It’s almost the end of October, which means another national cybersecurity awareness month (NCSAM) is about to end. What? You didn’t know it was national cybersecurity awareness month? You’re not alone and that’s the problem I have with this annual October “celebration.”
Now I wasn’t always this much of a Debbie Downer about NCSAM. In 2008, I attended the NCSAM kickoff event at the Ronald Reagan Center in Washington DC. The event was sponsored by the National Cybersecurity Alliance and featured prominent speakers including Department of Homeland Security Secretary Janet Napolitano, Deputy Defense Secretary William Lynn, and the White House National Security Staff's Acting Senior Director for Cybersecurity, Chris Painter. I remember Ms. Napolitano’s presentation, as she announced that cybersecurity was such a high priority that DHS planned to hire an additional 3,000 cybersecurity personnel as soon as possible. Great stuff, I was all in!
Unfortunately, my enthusiasm for the event waned by early November of that year. Why? I realized that despite Beltway gaga, NCSAM isn’t a national event, it’s really a public sector and academic event.
To be clear, I believe that NCSAM is a worthwhile cause, and organizations like SANS, NCSA, some federal agencies (i.e. CISA), and a few Universities do a great job with their promotions and programs. These folks deserve gratitude for their efforts like this year’s campaigns: “Do your part: #BeCyberSmart.”
Where we fall short
For starters, the multi-billion-dollar cybersecurity industry has never embraced NCSAM to drive the visibility it deserves. I’m sure that vendors allocate a bit of dough to fund an NCSAM program in support of their federal salesforce but nothing more.
If you want further proof of this, just peruse the homepages of major cybersecurity technology vendors and look for anything related to national cybersecurity awareness month. I looked at a dozen websites of cybersecurity technology leaders this morning representing well over $20 billion in revenue. Only Proofpoint even mentioned NCSAM.
And it's not just cybersecurity vendors who should do more. In a recent research report from ESG and the Information Systems Security Association (ISSA), 79% of infosec pros said they believe that government agencies should be doing more to keep up with cybersecurity challenges and 84% say that public education should be doing more to keep up with cybersecurity challenges. The “more” here could translate into more public education and support for NCSAM.
3 actions to take now
What else is needed? Here are a few suggestions for Washington, educators, and the cybersecurity industry at large. Note that my suggestions have remain constant for years:
- A visible public service campaign. Think Smokey the Bear or other similar public service icons. I’m not reserving this campaign for October, rather it should be ongoing throughout the year – in perpetuity.
- K-12 education. We teach our kids about crime, drugs, and sex, so why not teach them about cybersecurity as part of their K through 12 education? This seems especially worthwhile since many of our kids live online these days. The U.S. is well behind other countries like Korea in this type of education, but there are some good models in states like North Dakota. Other states and the Dept. of Education should emulate programs like these.
- Cybersecurity career awareness. With a pandemic-driven global recession and high unemployment, there continues to be more cybersecurity jobs than qualified people to fill them. The US government, academic institutions, and the cybersecurity industry must do a better job or funding, recruiting, and training a 21st century cybersecurity workforce. Yes, some programs exist but not nearly what’s needed.
Before next year’s national cybersecurity awareness month, I’m going to see what small part I can play to move these things along. Until then, kudos to those who’ve contributed to NCSAM in this difficult year.
Gloss