Did you know that it is National Cybersecurity Awareness Month (NCSAM)? Yup, every October. To remind U.S. citizens of this fact, the White House issued its annual press release on Sept. 30. In that document, President Trump states:
“This month, I encourage public and private sector organizations to work together to provide Americans with the information, guidance, and tools they need to improve their safety and security in the digital age. I also encourage every American to learn more about how to protect themselves and their businesses through the Department of Homeland Security's Stop. Think. Connect. campaign.”
NCSAM is nothing new; it’s been happening since 2004. In 2009, I attended an exciting kickoff event in Washington, D.C., with hundreds of others. The event was highlighted by a speech by then DHS Secretary Janet Napolitano, who became the highest-ranking government official to participate in the month’s activities. Secretary Napolitano gave an enthusiastic presentation, stating that DHS would hire 1,000 cybersecurity professionals to its staff by 2012.
Napolitano said, “This new hiring authority will enable DHS to recruit the best cyber analysts, developers and engineers in the world to serve their country by leading the nation's defenses against cyber-threats.”
Wow, great stuff that really had me proud to be an American and a cybersecurity professional. Unfortunately, my pride soon waned, and I came to a stark realization — NCSAM plays well in D.C. (and yes, in state/local government and academia to some extent), but the rest of the country could care less.
Little acknowledgement of National Cybersecurity Awareness Month
Want proof? Today, I visited the websites of many of the leading cybersecurity technology vendors on the planet to see what these companies were saying and planning for NCSAM. I looked for references to NCSAM on their home pages, and if that didn’t work, I dug further into the websites to look for blogs, programs, events, anything that referenced NCSAM 2017. Mind you that many of these firms make millions of dollars each year selling products and services in the public sector. Here’s what I found:
- Check Point Software. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
- Cisco. No mention of NCSAM on the homepage, one reference to NCSAM 2017 in static content with no links or further information.
- FireEye. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
- Forcepoint. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website (note that Forcepoint is partially owned by Raytheon, a company with billions of dollars of government business).
- Fortinet. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
- IBM. No mention of NCSAM on the homepage; NCSAM 2017 is referenced in one blog I found on the website.
- Kaspersky Lab. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
- McAfee. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
- Sophos. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
- Splunk. No mention of NCSAM on the homepage; several blogs referring to NCSAM 2017 on the website (note that the public sector represents Splunk’s largest vertical industry).
- Symantec. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
- Trend Micro. No mention of NCSAM on the homepage; NCSAM 2017 is referenced in one blog I found.
Those vendors represent over $10 billion in security revenue each year. In total, I found about seven references to NCSAM in my search. Oh, and if you want further evidence of the value around NCSAM, I’ve never found any proof that DHS hired 1,000 infosec pros by 2012. Nothing.
Remember the N in National Cybersecurity Awareness Month
To be fair, many cybersecurity vendors likely have NCSAM programs in progress that I didn’t see — my guess is they are participating in events within the Beltway at the very least. I’m sure these are worthwhile efforts, but from my cursory search, it doesn’t look like anyone is trying hard to promote NCSAM outside of D.C., Maryland, and Fairfax County, Va.
Please understand that I’m not writing this blog to belittle anyone. I know good work is being done on behalf of NCSAM, and individuals and organizations deserve kudos for the effort. Furthermore, I’m not calling out the vendors I cite here. Each contributes to cybersecurity education in its own way with university programs, training, support for STEM students, etc. They don’t support NCSAM more broadly because they’ve determined it’s not worth the effort.
I hate to keep saying this, but based upon what I’ve seen each year, it appears to me that NCSAM is an abject failure. I hold this opinion because the N in NCSAM is an exaggeration at best; NCSAM has yet to provide cybersecurity awareness and education at a national level. If the biggest cybersecurity technology vendors who have a financial impetus for promoting cybersecurity awareness give NCSAM little more than lip service, it’s a sham plain and simple.
NCSAM makes some folks in Washington feel good each October, but that’s about it. We need to either rally around NCSAM as an industry and community or put it out to pasture. Thirteen years of swings and misses is enough.