Few People Know It's National Cybersecurity Awareness Month. That’s a Problem.

Did you know that it is National Cybersecurity Awareness Month (NCSAM)? Yup, every October. To remind US citizens of this fact, the White House issued its annual press release on September 30. In that document, President Trump states:

“This month, I encourage public and private sector organizations to work together to provide Americans with the information, guidance, and tools they need to improve their safety and security in the digital age. I also encourage every American to learn more about how to protect themselves and their businesses through the Department of Homeland Security's Stop. Think. Connect. campaign.”

NCSAM is nothing new; it’s been happening since 2004. In 2009, I attended an exciting kickoff event in Washington DC with hundreds of others. The event was highlighted by a speech by then-DHS Secretary Janet Napolitano, who became the highest-ranking government official to participate in the month’s activities. Secretary Napolitano gave an enthusiastic presentation, stating that DHS would hire 1,000 cybersecurity professionals to its staff by 2012. Napolitano said: “This new hiring authority will enable DHS to recruit the best cyber analysts, developers and engineers in the world to serve their country by leading the nation's defenses against cyber-threats.”

Wow, great stuff that really had me proud to be an American and a cybersecurity professional. Unfortunately, my pride soon waned and I came to a stark realization – NCSAM plays well in DC (and yes, in state/local government and academia to some extent) but the rest of the country could care less. 

Want proof? Today, I visited the websites of many of the leading cybersecurity technology vendors on the planet to see what these companies were saying and planning for NCSAM. I looked for references to NCSAM on their homepages and if that didn’t work, I dug further into the websites to look for blogs, programs, events, anything that referenced NCSAM 2017. Mind you that many of these firms make millions of dollars each year selling products and services in the public sector. Here’s what I found:

  • Check Point Software. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
  • Cisco. No mention of NCSAM on the homepage, one reference to NCSAM 2017 in static content with no links or further information.
  • FireEye. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
  • Forcepoint. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website (note that Forcepoint is partially owned by Raytheon, a company with billions of dollars of government business).
  • Fortinet. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
  • IBM. No mention of NCSAM on the homepage, NCSAM 2017 is referenced in one blog I found on the website.
  • Kaspersky Lab. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
  • McAfee. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
  • Sophos. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
  • Splunk. No mention of NCSAM on the homepage, several blogs referring to NCSAM 2017 on the website (note that the public sector represents Splunk’s largest vertical industry).
  • Symantec. No mention of NCSAM on the homepage, no other references to NCSAM 2017 on the website.
  • Trend Micro. No mention of NCSAM on the homepage, NCSAM 2017 is referenced in one blog I found. 

These vendors represent over $10 billion in security revenue each year. In total, I found about 7 references to NCSAM in my search. Oh, and if you want further proof of the value around NCSAM, I’ve never found any proof that DHS hired 1,000 infosec pros by 2012. Nothing. 

To be fair, many cybersecurity vendors likely have NCSAM programs in progress that I didn’t see – my guess is that they are participating in events within the Beltway at the very least. I’m sure these are worthwhile efforts but from my cursory search, it doesn’t look like anyone is trying hard to promote NCSAM outside of DC, Maryland, and Fairfax County, VA.

Please understand that I’m not writing this blog to belittle anyone. I know that there is good work being done on behalf of NCSAM and individuals and organizations deserve kudos for the effort. Furthermore, I’m not calling out the vendors I cite here. Each contributes to cybersecurity education in its own way with university programs, training, support for STEM students, etc. They don’t support NCSAM more broadly because they’ve determined that it’s not worth the effort.

I hate to keep saying this, but based upon what I’ve seen each year, it appears to me that NCSAM is an abject failure. I hold this opinion because the N in NCSAM is an exaggeration at best; NCSAM has yet to provide cybersecurity awareness and education at a national level. If the biggest cybersecurity technology vendors, who have a financial impetus for promoting cybersecurity awareness, give NCSAM little more than lip service, it’s a sham, plain and simple.

NCSAM makes some folks in Washington feel good each October but that’s about it. We need to either rally around NCSAM as an industry and community or put it out to pasture. Thirteen years of swings and misses is enough. 
