
PROACTIVE CYBERSECURITY BEYOND COVID-19
Understanding the Technical and Human Challenges in an Interconnected World

It is exceedingly rare for a technology event to come along that affects the entire world at the same time –
one that threatens the livelihood of everyone on the planet. In fact, there have only been two. No war – not
even World War 2 – had such evenly distributed global reach. The most recent of these two events is the
ongoing COVID-19 pandemic. The other was the Millennium Bug, also known as Y2K.
From observing these two events, it becomes easier to extrapolate the theories as to why, in the world of IT and commerce, significant yet preventable cybersecurity holes still exist – holes that allow viruses, breaches and data loss to further threaten humanity in the same ways Y2K did and COVID-19 continues to do. Bringing qualified people on board, including certified specialists in cloud security, is a vital first step. But these people, as well as the ones who hire them, must understand that an effective defense requires the capacity not just to understand the technological threats of our interconnected world, but to be able to communicate the threats and corresponding threat management strategies to everyone who needs to hear them, including C-level decision makers and end users.

This white paper looks at a collection of problems that are common to human nature, and which translate into significant threats to companies, economies, countries and individuals as they compound and spread.

© 2020 (ISC)2, Inc. All rights reserved. | www.isc2.org 2


Problem 1:
COMPLACENCY AND DENIAL
Perhaps the only event that matched the current
COVID-19 outbreak in terms of universal global
reach was the Y2K threat of the late 1990s. The
anticipation of millions of digital devices worldwide,
including bank machines, nuclear power plants
and airplane control systems, suddenly resetting
or turning themselves off due to a two-digit date
software limitation required armies of IT specialists
and programmers, including many coaxed out of
retirement, to work against the most unforgiving
of deadlines. These programmers fixed it so
successfully that very few failures occurred worldwide,
leading people to remember Y2K as a somewhat
disappointing non-event.
The Y2K crisis revealed the degree to which our world was already interconnected by the 1990s. It revealed the myriad potential cascade effects that could happen when, for example, a single power station goes offline, creating an imbalance that triggers a surge and ultimately plunges entire cities into darkness. It revealed how much of the world already relied on connected digital devices for transactions through point of sale devices and showed how difficult paper money would be to access from faulty ATMs. Y2K revealed humanity’s global dependence on interconnected computers, but also reminded us that under the hood was a patchwork of legacy tools built up over time and held together by short-term economic priorities. The two-digit date limitation at the heart of Y2K was the poster child for a world of rampant, uncontrolled technological expansion that was seen as too valuable to lose, yet too expensive to properly maintain.

The diversity of attitudes displayed by people in business and government in the three decades leading up to the Y2K deadline (January 1, 2000) was typical of any population. Experts in computing saw the problem and its potential for widespread damage very clearly, yet they struggled to be heard. Many were derided as alarmist. Corporate decision makers procrastinated, fearing increased costs and disruption. A survey conducted in the UK in 1995, less than five years away from the deadline, found that “only 15% of senior managers were aware of the (Y2K) problem.”1 It was only by 1998 that the G8 and the United Nations started nudging global political will toward a timely fix. According to the Y2K Coordination Center, the crisis was estimated to have cost between $300 billion and $500 billion globally, and $100 billion in the U.S. alone.2

As the rapid spread of COVID-19 demonstrated 20 years later, human beings are not particularly good, collectively, at managing an unknown fear, whether it be a software bug or a biological virus. An instinctive and tangible resistance to change puts humans in a state of either willful denial or abject confusion when faced with an abstract and invisible foe. This is in stark contrast to the fight-or-flight reflex that causes us to run from a more visible, comprehensible danger such as fire.

Confusion leads to procrastination, inadequate action or straight-up resistance. In the case of Y2K, IT specialists directly involved in its detection and elimination often needed persuasive powers and diplomacy to influence corporate and political decision makers. A strikingly similar problem faced the statisticians and medical experts modeling the anticipated outbreak curves of the 2020 coronavirus pandemic. Abstract notions face an uphill battle against a profitable status quo.

