Welcome to the SecAware blog

I spy with my beady eye ...

3 May 2020

COVID-19 is like infosec because ...

... Despite the history and the experts' warnings that a pandemic was likely to happen again at some point, it turns out we were ill-prepared for it, not as resilient as we thought and should have been

... Experts disagree on the details, sometimes even the fundamentals, and love their models

... Commentary and advice is plentiful, but sound, reasoned, appropriate advice by competent advisors is at a premium and partly lost in the noise

... Whereas information is important, information integrity, quality and trustworthiness are vital, hence there is also value in assurance and other information controls, including the pundits' reputations and credibility

... Most of us are non-experts, hence it is tricky for us to distinguish fact from fiction and make sense of conflicting advice 

... Perfect, complete information is seldom available, so there are bound to be compromises and errors - and we should be ready to spot and deal with them too

... Controls against COVID-19 are imperfect, at best; some are purely for appearance sake; some are as much use as a bubble level in space; others are literally worse than useless (the cure really can be worse than the disease!); in most cases, we simply don't know how well they will work in practice

... Many people and organizations struggle to cope with a serious crisis, whereas some shine and thrive - but even the best may crumble at some point

... They are all about risk and risk management, not just protection, control, safety and security: we are where we are partly as a result of our prior decisions about priorities, resources etc. 

... We are mutually dependent and hence collectively vulnerable since total isolation is impracticable, costly or literally impossible

... Our myopic focus on the current situation takes attention from other matters that may be at least as important, and some are actively exploiting that  

... Hindsight is 20/20 but not terribly helpful right now, unless we truly acknowledge and address our failings going forward - but more likely this incident will gradually fade from our memories, task lists and strategies until the next incident, even if strenuous efforts are made to keep it on the agenda

... The metrics/statistics are complex and easily misunderstood or misused, and simple linear extrapolation isn't much use

... We were slow to recognise and respond to the incident, allowing the impacts to magnify and reducing our options

... Even now, in the thick of it, we're not entirely convinced of the value of preventive, detective and corrective measures, plus the economic damage limits further expenditure or investment

... The politicians, experts, news and social media all put their own spin on things, with everyone seemingly having an opinion

... Tactical responses vary with longer-term strategic implications that are not presently clear but may be substantial 

... Responses that buck the general trend are seen and portrayed as creative or innovative by some, crazy and ill-conceived by others, putting them under intense pressure to conform to the norm (group-think)

... The original source or root cause of the incident is difficult to establish with any certainty, leaving the door open for conspiracy theories about malicious intent and subterfuge

... While the details will undoubtedly vary (perhaps substantially) and our controls will hopefully have improved, this won't be the last such incident

... We will probably forget, discount or ignore as much as we learn

... There are cultural, national, local, familial and personal aspects, plus commercial, political, social, scientific, economic ...

... Some individuals and organizations are exploiting the situation for their own selfish benefit while some are selflessly working for the wider community, but the majority are feeling powerless

... Some people are determined to "do something", whether that actually helps or not 

... Stress levels are high, with implications on analytical capabilities, decision-making, productivity and mental health, on top of physical exhaustion for those in the front line 

... 'Management' is in the spotlight: our glorious leaders are expected not just to cope but to lead us successfully through this, while the serfs are expected to carry on slogging

... Policies and procedures are at least as important as technical and physical controls, while effective awareness is a vital part of the mix

... Compliance is critically important but tricky to achieve in practice

... The situation is changing dynamically and somewhat unpredictably

... Antivirus is not the golden bullet

Any more?  Comments welcome ... 

No comments:

Post a Comment