Until Further Notice: #ISC2Congress Keynote Prescribes Adaptive Recovery and Resilience in Cybersecurity to Deal With Ongoing Pandemic

Nov 18, 2020

For anyone hoping the COVID-19 crisis will come to a quick end, former Homeland Security Assistant Secretary Juliette Kayyem offered some sobering words today: The virus will be with us for the foreseeable future.

“I have to be blunt and tell you this period is going to exist until further notice. We are going to have to learn to live with the virus. Once you get your head around that, then the solution becomes clear,” Kayyem said.

She delivered her remarks virtually as the third and final keynote speaker at (ISC)2 Security Congress 2020. Kayyem focused her talk on what cybersecurity teams need to do through the pandemic to ensure safe operations of their teams and the employees they support. Her message about the importance of cybersecurity at such a time couldn’t have been clearer: “If what you do falters, the company won’t exist.” It was a reminder of the critical role that cybersecurity plays during a crisis.

During a previous keynote address, security expert Graham Cluley spoke of the need to follow security best practices and educate staff to combat efforts by cybercriminals trying to take advantage of the crisis to deliver attacks. On Monday, another security expert, Bruce Schneier, spoke of the intricate link between technology and society. He advocated for the creation of a public interest technologist role that participates in the development of technology at every stage to help ensure technologies are created with social, economic and political interests in mind.

Crisis Mitigation

Kayyem, who currently teaches at Harvard University’s Kennedy School, is a frequent guest on CNN as a national security, intelligence and terrorism analyst. Despite her sobering tone about the likely length of the pandemic, she stressed there are steps everyone can take to manage and mitigate the situation.

For employers specifically, she encouraged companies to assess how many people they need to have in the office and how often. She acknowledged there are times when it’s necessary to have a physical presence in the office even through a pandemic, but it must be managed correctly. She recommended creating protective pods to limit contact between employees and prevent the spreading of “respiratory fluids” that transmit the virus.

Whether at the office or elsewhere, managing the number of contacts is very important, Kayyem said. “If you are around five people, your chance of getting sick is much less than if you’re around 50 people or 500 people.” She also stressed the importance of mitigation policies such as social distancing and masking. “I see no reason not to wear a mask all the time indoors if you are with people who are not your family members or have not been equally protected in a protective pod,” she said.

Cybersecurity Parallels

Kayyem drew parallels between the response to the virus and cybersecurity responsibilities. In both situations, you need protection and prevention before what she calls a “boom” event – a slow-roll crisis such as the current pandemic. After the event, you need a response, adaptive recovery and resilience to deal with the event. Currently we are in the adaptive recovery phase, which will likely last through 2021, according to Kayyem. Even with the prospect of a vaccine being approved by the end of this year, mass distribution likely will not happen until the third quarter of 2021, she said.

Cybersecurity teams, Kayyem noted, need to focus on what she called “extending the runway” of the pandemic. That involves assessing the kinds of security threats that might emerge and taking steps to protect against them while working from home remains the default model. “You need an implementation plan that gets you through 2021.”

Teams also need to consider how to retain a security focus among all employees through the next 18 months. It’s possible that non-security employees may become negligent about security precautions, which puts pressure on cybersecurity teams to continue to train and remind people to follow security practices.

The pandemic, Kayyem said, has laid bare a number of issues with which our society has struggled. Specifically, she mentioned the need to make accommodations for mothers in the workforce who need to simultaneously watch their children because of COVID-19 and focus on their jobs, and the need for access to healthcare.

Kayyem predicted the rise of a new role in the C-suite – the Chief Health Officer, who will advise leadership about how to set policies for health-related matters, not only during but after the pandemic.

Despite her somber guidance, Kayyem struck positive notes about our ability to adapt, learn and build resiliency as a result of our response to the pandemic. “The only way this is in any way a beneficial thing or has a silver lining is if we build stronger.”

In the meantime, she said, “we are going to have to adapt and learn to live in the ‘now normal’. And that means, for all of you, protecting yourself, protecting your families, and continuing to protect your employees and teams and your institutions.”