What COVID-19 taught me about cybersecurity
How COVID-19 risks are mitigated parallels how to approach cybersecurity, and there's a lesson to be learned there about communications: effective cybersecurity conversations go beyond network administrators and other technology experts.
I’ve struggled at times to wrap my mind around some of the trendy cybersecurity concepts, particularly things such as zero trust.
But two things converged in my mind the other day on my way to pick up my son from school. I was behind a bus that featured an ad on the back for an IT company talking about its layered approach to cybersecurity and that’s when things started to click in place for me.
I’m on the board of Pinecrest School. For the last two years, COVID has dominated board activities and discussions. Our goals have been to protect the health and safety of students and staff and to keep the school open for kids to attend and learn in person.
We adopted a multi-layered approach to give us the best chance at protecting students and staff and continue in-person education. One layer has been wearing masks, something that is now voluntary given recent changes in guidance from the Centers for Disease Control and Prevention.
We also had families sign a pledge acknowledging their responsibilities. We took daily temperature checks. Parents had to wear masks at drop off and pick up. Students are divided into social pods, so the mixing of classes is very limited. We have daily reminders that if your child is sick, you should keep them home.
We have policies in place as well in case a child or teacher contracts COVID. They include when they should be tested, how long to isolate and how to notify other families of a case. Our policies have paid off. While there have been individual cases, we’ve had no transmission of COVID among students and staff.
All of that flashed through my mind as I looked at the ad on the back of the bus. It dawned on me for the first time how similar COVID protocols and cybersecurity are. Each requires a basic assumption of risk.
Pinecrest could have gone all virtual, but that would hurt our educational mission. Similarly, a government office or contractor can’t disconnect their systems from the outside world because that would make it nearly impossible to work with partners and customers. Their mission would be hurt.
There is no wall that you can build that will protect you from all cybersecurity threats or COVID exposure.
So, what do you do? You have policies and procedures in place that govern behavior. It’s a layered approach, such as mask wearing and pods at Pinecrest.
But even in knowing the risk is there, you need policies and procedures that dictate how you respond when your defenses are breached. Or in Pinecrest’s case, what to do when a student or staff member contracts COVID.
I know many people might read this and say -- "Of course Nick, the parallels between COVID and cybersecurity were obvious from the start."
They probably were, but they weren’t to me. That might say a lot about how insightful I am, or maybe not.
But there is a lesson here for marketers, sales teams and others pushing cybersecurity products and services. Responsibility for safeguarding systems belongs not just to the network administrators and cybersecurity experts, but to every person who accesses a system or network.
What non-technologists like me do on the network has an impact on everyone else on the network as well. Just like with COVID, it’s not just doctors and nurses who keep us healthy. We all have a role and responsibility to each other to keep us all healthy.
Keep all that in mind when you talk about cybersecurity. Make sure you aren’t just talking to the technologists, but to the people who touch and use the technology. Understand what they do and how they use the technology and then make sure your message resonates.
It must be real to them, or they are just words that are lost.