Time to Embrace or Terminate National Cybersecurity Awareness Month

Most people know that October is National Breast Cancer Awareness Month. Far fewer people know that October is also American Achieves Month, National Book Month, and Pastors Appreciation Month. 

Oh yeah, October is also National Cybersecurity Awareness Month, and unfortunately few security professionals or industry leaders know about it or pay much attention to this designation. 

Now, dissing National Cybersecurity Awareness Month isn’t a universal problem. In fact, it’s sort of a big deal in Washington, D.C., where the month actually begins with a Presidential proclamation. In his proclamation issued on September 30, President Obama declared, “I call upon the people of the United States to recognize the importance of cybersecurity and to observe this month with activities, events, and training that will enhance our national security and resilience.”

The presidential proclamation is usually followed by a DHS-led event attended by Washington-based industry groups, federal sales teams, lobbyists, and various government cybersecurity wonks. I actually attended the National Cybersecurity Awareness Month kickoff back in 2009. At this event, Janet Napolitano, the Secretary of DHS, announced that the agency would be adding 1,000 cybersecurity professionals to its staff by 2012. Napolitano said: “This new hiring authority will enable DHS to recruit the best cyber analysts, developers and engineers in the world to serve their country by leading the nation’s defenses against cyber-threats.” 

I remember leaving Washington with a sense of pride about National Cybersecurity Awareness Month and Secretary Napolitano’s bold statement. In 2009 and 2010, I tried to monitor DHS’s progress on this hiring commitment but in spite of my efforts, I never found another published word about how DHS was progressing in its cybersecurity hiring effort. Given the cybersecurity skills shortage, bureaucratic federal hiring procedures, and low federal salaries, I doubt whether DHS fulfilled the Secretary’s promise. But then again, I’ll never know. 

Aside from this personal experience, there are a few other reasons why I’ve become so cynical about National Cybersecurity Awareness Month:

• Most cybersecurity technology comes from the Silicon Valley, not the Beltway but unfortunately, National Cybersecurity Awareness Month is a pretty much a non-entity on the Peninsula. Don’t believe me? Check out the websites of leading cybersecurity technology firms like Check Point, Cisco, FireEye, Fortinet, HP, IBM, McAfee, RSA, Symantec, or Trend Micro. These 10 companies account for billions of dollars in infosec revenue but you’d never know about NCSAM based upon the marketing rhetoric on their sites. Heck, NCSAM was even absent from Washington insiders like Booz Allen, Leidos, Lockheed-Martin, and Raytheon when I checked their websites at the beginning of the month. How can NSCAM be successful if industry leaders aren’t interested enough to participate? 
• The “Stop, Think, Connect” message isn’t enough. NCSM has featured this message (or similar messages) for years. I understand that we need a foundation of basic infosec hygiene but given the alarming attacks at Home Depot, JP Morgan Chase, and Target, elementary cybersecurity education is no longer enough. We need wide-ranging programs to educate business leaders, federal/state/local legislators, and critical infrastructure providers. Yes, consumers need to have the right knowledge to protect themselves, but we need to educate the folks who are responsible for protecting all of us.
• Few leaders are stepping up. When October comes around, an impressive group of breast cancer survivors make sure to pepper the media with interviews, campaigns, and live appearances to get the message to the masses. In my many years in cybersecurity, I’ve yet to see a similar PR effort around cybersecurity awareness. Special Assistant to the President and Cybersecurity Coordinator, Michael Daniel, should be making the rounds to CNN, Fox News, Good Morning America, etc. Where is he? Beats me. Come to think of it, can anyone point to a person who represents NCSAM or cybersecurity in general? 

To be clear, I’m am not criticizing the worthwhile programs and organizations that actually promote cybersecurity education and deliver value. That said, these efforts would still be meaningful if they were done independently of a half-hearted awareness month that few pay attention to.

So here’s where I stand on NCSAM: Before next October 1^st, Washington supporters like the National Cyber Security Alliance need to enlist grassroots participation (and money) from the infosec industry and work with ISC2, SANS, ISACA, and others to get security professional organizations more engaged. At the same time, we need our elected officials to increase funding for cybersecurity programs and take these programs to their constituents. Finally, let’s try and get some international participation since there are no borders on the Internet. 

In lieu of these changes, I suggest we stop pretending that National Cyber Security Awareness Month matters and let other, more committed groups enjoy their month in the spotlight.