Time to Pivot: What the Pandemic Teaches Us About Security
As I sit in my home office, noticing how my ears sort of hurt from wearing a headset too long, three weeks into this new thing some of us call “social distancing”, I reflect on the impact of this event on Security teams everywhere.
It’s odd that some crisis is happening that doesn’t involve a cybersecurity event. We’re not, at this moment, the front lines, the pointy end of the spear, the canary in the coalmine. No — we are relegated to the support team! The “we’ll-call-you-if-we-need-anything” group. The “can-you-help-out-these-other-more-essential-folks-for-a-bit” substitutes. It’s all a bit unsettling, to be honest.
Security social media is having a bit of a meltdown. They talk about how, during times of crisis, Security becomes even MORE of a concern (we’re all bigger targets than before!!). They talk about how pandemic scams will get us, and how companies who produce popular software used by remote users are FINALLY seeing how dangerous their security architectures really are. They chastise the non-Security community for failing to appreciate the threats of Cyber Security during this perilous time. And of course, Security vendors are out in force trying to convince us that their AI-ML-Quantum product would do wonders to help us respond to and recover from COVID-19.
Please. Sit. Down.
Let’s just take a moment, and enjoy the fact that, whatever else is happening, it is not being caused by our chronic lack of patching protocols, or failure of our security operations playbooks, or our inability to self-identify configuration weaknesses in obscure technologies. Let’s not make ourselves more important than we are. Let’s not inject ourselves into recovery processes unnecessarily. Let’s recognize that at this moment in our companies, and in society, security discretion is the better part of valor.
It’s interesting to be a spectator to this crisis. Better than any tabletop exercise, this is affording CISOs and Security teams the opportunity to observe how their organizations function under pressure. Some of us have witnessed this first hand, during a cyber security event. But it’s hard to be objective when you’re in the middle of it. Now, you have an opportunity to be more analytical, more dispassionate about what you’re seeing in your organization. There is much to be learned by being close to, but not inside, the shark tank. For example:
- What is the primary driver for decision-making? Which values are important to the organization? How much do decision-makers pay attention to the needs of employees and the human element, versus the financial and the business element? How do they prioritize? How well do they collaborate when under pressure? Knowing how someone makes decisions is REALLY important to the CISO. Observe and learn.
- Which business functions are deemed critical? Now, I know this will vary a bit for a different kind of scenario, but a fair amount of functions in an organization will ALWAYS be critical. Which ones are they? How well are you, the security team, protecting those functions?
- How well does your organization deal with new things during a crisis? If they’re rolling with the changes without a lot of angst, this is an organization that can handle much more on-the-fly adaptation, and relies much less on policy and procedure. If the organization has analysis paralysis, or has to wait for that One Critical Person before they act, they might need a lot more structure to their security planning. Does this align with the way you have set up and run your security program? Do you really need that 100-page policy or playbook, or could you set some guidelines and rely on cheat sheets to fill in the blanks?
- How much of your organization’s ability to deal with this current crisis depends on factors internal to the company, and how much do you depend on vendors and other suppliers? There will always be some blend, but do you think the balance is correct? Have you aligned your security program to that blend, with appropriate ecosystem risk oversight? Are there supply chains you should have been paying more attention to?
- How is your own team handling this very strange situation? Who is getting mired in the drama, churning on anxiety, or struggling to cope? How can you help them now, but also how can you prepare them for future things? Who is otherwise handling this just fine? How do they do that? What can the rest of the team learn from them?
This pandemic is a masterclass for Security folk — are you appreciating the opportunity?
I’m finding it fascinating to observe how quickly issues of privacy and confidentiality are being downplayed during this event.
In Security circles, we talk about the Security Triangle of Confidentiality, Integrity and Availability (CIA) being the bedrock of All Security Things. But until now, it has really been CONFIDENTIALITY, with the I and the A trailing along behind like the ugly stepsisters. Not anymore.
Oh, there is the Zoombombing kerfuffle, and other minor things, but in this time of “we just need to keep working however we can”, issues of confidentiality are taking a back seat. Even our regulators are allowing all kinds of security controls to be waived or relaxed, in order to support remote working and the sharing of medical information.
Forget doing security assessments — what are the best work-from-home tools, and how do we start using them now?! Damn the security controls around passwords and authentication — we need a seamless user experience easy enough for our pre-schooler to use! We know we required on-site/in-person processes before, but this is a brave new world!! In all industries, and in all countries.
Here is where we are NOT compromising: Integrity.
Our public health officials are under tremendous pressure to get the data right, know more faster, and be more accurate. Our tech platforms are being heavily criticized for “fake news” which interferes with our societal ability to tell the truth. Our medical tests had better have close to zero false-positives and false-negatives. Now is NOT the time for us to doubt the accuracy of the information our society runs on.
Is this likely to change when things return to “normal”? Not completely. Oh sure, our regulators will go back to managing the things they can — which will be privacy focused. But here are some predictions:
- The public outcry over data breaches, which were already getting less and less attention, will decrease sharply (could Marriott have picked a better time to announce a big breach?).
- The reputational hit for losing credit cards and social security numbers will diminish to the point of no longer being a factor in our Enterprise Risk calculations.
- Getting the data WRONG, by allowing it to be manipulated in unauthorized ways or by unauthorized people, will become a criminal act.
So, Security Professionals, how does your program protect Integrity? How well do you know when changes are being made to systems and data, and what those changes do? How well does your organization govern the use of data?
As you sit at home, watching the rest of your organization scramble to stay afloat during this remarkable time, find some ways to think about the future that will focus more on Integrity than Confidentiality. Think about how you will respond to this change. Think about what you already have that will help. I promise you, it will be worth it.
And, wash your hands.