October is Cybersecurity Awareness Month (CSAM), created 17 years ago as a public-private partnership to ensure individuals have the proper resources for online safety. CSAM 2020’s overarching theme is “Do Your Part. #BeCyberSmart” aimed at empowering “Individuals and organizations to own their role in protecting their part of cyberspace” anchored by the key message “If you connect it, protect it.”1 My response to this year’s message is similar to last year’s theme—it is well-intentioned, but remains hollow as a call to action. We are long overdue for a strategy change. I can appreciate the allure of catchy messaging, but I feel it is my duty to routinely force difficult conversations aimed at moving the needle.
Cybersecurity awareness is often addressed separately from the widely reported shortage of skilled talent. Despite advances in tactics, techniques, procedures and technology, significant strides still need to be made. Humans are fallible, and any technological advancements merely serve to mitigate human behavior. Failure to properly educate people of all ages has long placed the burden on enterprises. Historically, information security managers owned security awareness—perhaps under the guidance of some executive. The emergence of the chief information security officer (CISO) undoubtedly gives the information security function a stronger advocate, but I fear too many have not elicited the help of professionals trained in andragogy (adult education).
This is not to say the ever-growing number of cybersecurity awareness training products are worthless, because many have merit. I am simply advocating that the industry pursue a more structured approach, based on established methods which entail identifying the right need and/or desired performance by employees. The truth of the situation is that each of us are potential liabilities to our respective enterprises or home networks and one-size-fits-all elearning modules have enabled little progress.
My passion remains focused on cybersecurity workforce issues, which require an understanding of training and education and our respective governmental constructs. Personally, that led me to near completion of a master’s degree in workforce education and development and the desire for greater insights of the inner workings of the US government to include federal, state and local levels. What I have learned to date has been equally rewarding and frustrating.
All too often, citizens of free nations become hyperfocused on politics, but lack an understanding of public administration which is defined as “The process of translating public policies into results.”2 This obviously varies by country, but generally speaking, there will always be gaps between what lawmakers intended, the associated implementation and net results. I assert that this is compounded significantly when lawmakers and implementers lack sufficient knowledge of the subject area on which they are legislating and implementing, respectively. In the United States, this is most evident with anything pertaining to cybersecurity.
The effectiveness of administration is partially influenced by organizational theory, which is a whole topic in and of itself, and well beyond this month’s purposeful message. The major takeaway is that like private industry, public organizations are not immune to change. In fact, public entities have historically tried to leverage successful practices from private industry, however, distinctions in purpose, strategy and customers often produces mixed results. The result is a loop of various reform movements to include downsizing, reengineering and continuous improvement.3 Of the 3, reengineering is the most disruptive and, although many can justify this approach, the likelihood of success without major employee turnover or unintended consequences is low.
In a previous article, I opined how the COVID-19 pandemic has brought to light our reliance on technology and amplified the digital divide that plagues much of the globe. I further stressed the need for cyberprofessionals to help create actionable public policy and although it was in the context of diminishing the digital divide, it also serves to increase our collective safety.4
Enterprises continue to do their part to educate employees and mitigate risk, however, this approach is disjointed and inefficient.
Enterprises continue to do their part to educate employees and mitigate risk, however, this approach is disjointed and inefficient. It is imperative that we start cyber education much earlier in life. It is a complex task highly dependent upon how countries fund and deliver education. For instance, in the United States, education is funded from federal, state and local sources (most funds come from local property taxes) while each state bears responsibility for its own academic standards. In the United States (and perhaps beyond), the enduring question is what should be the federal government’s role in cyber education. While I firmly believe local control offers agility and flexibility for most matters, the lack of national cybersecurity education standards and strategy puts nations at risk. This is further compounded in the United States by the lack of national substantive privacy laws.
From a workforce perspective, there are glimmers of hope. Some of these reside in the Cyberspace Solarium Commission’s report which has fueled derivative products including white papers, recommendations and early legislative action.5 Nonetheless, workforce efforts will continue to be hampered by a society that largely lacks digital literacy, which surely increases the success of misinformation campaigns. I assert that the United States requires a significant shift in education policy, which, historically, has drawn political resistance. Any resistance to long overdue strategic shifts would be a shame considering 90% of K-12 teachers know little about digital issues.6 Further, nonuniform access to cybersecurity education resources across communities and settings should not be a partisan issue.7
Conclusion
I began this column criticizing another largely passive attempt to increase US security on the web and found I am not alone. A former top US Department of Homeland Security (DHS) cybersecurity official recently stated “We depend too much on awareness.”8 The argument to continue these business-as-usual awareness campaigns is weak and I find it appalling that it took 17 years to figure out we have long overlooked changing human behavior.9, 10 Cybersecurity incidents are not new and I would be extremely surprised to find any large segments of the population that have never received a breach notification. Recognizing that the media sensationalizes everything, how is the US public to discern the tipping point? The Solarium Commission report is promising. However, partisan battles, governmental agency structure, and low numbers of individuals qualified and willing to lead these complex matters leaves me skeptical. After all, interagency cooperation is difficult at best, and progress is highly susceptible to what some refer to as the iron triangle—a tight network of special interest groups, US congressional committees and public administrators united to protect long standing relationships.11 No amount of government reengineering is likely to overcome these challenges without strong accountability measures. It seems fitting to remind anyone involved—directly or indirectly—of a quote by former US President Harry S. Truman: “It is amazing what you can accomplish if you do not care who gets the credit.”12
Jonathan Brandt, CISM, CDPSE, CCISO, CISSP, CSA+, CPI, PMP
Is a senior information security practice manager in ISACA’s Knowledge and Research department. In this role, he contributes thought leadership by generating ideas and deliverables relevant to ISACA®’s constituents. He serves ISACA departments as a subject matter expert on information security projects and leads author management teams whenever external resources are necessary. Brandt is a highly accomplished US Navy veteran with more than 25 years of experience spanning multidisciplinary security, cyberoperations and technical workforce development. Prior to joining ISACA, Brandt was a project manager for classified critical infrastructure projects across the globe.
Endnotes
1 Stay Safe Online—National Cybersecurity Alliance, Cybersecurity Awareness Month 2020 Theme
2 Kettl, D.; Politics of the Administrative Process, 7th Edition, CQ Press, USA, 2017, p. 776
3 Ibid., p. 318
4 Brandt, J.; “Stepping Out From the Shadows,” The Nexus, 10 August 2020
5 Cybersecurity Solarium Commission, Cybersecurity Solarium Commission Report, USA, March 2020
6 EdWeek Research Center, The State of Cybersecurity in K-12 Schools, 23 June 2020
7 Ibid.
8 Marks, J.; The Cybersecurity 202: Americans Are as Insecure as Ever on the 17th Annual Cybersecurity Awareness Month, The Washington Post, 1 October 2020
9 Ibid.
10 Ibid.
11 Op cit, Kettl, p. 298
12 Truman Library Institute, Truman Quotes