As October begins, we in New England look forward to fall foliage, warm days and cool nights. Aside from orange and bright red leaves here in Massachusetts, everyone will see a prominent display of the color pink as October is also breast cancer awareness month. Finally, if you are a dedicated cybersecurity professional, you may (that’s right, may) know that October is also national cybersecurity awareness month.
Now there’s nothing wrong with cybersecurity awareness month, and those participating deserve credit for their efforts. The National Cyber Security Alliance website, staysafeonline.org, is especially useful. The problem I see (and have written about for years) is that national cybersecurity awareness month is really a token gesture, with most of the effort coming from the public sector and those few companies (mostly in Washington) that profit from working with the public sector. Want proof? Surf to the websites of all of the top cybersecurity vendors you can think of: Check Point, FireEye, Fortinet, Intel Security (McAfee), Kaspersky Lab, Palo Alto Networks, Symantec, Trend Micro, etc. You aren’t likely to see anything substantial (if anything at all) about national cybersecurity awareness month anywhere.
To be clear, cybersecurity education is extremely important. In fact, the lack of cybersecurity knowledge is a big part of the overall issue here – most people wouldn’t follow a stranger down a dark alley in Manhattan, but many of the same cautious folks will willingly click on a link in an email or open an attachment from someone they just met at a conference. Unfortunately, a single month dedicated to cybersecurity awareness and led by a small group of public sector agencies and their private sector business partners won’t do.
So what’s needed? Here are a few suggestions for Washington, educators, and the cybersecurity industry at large:
1. A visible public service campaign. Think Smokey the Bear and McGruff the Crime Dog-type stuff. I would suggest a similar cartoon character-based approach for children and a more sober set of messages for adults. I’m not reserving this campaign for October; rather, it should be ongoing throughout the year – in perpetuity.
2. K through 12 education. We teach our kids about crime, drugs, and sex, so why not teach them about cybersecurity as part of their K through 12 education? This seems especially worthwhile since many of our kids live online these days. The U.S. is well behind other countries in this type of education. For example, South Korean children are provided with basic education about the Internet and cybersecurity around the first grade.
3. Cybersecurity career awareness. While presidential candidates bellyache about the lack of high-paying jobs for the middle class, there is an acute shortage of cybersecurity talent available for hire across the globe. In fact, ESG research indicates that 28% of organizations claim to have a “problematic” shortage of cybersecurity skills today (note: I am an ESG employee). In order to begin to fill these jobs, we first have to do a better job of telling people that these jobs actually exist and are available. Oh, and while we are at it, let’s make a special effort to deliver this message to women, as the cybersecurity field is dominated (I would estimate 80% to 90%) by men.
4. Funding for cybersecurity training. The Hatfields and McCoys in Congress have feuded over cybersecurity for years. Some believe we need additional legislation, while others want the market to sort it out itself. Okay, I get the public disdain for more regulations, but Democrats and Republicans should certainly recognize the cybersecurity skills shortage and agree to throw additional funds at cybersecurity education. Done right, this type of funding could be beneficial in multiple areas: funding for cybersecurity education for veterans, funding for community colleges, specific cybersecurity programs and incentives for women, regional funding, etc. Frankly, I really don’t understand why programs like these aren’t more mature and strategic today.
While the federal government should assume the role of cybersecurity education leader, it shouldn’t be asked to do this on its own. With the current sorry state of affairs, a lot of cybersecurity vendors, service providers, and phat-cat VCs are making tons of dough by selling infosec solutions and chasing ambulances. Other irresponsible companies are simply ignoring cybersecurity, producing highly insecure products, collecting/selling private data, and exacerbating problems. Someone in Washington (a new cybersecurity czar?) should be beating this crew with carrots and sticks, encouraging them to participate in a collective cybersecurity education effort.
Done right, a public/private partnership for national full-time cybersecurity education could be extremely beneficial. As a famous Jack Black character once said, “let’s get rockin.”