Management guru Peter Drucker said, “what gets measured gets managed.” Which helps to explain why October – Cybersecurity Awareness Month – is such a bad idea.
For the 31 days of October, everyone in the world who is not involved in cybersecurity is going to be rendered deaf by the cacophony uttered by those who purport to want to improve cybersecurity. In truth, all this noise will drive people to tune out, unsubscribe, unfollow, or otherwise distance themselves from what some well-intentioned but misguided souls think is being useful.
The idea that a month of non-stop mentioning cybersecurity is going to actually improve the state of cybersecurity is like thinking you can declare “war” on poverty or drugs and come out the other side a winner. Doing more of a thing that isn’t working isn’t virtuous, it’s stupid. It becomes a thing you can’t not do because you’re more afraid of what people will say than you are concerned with the efficacy of the deed.
Come November 1st everyone will sit back to enjoy the silence and promptly forget whatever they might have heard or read. They will not remember a single vendor name or pitch or product name. They won’t forget about cybersecurity writ large, because in a day or two they’ll get notice that yet-again their personal data has been compromised via a breach at a company that … if they had just paid more attention in October…
This brings us to Drucker and the idea that people pay attention to what they’re evaluated on or against. We’ve all had jobs where on the first day you’re told company policy (don’t commit fraud, follow safety rules, don’t harass people, etc.), and every subsequent day after that you’re told what your quota or goals are. Is it any wonder, then, that people do all sorts of things in violation of policy in order to maximize their reward? Every day it’s ‘earn, make, do’ and once a year it’s ‘don’t forget to be a decent human being.’ And we wonder why we have toxic workplaces and endless breaches.
What is the usual agenda for your Monday morning staff meeting? Operations update? Accounting and finance? Personnel? You talk about these things because they’re important. People know they are going to be held accountable for those issues, so they work on them. If you want to level up your cybersecurity posture you need to talk about it at least as frequently as you do everything else you care about. Treating it as something that only gets addressed occasionally, or when something bad happens, is a sure-fire way to get people to pay attention only for as long as they must.