It's Halloween, which not only means costumes, parties, candy, and trick-or-treaters, but also the close of the annual Cybersecurity Awareness Month (among other things to be aware of). So... are you more aware today than you were on October 1st? :)
I find this notion of an awareness month for security to be somewhat odd... it's not like we have non-profit research groups trying to save lives... rather, we're trying to raise awareness for something that, quite frankly, is suffering from a generational and human evolutionary problem. Plain and simple, we're still in a transitional (pre-equilibrium) period... mid-flight in this "digital industrial revolution"... and until we reach some reasonable stasis point, humans simply won't all be able to keep up, let alone evolve.
At the same time, human risk factors represent one our biggest, most under-addressed exposures today, as highlighted by social engineering and spearphishing attacks, confusion around cloud computing and cloud security, and the exacerbating effects of BYOD/BYON/BYOA. Fundamentally, people are not making good quality risk decisions. Technologies (which are lagging well behind in the defensive categories, as I noted here) are not going to "solve" this problem anytime soon, if ever. This means that "awareness" needs to be amped up.
And here, then, is where I take issue with holding an awareness month. What we really need is an awareness year or decade. Moreover, we need aggressive awareness campaigns that invest heavily in educating business leaders, the legal industry, and... well... everyone about various "cyber" risks.
For business leaders, we need to clearly outline the place of operational risk management in their overall risk portfolio/dashboard (along with financial, hazard, strategic, and compliance risk). We need to educate them on IT's disproportionate influence on oprisk these days, and help them understand how to set a reasonable climate for making sound decisions, backed-up by a culture of accountability.
For legal advisors, we need to undertake aggressive efforts to ensure that they not only understand technologies at a high level, but that they understand the importance and necessity of various security-oriented terms on contracts and agreements. If your organization does not currently have a legal advisor who is demonstrably savvy/competent in infosec/cyber law, then it's time to supplement or hire for those skills. It may even be worthwhile to bring in a law student or send a staff lawyer back to school just to get these skills in-house, in a manner that brings with it the ability to nominally understand the IT component of op risk and how that translates to various legal agreements and situations.
Lastly, standard awareness training cannot be relied upon. Instead, it's time to up the ante. All personnel must be informed of their duty to make good risk decisions, given the tools to make good risk decisions, and held accountable for those decisions. Aggressive awareness training must be conducted to continually remind people of what good and bad decisions are, what common threats and vulnerabilities look like, and how their decisions directly impact the core functions of the business. This program must include ensuring that managers are not making arbitrary decisions to outsource without involving the right parties from legal, risk and compliance, and IT. Consequences must be clearly stated... and then enforced! Corporate cultures too often fall out of a culture of accountability ("freedom & responsibility" as Netflix terms it)... we need a reversal on this course if there's any hope of making progress.
So... perhaps you're not really much more aware today than you were on October 1st, but maybe this little post will give you a few ideas for how to solve that going forward. Maybe by this time next year you can start seeing the benefits of affected change. In the meantime, let's hope your monitoring, detection, and response capabilities are tuned-up and working well!
Happy Halloween!
