Gap-and-fill analysis

Aside from the conventional ‘gap analysis’, it is possible to do a ‘fill analysis’ to discover the things that the organization is doing successfully already – its strengths, foundations on which to build. The analytical processes are almost the same but a fill analysis aims to identify, learn from and expand upon the strengths - the positives - whereas a gap analysis involves hunting down and addressing the weaknesses - the negatives.

These are complementary not alternative approaches.

So, for instance, if the organization is poor at compliance, OK at policies and excellent at impact assessment:

• A gap analysis would focus on closing the compliance gaps;
• A fill analysis would focus on learning from and extending the successful approach to impact assessment;
• A gap-and-fill analysis would look to make the best of all three areas, bringing them all up to scratch, using the best of the policy and impact assessment areas to improve compliance, policies and other aspects, taking a broader perspective.

A typical example is a SWOT analysis to identify the organisation’s Strengths and Weaknesses (in the present situation resulting from its history to date) plus its Opportunities (for future improvement, usually, but more creative approaches may be appropriate e.g. novel methods, strategies and frameworks) and Threats (really, Risks – bad stuff that may occur in future if issues are ignored or not resolved effectively). Considering all four aspects in parallel leads to a more comprehensive, well-rounded or balanced approach.

In particular, the fill analysis and Strengths and Opportunities parts of SWOT are inherently motivational. We all like to know where we are doing well and we often respond energetically when shown we could do even better, whereas being told we are doing badly and must address problems can be disheartening or demotivating. We grudgingly accept the need to improve, responding to external pressure, as opposed to willingly and freely exploiting our inner strengths.

Adjusting to the new normal

According to alert AA20-133A from US-CERT:

"The U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:

• Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities.
• An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.
• An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.
  
  
• March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack.
  
  
• Cybersecurity weaknesses—such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans—have continued to make organizations susceptible to ransomware attacks in 2020."

Well whadyaknow?

• The US government blames "sophisticated foreign cyber actors" - the usual xenophobic, somewhat paranoid and conspiratorial stance towards those filthy rotten foreigners, desperately attacking little old US of A (today's version of reds under beds I guess);
  
  
• "Unpatched" VPNs and insecurely configured Office 365 services are being targeted, implicitly blaming customers for failing to patch and configure the software correctly, blithely ignoring the fact that it was US-based software vendors behind the systems that required patching and configuring to address exploitable vulnerabilities;
  
  
• And finally, uneducated users (the great unwashed) receive a further gratuitous poke, along with the lack of planning on system recovery and contingency ... which is whose fault, exactly? Hmmm, I'll pick up that point another day.

Accountability and QA issues aside, the sudden en masse adoption of Working From Home has undoubtedly changed corporate information risks for all organizations - even those of us who were already routinely WFH, since we depend on ISPs, CSPs, telecomms companies, electricity suppliers, professional services companies and other third parties who are, now, WFH. COVID is another obvious, dramatic change with further implications for information and other risks (e.g. mental and physical health; fragile self-sufficiency; global economic shock; political fallout ...), and it's far from over yet.

WFH is now A Thing (not in the IoT sense!) for some of us anyway, although it's not possible or suitable for everyone. As COVID gradually fades from the headlines, some WFH workers will drift back to regular office work, others may continue WFH and a good proportion will do a bit of both (hybrid working as it's now known) according to circumstances and workloads. If COVID returns with a vengeance, or when the next pandemic turns up, we'll presumably be WFH en masse once more. So, have you reviewed and updated your corporate risk profile lately? Have the incident management, business continuity, IT, HR, business relationship management and other controls, processes and arrangements coped brilliantly with the present situation, or are adjustments called for? Do you even know how things are going out there, the workforce now scattered, hunkered down in their caves?

COVID is like infosec because ...

... Despite the history and the experts' warnings that a pandemic was likely to happen again at some point, it turns out we were ill-prepared for it, not as resilient as we thought and should have been

... Experts disagree on the details, sometimes even the fundamentals, and love their models

... Commentary and advice is plentiful, but sound, reasoned, appropriate advice by competent advisors is at a premium and partly lost in the noise

... Whereas information is important, information integrity, quality and trustworthiness are vital, hence there is also value in assurance and other information controls, including the pundits' reputations and credibility

... Most of us are non-experts, hence it is tricky for us to distinguish fact from fiction and make sense of conflicting advice 

... Perfect, complete information is seldom available, so there are bound to be compromises and errors - and we should be ready to spot and deal with them too

... Controls against COVID-19 are imperfect, at best; some are purely for appearance sake; some are as much use as a bubble level in space; others are literally worse than useless (the cure really can be worse than the disease!); in most cases, we simply don't know how well they will work in practice

... Many people and organizations struggle to cope with a serious crisis, whereas some shine and thrive - but even the best may crumble at some point

... They are all about risk and risk management, not just protection, control, safety and security: we are where we are partly as a result of our prior decisions about priorities, resources etc. 

... We are mutually dependent and hence collectively vulnerable since total isolation is impracticable, costly or literally impossible

... Our myopic focus on the current situation takes attention from other matters that may be at least as important, and some are actively exploiting that  

... Hindsight is 20/20 but not terribly helpful right now, unless we truly acknowledge and address our failings going forward - but more likely this incident will gradually fade from our memories, task lists and strategies until the next incident, even if strenuous efforts are made to keep it on the agenda

... The metrics/statistics are complex and easily misunderstood or misused, and simple linear extrapolation isn't much use

... We were slow to recognise and respond to the incident, allowing the impacts to magnify and reducing our options

... Even now, in the thick of it, we're not entirely convinced of the value of preventive, detective and corrective measures, plus the economic damage limits further expenditure or investment

... The politicians, experts, news and social media all put their own spin on things, with everyone seemingly having an opinion

... Tactical responses vary with longer-term strategic implications that are not presently clear but may be substantial 

... Responses that buck the general trend are seen and portrayed as creative or innovative by some, crazy and ill-conceived by others, putting them under intense pressure to conform to the norm (group-think)

... The original source or root cause of the incident is difficult to establish with any certainty, leaving the door open for conspiracy theories about malicious intent and subterfuge

... While the details will undoubtedly vary (perhaps substantially) and our controls will hopefully have improved, this won't be the last such incident

... We will probably forget, discount or ignore as much as we learn

... There are cultural, national, local, familial and personal aspects, plus commercial, political, social, scientific, economic ...

... Some individuals and organizations are exploiting the situation for their own selfish benefit while some are selflessly working for the wider community, but the majority are feeling powerless

... Some people are determined to "do something", whether that actually helps or not 

... Stress levels are high, with implications on analytical capabilities, decision-making, productivity and mental health, on top of physical exhaustion for those in the front line 

... 'Management' is in the spotlight: our glorious leaders are expected not just to cope but to lead us successfully through this, while the serfs are expected to carry on slogging

... Policies and procedures are at least as important as technical and physical controls, while effective awareness is a vital part of the mix

... Compliance is critically important but tricky to achieve in practice

... The situation is changing dynamically and somewhat unpredictably

... Antivirus is not the silver bullet, the univeral cure