It’s Cybersecurity Awareness Month. Again. And the question comes up, as it does every year, whether more awareness is needed or is even a good thing. For example, studies have shown that after a certain point there are diminishing returns from repeating the same anti-phishing training.
The G.I. Joe line “knowing is half the battle” no longer seems to hold. Yet, except in the case where we go back with the exact same message to the same glassy-eyed audience, Cybersecurity Awareness Month is still highly relevant and maybe even more important than ever before.
This is not the time to bludgeon the rest of our companies with reminders to use AV and keep it up to date or to “think before you click.” Instead, it’s a time to push the boundaries of cyber awareness in three ways: new audiences, deeper messages, and innovation, especially around emerging technology.
Not everyone has heard the message even in this day and age. Yes, we all live in a Connected World; but we need to get out of our comfort zones and speak to new audiences. From nursing homes to Town Hall meetings, we can raise our collective heads from our cubes, offices, and now home offices and have new talks with new constituents.
For that matter, we can be more interesting in how we engage. Gone are the days of a pro forma PowerPoint and dry training like the (absolutely essential) new hire, basic compliance, or FCPA training. Don’t get me wrong, we should still do cyber training at the beginning or end of the fiscal year; but Cyber Awareness Month is the chance for a short fireside chat, a small series of videos, #askusanything sessions, trivia competitions, and, for that matter, gamifying awareness.
Let’s teach something other than the dry content of the annual cycle, which isn’t going anywhere, and make cyber an interesting and involving subject for all. Let’s challenge ourselves to explore the topics we don’t dive into enough, like cloud security and what to do with home automation (news flash: with COVID-19 the “keep IoT out of the enterprise” strategies have failed because the enterprise has gone to IoT!). Anyone can do this cyber thing and should do it, not just the men and women in the SOC or chasing audit findings.
This raises the question of deeper messages: domain-specific ones like deeper secure coding training, or perhaps unpacking the old policies and making sure they are still relevant (I’m looking at you, stale password policies!). Making things immersive and gamified is a good idea in October. Why not stage the tabletop exercises, for instance?
Maybe most importantly, we can challenge our own assumptions within security. Bring in fresh blood to problem-solving think tanks, hold an actual hackathon, or perhaps take the time to find out with a survey or two what people want to know or are confused by.
If the men and women of cyber don’t want to be known as Dr. No, don’t want people rolling their eyes at the same old hackneyed phrases and lessons, and do want people to get excited about Cyber Awareness Month, why not hold a (virtual for now) viewing night to go over favorite Mr. Robot episodes, or perhaps a documentary or Hollywood movie, and then do a fact-or-fiction talk about it afterward?
In short, let’s make Cyber Awareness Month as fresh as it should be and not just an excuse for yet another PowerPoint at the company all-hands! The biggest problem in security is lack of alignment and integration with the rest of the business. So let’s put a dent in that problem this October.