Are you aware that October is national cybersecurity awareness month? If you aren’t, you’re not alone. There are lots of cybersecurity awareness activities in DC, in some states, and at universities, but the month is all but ignored by the industry at large.
Want proof? Look at the homepages of the biggest cybersecurity vendors in the industry, and you’re not likely to find a word about cybersecurity awareness month anywhere.
To me, this is a crying shame. Almost all US citizens interact with the internet every day and need to better understand the associated risks so they can make educated decisions online. This education could be a collective benefit for all of us.
Allow me to provide a few examples of the cybersecurity knowledge deficit with some observations, research, and suggestions:
- Business executives need cybersecurity awareness of cyber-risks. According to research from ESG and the Information Systems Security Association (ISSA), 23% of infosec pros say that one of their biggest challenges is that business managers don’t understand or support an appropriate level of cybersecurity at their organization. This is hard to believe in 2019, but too many CEOs and corporate boards still think that their organizations aren’t attractive targets, so they see no need to invest in strong cybersecurity. This is simply head-in-the-sand behavior. In my humble opinion, responsible executives owe it to their shareholders, customers, and employees to further educate themselves on cyber-risk and include cybersecurity as part of overall risk management strategies. Hey, October 2019 is a great time to start. Eventually, strong cybersecurity will be an organizational requirement. Laggards will be digital pariahs, mark my words.
- IT executives need to align cybersecurity awareness with new technology initiatives. Thirty-nine percent of cybersecurity professionals say that the most stressful aspect of their job is finding out about IT initiatives with no security oversight. In other words, IT teams go build and buy new applications for things like digital transformation and don’t get the cybersecurity team involved during the design, planning, or development phases of these projects. This situation is ripe for change. During October, IT teams should bolster their cybersecurity awareness so that they understand new project risks and can bake security into development rather than bolt it on later. This can help improve security and decrease costs.
- Cybersecurity professionals need continuous cybersecurity awareness improvement. Ninety-three percent of cybersec pros agree that they need continuous training to keep up with the latest threats, yet 66% admit that they can’t keep up with training due to the demands of their day-to-day jobs. Wow, there’s a lot of cybersecurity awareness to go around here! CISOs must be aware of this training gap and find ways to free up staff from daily drudgery so they have ample time for continuous education. As for cybersecurity professionals themselves, they should be aware that without ongoing cybersecurity knowledge improvement, they risk becoming dinosaurs. For them, improved cybersecurity awareness should be a daily goal.
A long time ago, the tagline for my blog read: ‘cybersecurity: it’s way worse than you think.’ Unfortunately, this soundbite is truer today than it was in the past. It’s time we stopped treating cybersecurity awareness month like a federal boondoggle and started an honest, concerted effort to truly educate the public and make measurable progress on cybersecurity awareness every October. The world would be a better place if we did.