1 https://www.theguardian.com/commentisfree/2019/dec/31/millennium-bug-face-fears-y2k-it-systems
2 https://www.washingtonpost.com/wp-srv/WPcap/1999-11/18/077r-111899-idx.html



Problem 2:
PROSPERITY AND PAROCHIALISM

Immediately prior to the COVID-19 outbreak, one of the biggest stories dominating world headlines was Brexit. The United Kingdom was moving ahead with carrying out the mandate of its referendum which, by the slimmest of margins (52%), had decided that as a nation, it would be better off alone than as part of the European Union. Several other countries were poised to follow suit, threatening a complete dissolution of the European economic community.

The desire to secede is typical of many populations, especially in times of relative prosperity or lacking a tangible external threat. Numerous countries, including the United States, Canada, Spain and Great Britain, have weathered internal separatist movements, and established religions are filled with subsets and split-off groups. In the same way humans instinctively band together in the earliest phases of a crisis, it is also natural for them to tribalize and split off when the cost of being part of a community starts to appear too onerous.

A growing backlash against globalization was starting to pick up steam in the months leading up to January 2020, and technology, specifically cloud technology, was at its heart. Kevin L. Jackson, CISSP, CCSP, is CEO of GC GlobalNet and an Adjunct Professor at Tulane University. He points out that at this time, “countries were retracting in terms of a nationalistic view. Cloud computing was one reason for this. It became critical to the economics of IT. If you were a country that didn’t have the scope to support a cloud industry, you were losing out.” Those that had the scope saw greater opportunities through technological self-sufficiency.3

Had the COVID-19 pandemic not occurred in the early months of 2020, it is likely the world headlines would have included much more about other countries following Britain’s lead and making their own plans to secede from the EU. But as Mr. Jackson added, “COVID-19 made us realize how interconnected we were. At this moment you don’t have a choice to not be global.”4

3 Interview with Kevin Jackson held April 15, 2020
4 Interview with Kevin Jackson held April 15, 2020



Problem 3:
RESISTANCE TO PROACTIVE CYBERSECURITY
The two components of the human mindset
described above, denial and parochialism, have
been cybersecurity roadblocks for decades. Despite
relentless, increasingly sophisticated threats from
cybercriminals, and despite regular warnings from
security specialists the world over, companies and
countries have approached cybersecurity and
cyberhygiene as undefined and costly additions
at odds with their longer-term visions and profit
forecasts. Breaches involving millions of personal
records have occurred at some of the world’s largest
and most influential companies. But even these have
failed to sufficiently move the needle.
Mr. Jackson highlights that among specialists and IT managers there are clear recommendations and best practices when it comes to cybersecurity. In many cases it is not a lack of security definitions that has led to breaches and compromise, but instead that “too many companies lack the desire to adhere to policies due to their cost-value calculation not favoring the required data security investments.”5 He continues, “the cost of failing to protect the data did not exceed the cost of taking the required steps to properly protect the data. GDPR started to move the needle, out of the fear of (its) huge fines. GDPR was starting to change that equation, but the global COVID-19 pandemic stopped that movement cold.”6 There suddenly were more important things to worry about as countries were going into lockdown.

In effect, despite universal physical connectivity, companies were also receding from each other, devising their own strategies for data management through public, private and hybrid cloud, as well as on-premise. They were also defining their own rules regarding cyberhygiene. Training in password best practices, for example, varies between companies, as do their policies of employing shadow IT, including third-party apps like DropBox and unsecured video communication technologies for work-from-home scenarios.

