I’ve made my thoughts on the value of cybersecurity awareness month pretty clear. Cybersecurity doesn’t actually improve come 1 November. Cybersecurity awareness month has become one of those things we have to do because to stop is to expose yourself to the digital equivalent of “when did you stop beating your spouse?”
Our impact on the end-user community has been questionable. So many variables. But a subset of humanity that we might be able to influence to improve the state of things is ourselves. And since I hate people who complain but bring nothing to the table, herewith a couple of ideas on how we might fix ourselves.
Answer the Question. **** like this is disturbingly frequent in security, and really irritating:
You’re not being clever; you’re pointing out your reading comprehension problem. “X is more secure than Y because…” what is this? 1998? You understand context is a thing, right? Constraints? “You’re in charge of IT, just change OSes” might as well be “You’re descended from primates, just grow a prehensile tail.” We’re all in this INFOSEC life raft together, so maybe don’t p*** in the fresh water.
Spread the Love. Bad things are going to happen during cybersecurity month. If you’re an expert on the thing that happens, by all means sound off. If you’re not, immediately and loudly point out those who are. If you’re someone the media goes to for quote and commentary, pass them on to the person you know who has the most credibility and can be the most helpful. I’m not saying to do otherwise is you perpetuating false authority syndrome, but if you’ve ever ragged on someone for talking out their fourth point of contact, well…
STFU. The only thing we like doing more than humble-bragging on ourselves is running down and talking **** about others. In some cases, its warranted because those people are legitimately bad people or demonstrably wrong. But a whole lot of our disagreements with people are differences of opinion or the sharing of just how much one’s mileage may have varied. And you know what? Its OK that your experience was different from mine, and vice versa. Everything isn’t a debate. Go one month holding your tongue and checking your hot take button. Forget elevating the discussion, just don’t have one if it isn’t necessary. You literally have nothing to lose.
Cybersecurity awareness month isn’t going to change anything as-is. There are probably a dozen things we could do differently that would produce meaningful results. Go out on a limb and try something new and lets see if we can’t make ’23 the last year of the old way of leveling up our individual and collective security posture.