January 2026 has rung in like most Januarys before it: with well-intentioned resolutions that likely won't last the full year. Unused gym memberships, PTO, and books will be relics of resolutions past by December. That is especially true in cybersecurity, particularly for state, local, and higher education leaders who are at the mercy of federal budget cuts and shifting support models. What January should be instead is a time to reset: get clear about what to retire and how to make meaningful changes with the tools you have today.
Treat the rest of this month like a focused training block. Pick the few moves that change outcomes: a disciplined patch cadence against the Known Exploited Vulnerabilities list; phishing-resistant MFA for the people who could do the most damage if compromised; and restore tests that prove you can get back up fast. No slogans, just consistent reps that compound.
Use January and February as a clean slate to re-baseline risk, set must-wins, and restart the habit loops that carry you through the end of 2026 with momentum, not fatigue.
Better Habits > Lofty Goals
Good intentions don't reduce risk. Habits do. If your 2026 security planning is full of lofty but unachievable goals, you will see no change in the risk curve and simply add pressure to your team without meaningful impact. Frame your security goals instead as a fiscal-style reset: re-baseline risk, refresh goals, and restart the routines that quietly compound over the next 12 months.
Start with intent. Pick three outcomes that matter to your FY26 plan and are small enough to land by March. Aim for discipline over drama: stand up a quarterly user access certification you can run without heroics; refresh your risk assessment and tie it to the controls you already track; schedule a timed restore for one crown-jewel system and set a simple KEV burndown you can report every Monday. Let February be the month you install routines, not announce moonshots. If you start the IAM replatform project, you’ll be working on it for the next year and your FY26 plan will lose its meaning.
Make the habits durable. Keep them small enough to survive Q1. Choose “half goals” you’ll actually finish over aspirational marathons you’ll abandon in three weeks. A 15-minute Monday risk huddle you never miss beats a two-hour meeting you always cancel. Three days a week of patch/identity/recovery reps beats aiming for seven and burning out before Q2. Pick the smallest version that still moves risk, then keep it.
Clarity Is Enough to Act
After months of “wait and see,” the picture is finally coming into focus. CISA confirmed it isn’t renewing federal support for MS-ISAC, signaling a pivot toward grants, no-cost services, and more direct engagement. For public sector leaders, that means fewer rumors and more choices: what to keep, what to sunset, and how to re-stack partnerships around the new model.
Zero-days are not new; they show up often. Supply chain risk is not new either; we have lived with it since Target and SolarWinds. The headline is not novelty. The headline is proximity and impact. Outages and data exposures are landing in places your constituents can see.
That is why this matters. When a county portal goes dark, permits stall and court calendars slip. When a university system is encrypted, students miss deadlines and financial aid gets delayed. When a state agency loses email, case workers fall behind, and the call center fills up. These are not abstract risks. People feel them by noon.
Now is your chance to push through. The environment is clearer, not calmer. Clarity is enough. Use it to set near-term actions that reduce visible risk now and position you to move faster through FY26 onward.
Make the Stakes Personal
People are still people, and attackers still want clout or cash. The real lever is not technical, it is behavioral, because people change when the stakes feel personal. For example, if you lose two iPhones, one personal and one issued by work, you already know which one makes your stomach drop. Work will replace the work phone, but the personal phone carries your photos, your banking apps, and your messages.
If you want lessons learned about failed projects, here is the headline: the campaigns that talked at people failed, and the big ambitious initiatives we launched in January turned into year-long slogs that taught everyone to dread the calendar. Do it differently by making the stakes personal and the work tangible. Run short clinics that help staff harden the accounts they actually care about, such as Facebook, Instagram, or personal email, and then show what happens when they do not. Connect those same actions to workplace security, so the translation feels natural. When someone has experienced a real win in their own life, they bring that habit to the office without being asked.
If you truly want to move the needle, you must put in the work to reach people where they live. It is harder than buying another training license, but it sticks because it matters to them. Teach them to protect what matters to them, and they will think twice when securing the systems that matter to you.
What to Keep, Kill, and Build
A fresh start does not mean rewriting everything from scratch. It means pruning, sequencing, and putting first things first. Use the next few weeks to archive the wish list that never lands and shape a plan that delivers visible value in weeks while setting the stage for the next eleven months. Treat this quarter as your planning sprint and your first execution sprint at the same time. You also want to show the teams some early wins, so you can exit Q1 with high morale.
Set three constraints before you pick three projects. Keep time to value inside ninety days, so the team sees progress and stakeholders stay engaged. Tie each effort to a single line of outcome a leader can read, such as fewer known exploited vulnerabilities exposed to the internet or a proven four-hour restore for a named system. Favor shared services and repeatable playbooks so the work lifts more than one organization. A state government might choose KEV burndown on internet-facing systems, a quarterly user access certification, and a tabletop for executives and communications. Higher education might choose phishing-resistant MFA for elevated roles, a restore test for the student information system, and a lightweight supply chain review for research apps. A public utility might choose segmentation around operational technology, a privileged access cleanup, and an immutable backup proof for outage response.
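The "simple KEV burndown you can report every Monday" from the goal-setting paragraph above and the "fewer known exploited vulnerabilities exposed to the internet" outcome line here can be produced by a short script; the one below is an added example, not code from the original post or from NuHarbor. It assumes a local copy of the CISA Known Exploited Vulnerabilities catalog JSON (the embedded excerpt is constructed with placeholder CVE IDs in the catalog's field layout) and a scanner export joined to an asset-inventory flag for internet exposure; the `FINDINGS` field names are assumptions.

```python
import json
from datetime import date

# Constructed excerpt in the field layout of the CISA KEV catalog JSON feed
# (a "vulnerabilities" list). The CVE IDs are placeholders, not real entries.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
  "dateAdded": "2025-11-03", "dueDate": "2025-11-24"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
  "dateAdded": "2026-01-05", "dueDate": "2026-01-26"},
 {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "VPN Appliance",
  "dateAdded": "2025-12-15", "dueDate": "2026-01-05"}]}"""

# Constructed scanner findings, one row per (host, CVE), joined to an asset
# inventory flag that says whether the host is reachable from the internet.
FINDINGS = [
    {"host": "web-01", "internet_facing": True, "cve": "CVE-0000-0001"},
    {"host": "web-01", "internet_facing": True, "cve": "CVE-9999-0009"},  # not in KEV
    {"host": "mail-01", "internet_facing": True, "cve": "CVE-0000-0002"},
    {"host": "vpn-01", "internet_facing": True, "cve": "CVE-0000-0003"},
    {"host": "db-02", "internet_facing": False, "cve": "CVE-0000-0001"},
]
TODAY = date(2026, 1, 19)  # the Monday this report is run

def load_kev(kev_json):
    """Index the catalog by CVE ID so each finding is matched in one lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def kev_burndown(kev_json, findings, today):
    """Count KEV-listed findings, split by internet exposure and CISA due date."""
    kev = load_kev(kev_json)
    hits = [f for f in findings if f["cve"] in kev]
    exposed = [f for f in hits if f["internet_facing"]]
    def days_left(f):  # negative once the CISA remediation due date has passed
        return (date.fromisoformat(kev[f["cve"]]["dueDate"]) - today).days
    return {
        "exposed_kev_findings": len(exposed),
        "internal_kev_findings": len(hits) - len(exposed),
        "overdue": sorted((f["host"], f["cve"]) for f in exposed if days_left(f) < 0),
        "due_within_7_days": sorted((f["host"], f["cve"]) for f in exposed
                                    if 0 <= days_left(f) <= 7),
    }

def burndown_line(report, last_week_exposed):
    """The one line for the Monday huddle: current exposure plus week-over-week delta."""
    delta = report["exposed_kev_findings"] - last_week_exposed
    return (f"KEV burndown: {report['exposed_kev_findings']} exposed ({delta:+d} vs last "
            f"week), {len(report['overdue'])} past CISA due date, "
            f"{len(report['due_within_7_days'])} due this week")
```

Internal hosts with KEV-listed flaws are counted separately so the Monday number stays focused on what is reachable from the internet, which is the exposure the page tells you to burn down first.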
Use the momentum from your three projects to power the annual plan. Keep the year in clean quarters and aim for wins, not heroics. February to April should add practical supply-chain guardrails, assign owners for a small set of high-value detections, and run a short tabletop series with operations, communications, and executives. May to July should deliver joint exercises with counties, municipalities, and campuses while proving a critical vendor outage does not become your outage. August to September should close KEV burndown targets, renew the no-cost services you actually use, and package budget asks so grants can move quickly when the window opens.
Set the rhythm now while the slate is clean and the path is clearer even if the landscape is not calmer. If you lock the cadence in now and keep it simple enough to survive February, you will arrive at January ’27 with momentum rather than fatigue.
Momentum Beats Perfect Conditions
Start by braiding existing capacity with no-cost options. Scope projects for measurable outcomes and quick starts, then use SLCGP to fund identity, vulnerability reduction, and incident readiness. Enroll in CISA’s no-cost services for internet-facing scans, phishing assessments, and performance goal reviews, and show up to your SAA with shovel-ready one-pagers so they can move fast.
Build a partner bench so progress is not tied to one check. States can offer shared services that locals adopt in days: external scanning, baseline monitoring, a common incident playbook, and a monthly “what to do next” brief. Higher ed can pair a campus SOC with smaller institutions for identity upgrades and recovery guidance. Utilities can prioritize OT segmentation, privileged access cleanup, and immutable backup proofs, using cooperative purchasing to skip long procurements.
Trade speed for scope. Use statewide contracts or co-ops to cut cycle time, and favor 90-day grants you can execute over big awards that stall. If a no-cost service gives you a weekly scan or simple assessment, make it the anchor of your Monday risk huddle so it drives decisions, not another unread report.
Keep the human side funded. Run short clinics that help staff harden the accounts they care about, then connect those behaviors to work systems so habits carry over. Offer a lightweight starter pack (MFA checklist, KEV burndown template, restore test guide, and a two-page incident script) and publish adoption so leaders can see momentum without a slide deck.
Creativity beats complaint. Combine grants, no-cost services, shared services, and cooperative purchasing, and stack small wins until capacity grows even when budgets tighten.
The Goal Isn't a Massive Change, It's a Sustainable One
2026 is a clean slate, not a parade. Use it to set a rhythm you can keep when the spotlight moves on. Pick three projects that matter, ship them by March, and let that momentum power the next quarter. Keep the meetings short, the scorecard public, and the habits small enough to survive.
The landscape is clearer even if it is not calmer. That is enough. Reduce the exposed known-bad. Lock down identity where compromise hurts most. Prove you can restore what people rely on by lunch. Help staff protect what they care about at home so those habits show up at work. Time to turn the page and start the reps.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.