Is a lack of leadership the reason why Canada isn’t at the forefront in the fight to make organizations more secure? The thought crossed my mind because in the U.S. this is National Cyber Security Awareness Month again.
Declared in 2010 by the President, no less, it’s “designed to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.”
We don’t have a similar awareness-raising event in this country. It’s time we did.
Arguably, five years of holding security awareness events in the U.S. has done little to improve its security — although some might argue it could be worse. The daily list of data breaches isn’t getting shorter. The most recent: St. Louis-based online trader Scottrade Inc. admitted it only learned from federal agents that between late 2013 and early 2014 the names and addresses of some 4.6 million clients were lifted; a laptop and EMG machine containing the unencrypted names and birth dates of 1,000 people were stolen from a vehicle in Illinois belonging to an orthopedic clinic; and a Kentucky school district is notifying 2,800 current and former high school students that their names, dates of birth and Social Security numbers may have been exposed after someone running a nutrition services computer fell for a phishing scheme.
What good would a cyber security awareness month do? This month U.S. organizers have dedicated a theme to each week, sometimes timed around conferences. For example, this week’s theme is cybersecurity as a shared responsibility and saw the Organization of American States — of which Canada is a member — hold a cybersecurity workshop over the weekend in Washington, D.C. Next week’s theme is creating a culture of cybersecurity at work, held in conjunction with the U.S. Chamber’s Fourth Annual Cybersecurity Summit in Washington.
Vendors are on the bandwagon: IBM, for example, published this blog on three things CISOs can do to improve security: make sure there are no default passwords on network devices; do an up-to-date audit of all Wi-Fi access points; and demand the smartphones of all staff be password or PIN enabled.
Easy to dismiss this month as a bunch of talking heads. A cybersecurity panel is part of almost every trade association regional and annual meeting these days. The federal government is pushing 10 critical infrastructure sectors across the country to stiffen their defences and engage in risk management to face ongoing attacks.
One could argue that C-level executives at organizations big and small get enough advice on cyber security. Perhaps that’s the trouble — they don’t know which way to turn. (If so, they should heed this advice.)
But it would help to have some leadership from the top. How about a one-day (one week?) campaign where the Prime Minister, the ministers of Public Safety, Industry, Justice, Defence, the head of CSIS, a few senior deputy ministers, perhaps the head of the Canadian Federation of Independent Business, appeared together with provincial premiers, solicitors general and counterparts that have a security mandate at events across the country to hammer home the message to organizations?
Yes, Conservatives appearing on the same stage with Liberals, NDPers and other parties. That’s a definition of leadership.
Their message: Business has to get more focused on the basics, for one. And their goal? To make Canada a leader in cyber security.
It should be an issue in the federal election.