CYBERSECURITY
BEYOND COVID-19
Understanding the Technical and Human Challenges
in an Interconnected World
It is exceedingly rare for a technology event to come along that affects the entire world at the same time –
one that threatens the livelihood of everyone on the planet. In fact, there have only been two. No war – not
even World War 2 – had such evenly distributed global reach. The most recent of these two events is the
ongoing COVID-19 pandemic. The other was the Millennium Bug, also known as Y2K.
From observing these two events, it becomes easier to extrapolate the theories as to why, in the world of IT
and commerce, significant yet preventable cybersecurity holes still exist – holes that allow viruses, breaches
and data loss to further threaten humanity in the same ways Y2K did and COVID-19 continues to do. Bringing
qualified people on board, including certified specialists in cloud security, is a vital first step. But these
people, as well as the ones who hire them, must understand that an effective defense requires the capacity
not just to understand the technological threats of our interconnected world, but to be able to communicate
the threats and corresponding threat management strategies to everyone who needs to hear them, including
C-level decision makers and end users.
This white paper looks at a collection of problems that are common in general as part of human nature, and
which translate into significant threats to companies, economies, countries and individuals as they compound
and spread.
https://www.washingtonpost.com/wp-srv/WPcap/1999-11/18/077r-111899-idx.html
Immediately prior to the COVID-19 outbreak, one of the biggest stories dominating world headlines was Brexit. The United Kingdom was moving ahead with carrying out the mandate of its referendum which, by the slimmest of margins (52%), had decided that as a nation, it would be better off alone than as part of the European Union. Several other countries were poised to follow suit, threatening a complete dissolution of the European economic community.

The desire to secede is typical of many populations, especially in times of relative prosperity or lacking a tangible external threat. Numerous countries, including the United States, Canada, Spain and Great Britain, have weathered internal separatist movements, and established religions are filled with subsets and split-off groups. In the same way humans instinctively band together in the earliest phases of a crisis, it is also natural for them to tribalize and split off when the cost of being part of a community starts to appear too onerous.

A growing backlash against globalization was starting to pick up steam in the months leading up to January 2020, and technology, specifically cloud technology, was at its heart. Kevin L. Jackson, CISSP, CCSP, is CEO of GC GlobalNet and an Adjunct Professor at Tulane University. He points out that at this time, “countries were retracting in terms of a nationalistic view. Cloud computing was one reason for this. It became critical to the economics of IT. If you were a country that didn’t have the scope to support a cloud industry, you were losing out.” Those that had the scope saw greater opportunities through technological self-sufficiency.3

Had the COVID-19 pandemic not occurred in the early months of 2020, it is likely the world headlines would have included much more about other countries following Britain’s lead and making their own plans to secede from the EU. But as Mr. Jackson added, “COVID-19 made us realize how interconnected we were. At this moment you don’t have a choice to not be global.”4
Interview with Kevin Jackson held April 15, 2020
governance, and the types of controls that are put in place. For example, a self-run data center means the organization installs and operates those controls. However, when a company goes to the cloud, all cloud management decisions may have been made years ago, and that particular cloud was not built or designed to meet a specific company’s business model or industry requirements.

Cybersecurity professionals understand the environment, they understand the challenges, and they understand the best practices and policies needed to effectively and efficiently manage the organization’s data. They can evaluate the controls that are there.

Educating the Executive

The most immediate assumption about cybersecurity professionals is that they must be experts in cybersecurity. This is certainly correct, but it is not the end of the story. According to Mr. Jackson, the number one talent of the cybersecurity professional is the ability to educate the executives and their colleagues on exactly what cloud is, the differences between traditional data center, MSPs and CSPs as well as the various risks and strategies involved in proactive protection.

Such a statement is not intended to diminish or degrade the intelligence of a corporate leader. Most C-suite executives today are very aware of the need for state-of-the-art defenses and practices. But, as with every other branch of the organization, they are reliant on their senior officers from other departments to provide the context and detail needed to make proper decisions.

Dr. Andrews agrees. He recognizes that executives are paying attention to cybersecurity, but they need to work with people who understand them.

“The trend,” he says, “is for those at the C-suite to have a business understanding which is sufficient. It is the technologists who have the problem, and who don’t understand the business.” The essence of the relationship between a C-suite executive and senior members of the IT team is one of pro-activity. Executives, Dr. Andrews emphasizes, do not want to have to go ask the CIO to ask the CISO. “They want the CISO to come and talk to us. Executives get miffed by what was just explained by a technologist.”

Ongoing Awareness and Proaction

A cybersecurity professional is someone who is not only fluent in the myriad cybersecurity terminologies and threats, but intimately familiar with the organization’s business case and operational goals. A cybersecurity professional can link them to the top line, bottom line and to the security risk tolerance of the organization, as well as the long-term employee skill set strategies. Cybersecurity professionals know where the organization is going and why it is going in that direction, in order to be able to recommend the best options with respect to a traditional data center, an MSP, a CSP and security options.

For his part as a corporate leader, security expert and teacher, Mr. Jackson believes that any organization of significant size will need a hybrid IT environment. It’s not “everything into the cloud,” he says. “These large companies are always going to have some data that is core to their differentiation in the marketplace, that they want to keep really close. There are going to be some operations that they can outsource to an MSP, and there will still be others that they will be able to do by leveraging services from a CSP.”19

He points out that this will continually change as the marketplace changes – not the IT marketplace, but the marketplace-industry that the organization is operating in. “If an organization is in healthcare, automotive, transportation, distribution or finance, the cybersecurity professionals have to know the industry business model as well as IT. They have to understand how IT contributes to the business model, the business case, and the future goals of that organization within their industry vertical.”20

Dr. Andrews adds: “From the standpoint of the employee, certification is 100 percent essential. That is where organizations are going. It is not going to be sustainable to keep whatever model they currently have.”21 For existing security professionals as well as those who want to crack into the business, Dr. Andrews encourages them to pursue certifications in order to stay at the leading edge of employment today.
19 Interview with Kevin Jackson held April 15, 2020
20 Interview with Kevin Jackson held April 15, 2020
21 Interview with Lyron Andrews, Ph.D., held April 9, 2020