Within a company’s own walls, layers of legacy systems, patches and non-uniform adoption of apps and devices continue to make universal protection physically impossible. As Mr. Jackson stated: “From an organizational policy point of view, it’s expensive to consistently enforce data privacy and data protection policies on newly created data and legacy data that’s been in an organization for years and was created under a completely different environment. Implementing data privacy and protection technologies over new data and legacy data became intractable. The effort required to categorize and properly classify legacy data and the implementation needed for the protection of data is huge. That might have been driving the retraction.”7

It is an ongoing challenge for cybersecurity specialists, IT managers and CISOs to make sense of an ever-mutating threat landscape and to implement sufficient response. It has been achieved to a degree, yet ongoing incidences of breaches demonstrate that it remains a struggle. Some of the specific areas of deficiency include:

Password Hygiene
Constantly changing passwords and thinking up new ones is an annoyance for most people. A survey conducted by the National Cyber Security Centre (NCSC) in 2019 revealed passwords such as 123456, qwerty and password, along with famous names like Liverpool or Superman, to be in use by millions of respondents worldwide.8 As just one example, the survey showed that 23 million people currently use the password 123456 for at least one of their log-ons. Such passwords are easily guessable or brute-forceable, and once broken, they allow access to millions of other connected accounts in an exponential fashion completely in parallel with the pandemic spread of a biological virus.

A general reluctance to train people on the use of password management applications and multifactor authentication techniques further weakens an organization’s defenses. Similarly, training in soft skills such as time management and critical thinking, which are vital in helping people identify and resist phishing and spearphishing messages by allowing time to think before reacting, still goes underdeveloped.

Working from Home
Prior to April 2020, remote activities such as sharing documents and patching into video meetings were gaining popularity, especially among younger and more mobile-friendly professionals. They were tapping into a trend that took full advantage of high-speed Wi-Fi and portable devices to turn work into something that could be done from anywhere and on a flexible schedule. Work itself was becoming fractionalized, with greater focus being placed on virtual teams and the “gig economy.” Analysis from organizations including the World Economic Forum, conducted well before COVID-19, predicted that by 2027, the “majority of the U.S. workforce will be freelancers.”9 It was starting to happen in such large numbers that companies began calculating cost savings through reduction of physical space.

Dr. Lyron Andrews, CISSP, CCSP, SSCP agrees. As founder of Profabula, a cybersecurity professional, trainer and consultant with a concentration on cloud computing, he recognizes how larger scale companies have been looking at ways to move from capital expenditure (CAPEX) to operational expenditure (OPEX), by reducing physical properties, selling off buildings and floor space, and reducing their physical and energy consumption footprints. Those companies that have developed capabilities for working online and offering shared “hoteling spaces” are not necessarily doing this for the quality of their employees’ lives. They are seeking a reduced cost of ownership, reduced liability and reduced maintenance costs. This they see as a real world parallel to moving to the cloud – a transfer from CAPEX to OPEX.10

This trend will likely receive a boost from the hands-on experience that many professionals received during the COVID-19-related lockdowns, and possibly too, from the incredibly high number of jobs lost due to record closures. But as financially convenient as it may be, home-based work presents new challenges to security professionals. The focus has been, and continues to be, more on convenience and novelty, and less on security:

• Home Wi-Fi routers and IoT devices are seldom properly secured
• Most employees have never heard of a VPN and have no idea how to configure one or why they even need to
• Millions of online video meetings have been conducted without any form of training regarding security or agreement as to where the data of these video meetings would be stored
• In many cases, small-business firewalls established to ensure safe transit or blockage of files are manually turned off or bypassed in the name of convenience11

5 Interview with Kevin Jackson held April 15, 2020
6 Interview with Kevin Jackson held April 15, 2020
7 Interview with Kevin Jackson held April 15, 2020
8 https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security
9 https://www.weforum.org/agenda/2017/12/predictions-for-freelance-work-education
10 Interview with Lyron Andrews, Ph.D., held April 9, 2020
11 https://blog.endpointsecurity.ca/2019/12/03/a-better-alternative-to-turning-off-the-firewall/



Ransomware and Siegeware
Cyberattacks that delivered even more tangible, physical outcomes, like ransomware and siegeware, continue to bring companies and facilities like hospitals to their knees. To date, the primary entry point for ransomware attacks has always been phishing emails – a human weakness, not a technological one. Thieves are extremely good at capitalizing on the chaos of a crisis, and consequently during the pandemic of 2020, COVID-19-related emails and text messages made to look like bulletins from official sources became just the latest in a long string of fake messages that were successful in propagating cyber-viruses.

