Waking Up to Cybersecurity’s New COVID-19 Reality
The COVID-19 pandemic is creating emergent risks and cybersecurity challenges. Chief Information Security Officers (CISOs) and other security organization leaders are on the firing line, finding themselves responsible for everything from remote access security to business continuity management (BCM) to third party assessments for hurriedly onboarding new suppliers. Constantly increasing security budgets could become a thing of the past.
This Pandemic is Making Amateur Epidemiologists of Us All
We’re living in trying times and it’s clear that the coronavirus (aka COVID-19) will be a landmark event for us all including yourself, your business, and your security team.
Last week I was busy trying to get in touch with CISOs and other business or security leaders. I was attempting to complete 100 interviews before my book Rational Cybersecurity for the Business publishes in May. But nobody was getting back to me. I noticed that just about every conversation seemed to start with the Coronavirus.
Half the time we wouldn’t even say “coronavirus” but just refer to “it.” We’d each know exactly what the other was talking about. We’ve been re-examining our lives as individuals, families, teams, and businesses in the light of the new reality.
As in the 2008-2009 period, we’ll see cuts. Unfortunately, those cuts will be of the budget, not of cyberattacks. We’ll need to get smarter about risk management. We’ll have to align information risk concerns with executives’ concerns and their planning for the business.
Did we Disregard Early Cybersecurity Warnings of Emergent Pandemic Risk?
I got an early warning around February 3 that the coronavirus would become a high concern outside of China whilst reading about:
- Undercounting due to shortfalls in testing: Hubbard Research Decisions’ Reasons for Potentially Massive Underreporting article (Feb 3)
- Work that can be done to prepare: Erez Shtang’s Business Continuity Planning & Coronavirus (Feb 3)
- Other articles on supply chain and the economic implications
You could say the writing was on the wall. I shared both the above articles on Linked In. However, security folks seemed to treat this like a theoretical exercise. It seems as though most of the world was lulled to sleep in February as so many politicians from President Trump on down practiced spin control. The RSA Conference proceeded as planned and none of the speakers that I saw there had modified their pre-built slides and talk track to warn about the pandemic to come. It’s human nature, after all: No one wants this! But then the coronavirus metastasized in South Korea and Italy. All bets were off.
Like many security leaders in February, I tried to stay focused on business as usual (BAU). Reading as much as I did about the coronavirus felt like a waste of time. After all, I had objectives like attending the RSA conference, writing my Fifty Keys to Alignment posts for my Rational Cybersecurity book project, and performing the many other day to day tasks of an Author and a Consultant.
But it turns out that studying the coronavirus wasn’t a waste of time. Lesson learned: As security leaders, any time we get early warning of something impactful to the business that we know is (or should be) keeping the CEO awake at night we can take the opportunity to:
- Get conversant with the topic: Become an amateur epidemiologist or an amateur [next big topic]. Understand the business risk impact.
- Weave cybersecurity risks into discussions: Pick out the top relevant security considerations and select a few that are guaranteed to interest business leaders (such as business continuity or telecommuting for the coronavirus).
Lesson Learned: Be Proactive With Cybersecurity Contingency Planning
Make keeping an eye on the burning issues of the business one of your new security leadership habits. Few will prove as disruptive as COVID-19 and, normally, one should not let every fleeting concern take enough time to derail schedules. However, any or all business issues with cybersecurity implications that make it into the enterprise risk map present an opportunity to engage the business and proactively prepare security measures. Take a look at my Rational Cybersecurity business alignment Key #3.
Being on top of COVID-19 and the other issues de jour helps CISOs stay relevant to executives, gets them on agendas for meetings, and affords an opportunity to find fixable business pain points.
In some cases, the CISO might even be able to alert executives to business risks that aren’t on their radar screen. For example, many CEOs were probably still complacent about COVID-19 in February. One might ask: Would it have been too early for a CISO to reach out on the coronavirus to an apparently unconcerned executive? Absolutely not. As long as CISOs keep the discussion level-headed and don’t pretend to be professional epidemiologists, they can’t go wrong by demonstrating knowledge about the topic and planning security measures just in case.
How Can Security Organizations Operate Through New COVID-19 Reality?
COVID-19 is shuttering events and business operations across the globe. We don’t know how deep the trough will go or how long the pain will last. Social distancing and urban lock down may protect most of the population from infection (as, apparently, in China), but at a high economic cost.
Major economies are going into recession. Many businesses face bankruptcy. Expect layoffs, rising unemployment, a negative economic multiplier effect, and security budget cuts.
Some pandemic scenario simulations suggest the pandemic peaks and recedes by Q3 2020, but economic recovery may take longer. Become knowledgeable about COVID-19 and its business impacts.
Don’t try to become an expert epidemiologist or an economist in just a few weeks. Align with business leaders and the experts they retain. Incorporate their scenario assumptions for your business into security planning.
Our challenge is to address COVID-19 Security Concerns while still complying with regulations and protecting operational business systems. I’ll write more about that in my next post. But here’s a brief spoiler alert: We can:
- Bring the security industry’s information risk analysis expertise to the table and offer methodologies like Factor Analysis of Information Risk (FAIR) to the enterprise risk management (ERM) program.
- Use quantitative risk management to help refactor security programs for potential budget cuts. As Jack Jones, the FAIR Institute Chairman likes to say: “Security spending is like advertising. We know we’re wasting half of it, we just don’t know which half.” Time to find out! Through a Rapid Information Risk Assessment, identify your least productive (or risk-reducing) spend and activities. Cutting some of these will ease the strain on security staff already stressed by an industry skills shortage.
- Work closely with IT organizations(s), which will have the same budget problems as the security department, to reduce technical debt. Find opportunities to cut security operations resource requirements for systems becoming less important during the pandemic.
Bottom Line: Cybersecurity & Business Alignment
How well a security organization comes out of COVID-19 depends on how well it can stay focused on self-care, team care, risk-informing its work efforts, and aligning with the business to keep security programs on the rails.
You may need to sacrifice some projects, meetings, or activities once considered important. But don’t compromise getting a clearer perspective on risks and protecting what matters. Beyond that, take the opportunity to align with your business executives and their risk assumptions. Try to understand their concerns and how cybersecurity can be part of the solution.
Finally, if you have questions about cybersecurity-business alignment, rapid information risk assessments, coronavirus security concerns, or other topics in this post let me know. If you have experiences you can share about running security systems under austerity conditions, we’d love to hear from you.