What do sausage and cybersecurity have in common? The answer apparently is “October.” October is cybersecurity awareness month; it’s also national sausage month. One would assume that’s coincidence, but who knows what dark forces (with equally inexplicable motives) drive these things?
…an annual designation observed in October. This month, we celebrate everything people around the world love about this juicy, delicious meat! … Sausage dates all the way back to 8th century BC, when Homer wrote in “The Odyssey” about his characters eating an early variation of the meaty meal. Now, you can find some variation of sausage in millions of restaurants all over the world.
Now, before I begin my ranting, in the spirit of transparency I will confess to you that cybersecurity awareness month irritates me. Why? Because it seems like everybody saves up their hyper-pedantic “advice” about cybersecurity basics to dump on the world come October. The trade media becomes – for exactly one month – a steaming pile of unsolicited, one-size-fits-all “guidance” about how you should comport yourself security-wise, oh my brethren. Which, frankly, I find to be both trite and counterproductive.
Note that I’m not trying to paint any and all guidance with the same brush here. There absolutely is interesting and useful guidance that comes out in October; some of it might even have been initially funded, sponsored, or given resources specifically because it is October and hence Cyber Awareness Month. But this stuff would be useful regardless of when it came out. Instead, I’m talking about the captain-obvious, eat-your-vegetables stuff that lays out (sometimes in excruciating detail) what every 8th-grader should know about security. You know the kind of thing I mean because I’m sure you’ve read 20 or so in the last week: the “pick good passwords”, “don’t write passwords down on a sticky note”, “try not to post your bank account number on Facebook” kind of advice.
This stuff irritates me because fundamentally there are two possibilities for whom this advice is targeting: either the working security professional or the novice end user. Either one is problematic for its own special reason. If you’re in the business of securing an organization’s assets and the generic October advice is useful to you, you either need to rethink your career path or seriously bone up on the fundamentals. Like, it’s a bit scary if you’ve been in the business for twenty years and you walk away from an article like that going “damn, I guess I really should change the domain admin password to something other than 12345.” I guess it’s good that message is finally sinking in, but WTH have you been doing this whole time? Not to mention that guidance like that explicitly discounts risk-based decision-making. Meaning, maybe two-factor auth is less important to a given organization because of what they do and how they do it; analyzing the risks involved and making an informed decision based on the threat scenarios and what’s important to the org is what the whole job is about. Anything else deviates from normative standards of professional care (IMHO).
By contrast, if you’re a novice home user, there’s no shame in needing to be reminded (or told for the first time) about this stuff. But these basics are problematic when they’re time-constrained, because attacks happen all year. If we’re keeping people waiting until October to tell them that they should “shore up your passwords” or “back stuff up”, that’s not good. Cramming it all into one month is, in fact, less useful than the alternative. Say, for example, you had $52,000 for publishing advice on how to secure one’s home PC. If costs are equal (say $1k per article), would it be better to: a) release one article per week, or b) blow the whole wad on 52 articles in the month of October? You know the answer to this.
If these things are true, the questions become “who is this stuff for” and “what is the net effect”? And, in fact, the only effects I can posit are negative ones. For example, it dilutes resources that might be applied to something more useful for practitioners. It occupies space that would otherwise be earmarked for something more directly practical. It time-constrains for end users what would be more effective if cadenced. And it increases the “noise” that people need to weed through to find what useful stuff there is. None of that is helpful.
So how about this question? Would there be a positive impact on security efforts overall if October were only “sausage month” and we found a different, non-time-constrained way to advocate for security? I’m not sure it’s a clear “yes”, but the fact that it’s debatable means it’s worth discussing.