Learning lessons from the COVID-19 pandemic is vital to growing resiliency in the cybersecurity industry, according to Juliette Kayyem, former assistant secretary at the Department of Homeland Security, speaking during a keynote session at the virtual (ISC)2 Security Congress.
She began by outlining the five stages of crisis management, noting that COVID-19 bears many similarities with other crises. The stages consist of two prior to the “boom,” which are protection and prevention, and three after: response, adaptive recovery and resiliency.
What differentiates COVID-19 from other crises, however, is the sustained focus on “adaptive recovery,” with minimized contact intensity set to be in place for the foreseeable future. Other crises, by contrast, generally allow life to return to normal quickly. “This period is going to exist until further notice,” said Kayyem.
This adaptive stage does provide a unique opportunity to achieve lasting resiliency. This means that, through learning the lessons of the pandemic, life will in many ways not simply return to normal. In the context of the workplace, she anticipated that the experiences of the pandemic will lead to numerous permanent changes, including much more remote working, a greater focus on employee health, including the rise of the chief health officer, and better protections for gig and contract workers.
Kayyem stated: “COVID-19 has laid bare some necessary conversations that we’ve only been whispering about in the last couple of years, and just like so many other major crises that have happened in our past, they open up an important conversation about what kind of nations and what kind of world we want to be.”
This new landscape is going to heavily affect the cybersecurity sector, and industry leaders now need to plan ahead rather than constantly introduce patchwork solutions, according to Kayyem. “Do you accept that you need to think about what it’s like to manage a security team through to the end of 2021?” she asked.
This includes anticipating early investments needed in technology systems, the kinds of security threats that may exist going forward and ways of communicating in this “new normal.” To do so, she advised: “You need to set an implementation plan that gets you to the end of 2021 in terms of needs, employees, workforce development, hiring and budget, and you need to make that case loud and clear.”
Kayyem also highlighted the importance of working out how security teams can maintain some form of physical contact, which is likely to be a challenge in the current adaptive phase. “What combination of your security team will need to meet, who within the security team, how will you on-board and how employees will learn what the corporate culture is,” she outlined.
Security leaders must also ensure that security stays a key focus throughout their organizations over the coming 18 months, as complacency can easily set in. Kayyem commented: “It may be that you need to build new resources, do retraining and remind people… you’ve got to reiterate those security needs.”
She concluded: “We are in a time in which we are going to have to adapt and learn to live in the now normal and that means protecting yourselves, your family and continuing to protect your employees, teams and institutions through 2021.”