So October is National Cybersecurity Awareness Month… again. It’s also Vegetarian Awareness Month (a nice counterpoint to it also being National Sausage Month). Now, fair warning that I griped about it last year, but I’ve never been one to stand on ceremony when it comes to a good complaining-fest so let’s revisit.

For those of us who have been in the business for a few years, we probably remember life before there was a dedicated “theme month” for security. For those who don’t, the tl;dr is that back in 2004 the National Cyber Security Alliance (NCSA), in conjunction with the U.S. Department of Homeland Security, launched the very first National Cybersecurity Awareness Month in an effort to make sure that we all (businesses, government, and individuals alike) stay safe online. Seems like a reasonable thing.

The reason it was necessary in 2004 isn’t hard to understand. Back in the ancient days, not everybody realized that cybersecurity was important. Like… people just really didn’t realize it was a thing. For example, I’d tell people what I did for a living (pentesting, probably, if I have the timeline right) and they’d look at me like I had two heads. To put it in a little context, when that first awareness month kicked off the PCI DSS didn’t exist yet (v1.0 was published in December of that year).

Obviously, complete ignorance of the cyberz was seriously problematic for anyone who had a vested interest in keeping their data protected, and organizations that cared about security had a strong motivation to promote awareness of the topic. Having a specific time of year to focus exclusively on it (or nearly so, once you get past the sausage and vegetarianism), when everyone can turn their attention toward the topic, makes complete sense. So far, so good.

A lot has changed since 2004. Now cybersecurity is fully entrenched in the culture of the world. Most people know what it is, know why it’s important, and know that there are bad folks out there who are just aching to hax0r them. They know this both as an intellectual matter and as an experiential one, since they’ve almost certainly been a victim of a breach by now.

So, given that people already know what cybersecurity is and why it’s important, is there still value in having a dedicated month? To answer this, I surfed over to the NICCS page hosted at US-CERT to see what the stated purpose is nowadays. The site tells me the value is threefold:

  • “…raise awareness about the importance of cybersecurity…”
  • “…ensure that all Americans have the resources they need to be safer and more secure online…”
  • “…emphasize personal accountability and stress the importance of taking proactive steps to enhance cybersecurity…”

For the first bullet, I think we’re there. Awareness achieved. I’d argue, in fact, that we’re at peak awareness: after Equifax, DoorDash, Uber, Marriott, etc., you’d be hard-pressed to find someone who isn’t at least peripherally aware that security as “a thing” exists. The second one, the “resources they need,” I think is also covered. Are people creating new resources specifically for October? Other than generic guidance (we’ll get there in a minute), I seriously doubt it. Most useful resources are equally available regardless of whether it’s Halloween, Columbus Day, or Easter. So we’re good on that one too, I think.

Which leaves us with the last one: personal accountability and proactive steps. This is where I think the whole October thing falls down. Specifically, what happens in practice? Well-meaning organizations, seeking to be helpful, decide to “put out something” (in this case, generic guidance) for October about security awareness. In fact, they’ll deliberately hold something back so they can release it in October to align with the theme. Say there are twelve guides scheduled for release from various organizations that would ordinarily be sprinkled randomly throughout the year. Because there is an “awareness month,” what happens? They all come out in October rather than being spread out over time. Is that a useful outcome? I’m not sold.

Anyway, I’m sure I’m overthinking this… but shouldn’t every month be security awareness month nowadays?