Showing posts from May, 2020

Gap-and-fill analysis

Aside from the conventional 'gap analysis', it is possible to do a 'fill analysis' to discover the things that the organization is doing successfully already – its strengths, foundations on which to build. The analytical processes are almost the same, but a fill analysis aims to identify, learn from and expand upon the strengths - the positives - whereas a gap analysis involves hunting down and addressing the weaknesses - the negatives. These are complementary, not alternative, approaches. So, for instance, if the organization is poor at compliance, OK at policies and excellent at impact assessment: a gap analysis would focus on closing the compliance gaps; a fill analysis would focus on learning from and extending the successful approach to impact assessment; a gap-and-fill analysis would look to make the best of all three areas, bringing them all up to scratch, using the best of the policy and impact assessment areas to improve compliance, policie...

Adjusting to the new normal

According to alert AA20-133A from US-CERT: "The U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020: Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities. An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild. An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors. March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack. ...

COVID is like infosec because ...

... Despite the history and the experts' warnings that a pandemic was likely to happen again at some point, it turns out we were ill-prepared for it, not as resilient as we thought and should have been ... Experts disagree on the details, sometimes even the fundamentals, and love their models ... Commentary and advice is plentiful, but sound, reasoned, appropriate advice by competent advisors is at a premium and partly lost in the noise ... Whereas information is important, information integrity, quality and trustworthiness are vital, hence there is also value in assurance and other information controls, including the pundits' reputations and credibility ... Most of us are non-experts, hence it is tricky for us to distinguish fact from fiction and make sense of conflicting advice ... Perfect, complete information is seldom available, so there are bound to be compromises and errors - and we should be ready to spot and deal with them too ... Controls against COVID-19 are imperfe...