If you’ve felt like each month of 2020 has said “hold my beer” to the month before, you’re not alone. Far too many of the wrong things have been up-and-to-the-right this year. So, against that backdrop, we are happy to report that, when it comes to the self-administered Cybersecurity Report Cards, there are some bright spots in this annus horribilis. As you’ll see if you read the full report, which we recommend doing, many organizations have risen admirably to the challenges of COVID—particularly in the areas of the sudden and large-scale shift to remote work, and the COVID-related attacks that spiked along with the virus itself.
Taking a Rigorous Self-Inventory
We’ve been asking organizations to grade themselves on their security chops since 2017, and the results have been interesting. Part of what stands out is the candor and honesty that respondents have brought to the survey. In a way, that shouldn’t be surprising, because any company division that isn’t honestly, comprehensively introspective, isn’t doing it right. Nonetheless, the rates of participation, as well as the scores given and the reasoning behind them, lend real credibility to the answers that teams gave on this iteration of the Report Card and the impacts of the pandemic on security operations.
Hitting the PANdemIC Button
As soon as the seriousness of COVID-19 began to be widely understood, organizations moved surprisingly quickly to make profound changes to how they do business, with far-reaching effects on every part of the organization. Depending on the nature of the organization, IT and security departments may have been the hardest-hit of all. Having to roll out new technologies, expand and contract the use of existing ones, totally recalculate capacities, risk profiles, threat models, and user needs, to change network topologies, and deal with countless other changes, was hard enough. But on top of that, cybercriminals also lost no time capitalizing on the pandemic to roll out new attacks. Some of these preyed on the public’s hunger for information about COVID, such as CovidLock; others leveraged vulnerabilities in videoconferencing and other remote-access-related systems. All of them added to the already greatly increased burdens on IT and security folks.
No Grade Inflation Here
Given all of this, it would have been entirely reasonable for this year’s “GPA” on the Cybersecurity Report Card to be substantially lower. And yet, it wasn’t. There were some decreases—fewer organizations gave themselves A’s—but there were also some increases: the grades in the middle of the pack were collectively higher than in previous years. The breach prevention success rate also rose: the percentage reporting successful breaches held steady, rather than falling as it had in previous years; but the number of detected attacks increased. Security teams seem to be better, then, at both detecting and preventing breaches; they just had a lot more of them to detect and prevent in 2020 than they had in prior years. Increasing the rate of prevention is laudable in any year, but in light of the COVID challenges it is especially so.
You Made the Grade
A truism of information security as a career field is that most of us are in this for far more than just a paycheck. There is a deep commitment held by tens of thousands of people to making the Internet a safer place to work, learn, and play every day. This Report Card reflects that dedication, painting the picture of a technology world that’s far from perfect, but which has risen to an enormous challenge in ways that everyone in this community can be proud of.