In most cases, the root cause of a ransomware attack is that inadequate time, attention and budget has been given over to the following tasks:
• Mapping the attack surface
• Maintaining and upgrading vulnerable devices
• Maintaining and upgrading security systems
• Segmenting the network
• Securing the extended network including operational technology (OT) networks, cloud environments and branch offices
• Isolating recovery systems
• Backing up data
• Running recovery drills
• Leveraging outside experts
• Keeping up to speed on ransomware events
• Training and educating employees12

In too many cases, the affected company simply chooses to pay the ransom as the lesser of two evils. Although this might unlock the affected data – or it might not – it also further incentivizes cybercriminals. Given that most of these cybercriminals are not sophisticated hackers but simply copy-and-pasters of dark web code, quick capitulation through payment of a ransom may save the moment but helps guarantee more of the same.

Just like the Y2K scenario, Mr. Jackson points out that this sequence of reluctance, denial, inertia and legacy means that “companies are being thrown into the fire. The COVID-19 crisis has demanded huge and unexpected investments into remote worker infrastructure. Earlier reluctance into data classification and enhanced data protection policies in the cloud have put organizations and their executives into a panic. The executives are praying they won’t suffer significant data breaches, and they realize they do not really have the ability to track and monitor who has access to the data. Meanwhile, hackers have ramped up because they sense these vulnerabilities on a global scale.”13

12 Manky, Derek, 10 Steps for Ransomware Protection, ThreatPost, (October 16, 2019). Retrieved from: https://threatpost.com/10-steps-ransomware-protection/149259/
13 Interview with Kevin Jackson held April 15, 2020



Problem 4:
IMPLEMENTATION OPTIONS FOR IT OPERATIONS
Of vital importance to every organization currently is the placement and storage of data, both moment-by-moment mission critical, and that which needs to be stored. This requires that decision makers be made aware of the important differences among three implementation options for IT operations.

Own Data Center
A traditional data center is where the organization builds the data center, makes all the policies, and hires the people to run it. The organization has complete control of the data and knows where the data physically is. As Mr. Jackson states, “they can go down and hug the server every day.”14

A Managed Service Provider (MSP)
A managed service provider involves paying someone else to run the data – someone who will do what the client demands, through a contractual commitment. The MSP’s value comes from having the skills and technology to look after and run the data center efficiently.

A Cloud Service Provider (CSP)
The cloud service provider exists at 180 degrees from MSPs and self-run data centers. With MSPs and self-run data centers, the organization and the enterprise dictate how the service will be built, run and governed, and also dictate the type of data and risk tolerance to be employed. Use of a CSP means turning over the decision-making power and IT governance to the CSP itself. The CSP makes decisions on how its customers can protect their data. The organization then has to accept what the CSP provides as part of their service catalog. Unfortunately, Mr. Jackson states, many organizations don’t understand that. They think a CSP is going to do what they tell them to do, because that’s what they are used to.15

Each of these implementation scenarios carries great weight. Data that is the lifeblood of any organization must remain safe, accessible and reliable. Decision makers will be concerned not only for its accessibility day-to-day but will always be mindful of the costs of storage. This, according to David Friend, CEO of Wasabi Technologies, can be problematic when the decision is made to dump stored data that has lain idle for a few years. The future value of data, he says, will be based on access to data across many years.

