Today, every citizen is on the front lines of the epidemic. We are flooded with information about staying safe, keeping an eye out, and left to process unfamiliar language. We are all suddenly doctors and epidemiologists analyzing information and predicting how the world is changing. With countless health professionals, scientists, and officials publishing cautionary tales, it may sound like when your organization’s CISO tells you that Cybersecurity is everyone’s job, and perhaps throws some cyber-jargon at you.
Watching the initial response to COVID-19 has been a surreal experience, not only because of how we have been iterating through the responses, but in its striking similarity to what Cybersecurity professionals see in their everyday lives. Cybersecurity’s overall goal is to help business understand risk, so they can make informed decisions, and ensure the organization can detect, investigate, contain, and remediate issues rapidly. It’s easy to draw a parallel between a human virus and a computer virus, but the similarities are far more nuanced.
Cybersecurity professionals work daily to understand organizational cyber risks and help leaders make risk-informed decisions. We present graphs and charts showing maturity level, identify Cybersecurity investment opportunities, and install tools anywhere we can. When all else fails, some ultimately and regrettably resort to leveraging Fear, Uncertainty, and Doubt (FUD). Whatever the communication mechanism, many organizations view Cybersecurity as a “nice-to-have”, a necessary response to compliance, and often viewing their CISO as “Chicken Little”.
Cybersecurity’s lot sounds familiar to the pandemic planning’s predicament over the last few years.
First, the National Security Council had a pandemic playbook available to them, much in the same way that an organization’s CISO has a Business Continuity Plan (BCP). However, when it came time, the plan was not put to use in favor of finding a custom approach to the problem. Organizations often have regulatory or customer obligations to have a BCP in place, but it is often relegated to a shelf where it is brushed off for a cursory annual test. Our experience here is similar, in that testing of the pandemic plan was not real enough to result in an automatic use of the plan.
Second, the pandemic unit was removed from the National Security council, likely because a pandemic was not seen as an imminent threat to the nation. The corollary to Cybersecurity is striking because many organizations don’t have the CISO as part of the leadership team or present for strategic executive and board discussions. Sometimes the CISO is elevated to this level of visibility during a time of crisis, but memories are short and organizations often revert in the absence of a clear immediate threat. The value the pandemic unit and the CISO bring to the larger group is not just expertise in their area but a different perspective to larger issues. Their perspectives and contributions outside a time of crisis should not be discounted.
You can’t measure or respond to something you can’t see
Rapid response to a crisis not only requires a well-practiced plan, but also the visibility to target the response. In the case of the United States response to COVID-19, we were caught flat-footed without the data needed to make strategic decisions. Instead, responders and officials were forced to use anecdotal evidence or data from small regionalized sample sets. Assumptions had to be made about the illness’ prevalence, spread, impact, and mortality rate which have proven incorrect over time. Responding to the emergency without data-driven visibility has led to broadly implemented restrictions, overwhelmed health systems, and shortages of supplies.
The similarity of the response compared to Cybersecurity incidents becomes interesting when we think about visibility. The response to COVID-19 strongly mimics how organizations perform breach or ransomware response. Organizations that followed the direction of Cybersecurity leaders for instrumentation, centralized logging, and response exercises are like doctors who have had access to rapid testing. South Korea is the strongest corollary to a successful Cybersecurity program resulting from the amount of testing they performed early on, which enabled data-driven decisions focusing restrictions on affected citizens.
Instead, the United States Government’s response was the equivalent of a partially implemented Cybersecurity program. Sick patients are similar to users calling the helpdesk to report their computer is acting “weird”. The only visibility the response team has is to examine reported ‘weirdness’ and systems on the network. The best we can do is respond to the reports we receive, investigate the systems in question, and remediate. The incident responders can perform additional investigations around the proximity of the affected system, but it is resource and time prohibitive to examine the entire enterprise. The only other option is to shut down the business until every system can be examined or rebuilt.
The decision on when to call the all-clear becomes even more challenging. When does the Cybersecurity team think that the threat has been contained? If you don’t have visibility then you can take the stance that if no one is complaining then the problem must have been addressed, but it could just as easily recur elsewhere. Much is the same with a country and figuring out how to strategically lift restrictions without ending up worse off. In short… Data is king.
Where do we go from here?
Our collective experience from this pandemic is wasted if we don’t put lessons learned into forward planning more broadly. Going forward we should be prepared with information, data collection, and the ability to spot trends. It’s not to say that we can prevent all the ills of the world, whether that’s physical, health, or cyber, but we can be better prepared to respond to minimize the impact.
Encourage your Cybersecurity organizations to acquire the data needed to make informed decisions, allow it and the business to act quickly, and preserve the organization. Ask questions, rehearse in earnest, and make investments that provide insights.
Benjamin Franklin’s saying of “if you fail to plan, you are planning to fail” could not ring truer.