Updated: Mar 24, 2020
Below are a few excerpts from previous Cylidify blog posts with the themes of this post emphasized:
Much has been said and written about gaps between cybersecurity and its "constituents": businesses, technology, and people. Bridging these gaps will increase the ROI of security and privacy investments, but this must be balanced with the functionality and capabilities that generate revenue for the business.
So, it's up to "us" (cybersecurity professionals), to make the first move and advance toward a common ground leading with information and guidance versus elbows. Get involved early in the process with a common ground and compromise in mind. Enter issue or incident discussions with all the details available but tailored and presented to make it approachable and consumable for the business, technology stack, and people involved.
Agility does have trade-offs and costs, but it has solid value and there are few downsides in a balanced approach. Agility is a requirement in (cyber)security or other aspects that manifest and evolve rapidly such as personal safety (healthcare), finance, infrastructure, or privacy.
The global COVID-19 pandemic has brought the concepts of agility, incident response, and triage, top-of-mind for everyone both professionally and personally. In the context of crisis or incidents, we must be agile, shifting priorities via triage to coordinate actions. This is not how most of us normally operate, but I think we all have the capability. For some professions, this is the norm, so the people are trained, and the processes are honed. [Heart-felt “thank you” to first responders and medical professionals for ALL you do day-to-day and in times of crisis!]
For cybersecurity professionals, we work with agility and are prepared to work in a triage mode, but it’s not the norm. We do consider what could happen and how we would Respond and Recover (ref. NIST’s Cybersecurity Framework). A colleague of mine once said something to the effect of “anyone can tell you that you need security, but it takes an expert to tell you when you don’t.” (I can’t think of a situation where I would say you “don’t need it”, but I will tell you where you can do “less”.) Cybersecurity professionals understand that nothing is completely secure, so zero risk is impossible. We know that, in the spirit of the above themes of agility and balance, we must help develop a shared understanding of the risk to make the difficult compromises and decisions as part of the normal risk versus reward balancing act (while maintaining trace-ability, visibility, and accountability).
During Respond and Recover activities, security and privacy may end up at a lower priority even if they were part of the root cause. It’s a given (I hope) that personal safety is the #1 priority but deciding the other high priorities can be delicate. (Market share and profit always swirl around the top.) Part of a cybersecurity professional’s job is to help determine the right compromises and balance between security/privacy and capabilities. Usually, the balance leans to capabilities which generally prioritize higher because they win deals and make money. I’m ok with that approach as long as it doesn’t lean too far and if those accountable understand and accept the risks (in writing please). I’ll advocate a leaning or deferred balance approach in cases where the #1 priority is directly impacted or in a crisis situation where triage approaches are warranted as lower priorities are put aside. Unfortunately, the global pandemic has brought us both!
The healthcare technology space is a great example. Technology’s purpose in that space is improved care and good outcomes – basically, personal safety extending to both patients and clinicians. There are technology processes and practices to fulfill the purposes and keep the priorities. However, technology must not become an impediment or contradict the clinical processes and practices. If technology is unavailable or just inefficient, clinicians will work around it, by design. A great example is “break glass” capabilities in healthcare software and services. If a clinician needs access to information or a feature to provide immediate or emergency care to a patient, they can “break glass” to bypass tier 2 controls such as authorization and consent. Tier 1 controls like authentication and logging/tracking remain intact so the software still knows who did what and when, but the impediments are removed, and the top priorities are preserved. (Note that “break glass” may apply to processes and practices versus tools, capabilities, or technologies.)
Working through the pandemic crisis in the health care systems and the ripples that social distancing and shutdowns will cause, we must apply extreme agility, triaging, and a “break glass” mindset. Keep triage groups small, limit the discussion and planning, make swift decisions, and act with urgency to preserve the top priorities. (Cybersecurity and privacy professionals, you should be included but may not be a top priority, so a ‘C’ or ‘I’ in the RACI.) This also applies to general business continuity (as part of BC/DR plans) for your customers and employees who must work remote or in altered manner during the crisis.
In the PANic epiDEMIC LinkedIn article, I explore a crisis approach to Telemedicine (or Telehealth) as part of the virtual meeting topic – please give it a read. Telemedicine is less of a “break glass” option and more that we suddenly have a forcing function to use an available technology that has seen slow adoption and limited investment. In the context of this crisis, the Telemedicine scenarios have shifted, demand is increased, and the rewards now significantly outweigh the risks.