For those of you living in the United States, you may have noticed recent announcements about National Cyber Security Awareness Month. Sponsored by the Department of Homeland Security and the National Cyber Security Alliance, this is a month long event that happens every October.  The goal is to raise awareness ... well about awareness.  I'll be honest, I have mixed feelings about awareness month.
  1. THE GOOD: Anything that attempts to raise awareness about security issues is in my mind a good thing.  This is not just for people in general, but for management also.  October can also be the perfect month for presenting your business justification to management and get your awareness training budget, as awareness is all the news.  But to be honest I also have some concerns.
  2. THE BAD: Awareness is a continuous life-cycle, not a one time annual event.  Once a year power point presentations may be enough for compliance, but if you want to have an impact and change behavior, you have to be continuously training and educating people.  Just like computers have to be constantly patched and updated, so to does the HumanOS.  Management tends to forget this as soon as awareness month is over.
  3.  THE UGLY: I know people are trying to do good things, but the execution of #NCSAM is pretty boring.  If you go to the DHS main site, you can understand that when it comes to communicating, government could use some Marketing 101.  The site is very busy and its hard to find information. This is a common failing of not just DHS but many awareness programs.  You can have the greatest product in the world, but if you do not market it well no one will listen. Instead, an example of a good, online resource for families and kids is the government site  OnGuard Online.  I feel this is well organized, user friendly, has a wealth of valuable information and even in Spanish.
About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, system defense and awareness and training. He helped pioneer the fields of deception and cyber intelligence with his creation honeynets and founding of the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Before working in information security, Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and