Cybersecurity Awareness Month 2023 recently concluded, and as part of its efforts during the month, the Security Industry Association (SIA) Cybersecurity Advisory Board created a series of helpful content, tips and guidance on key cybersecurity topics. In this blog from SIA Cybersecurity Advisory Board chair John Deskurakis – chief product security officer at Carrier – learn how you can prioritize cybersecurity awareness not just in October, but all year round.
In the wake of this year’s Cybersecurity Awareness Month, it occurs to me around this time every year that awareness of cybersecurity is warranted every month, not just in October. But is awareness, in and of itself, actually enough? Persistent vigilance and continual improvement are minimum requirements for cybersecurity readiness and are fundamental for mission success. One thing we should always be aware of is the self-evident concept that cybersecurity defenses must be dynamic and continually evolving. But why? Attack methods and advancements are always developing. And as information and insights that reduce attack complexity and increase the likelihood of exploitation proliferate, today’s defenses will not be sufficient in the world of tomorrow. And that world might be as close as next year, month or week. It’s therefore worth reiterating, as many others have done before me, that we should be cyber-aware every month if we are going to be successful. It is certainly a start.
One of the best ways to continue to be aware is to look back and really ensure lessons are truly learned. Just a few months ago, some of our valued partners and collaborators at Bishop Fox published a Tech Blog entry focusing on a few weaknesses they proactively identified in the SIA Open Supervised Device Protocol (OSDP). At the time, an industry colleague reached out to me, a bit troubled about the title of that blog, which started with the words “Badge of Shame.” His concern was simple. Considering the content, findings and context of the blog, he thought the use of those particular words seemed “a bit sensational” as an introduction. And he wasn’t the only person who shared this view. To be clear, I cannot say I wholeheartedly disagreed.
The blog title was indeed eye-catching. And for me, those words conjured the idea that someone or some group did something wrong. It compelled me to read on and immediately set certain expectations in terms of findings. There was an anticipation of identifying “bad actors” or blatant problems. The word “shame” is strong and really means something specific. My expectation was a revelation about something possibly embarrassing or alarming.
Instead, what I quickly processed were five value-add insights that would lead to necessary protocol improvements. This is rather common for any protocol worth its salt. A “wrongdoer” was never actually identified because there is nothing wrong with improvement. Nothing “shameful” occurred. Just a little business as usual for almost any protocol. While there was no real earth-shattering discovery to be found within, I was locked into the content, and it was certainly of value. And I realized quickly that my colleague was focused on the wrong thing.
It struck me that the title achieved its goal. It ensured folks like me would read the article, likely remember the blog and probably share it. The title created cognizance of a topic that is important but could have been easily overlooked without some tactical and creative strategy applied. The title helped spread awareness, and that is of value. And the outcome of that awareness was clear. The OSDP user community is served because knowledge of some possible weaknesses has been widely shared. As a result, understanding and application of the protocol are being improved. The protocol itself is being enhanced. And like all good protocols, OSDP will continue that process of regular analysis, progression and evolution, in perpetuity.
Shedding light on weaknesses is healthy. That’s the awareness part. It’s necessary and fundamental. In the case of OSDP, we are talking about a protocol, which is a tool. Protocols serve as one of many tools in a good arsenal of a layered defense strategy. We should never expect protocols to “stand alone.” And all tools can and should evolve. Evolution doesn’t happen without awareness. Which brings us back to my original question. Can awareness, in and of itself, be enough?
If we are going to ensure lessons are truly learned in this case (and others), the takeaway is clear. Consider it a model for all cybersecurity tools in your arsenal because the same rules will apply. Continual and critical analysis, testing and refinement of defenses are minimum requirements. No tool is above improvement. Cyberattacks are always evolving. And if we are not persistently evaluating our tools and advancing upon solid foundations, our defenses become stale and ineffective. Value-add intel from all sources is critical if we are to ensure the effectiveness and longevity of any protocol, method or defense layer.
Are we open to and listening to the intel, learning from it and responding appropriately? In the case of the OSDP intel, we were all encouraged and proud to see the partnership and collaboration between Bishop Fox and SIA to achieve the best outcomes possible for the OSDP user community. Awareness was provided, listened to and understood. But more importantly, action was taken. And that is the key.
Following Cybersecurity Awareness Month, my call to action to the community is to continue to be aware and alert. Go beyond awareness and take action. Be vocal and proactive. Awareness without action is a loss for all of us. Rather than only pointing out the flaws, be part of the solution. It often takes a village, and in the OSDP case, multiple groups came together for the betterment of all. The outcome of cybersecurity awareness that is coupled with action is obvious: a safer and more secure user community.