October 2, 2019

Larry Clinton

I expect virtually everyone who might be reading this blog knows that October is Cybersecurity Awareness month. But I doubt the total number of people in the Unites States who know October is “our” month rises above five figures. Of course, awareness that we have a cyber security problem is virtually unanimous.

To make things worse we share October Awareness month with the true champions.  October is also breast cancer awareness month. Everywhere you go this month you will be reminded by the ubiquitous pink – well everything — of the scourge of breast cancer which strikes hundreds of thousands of American women each year still kills more than 40,000 women a year. 

The breast cancer community has been tremendously successful in tying their program to the wearing of pink as a reminder of the extent of this terrible disease.  Everywhere you look this month you are going to see pink. Watch an NFL game? You will see refs in pink caps. Players with pink towels. The news will be flush with reports of various walk/runs with thousands and thousands of brave survivors wearing pink. Its not only a testament to marketing genius, it is in fact inspirational—which is what it should be. I dare say that there is not a commercial product for sale in the US this month that won’t be available in pink .

Much like cyber security the reality of the issue far outstrips the awareness program.
Just as the breast cancer awareness community is more sophisticated than the cybersecurity community in marketing, they are also superior in another crucial factor – self-awareness. Several years ago, one of the most prominent players in breast cancer awareness space, the Susan B Korman Fund, adopted a new slogan “More than Pink.”

This is what – well this is one – of the things we in cyber security can learn from our sisters managing the breast cancer programs.  Rather than feeling self-satisfied with the success they have achieved they have looked in the mirror and asked what more needs to be done – and they have answered — correctly in my view – lots more. We should do the same.

Back in ancient times, 20 years ago — BCA Before Cyber Awareness – I would go to the rare conferences on cybersecurity and the presentations would be all about the fact that there was a cyber security problem. Things are different now.  I go to a conference and virtually every presentation includes a laundry list of efforts to combat the cyber problem usually stated with great pride (I’m guilty here too). In those rare instances when the audience is not the proverbial choir, when we are really just talking to ourselves, I’ve made it a point to go out into the audience and ask what they think of the preventions. I get a disturbingly frequent reply of “looks like you guys have this problem in hand”.

Ah, no, that’s not true. Actually, we don’t. The reality is we are losing the cyber security fight—big time.  The bad guys are kicking our butts. Our cyber systems are not only insecure they are getting less secure all the time. Cyber crime is increasing at 100% a year. And we are not putting any of the criminals in jail. The nation state problem is only growing – and soon the real crazies may get truly dangerous abilities. Are we doing some good things? Yeah. Are we winning? Hell no.

We need more than awareness. We need more than what we are doing. We have known for decades that our law enforcement community is underfunded and lacking the international structure to properly do their job.  Where are the hearings and commissions on that? We have said for decades that we need to develop an incentive program to close the gap between commercial level security and national security in critical infrastructure. Where are the hearings and commissions on that? We have known for decades that our policy makers, outside of a select few, really don’t understand what we are talking about. Where is the education program for them? I could go on and on, but everyone reading this blog is already aware of all this. 

I wonder if in our eagerness to show we are working on the issue — waving our own pink flag if you will — that our messaging in cyber security awareness month is misdirected. I wonder if we might not learn from our sisters in pink and be aware if we are overselling our activities as success. 

Maybe cybersecurity awareness month should include a healthy dose of cyber security self-awareness.