Stepping Out From the Shadows

Author: Jon Brandt, Director, Professional Practices and Innovation, ISACA
Date Published: 10 August 2020

As a remote employee and IT professional, the pandemic has only minimally affected my professional life. I wake up each day and go about my routine to provide for my family and, ideally, positively influence the cybersecurity career field, enabling those of you on the frontlines working hard to support your respective enterprises to survive another day in the midst of a dynamic threat environment. This is not to say that there have not been disruptions, but generally speaking, the norms I previously established in my residence to maximize my productivity—for example, when my kids have snow days and school breaks—were already in place when the pandemic hit. In this regard, I suspect many remote employees had an advantage when compared to those who suddenly found themselves working remotely—if they were fortunate enough to maintain employment.

Without a doubt, the COVID-19 pandemic brought to light our reliance on technology and amplified the digital divide that plagues much of the globe. We can only hope that 2020 goes down in history as the year that the world awoke and initiated widespread efforts to rectify longstanding digital inequities. This is not easy and, given our audience, I believe most readers at least have an appreciation for the magnitude and complexities involved. But, in the short-term, the divide grows wider for those who lack stable broadband access, do not have the luxury of managing personal and professional commitments from the comfort of their home or, worse, have no access to the Internet and computing devices at all.

Living in a rural area of the United States, I encounter people who—through their words or actions—discount IT governance, risk and security professionals as being valuable contributors to public policy. This is both unfortunate and shortsighted. I would argue that cyberprofessionals are valuable assets to any public conversation—not just because of the technological dependencies of most things, but because we understand risk in ever-changing environments.

Just as no 2 enterprise networks are the same, no 2 geographic areas, municipalities or public bodies are identical. And here lies the issue for anyone accustomed to data-driven, evidence-based decision making: Far too many continue to operate with a top-down approach rather than from a bottom-up mentality. This top-down approach did not work well for early IT security efforts, nor does it bode well for a COVID response or society in general.

In my former profession in the US Navy, success was contingent upon those around me to include seniors and peers, but mostly those under my charge. Within the Navy, the senior enlisted ranks of E7 to E9 comprise what is referred to as the Chief’s Mess, and our collective success was dependent upon one another. Most good naval officers will tell you Chiefs run the Navy. They do this by leading by example, being visible where the work is done and, most important, by using their resources. It has been 8 years since I retired and, to this day, if I need something—regardless of scope or locale—the Mess stands ready to help.

I envision a similar calling for the cybersecurity profession. Cyberprofessionals must emerge as a critical cadre for creating actionable public policy and diminishing the digital divide. We can no longer remain in the shadows, as there is tremendous work to do to collectively increase digital competency and implement (or bolster) the necessary infrastructure to overcome the current digital divide. Large-scale projects are undoubtedly costly and difficult to manage, require tremendous resources and often result in cost overruns. Disparate projects can increase agility and cost savings, but may result in interoperability issues. While interoperability is a smaller risk given modern IT standards, it comes into play when communities within geographic areas are expected to share resources but have the challenge of each being built to different standards. For example, a county intermediate school district might offer shared services to surrounding municipalities; however, each has different access speeds and stability due to the required infrastructure (i.e., radio frequency (RF)-based for rural vs. optical fiber in cities). In these situations, rural school districts would remain disadvantaged due to limited bandwidth. These limitations extend to rural public bodies and small businesses as well.

There are many good efforts underway with fixed focus, but they go unnoticed when masked as workforce development, digital literacy and diversity efforts. While these efforts are noble and important, they have not scaled; therefore, COVID-19 must serve as the catalyst for urgently addressing and eliminating the digital divide or we undoubtedly will be talking about the same issues amidst the next pandemic.

Conclusion

Earlier this year, I was cautiously optimistic that COVID-19 could have some positive impacts (despite the obvious concerning health and financial impacts) as early reporting highlighted countless enterprises and individuals overcoming legacy thinking and increased resilience. Now, several months later, I find myself questioning decision-making more than ever. In many ways, COVID-19 has been analogous to a widespread cybersecurity incident. Looking beyond the sensationalism that plagues a large portion of the media, data is the ultimate scorecard for regions, nations and smaller communities. As tragic as they are, infections and loss of life are but 2 metrics—albeit short-term. Effective leaders understand decision-making requires thinking through second, third and fourth order effects (consequences). Failure to do so tends to result in poor decisions and may put a large spotlight on our biases. In any event, leaders of any kind routinely make decisions based on all available information at a moment in time. Ignoring changing conditions or using non-pertinent data increases the likelihood of poor decision-making. Fortunately, pandemics are not routine, but they do occur, and we must use the many lessons learned from 2020 to increase resilience and minimize disruption the next time around. In this regard, I assert that ISACA® constituents are well-equipped to step out of the shadows and take deliberate action on 2 fronts. First, take part in localized efforts to remedy the digital divide. Social media is a powerful tool to increase awareness and engagement. The lack of programs does not necessarily mean there are no gaps, but rather, no one has called attention to them yet. Second, engage community leaders and government officials. They need our assistance and counsel despite what they may say. After all, our collective years of experience battling an always changing threat environment offer powerful insights and lessons learned.

Jonathan Brandt, CISM, CCISO, CFR, CISSP, CSA+, PMP

Is a senior information security practice manager in ISACA’s Knowledge and Research department. In this role, he contributes thought leadership by generating ideas and deliverables relevant to ISACA’s constituents. He serves ISACA® departments as a subject matter expert on information security projects and leads author management teams whenever external resources are necessary. Brandt is a highly accomplished US Navy veteran with more than 25 years of experience spanning multidisciplinary security, cyberoperations and technical workforce development. Prior to joining ISACA, Brandt was a project manager for classified critical infrastructure projects across the globe.