Darwin’s observation about survival of the fittest seems especially apt as we work through this COVID-19 period. “Fittest” doesn’t mean fastest, strongest, or wealthiest. Some of the world’s most advanced economies—the United States included—have proved highly vulnerable to cascading failures arising from disruptions in supply chains, reliance on inadequate inventory, insufficient preparation, short-term profiteering, and bureaucratic obstacles. During this real-time social experiment, the challenge is to be more fit, that is, more adapted to this new context, our new normal. Flattening the curve, social distancing, self-quarantine, and better hygiene are necessary adaptations for individuals, companies, and society. Such protective measures align with the NIST Cybersecurity Framework (CSF), a model for how we can proceed more safely.
The practices recommended in the CSF line up with what we are learning about managing public health risk: prepare, identify, protect, detect, respond, recover.
Prepare: System Security Plan. The Boy Scouts and Girl Scouts had it right in the simple slogan “Be prepared.” Acknowledging that we are vulnerable is the first step to resilience. Develop a system security plan (SSP). The SSP should describe your organizational practices and priorities for protecting system assets. Practices should be based on customer requirements, supply chain profile, and business strategy. Priorities should be based on an analysis of threats, vulnerabilities, probabilities, and business impact. What loss or compromise would cause the most damage? Can and should the risk be avoided, mitigated, controlled, transferred, or accepted? As with the risk of falling ill to Covid-19, there will always be some residual risk. How much is acceptable?
Identify: Standard Operating Procedures, Policies, and System Asset Inventory. Whether addressing production floor, back-office, or front-office operations, it is essential to understand the organizational environment by documenting all company assets, roles and responsibilities, and performance metrics. If we understand what is normal, we can recognize what is not normal. Minor changes in normal behavior—whether it is a person’s temperature or equipment performance—can be an early indicator of more significant underlying problems.
Protect: Safety Equipment and Best Practices. In a short period of time, donning a mask before leaving the house has become second nature. Corollaries in the digital world would be using a virtual private network (VPN) to connect to organizational resources remotely; relying on two-factor authentication (and robust, unique passwords) for logging onto all accounts (business and personal); and fine-tuning privacy settings, user credentials, and access control lists. As a personal hygiene practice, I just checked through www.haveibeenpwned.com whether any of the email accounts I use most frequently had been compromised in recent data breaches. Two of them had been. I immediately changed the passwords on both accounts.
Detect: System Activity Logs. Many third-party IT service providers use automated tools that capture system activity data on behalf of their customers. These tools generate reports that help speed detection of unwelcome or unexpected use of information resources. The reports can—and should—be requested and reviewed. They are often free for the asking, at least from service providers who truly act as partners. Just as early detection of possible Covid-19 infection (by taking one’s temperature daily, for example) can help reduce its spread through self-quarantine and other practices, containing unacceptable use of company resources can avert larger problems.
Respond: Incident Response/Recovery Plan (IRRP). The best response is, of course, responsible preparation. (Hint: Develop your plan along with your SSP.) The IRRP contains emergency/incident contact information, procedures for taking down and bringing up equipment safely, and continuity-of-operations guidelines. It should also describe a few high-probability scenarios and their immediate, short-term, and long-term treatment. IRRPs explore remediation measures for failures from multiple causes: physical (e.g., burglary, power outage), environmental (e.g., flood, wildfire), personnel (e.g., illness, keyman/keywoman absence), technical (e.g., ransomware, equipment breakdown), and business process disruption (e.g., supply chain, client loss).
Recover: Lessons Learned and Continuous Improvement. The risk of a “W” Covid-19 spread pattern—that we experience a second peak infection rate when controls are lifted after an initial decline—is that we do not learn from this experience and stop all protective measures. We have learned that many of us can work remotely, for example, which could help prevent seasonal transmission of colds and flu, or even unnecessary commuter traffic congestion. We can continue to improve and strengthen our systems on a personal, IT, or production level. The threat environment, after all, will continue to evolve.
I believe that we can demonstrate the validity of another 19th-century scholar’s impression of the United States:
The greatness of America lies not in being more enlightened than any other nation, but rather in her ability to repair her faults.
Alexis de Tocqueville, 1805–1859 (French diplomat, political scientist and historian)