With this year’s theme of ‘Do Your Part, #BeCyberSmart’, I really focused on the ‘do your part’ … part. It’s super easy for those of us who live and work in this space to forget why we do this: We’re here to make it easier and safer for everyone to fully participate in a technology-driven world. How do we do that? At the end of the day, our most fundamental obligation is to be teachers. We have a duty to welcome, include and educate newcomers.
For those of us who are people leaders, we have a responsibility to recruit, train and sustain a diverse workforce that is capable of enabling the business at speed. As attack methodologies evolve, so must our ability to educate our end users on their importance and impact. Our users are our first line of defense, and we must ensure they are fully equipped.
Employing technology is easy. Teaching is hard. It’s time consuming, requires a tailored approach for each audience and, more than anything, it requires vulnerability. But we can look to the past for hints. The phrase ‘Each One Teach One’ is an old proverb that originated during the period of slavery in the United States. At the time, Black Americans had been systematically denied opportunities to pursue any kind of formal education and were kept intentionally illiterate and ignorant as a means of control to prevent slaves from being made fully aware of their circumstances. When an enslaved person did have the opportunity to learn how to read, it became their duty to teach other enslaved persons as well—‘Each One Teach One’ was born as an imperative of change. They realized in their time that a critical element of improving, and eventually breaking out of, their circumstances was to build a highly educated populace, capable of making informed decisions based on facts and reality.
We can and should pull the ‘Each One Teach One’ philosophy into cybersecurity if we really hope to make gains toward our united purpose. Much has been said about the skills gap in this industry. I don’t think we suffer from a skills shortage. I think we suffer from a lack of willingness to be relentless teachers. I know what you’re thinking: We’ve talked to end users. We’ve given them phishing training. They still keep clicking. They doze through Information Security Awareness Training. We mustn’t throw up our hands in resignation or roll our eyes at ‘eye-dee-ten-tee’ errors (write it down). One user, one student, one newcomer at a time, we must roll up our sleeves and teach them … and each other.
As we watch old techniques in new clothes, like ransomware, rip through the networks of schools, governments, corporations and, even more alarmingly, hospitals, it is easy to turn to technology, thinking that if we just enable one more feature or flip one more toggle we’ll finally, finally be able to catch up; that we’ll be able to find RED on our networks; that we’ll be able to catch that malware and detonate it in a sandbox before it ever has a chance to propagate. I have some news for you: No technology you employ will ever, ever be better than an educated user.
You want to know where to spend your budget? Go spend it on training. And I don’t mean just buying some goofy videos and throwing them at your end users. If you’re hiring for the RED team, one of your interview questions needs to be, ‘How did you teach BLUE to find you?’; if you are buying technology, one of the questions to your vendors needs to be, ‘How will this help me train my end users to see this activity and either avoid it or report it?’ Your indicators of attack aren’t just IP addresses and URLs; they also include your end users being able to spot and shut down a pretext and educate others about it.
National Cybersecurity Awareness Month affords those in the security community an opportunity to be in the spotlight. My challenge to each member of this community is to take this time to do your part. Teach. I don’t really care that you’re great at writing YARA rules. I want to know who else you taught to write detections and what steps you took to empower your end users to be part of the detection workflow. Measure your success this month not in all your cool tech, but rather in teaching people, even one person, to be cybersmart.