As an example of a human failing, when the immediate cost of storing data appears to be larger than the perceived value of the data stored, the tendency is to delete. This includes prompt deletion of security camera footage and police bodycam footage, which may be vital for court proceedings that take years to transpire. This action, he says, is premature, since new technologies in AI are likely to appear that will give new value to old data and deliver huge benefits. Foresight of this type is not always abundant.16

14 Interview with Kevin Jackson held April 15, 2020
15 Interview with Kevin Jackson held April 15, 2020
16 Interview with David Friend held March 16, 2020



Problem 5:
TRUST IN AN AGE OF ZERO TRUST
Adoption of a zero trust philosophy is vital to
ensuring that humans and connected technologies
continue to function with minimized vandalism
from bad actors. Scott Gordon, CISSP-ISSMP, Chief
Marketing Officer for Pulse Secure, states: “A mobile
workforce, virtualization dynamics, the adoption
of cloud, and multicloud applications with IoT and
everything else being introduced to what is now
a perimeterless environment means organizations
must be much more vigilant on verification and
authorization, whether someone’s connecting within
the network or outside the network. That’s really what
zero trust is all about.”17
The increased use of connected technologies, including the work-from-home environment that was kicked into high gear as a result of the COVID-19 lockdown period, vastly increases an organization’s attack surface. Dr. Andrews states: “We need to think about how to protect that ubiquity – systemically, not one-on-one, through least privilege, zero trust access methodology. The specificity of it should be micro segmentation, zero trust development and zero trust architecture.” He highlights the relatively new phenomenon of “zoombombing,” named after the most popular of the online videoconference technologies, in which bad actors easily joined meetings thanks to unprotected log-in data. Once there, they were able to post offensive images and disrupt the meetings and exploit the potential for even worse activity. Although Zoom and other providers of meeting technologies were quick to point out and improve their security, two key factors remain:
• the average end user trusts the technology to work in the way it is supposed to, and is ignorant of every possibility of exploitation; and
• bad actors will always go where the ubiquity is. Email and Windows have been the ubiquitous technologies for 20 years. Once new platforms become popular, they too, get attacked.

Mr. Gordon highlights recent developments in access security threats in which hackers are pursuing new attack vectors such as imitating known popular applications and even corporate suppliers to obtain credentials. These, he says, are not casual. He emphasizes that for zero trust to be an effective ally alongside trusting, human end users, “the core principle of verifying everything before granting trust will become even more vital in the months to come.”18 This will demand greater adoption of techniques such as multifactor authentication and blockchain-based certification.

The Need for Certified Security Professionals
In all of these circumstances – cybersecurity awareness, cloud adoption, data center strategy and overall IT awareness – Mr. Jackson says: “When management finally looks up and looks around, hopefully they will see their security professional. This person might be either a CISSP or CCSP, but when it comes to the person who has a strategy for cloud, for proper data classification and data protection and who has the ability to track and monitor who has access to the data, it’s going to be this certified professional.”

He points out that cybersecurity professionals understand the difference between implementation options. They understand the differences in IT governance, and the types of controls that are put in place. For example, a self-run data center means the organization installs and operates those controls. However, when a company goes to the cloud, all cloud management decisions may have been made years ago, and that particular cloud was not built or designed to meet a specific company’s business model or industry requirements.

Cybersecurity professionals understand the environment, they understand the challenges, and they understand the best practices and policies needed to effectively and efficiently manage the organization’s data. They can evaluate the controls that are there.

Educating the Executive
The most immediate assumption about cybersecurity professionals is that they must be experts in cybersecurity. This is certainly correct, but it is not the end of the story. According to Mr. Jackson, the number one talent of the cybersecurity professional is the ability to educate the executives and their colleagues on exactly what cloud is, the differences between traditional data center, MSPs and CSPs as well as the various risks and strategies involved in proactive protection.

Such a statement is not intended to diminish or degrade the intelligence of a corporate leader. Most C-suite executives today are very aware of the need for state-of-the-art defenses and practices. But, as with every other branch of the organization, they are reliant on their senior officers from other departments to provide the context and detail needed to make proper decisions.

Dr. Andrews agrees. He recognizes that executives are paying attention to cybersecurity, but they need to work with people who understand them.

