The COVID crisis has not changed the cybersecurity fundamentals: What will the new normal be like?
Two recent reports highlight the current cyber security paradox: While the COVID pandemic has turned business and society upside down, well-established cyber security practices – some known for decades – remain the best way to protect yourself.
It might not be the message the authors of those reports wanted to convey, but it remains the dominant impression.
The first one, from the World Economic Forum, published in May (“Cybersecurity Leadership Principles: Lessons learnt during the COVID-19 pandemic to prepare for the new normal” – WEF – 26 May 2020) is once again a superlative summary of good practices, which in the end hardly moves the needle. We commented along the same lines on one of their earlier reports last year.
Using buzzwords like “resilience” instead of “security” or “continuity” does not disguise the fact that 80% or more of the “lessons learnt” highlighted in the report (e.g. “focus on critical services”, “implement meaningful metrics” or “practice crisis management plans”) can be summarised in three words: Follow Good Practice… More than ever, doing the right thing around cybersecurity, seems to consist of doing now what you should have done ten years ago…
Obviously, if those are still valuable “lessons learnt” worth highlighting to world leaders, it implies they were not properly in place pre-COVID in spite of having been known as security good practices for decades, but the report stays well clear from discussing why…
The second report, from InfoSecurity Magazine, published in June (“State of Cybersecurity Report 2020” – InfoSecurity Magazine – 3 June 2020) offers – as expected – a more technical perspective but points in the same direction with regards to its key takeaways.
The key importance of human elements in cybersecurity or the fact that “the evolution of the cloud is driving innovation whilst also exposing organizations to new security and privacy challenges” are nothing new.
It is evident that the COVID pandemic has accented and accelerated those, but once again, the cloud was not born out of COVID and good practices in those areas should have been in place for decades.
As a matter of fact, our 2019 report on the “Language of Security” (built on the semantics analysis of the content of 17 annual “Global Information Security Surveys” from leading firm EY, spanning the period 2002-2018) shows without ambiguity cloud security considerations dominating the period 2010-2011-2012 before receding dramatically.
The shift of focus away from compliance is also something our 2019 report highlighted, but again this is a ten years old long-term trend starting around 2010 (and arguably one of the key findings of our research): The first decade of this century was the true “compliance” decade for cyber security; the last decade has been a “realisation” decade dominated by incidents and threats considerations, leading to the acceptance by many business leaders of a “when-not-if” paradigm around cyber-attacks.
The “when-not-if” paradigm creates completely new challenges for CISOs and CIOs: Old and well-established security basics still go a long way to ensure protection but the challenges are now firmly around execution, while roadblocks remain rooted in governance dysfunctions and short-termist business cultures.
The COVID crisis does not change any of that but it does aggravate short-termist business tendencies and will constrain budgetary resources dramatically in most industries.
If one thing is going to change (for some tech vendors at least), is that throwing money indiscriminately at the cyber security problems in the hope of making them disappear is going to stop: Spending and resources will have to be focused where they can have the most impact and that has to start with a sound appreciation of critical assets and their risk posture. But again, focusing on those “crown jewels” should be seen as one of the oldest and best-established good practices…
It looks like the “new normal” is definitely going to look a lot like the old.