What CISOs can learn from Covid-19
More than three months into the global Covid-19 coronavirus pandemic, we have all become familiar with the advice on how not to catch this mysterious and horrible disease, which some people seem to be able to shake off with ease, but for thousands of other survivors now appears to have life-changing consequences.
Much of the guidance is self-explanatory and understandable, the same precautions you might take to avoid a mild cold: wash your hands, don’t touch your eyes or mouth, keep some distance from others, avoid crowded indoor spaces, wear a face mask.
To a security professional, this advice will sound familiar: change your password, don’t click on unsolicited links in your email, don’t plug untrusted USB drives into your PC – all basic, easy-to-understand advice that it seems to be very hard to get people to pay attention to.
But then, after all, there is a reason why computer viruses are called computer viruses. Helpfully, at the intersection of biological virology and computer virology sits Mike Lloyd, who as CTO of cyber risk services provider Redseal and a doctor of epidemiology, has a unique view of both fields.
“Good security is about the basics, it’s about hygiene, it’s about washing your hands,” he says as we chat via video-conferencing app Zoom across eight time zones, Lloyd in his kitchen at home in California, me in my south London flat. “That’s why there are such strong analogies with the virus. Basic hygiene, not some high-tech super pill, is the main way we have of combating Covid-19.
“Often in security we have the same role as dentists talking to people about flossing. We have to keep going over the same advice, over and over again, because people find behaviour modification difficult.”
Before the arrival of Covid-19 at the start of 2020, the biggest killers in the Western world were preventable diseases caused by choices related to poor diet, lack of exercise, or excessive use of alcohol or tobacco, all of which are fixable with behavioural modification.
“But we just don’t do that – we’re terrible at behaviour modification,” says Lloyd. “Then along came this disease that threatened grandma and suddenly it turns out that hundreds of millions of people can change their behaviour.
“I think there’s something in there that is a useful human story. We are far, far better at behaviour modification when it’s not about us, when it’s about some greater mission, such as care for the elderly or care for the community, or however you want to frame it.
“Humans change their behaviour when they see a mission greater than themselves”
Mike Lloyd, Redseal
“If I map that into something more CISO-specific, of course we’ve all been trying to get people to do behaviour modification by training them about clicking on links and so on, and it really hasn’t worked very well. So you can see a glimmer of hope for security there, I think.
“The point is that humans change their behaviour when they see a mission greater than themselves and I think that’s an interesting point.”
But it is abundantly clear from the constant stream of data breaches and security incidents that even if humans do change their basic behaviours, there is no guarantee that the network will remain free of infection – just as washing your hands does not guarantee protection from Covid-19.
“Viruses are extremely efficient little machines for making more viruses and while the threats security professionals face are people, not biological viruses, cyber criminals are also super-efficient, and they go for the easiest and biggest payoff,” says Lloyd. “When they see very fragile infrastructure, they use very simple attacks.”
The way cyber criminals move laterally through a target network also closely resembles the way a virus like Covid-19 spreads through a population. In the case of the coronavirus, governments tried to stop that lateral movement through their networks of humans by isolating people in their homes. Lloyd thinks security professionals can learn a thing or two about how cyber threats propagate from this.
“It is very clear that we can’t patch humans,” he says. “Humans depend critically on trust, and that trust can be exploited, so you can continue to get people to click on links no matter how many training classes we put them through.”
This means there will still be breaches and points of infection in networks, just as in people, and what security professionals need to do is accept this and focus on stopping subsequent lateral movement, just as doctors try to limit the damage Covid-19 causes in the body, says Lloyd.
From a technical perspective, nobody has got the solution quite figured out yet, he says. “You still see a lot of organisations where once you get deep enough inside, it’s all free and clear for lateral movement. That creates a playground for an attacker – or a biological virus. The analogies are so close that it’s difficult to tease apart when we’re talking about lateral movement of a disease and when we’re talking about lateral movement of attackers. They really do behave in the same way.”
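The “playground” Lloyd describes can be measured rather than guessed at. The following is an added example, not code from the article or from Redseal: it models a small inventory of hosts, a zone-to-zone firewall policy, and the ports an intruder typically uses to hop between machines (SMB, RDP, SSH, WinRM), then walks the allowed flows outward from a phished workstation to see how much of the estate one compromised user can reach. The hosts, zones and rule sets are constructed for illustration; the initial foothold on ws-01 is the assumption that, as Lloyd puts it, “we can’t patch humans.”

```python
"""Lateral-movement blast radius under a flat policy and a segmented one.

Added example. The host inventory, zone names and rules below are
constructed for illustration only; they describe no real network.
"""
from collections import deque

# Constructed inventory: hostname -> network zone.
HOSTS = {
    "ws-01": "user",      # assumed initial foothold (phished workstation)
    "ws-02": "user",
    "fs-01": "file",
    "db-01": "data",
    "dc-01": "identity",
    "jump-01": "admin",
}

# Ports an attacker commonly uses to move between hosts once inside:
# SMB, RDP, SSH and WinRM. Flows on other ports (Kerberos, LDAP, HTTPS)
# are treated as "business traffic" that does not by itself give a shell.
LATERAL_PORTS = {445, 3389, 22, 5985}

# A policy is a list of (src_zone, dst_zone, port) tuples; "*" is a wildcard.
# "Free and clear" network: anything may talk to anything.
FLAT_POLICY = [("*", "*", "*")]

# Segmented network: only the flows each zone needs to do its job.
SEGMENTED_POLICY = [
    ("user", "file", 445),       # users mount file shares
    ("user", "identity", 88),    # Kerberos to the domain controller
    ("user", "identity", 389),   # LDAP lookups
    ("file", "identity", 88),
    ("data", "identity", 88),
    ("admin", "*", 22),          # only the admin jump zone manages hosts
    ("admin", "*", 3389),
]


def allowed(policy, src_zone, dst_zone, port):
    """True if any rule in the policy permits src_zone -> dst_zone on port."""
    return any(
        s in ("*", src_zone) and d in ("*", dst_zone) and p in ("*", port)
        for s, d, p in policy
    )


def reachable(policy, start, hosts=HOSTS, ports=LATERAL_PORTS):
    """Breadth-first walk from a compromised host over lateral-movement ports.

    Returns (set of hosts the attacker can hop to, dict of shortest hop paths).
    The start host itself is excluded from the returned set.
    """
    seen = {start}
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt, zone in hosts.items():
            if nxt in seen:
                continue
            # Any one open lateral port is enough to reach the next host.
            if any(allowed(policy, hosts[cur], zone, p) for p in ports):
                seen.add(nxt)
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    seen.discard(start)
    return seen, paths


def blast_radius(policy, start, hosts=HOSTS):
    """Fraction of the other hosts reachable from a single foothold."""
    hit, _ = reachable(policy, start, hosts)
    return len(hit) / (len(hosts) - 1)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        hit, paths = reachable(policy, "ws-01")
        print(f"{name}: blast radius {blast_radius(policy, 'ws-01'):.0%}")
        for host in sorted(hit):
            print("   ", " -> ".join(paths[host]))

    # One broad legacy rule is enough to reopen the playground: letting the
    # file zone talk anywhere on any port turns fs-01 into a pivot to the DC.
    leaky = SEGMENTED_POLICY + [("file", "*", "*")]
    print(f"segmented + leaky rule: blast radius {blast_radius(leaky, 'ws-01'):.0%}")
    print("   ", " -> ".join(reachable(leaky, "ws-01")[1]["dc-01"]))
```

Under the flat policy the phished workstation reaches every other host in one hop; under the segmented policy it reaches only the file server, and the domain controller is never in range. The third run shows the weak-link effect: a single wildcard rule added for the file zone lets the attacker pivot ws-01 → fs-01 → dc-01 and the blast radius returns to 100%. Running this kind of walk over an organisation’s real rule base is exactly the “know your infrastructure” exercise Lloyd argues for later in the piece.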
Adaptability and evolution
But the lessons that security professionals can take away from the pandemic do not just relate to changing behaviours. Lloyd says the coronavirus crisis could spark a period of evolutionary change in cyber security, and he turns to the history of human biology to make the point.
“One of the questions around how humans came about is what force was there in evolutionary terms that made humans the way we are?” he says.
“One of the better explanations I’ve seen is that it was variability itself – the climate’s gone through many periods of change, but in the last million years or so, variability went up and when variability goes up, that means the climate changes a lot.
“That means there’s an evolutionary advantage, not to the fittest, but to the most adaptable, which may be what makes humans so successful because we are uniquely adaptable creatures.”
The cyber security parallel runs like this: pre-pandemic, CISOs tended to think of security as a set of best practices fitted to a specific need, and then bought the security products that best matched those practices – firewalls, endpoint protection agents, SIEM services, or whatever.
But in a post-pandemic world, where every business will have to respond differently because of the vastly differing requirements across sectors in terms of social distancing, remote working and so on, the ability to adapt will be key.
“It feels very easy for those of us who have laptops and have figured out how to make our work mobile, but really there are quite a lot of industries for which that is difficult,” says Lloyd. “There’s a long list of examples where we can’t just flick a switch and put everything in the cloud.”
This will lead to something of a division in the security world, he says, as CISOs will no longer be able to adopt someone else’s playbook on the assumption that what worked well for someone else will work for their organisation.
Perhaps more concerningly, it may force many down the hybrid route, securing on-premises and cloud-based services with increasingly cumbersome and fragile security stacks.
“The chain is only as strong as its weakest link and if you add more and more links to the chain, if you have more and more ways of doing business, as everything becomes more and more hybrid, then you have an increasing security problem,” says Lloyd.
“This is quite an abstract point, but I think it matters because CISOs still have to make networks as flexible, as adaptable, as resilient as possible, and the pursuit of digital resilience is the most important thing when we’re heading into a world where we know the rules are going to continue to change.”
How to achieve digital resilience
For Lloyd, the most important step towards a digital resilience that can cope with a world that has changed so radically – and, he adds, the novel security issues around artificial intelligence (AI), the internet of things (IoT) and 5G are not going away either – is to know your organisation inside and out, at both the business-process level and the infrastructure level. That is a big ask.
“It’s actually really surprising how difficult both of those things can be,” he says. “It’s very hard for an organisation to capture how it really works. But resilience is the ability to take a punch and then to be able to recover function, so you need to understand how your organisation works.”
The first step is to audit the processes that are intrinsic to your organisation. Appropriately, Lloyd uses a medical example here – an ophthalmologist would struggle to examine a patient’s eyeball over Zoom, but for a basic GP consultation, telemedicine is probably fine. The second step is to map those factors onto the IT infrastructure and figure out how it helps achieve those processes.
“Until you have done that, you can’t possibly achieve resilience or adaptability, and I think for people who don’t do this every day, it can be really hard to appreciate how hard it is to know how the organisation really works,” he says. “That’s why I emphasise something so fundamental.”
The adage that security leaders need to make themselves indispensable to the organisation’s board, and if possible fight for a seat at the top table, has been repeated so often that it has become something of a cliché.
Cliché or not, a true understanding of how the business works requires security leaders to show up to board meetings, and to make sure they are not there merely as a scapegoat for when something goes wrong.
“There clearly have been organisations that wanted a CISO to attend board meetings so they knew who to fire when something went wrong,” says Lloyd. “How do you prevent that dynamic? You have to actually be achieving something in terms of resilience – that means not educating the board on how you will perfectly protect everything, but educating the board on how you will help recovery when shocks occur.”
Perhaps, he muses, the wider shock of the Covid-19 crisis will be the spur that convinces wider organisational leadership to listen to their security teams. “Right now, it’s not hard to get a board member to appreciate that there can be extrinsic shocks to a business outside of your control,” he says.