
Want To Reduce Risk? It Is Time To End Cybersecurity Awareness Month

Management guru Peter Drucker said, “what gets measured gets managed,” which helps to explain why Cybersecurity Awareness Month is such a bad idea.

For the 31 days of October, everyone in the world who is not involved in cybersecurity is going to be rendered deaf by the cacophony uttered by those who purport to want to improve cybersecurity. In truth, all this noise will drive people to tune out, unsubscribe, unfollow, or otherwise distance themselves from what some well-intentioned but misguided souls think is being useful.

The idea that a month of non-stop mentioning cybersecurity is going to actually improve the state of cybersecurity is like thinking you can declare “war” on poverty or drugs and come out the other side a winner. Doing more of a thing that isn’t working isn’t virtuous, it’s stupid. It becomes a thing you can’t not do because you’re more afraid of what people will say than concerned with the efficacy of the deed.

Come November 1st everyone will sit back to enjoy the silence and promptly forget whatever they might have heard or read. They will not remember a single vendor name or pitch or product name. They won’t forget about cybersecurity writ large, because in a day or two they’ll get notice that yet-again their personal data has been compromised via a breach at a company that … if they had just paid more attention in October…

This brings us to Drucker and the idea that people pay attention to what they’re evaluated on or against. We’ve all had jobs where on the first day you’re told company policy (don’t commit fraud, follow safety rules, don’t harass people, etc.), and every subsequent day after that you’re told what your quota or goals are. Is it any wonder, then, that people do all sorts of things in violation of policy in order to maximize their reward? Every day it’s ‘earn, make, do’ and once a year it’s ‘don’t forget to be a decent human being.’ And we wonder why we have toxic workplaces and endless breaches.

What is the usual agenda for your Monday morning staff meeting? Operations update? Accounting and finance? Personnel? You talk about these things because they’re important. People know they are going to be held accountable for those issues, so they work on them. If you want to level up your cybersecurity posture you need to talk about it at least as frequently as you do everything else you care about. Treating it as something that only gets addressed occasionally, or when something bad happens, is a sure-fire way to get people to pay attention only for as long as they must.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

Michael Tanji

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.