Cyber Health: Lessons for Cybersecurity from COVID-19
Much has been written about how COVID-19 impacted cybersecurity during 2020, from heightened cyber threats to fundamental challenges to business resiliency. There are, however, other lessons for cybersecurity which have gone unnoticed or under-emphasized.
Swiss Cheese and Silver Bullets
In October 2020, The New York Times published “The Swiss Cheese Model of Pandemic Defense.” The Swiss Cheese Model makes the case for applying a variety of imperfect interventions to prevent the spread of COVID-19, rather than hoping for a single, silver bullet mitigation. “No single intervention is perfect at preventing the spread of the coronavirus. Each intervention has holes.” When these imperfect defenses are layered upon each other, though, the collective approach achieves effective prevention.
To the seasoned cybersecurity professional, this approach is immediately recognizable as a “defense-in-depth” strategy. Defense-in-depth is a hallmark concept of any cybersecurity program, and a search for defense-in-depth visualizations yields a myriad of eye-wateringly dull concentric circles, confusing multi-colored pyramids, and pretty but ultimately unhelpful pictures of castles. None of these, I would argue, is nearly as effective at conveying the purpose of defense-in-depth as the Swiss Cheese Model.
The Swiss Cheese Model is clear, concise, and applicable to any industry where failures and errors are of concern. Moreover, the model makes two important points clear: that every intervention has flaws, and that even imperfect interventions have value. The latter is particularly critical, as the cybersecurity industry is so quick to renounce any claim of being the silver bullet defense that decision makers often wonder, “what is this even getting me?”
With the Swiss Cheese Model, though, it is easy to make the case for selecting cybersecurity technologies which are more readily deployed throughout the organization over technologies which may be more effective but are harder to deploy. A good intervention is better than nothing. The best intervention is worthless if it is never used.
Health and Cyber Literacy
Unsurprisingly, after more than a year of the COVID-19 pandemic, health literacy has increased globally. Phrases which used to be familiar only to clinicians and public health administrators have become common in everyday conversation: contact tracing, pandemic, transmission, incubation, asymptomatic, PPE, and so on. This improvement in health literacy may inadvertently be an improvement in cyber literacy as well.
It is no coincidence that cybersecurity has historically borrowed heavily from healthcare terminology; terms like virus, infection, outbreaks, and quarantine are familiar to healthcare and cybersecurity professionals alike because they generally describe the same concept in both fields. These healthcare terms were appropriated by the cybersecurity community because they enable individuals without technical backgrounds to quickly understand unfamiliar concepts using familiar words and descriptions.
Imagine explaining the danger of the WannaCry ransomware attack to a hospital administrator by detailing how an exploit of a default-enabled protocol in unsupported operating systems was running rampant through legacy systems which had not applied security bulletin MS17-010. Could we reasonably expect them, or anyone else, to keep their eyes open?
Now imagine describing WannaCry as a cyber parasite from the Internet spreading throughout the hospital network. There are vaccines and treatments for the cyber parasite, but they were not applied proactively to the oldest hospital equipment. Now the hospital network needs to be isolated, treated, and inoculated before normal operations resume. Does that not adequately explain the problem to a medical professional?
Even though health literacy has improved, many are still disadvantaged in accessing the information they need. Much in the same way, we must continue to improve the accessibility of cybersecurity information.
In a Forbes interview about “The Swiss Cheese Model of Pandemic Defense” mentioned above, Australian virologist Ian Mackay offered this advice: “Never expect that people will understand any single word that you are going to say. Break the language down into the simplest words you can use. Don’t just assume people have the background you have.”
What can the cybersecurity community learn from how medical professionals communicate complex concepts in simple ways that are accessible to individuals with varying degrees of health literacy? Do medical professionals speak of transmission vectors and viral loads to the average Joe, or do they encourage people to wear a mask, wash their hands, stop touching their face, and stay home whenever possible?
How do cybersecurity professionals communicate complex technical problems in simple ways that are accessible to individuals with varying degrees of technical literacy? Do we speak in terms of industry jargon and then complain when business units, senior leadership, and the board “don’t get it”, or do we make the effort to frame difficult cybersecurity concepts in familiar ways and drive meaningful conversations with decision makers?
Post-pandemic, how can cybersecurity professionals leverage improved health literacy to further promote cybersecurity literacy, especially in health delivery organizations (HDOs) and medical device manufacturers (MDMs)? How can we use this to better bolster the cyber health and well-being of our organizations?