A while back I wrote up a piece on the lessons that ice hockey brings to risk management. Today some lessons from hockey for CoVID-19 management, and thence to security.
BC Premier John Horgan has already provided the initial sports analogy. He pointed out that, when running a marathon race, and the final tape comes in sight, you don't relax. You dig down and put all your reserves into one final sprint. The CoVID-19 point being that we now have a vaccine. In fact, more than one, with more showing promise of coming on stream shortly. But, as the sports analogy suggests, just because we have a vaccine doesn't mean we stop isolating at home, or physical distancing when out, or handwashing at every turn, or wearing a mask.
The equivalent hockey analogy is "the final minute." Hockey periods are twenty minutes long. (With some exceptions that we don't need to go into, now.) For nineteen minutes, the clock just shows the remaining time in minutes and seconds. But, for the final minute of each period, the clock counts down seconds and tenths of seconds. Because hockey scores are so low, people forget how fast hockey is, as a game. The whole play can go from end to end, in six seconds (and, in a breakaway, even less). This means that, theoretically, in the final minute of a period or a game, the play can go end to end ten times over. And I've seen an Olympic gold medal game decided in the final three seconds. So, when the final minute comes, you put everything you've got into the game.
CoVID-19 can be equally fast moving. Let the Rt number go above one, and you start getting exponential growth. As human beings, we only barely understand linear growth, so we don't automatically see the implications of exponential growth, but it's what leads to chain reactions and explosions. So you can have case numbers in single digits and think that you have everything under control. And then it gets a little higher, and you think case numbers in the 30s are OK. And then you think case numbers in the hundreds are OK, and then 300s, and then thousands, and all of a sudden your whole medical system is overwhelmed. And, at that point, a vaccine becomes problematic. Because we don't know how well the vaccine will work on people already infected. And gathering people for vaccines might be a problem if there is high community transmission. Also, the vaccines we've got aren't "one and done." So far the vaccines that have been approved require two shots, with time between and after, so the "final minute" stretches to possibly two and a half months even after you get your first shot. Plus the fact that the vaccine production is only starting, and the fact that 95% effective is not 100% effective, so nobody is safe until everybody in the world is safe, and ...
The first security lesson to take from this is that there is only so much we can learn from attacking systems. Many teachers think that teaching security students to attack systems will teach them valuable lessons. That is true, but only so far. There is one lesson that attacking cannot teach you, and that is that, when attacking, you only have to be right once. When you are defending, you have to be right ALL THE TIME. In security, you can never let your guard down. Not even when you are looking forward to homomorphic encryption or differential privacy or blockchain or cloud or whatever new technology you think is going to be the "magic bullet" "vaccine" that will render security obsolete. (Spoiler alert: security will never be obsolete.)
While I was thinking of this, I was also watching the World Juniors. And the Canada versus Slovakia game presented another "last minute" lesson. Something else that tends to happen in the last minute of the game is "pulling the goalie." In hockey you are only allowed to have six men on the ice at any one time. One of these is generally the goalie. But in certain situations, where your team is down by a single goal, and the last minute is coming up, you sometimes take the goalie off the ice so that you can add an extra attacker. This is a desperation move, which is why you only do it when you are going to lose anyway. In the Canada/Slovakia game, Canada was leading two to nothing when they got a penalty in the last few minutes. This meant Canada had to take a man off the ice for a time, and the Slovaks had a five-to-four man advantage. Being two goals down, and a man up, the Slovaks decided it was worth the risk to pull the goalie, give themselves a six-to-four, two-man advantage, and it paid off: they got a goal. Then they got overconfident. With the teams back at even strength, they pulled the goalie again, to give themselves a man advantage. They put the pressure on in the Canadian zone, but one pass back to their point man at the blue line hopped over his stick. As he turned to get it, a Canadian player got past him and picked up the puck. Well, when you have the puck and are ahead of the race, and are facing an empty net, the only question remaining is whether you will panic, shoot too soon, and miss. The Canadian player didn't panic, and the game ended three to one. (Yet another risk management lesson from hockey.)
In regard to the pandemic, we are relying on the benefits of the vaccine. But we can't rely on that too much, or too soon. As with security, we need to think of defence in depth. The vaccine is one layer, but relying solely on the vaccine is a desperation move, and it carries enormous risks. We need to keep using our protections of isolation, handwashing, distancing, and so forth, right to the end of the game.
Nice write-up. Now go talk to the Ontario Minister of Health because rather than fight for the puck and win they would rather hold back COVID-19 doses. Ditto goes for our Quebecois friends. Like everything else in Canada only the elite will win.
That's the problem with hockey today: too much defense. I'm not a fan of icing the puck either. We need more forwards that can skate, shoot, and score. Save lives today. Inoculate the masses.
Excellent write up!
Great analogy.
Imagine what the game would be like if the 19 minutes of each period was played like the last minute.
Would that be a great approach to security, or would you burn yourself and staff out?
The defense in depth approach is an absolute necessity. Relating it to hockey, your forwards would be the first line of defense (though much more focused on offense), defensemen the second line of defense, and lastly the goalie; fourth could be considered the goal posts, but at that point the shot (attacker) has already missed the goal.