National Cybersecurity Awareness Month: Wait until next year!

I’m back in Washington DC for a series of meetings, so I’m reminded that the last time I was in town, I attended the National Cybersecurity Awareness Month kickoff event at the Ronald Reagan building. The event was sponsored by the National Cybersecurity Alliance and featured prominent speakers including Department of Homeland Security Secretary Janet Napolitano, Deputy Defense Secretary William Lynn, and the White House National Security Staff’s Acting Senior Director for Cybersecurity, Chris Painter.Now that it is well into November, I can honestly say that National Cybersecurity Awareness month was a paper tiger at best. I give credit to the folks here in Washington who rallied around this event but very few others did. Case in point, I met with security professionals in Boston, New York, and the Silicon Valley in October. Out of about 60 meetings, with over 100 security professionals, I’d say that no more than 4 knew that October was National Cybersecurity Awareness Month. If we can’t even promote this within the security community, what hope do we have elsewhere?Now I realize that cybersecurity is a 7 by 24 by 365 activity but we have to start somewhere. A large percentage of the population is online and hasn’t a clue about security best practices. This ignorance threatens us all.With this in mind, here is my wish list for next October. Yes, it is ambitious but I can’t think of one thing that is a luxury.1. Education. Every public school (K-12 and University level) should promote National Cybersecurity Awareness Month, offer frequent training sessions, post FAQs, and provide some level of free online support.2. Business. Businesses of all sizes should promote National Cybersecurity Awareness Month and use it as a catalyst for mandatory training.3. Media. Online and print media should publicize National Cybersecurity Awareness Month and provide links to resources. Television and radio should offer frequent public service ads.4. Tech industry. Tech companies should be at the forefront of promotion and education for National Cybersecurity Awareness Month. Leading firms should provide online resources, sponsor educational programs, provide resources to help in local communities, and actively work with other constituencies that need help. This effort must extend beyond the Beltway. 5. Government. Kudos to Federal, State, and local agencies who participated in this year’s event. That said, government should strive to do more next year. Individual agencies like the Dept. of Energy should promote National Cybersecurity Awareness Month to the Utilities, Coal, and Oil and Gas industries and then monitor (and report publicly) how these industries respond. Similarly, the SBA should be a go-to resource for small businesses. Finally, states should take a lead from the Federal government and do what they can as well.As the saying goes, “ignorance is no excuse.” If we suffer a power failure because a botnet of U.S.-based business and consumer PCs attack a network of SCADA systems, it is our own fault for not paying closer attention. The Federal government can and should do more but we shouldn’t expect the Feds to own this problem.National Cybersecurity Awareness Month is an opportunity for us to get collectively smarter and more secure. Shame on us if we drop the proverbial ball.