As we've been discussing now for a few weeks, it seems likely that we will see a significant cyber attack on a global level. Most people in the cybersecurity business seem to feel it, and so do many business and world leaders.
I have often heard it said that we would only do something about improving security in a big way once “something bad happens.” In reality, that isn't true. We have seen plenty of bad things happen due to insufficient security measures. As a species, we tend to wait for those truly significant “black swan” events before making substantial changes. For me, as an American, 9/11 was one such event. COVID-19 was another.
These black swan events trigger an entirely different response on a global level. Only then do local, state, and national governments seem to take action. Healthcare provides a fitting parallel. The COVID-19 pandemic permanently changed how we do things, work, and treat illness. I would say that on balance, these are mostly good changes. Some may be less good, but overall they mark a move in the right direction in how we look at illness and the things that cause infection.
So what does this change potentially look like when the digital black swan event happens? My prediction is that governments at all levels will likely allocate needed resources and funding to fight back and attempt to fix the problem. Financial resources will likely be provided to organizations to implement mandated security fixes and policies, which will also be regulated.
Now, while it's true that many organizations have done a lot towards improving security over the last decade, many more simply have not, and it comes down to budget and a lack of oversight from regulatory agencies. Any security professional out there today is well aware of this.
It will probably cause an outcry and a lot of resentment among those opposed to regulation, which is a lot of people and organizations. However, the organizations that take a moment to realize that this is the likely outcome can get ahead of the regulations by taking action. In this way, you're less likely to feel the sting of being regulated and have more options on what approach to take. You're also less likely to feel as much of the sting of a global black swan cybersecurity event.
Now would be an excellent time to take a closer look at your organization and consider prioritizing what has been postponed or even ignored. After black swan events happen, we often realize that most of what happened could have been prevented with some common sense.
Draw your own conclusions, but I'm sure many of you will likely come up with a similar outlook.