Post-COVID outlook for Cyber Security - New Normal … looking a lot like the Old

Post-COVID outlook for Cyber Security – New Normal … looking a lot like the Old

The COVID crisis has not changed the cyber security fundamentals: What will the new normal be like? Two recent reports highlight the current cyber security paradox: While the COVID pandemic has turned business and society upside down, well-established cyber security practices – some known for decades – remain the best way to protect yourself.

It might not be the message the authors of those reports wanted to convey, but it remains the dominant impression.

The first one, from the World Economic Forum, published in May (“Cybersecurity Leadership Principles: Lessons learnt during the COVID-19 pandemic to prepare for the new normal” – WEF – 26 May 2020) is once again a superlative summary of good practices, which in the end hardly moves the needle. We commented along the same lines on one of their earlier reports last year.

Using buzzwords like “resilience” instead of “security” or “continuity” does not disguise the fact that 80% or more of the “lessons learnt” highlighted in the report (e.g. “focus on critical services”, “implement meaningful metrics” or “practice crisis management plans”) can be summarised in three words: Follow Good Practice… More than ever, doing the right thing around cyber security, seems to consist of doing now what you should have done ten years ago

Obviously, if those are still valuable “lessons learnt” worth highlighting to world leaders, it implies they were not properly in place pre-COVID in spite of having been known as security good practices for decades, but the report stays well clear from discussing why…

The second report, from InfoSecurity Magazine, published in June (“State of Cybersecurity Report 2020” – InfoSecurity Magazine – 3 June 2020) offers – as expected – a more technical perspective but points in the same direction with regards to its key takeaways.

The key importance of human elements in cyber security or the fact that “the evolution of the cloud is driving innovation whilst also exposing organizations to new security and privacy challenges” are nothing new.

It is evident that the COVID pandemic has accented and accelerated those, but once again, the cloud was not born out of COVID and good practices in those areas should have been in place for decades.

As a matter of fact, our 2019 report on the “Language of Security” (built on the semantics analysis of the content of 17 annual “Global Information Security Surveys” from leading firm EY, spanning the period 2002-2018) shows without ambiguity cloud security considerations dominating the period 2010-2011-2012 before receding dramatically.

The shift of focus away from compliance is also something our 2019 report highlighted, but again this is a ten years old long-term trend starting around 2010 (and arguably one of the key findings of our research): The first decade of this century was the true “compliance” decade for cyber security; the last decade has been a “realisation” decade dominated by incidents and threats considerations, leading to the acceptance by many business leaders of a “when-not-if” paradigm around cyber-attacks.

The “when-not-if” paradigm creates completely new challenges for CISOs and CIOs: Old and well-established security basics still go a long way to ensure protection but the challenges are now firmly around execution, while roadblocks remain rooted in governance dysfunctions and short-termist business cultures.

The COVID crisis does not change any of that but it does aggravate short-termist business tendencies and will constrain budgetary resources dramatically in most industries.

If one thing is going to change (for some tech vendors at least), is that throwing money indiscriminately at the cyber security problems in the hope of making them disappear is going to stop: Spending and resources will have to be focused where they can have the most impact and that has to start with a sound appreciation of critical assets and their risk posture. But again, focusing on those “crown jewels” should be seen as one of the oldest and best-established good practices…

It looks like the “new normal” is definitely going to look a lot like the old.

Arrange a Conversation 

Profile Picture
by JC GAILLARD
Corix Partners

A senior executive and alternative thinker motivated by analysing and resolving Cyber Security Strategy, Organisation and Governance challenges

Browse

Article by channel:

Search

Everything you need to know about Digital Transformation

Read more articles tagged: Cyber Security, Featured

Cyber Security

Popular Now

The Case For Digital Transformation
An Executive Summary: Leading Digital by George Westerman, Didier Bonnet & Andrew McAfee
The Case For Digital Transformation
The Digital Transformation Pyramid: A Business-driven Approach for Corporate Initiatives
Strategy & Innovation
Target Operating Models & Roadmaps for Change
Delivery
Data Asset Management (DAM)
Strategy & Innovation
The Innovation Management Theory Evolution Map

Related Articles

People & Change
A guide to building Agile culture
Strategy & Innovation
Innovation at Scale: An interview with Dr. David Knott, HSBC Chief Architect
People & Change
Why the success of WFH could be dangerous for digital transformation
© Copyright The Digital Transformation People 2018