“The trend,” he says, “is for those at the C-suite to have a business understanding which is sufficient. It is the technologists who have the problem, and who don’t understand the business.” The essence of the relationship between a C-suite executive and senior members of the IT team is one of pro-activity. Executives, Dr. Andrews emphasizes, do not want to have to go ask the CIO to ask the CISO. “They want the CISO to come and talk to us. Executives get miffed by what was just explained by a technologist.”

Ongoing Awareness and Proaction
A cybersecurity professional is someone who is not only fluent in the myriad cybersecurity terminologies and threats, but intimately familiar with the organization’s business case and operational goals. A cybersecurity professional can link them to the top line, bottom line and to the security risk tolerance of the organization, as well as the long-term employee skill set strategies. Cybersecurity professionals know where the organization is going and why it is going in that direction, in order to be able to recommend the best options with respect to a traditional data center, an MSP, a CSP and security options.

For his part as a corporate leader, security expert and teacher, Mr. Jackson believes that any organization of significant size will need a hybrid IT environment. It’s not “everything into the cloud,” he says. “These large companies are always going to have some data that is core to their differentiation in the marketplace, that they want to keep really close. There are going to be some operations that they can outsource to an MSP, and there will still be others that they will be able to do by leveraging services from a CSP.”19

He points out that this will continually change as the marketplace changes – not the IT marketplace, but the marketplace-industry that the organization is operating in. “If an organization is in healthcare, automotive, transportation, distribution or finance, the cybersecurity professionals have to know the industry business model as well as IT. They have to understand how IT contributes to the business model, the business case, and the future goals of that organization within their industry vertical.”20

Dr. Andrews adds: “From the standpoint of the employee, certification is 100 percent essential. That is where organizations are going. It is not going to be sustainable to keep whatever model they currently have.”21 Dr. Andrews encourages existing security professionals, as well as those who want to crack into the business, to pursue certifications in order to stay at the leading edge of employment today.

17 https://cisoseries.com/defense-in-depth-internet-of-things/ April 2, 2020
18 https://cisoseries.com/defense-in-depth-internet-of-things/ April 2, 2020
19 Interview with Kevin Jackson held April 15, 2020
20 Interview with Kevin Jackson held April 15, 2020
21 Interview with Lyron Andrews, Ph.D., held April 9, 2020



The year 2020 has forced every area of human life to change, due to the COVID-19 pandemic. Traditional
models of employment and commerce have been turned upside-down and the likelihood remains that
humanity will not be able to return to the old normal.
But business must go on in some form or another, and increasingly the expertise will be delivered by an
evolving brand of professional that is embracing the as-a-service mindset currently in use in many areas of
business. Cybersecurity professionals make it their responsibility to continually upgrade their skills and deliver
leading-edge solutions to the challenges of a workplace that remains increasingly connected through data.
It will need to be more so as many of the traditional human-oriented activities dissolve into shadows of their
former selves. Although this is not welcome news to most people, it reinforces one of the constants of life:
that change is ever-present.
Working with cybersecurity professionals who understand change and know how to communicate across every
level of an organization means staying on top of problems on par with Y2K, and viruses of biological or digital
origin before they happen, whether their source is technical in nature, or more likely, human.

To learn more about (ISC)2 certification and which credentials align with your goals, explore our Ultimate Guides to Certification.



About (ISC)2
(ISC)² ® is an international nonprofit membership association focused on
inspiring a safe and secure cyber world. Best known for the acclaimed
Certified Information Systems Security Professional (CISSP®) certification,
(ISC)² offers a portfolio of credentials that are part of a holistic,
programmatic approach to security. Our membership, more than 150,000
strong, is made up of certified cyber, information, software and infrastructure
security professionals who are making a difference and helping to advance
the industry. Our vision is supported by our commitment to educate and
reach the general public through our charitable foundation –
The Center for Cyber Safety and Education™.

For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.
