Cybersecurity Awareness and Rocket Science
Simple Approaches Often Prove to Be the Hardest
That half-century-old saw is usually employed to explain why what many people would consider as far less demanding in skill and knowledge should be easily accomplished. But think about it: rocket scientists usually achieve what they set out to do. The more mundane stuff isn't always simple to realize.
Like rocket science, much of the effort to secure information and information technology requires sophisticated technical know-how, especially when creating tools to prevent unwanted intrusions. Producing such tools could be as challenging as building rockets that launch satellites to the far reaches of our solar system.
But one of the more straightforward approaches to IT security is the farthest removed from the rocket-science-like skills: cybersecurity awareness.
There's sort of a do-gooder feel to cybersecurity awareness. The tough stuff is coming up with the technologies to prevent breaches, right? But just as street smarts protect those venturing down a dark alley at 3 a.m., cybersecurity awareness is the virtual equivalent.
It's not just my opinion, but that of IT security leaders within the federal government. Networking vendor Cisco Systems recently surveyed some 200 government IT managers, and two-thirds of the respondents said education and training provide the most useful "technologies" to address cybersecurity challenges.
Knowledge is good. And too many people involved in cybersecurity, either as practitioners or users, don't have the knowledge, or don't put it to good use.
Take, for instance, the hack of certificate authority DigiNotar (see Certificate Breach: 3 Lessons), in which the breach resulted in the issuance of more than 500 counterfeit digital certificates. As my colleague Tracy Kitten reports:
"A 13-page audit of DigiNotar conducted by IT security firm Fox-IT notes lax monitoring controls and breach-reporting delays that magnified the compromise."
That's the kind of stuff people in the know - the cybersecurity experts at DigiNotar - should have acted upon.
But most cybersecurity awareness initiatives are aimed at employees and individuals to improve their computing hygiene, of which we're reminded every October by National Cybersecurity Awareness Month.
The Multi-State Information Sharing and Analysis Center, a forum where states collaborate to promote information security, this year is asking individuals to take a pledge to practice safe computing. MS-ISAC sees the pledge as a way to encourage users to take action by spreading the message of good cybersecurity practices to their friends, co-workers, neighbors and community. I'm not sure if the pledge will accomplish much; as of late Thursday, MS-ISAC reports it has received over 2,400 pledges. Still, as one rocket scientist said 42 years ago, "One small step for man ..." Every little bit helps, I guess.
Granted, cybersecurity awareness isn't as sexy as developing intrusion prevention or biometric systems, but it's what many of those who manage IT security in government believe to be among the best ways to defend ourselves against those who would do us harm. And those responsible for securing IT should boost their efforts to educate their staffs and communities. Protecting IT is everyone's responsibility.