. Instrument the production floor like the Security Operations Center
Deploy passive sensors—your choice (Zeek, Corelight, Dragos, and many more)—on the production network at one high-consequence facility this quarter. You don’t need full coverage overnight; create visibility so your team can find the “slow lateral creep” that conference speakers highlighted. Expand in later quarters.
4. Fusion-team your threat hunting
Volt Typhoon skips malware; it reuses built-in tools. Teach security analysts to look for specific behaviors associated with malicious activity, such as persistent SSH from consumer ASNs, new AD objects with no HR record, and sudden ARP scans from IT jump boxes to OT segments. Pair analysts with plant engineers to confirm what “normal” traffic looks like.
5. Table-top “first 72 hours without the net”
Run an executive exercise where edge devices fail during geopolitical tension. Assume federal help is delayed while CISA triages critical infrastructure. Ask: Can we operate manually? Who owns customer communication? Do we have an approved statement for the 8-K? Repeat these types of exercises until the answers feel boring—they won’t be in real life.
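Two of step 4's hunt hypotheses can be written as queries over flow records. The following is an added example, not from the original article: it flags a jump box reaching many OT addresses in a short window (a flow-level stand-in for the ARP scans mentioned above) and recurring SSH from consumer address space. The network ranges, host addresses, thresholds and flow records are constructed assumptions; the field names follow Zeek's conn.log.

```python
import ipaddress
from collections import defaultdict

# Every address, range and threshold below is constructed; substitute your own.
OT_NETS = [ipaddress.ip_network("10.50.0.0/16")]         # assumed OT segment
JUMP_BOXES = {"10.10.1.5", "10.10.1.6"}                  # assumed IT jump hosts
CONSUMER_NETS = [ipaddress.ip_network("203.0.113.0/24")] # stand-in for consumer-ASN prefixes
T0 = 1_700_000_000                                       # arbitrary epoch start

def flow(ts, src, dst, port):
    return {"ts": ts, "id.orig_h": src, "id.resp_h": dst, "id.resp_p": port}

# Constructed sample flows: a sweep, a routine session, recurring SSH, one-off SSH.
FLOWS = (
    [flow(T0 + i * 2, "10.10.1.5", f"10.50.0.{i + 1}", 502) for i in range(30)]
    + [flow(T0 + 9000, "10.10.1.6", "10.50.0.9", 502)]
    + [flow(T0 + d * 86400, "203.0.113.7", "192.0.2.10", 22) for d in range(4)]
    + [flow(T0, "203.0.113.99", "192.0.2.10", 22)]
)

def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def ot_fanout(flows, window=300, min_targets=20):
    """Jump boxes reaching >= min_targets distinct OT hosts within `window` seconds."""
    by_src = defaultdict(list)
    for f in flows:
        if f["id.orig_h"] in JUMP_BOXES and in_any(f["id.resp_h"], OT_NETS):
            by_src[f["id.orig_h"]].append((f["ts"], f["id.resp_h"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits

def persistent_ssh(flows, min_days=3):
    """Consumer-range sources with SSH to the same host on >= min_days distinct days."""
    days = defaultdict(set)
    for f in flows:
        if f["id.resp_p"] == 22 and in_any(f["id.orig_h"], CONSUMER_NETS):
            days[(f["id.orig_h"], f["id.resp_h"])].add(int(f["ts"] // 86400))
    return {pair: len(d) for pair, d in days.items() if len(d) >= min_days}
```

The thresholds are the part plant engineers should tune: a legitimate engineering workstation may poll many controllers, which is why the baseline of “normal” has to come from the people who run the floor.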
The strategic conversation for executives and boards
Use the next board session to pose three questions:
- Do we have a living inventory of every edge device that could impact revenue or safety?
- Can management show evidence that those devices are patched, segmented, and monitored?
- If an adversary (like Volt Typhoon) triggered localized outages tomorrow, what is our plan for business continuity and regulatory disclosure before federal help arrives?
If the answers are shallow, redirect capital. Edge resilience lacks the flashy headlines of AI, but it underpins every digital transformation.
Closing thought
The circus director was right: the hardest part isn’t the flip; it’s knowing no one will catch you. In cybersecurity, the net hasn’t disappeared, but it is smaller, lower, and thinner than we thought. Washington will still share threat intel and chase down criminals. The first safety line around your edge infrastructure must be woven by your own teams—funded by your budgets, championed by your board.
Lean in now. Replace the rusting routers, light up the dark corners of your network, build the muscle memory of operating without digital autopilot. The adversary has already demonstrated the edge is the fastest path to strategic leverage. The only question is whether your leadership understands it, too—and acts before gravity does its work.
This article originally appeared on LinkedIn here.