As we see medical experts and government authorities around the world figuring out how to control and eventually eliminate the Corona virus threat, one aphorism that seems to be winning consensus from many in the scientific and government communities is “Tracing, Testing and Treatment”.

It is very insightful and can be applied to many walks of life, both professional and personal. I will extrapolate this to one field – information security.

Let us start in reverse order. We have become quite good at treatment over the past two decades. The recent mega attack on Microsoft email discovered in March of this year affected over 30,000 organizations in US alone (count for individuals and other countries is still not known) was one of the biggest and most sophisticated in memory. Bold and aggressive as it was, the response by Microsoft, the US government, and even Microsoft’s competitors, attracted more attention and helped restore confidence among users of not just Microsoft but all other systems. While we all know this war will be endless, it can be said we are getting better with the treatment.

Next comes Testing – we are probably not as good as we should be but testing has gone mainstream at least in the corporate world and from vulnerability assessments to penetration tests to continuous monitoring to many more mechanisms, we can say vendors and users understand the importance of testing and are willing to absorb it into their cost of doing business. Taking a very practical view that an individual user cannot be expected to be savvy about digital security, most vendors are baking security into their products and that seems to be a sustainable way for the individual market.

That leaves us with the final (in reverse order) frontier, the tracing. This is clearly the Achille’s heel! Simply because for most part, this is not a problem created by technology but by people – lack of knowledge, discipline, and resources. With APIs, Open Source, and SaaS, and other modern digital consumption models, most users – from individuals to the most sophisticated organizations – do not have the complete picture of the touch points, the interfaces, the intermediaries and the brokers they have in their digital ecosystem. And hence, tracing is where we are at our weakest.

And it takes us right back to the pandemic – tracing is the weakest link there too!