Experts have written much in the last couple of months about COVID-19 and its impact on cybersecurity. From ensuring colleagues can work from home securely to defending geopolitically fueled cyber exchanges, dealing with COVID-19 has dominated the consciousness of the cybersecurity industry.
All of this is important to deal with but is largely reactionary — that is, the issue is in front of us today. But what about the long-term view? Is it time to think about what COVID-19 means for cyber in the years to come?
I believe the answer is "yes" — but not in the way you might expect. In my mind, the long-term view of cybersecurity can be boiled down into a single word: flexibility.
The Big Picture: Cyber Defense Is One Piece of the Puzzle
Let's take a step back from cyber and look at the world around us. COVID-19 is changing the way in which we do business and the way in which we live our lives. It is affecting the way we interact with the environment and with each other. For example, in our day-to-day lives, we have seen cash transactions disappear while online deliveries are booming. Even when shops open, they are set to be little more than window dressing, while restaurants have become well-appointed delivery kitchens. Transportation may never be the same again. Entertainment and sports are now consumed digitally almost exclusively.
From a business perspective, this means some industries are struggling and may even disappear, while entire new sectors are being created from scratch. Offices are closing, in some cases permanently, while IT departments scramble to transition their centralized key assets to a more accessible cloud delivery model. Communication and teamwork now require a completely new set of skills and technologies. In terms of the workforce, record levels of government intervention and furlough schemes have shifted the fabric of society beneath our feet.
A Unique Opportunity
For those of us in cybersecurity, this maelstrom of change presents a unique opportunity to tear up the "security-as-a-blocker" stigma, and instead become enablers. The world has been hit with an evolutionary event — and if we think about businesses it is no longer survival of the fittest, but survival of those who can adapt the fastest — and also the most securely.
When a company is facing existential decisions over its business model to adapt to a post-COVID world, cybersecurity should not — indeed cannot —afford to get in the way. Instead, we need to ensure we can operate in an agile way, and adapt to whatever the world and its new ways of life entail. In practical terms this may mean several changes — for example, forging stronger relationships across the organization. This will help us to better understand what may be a rapidly changing business as a result of COVID-19, and to make sense of the critical assets and risks that underpin it. On the technical front, as another example, adopting a DevSecOps approach can introduce security at an earlier stage of the application development life cycle. Again, this serves to bring security closer to the business objectives.
Cybersecurity as a Business Enabler
But this isn't just about taking the opportunity to reposition cyber away from being a "blocker." There is also an important message here to deliver to our organizations about cybersecurity as an active enabler. Yes, it's true — those businesses that adapt to a post-COVID world may thrive… for a short time. However, those that can adapt securely will be well positioned for sustainable competitive advantage, leading to long-term success.
To achieve this, there are practical steps that cyber teams can take now. COVID-19 represents an opportunity to reach out across the organization, such as setting one-on-one time with stakeholders in different business functions, outside the usual risk reporting lines. Ask about their world and how it is changing, and what they expect the major trends and business moves to look like post-COVID. While building relationships is always beneficial, this should also be an opportunity to ensure that cybersecurity can contribute from the outset.
Next, security teams should be ready to add flexibility into their assessments. The rapid pace of change brought about by COVID-19 will introduce vulnerabilities into the business logic, the technology, and the people that work within the organization. We can't stop the business while we fix everything — so we must be ready to adapt.
In summary, while the long-term COVID-19 outlook and what it means for the world is unpredictable, this, in fact, leads to clear security advice that we can all start with today: Be more flexible.
- What Usability Means to Security Pros
- The Hitchhiker's Guide to Web App Pen Testing
- What COVID-19 Teaches Us About Social Engineering
- How Cybersecurity Incident Response Programs Work (and Why Some Don't)