Cybersecurity Awareness: A Perpetual Requirement

For the entirety of October, everyone in the world not involved in cybersecurity was threatened with hearing loss from the cacophony of those who purported to want to improve awareness of the issue of cybersecurity. In reality, the noise generated during “Cybersecurity Awareness Month” tends to drive people to tune out, unsubscribe, unfollow, or otherwise distance themselves from what the well-intentioned think is being useful.

The idea that a month of non-stop mentioning cybersecurity is going to actually improve the state of cybersecurity is like thinking you can declare “war” on poverty or drugs and come out the other side a winner. We have promoted Cybersecurity Awareness Month for 17 years, yet we have no data that indicates it is making a difference. Doing more of a thing that isn’t working isn’t virtuous. It becomes a thing you can’t not do, because you’re more afraid of what people will say than concerned with the efficacy of the deed.

We are now in sweet, quiet November, and if you quizzed a random stranger about the advertising antics of the previous month it is doubtful that they would remember a single vendor pitch or product, much less any basic security principle that might have been promulgated. They won’t have forgotten about cybersecurity writ large, because in a day or two they’ll get a notice that yet again their personal data has been compromised via a breach at a company that … if they had just paid more attention in October…

We could do worse than to remember the words of management guru Peter Drucker, who said, “what gets measured gets managed.” That is an argument to stop making cybersecurity awareness “special” by giving it its own month, and instead to incorporate it into our day-to-day.

We’ve all had jobs where on the first day you’re told company policy (don’t commit fraud, follow safety rules, etc.), and every subsequent day after that you’re told what your quota or goals are, the rewards for exceeding them, and the consequences of coming up short. Is it any wonder, then, that people do all sorts of things in violation of policy in order to achieve their goals? Every day it’s “earn, make, do,” and once a year it’s “don’t forget to be a decent human being” and “beware of phishing.” And we wonder why we have toxic workplaces and endless breaches.

As an executive or leader you spend some part of every day talking about personnel, finance, operations, legal, etc. You talk about these things because they’re important to the viability of your organization. People know they are going to be held accountable for these issues. If you want to level up your cybersecurity posture you need to talk about security at least as frequently as you do everything else you care about. Make it a part of the everyday routine. Addressing it only occasionally, or when something bad happens, is a sure-fire way to get people to pay attention only for as long as they have to, which is not how you build the culture you need to reduce cyber risk.