If we had developed and properly funded resilient systems for pandemic response over the past decade, then 2020 might have unfolded very differently.
Now… what do these musings have to do with cybersecurity? There are several useful parallels between public health and infosec. It's easy to find shared vocabulary — virus, infection, hygiene, prevention — but the more interesting similarities are a bit deeper. In particular, the most resilient public health and infosec institutions tend to make three similar assumptions.
1. Prevention and Detection Inevitably Fail
As much as we'd like to believe that a healthy diet, regular exercise, and good hygiene will keep us from getting sick, we know that isn't true. Prevention is important, and we can't abandon good habits, but it's not enough. If our public health system depended only on prevention as a strategy, it would offer nothing to people who get sick despite their good habits. That's also true in the world of infosec. Prevention (including patching, asset management, and other basic blocking and tackling) is necessary but not sufficient.
When prevention fails in public health, we turn to detection. Consider the abundance of lab tests available for identifying common and rare diseases. Or the dazzling range of imaging technologies doctors use to distinguish between a stress headache, a migraine, and a brain tumor. Technology for diagnosis and detection has evolved dramatically in our lifetimes, but even detection as a strategy is not always enough. Sometimes a rare but serious disease frustrates all attempts at prevention and detection, or — as happened last year — a new pathogen emerges and leaves a huge imprint on our history.