Yesterday, I attended an industry event in Washington to kick off October as National Cybersecurity Awareness Month. The event was sponsored by the National Cyber Security Alliance and featured prominent speakers including Department of Homeland Security Secretary Janet Napolitano, Deputy Defense Secretary William Lynn, and the White House National Security Staff's Acting Senior Director for Cybersecurity, Chris Painter.
All the speakers at the event articulated a few common messages:
1. The Federal Government must work in a coordinated fashion to protect the digital assets of civilian and defense agencies.
2. Cybersecurity awareness is a shared responsibility. The government will do its part but it needs the private sector's help.
3. There are some common sense rules that everyone should follow to practice safe computing. These rules are well presented on the National Cyber Security Alliance website and on the DHS website.
President Obama also provided his support with an official declaration making October National Cybersecurity Awareness Month.
I was impressed by the event and caught up in the Washington buzz, so I decided to see just what the security community and industry outside the Beltway planned to do in support of this effort. Unfortunately, I got little in return. I called 10 people that I know and respect (security contacts: CISOs, academics, industry beacons, etc.). Not one of them knew it was National Cybersecurity Awareness Month. I then went to the websites of leading security technology vendors to see if they were promoting National Cybersecurity Awareness Month in any way. I was sorry to see that major security companies like Cisco, McAfee, and Websense didn't seem to recognize the event at all. This is shameful and embarrassing.
Okay, I realize that October is only two days old, but if National Cybersecurity Awareness Month is nothing but a Washington schmooze-fest and PR event, shame on us as a security community. The Feds are running interference, so it is imperative that we do our part. Here is what I propose:
1. Security and business professionals should hold security training events in October to promote education. Make it an informal beers-after-work event, but add real content. Security communication is imperative, but it shouldn't be intimidating.
2. Security vendors should volunteer their time and resources. For example, each and every security vendor should recognize National Cybersecurity Awareness Month on their websites, offer whiteboard sessions on video, discuss "lessons learned," etc. Take these messages public to anyone willing to listen.
3. We analysts, journalists, and pundits should offer advice this month in addition to product descriptions and industry reports. We should also be willing to make some of our stuff free (Note: I will be doing this starting next week).
Security professionals often say that "people are the weakest link in the security chain." We as an industry have an opportunity to strengthen this link. The Federal Government and industry groups like the National Cyber Security Alliance are willing to do their part. Let's pitch in and do ours.
