NuHarbor Security Blog
October 6, 2025

Cybersecurity Awareness Month: A Reset, Not a Ritual

Justin Fimlaid

October 1 kicks off the 22nd Cybersecurity Awareness Month. It’s usually uneventful, and I’ll admit, in past years I’ve forgotten it entirely. This year feels different. After months of uncertainty, the federal dust around budget cuts and shifting support models is finally settling. We have clearer lines on what stays, what changes, and what we can count on for the next year. For state, local, and higher-ed leaders, that means fewer rumors and more decisions: where to double down, what to retire, and how to braid the resources you still have into something durable.

October 1 can be Groundhog Day, another unused gym membership, or it can be the quiet day you reset the program and show up. Choose the reset. Put your head down, block the noise, and build a routine you can keep.


Treat this month like a focused training block. Pick the few moves that change outcomes: a disciplined patch cadence against the Known Exploited Vulnerabilities list; phishing-resistant MFA for the people who could do the most damage if compromised; and restore tests that prove you can get back up fast. No slogans, just consistent reps that compound.

Use October as a clean slate to re-baseline risk, set must-wins, and restart the habit loops that carry you to October ’26 with momentum, not fatigue.

Use Your Slingshot to Make New Habits

Awareness month doesn’t reduce risk. Habits do. If October is just posters and a phishing quiz, you’ll get a yawn (from me), some polite smiles, and zero curve change. Use it instead as a fiscal-style reset: re-baseline risk, refresh goals, and restart the routines that quietly compound over the next 12 months.

Start with intent. Pick three outcomes that matter to your FY25/26 plan and are small enough to land by Thanksgiving. Aim for discipline over drama: stand up a quarterly user access certification you can run without heroics; refresh your risk assessment and tie it to the controls you already track; schedule a timed restore for one crown-jewel system and set a simple KEV burndown you can report every Monday. Let October be the month you install routines, not announce moonshots. If you start the IAM replatform project, you’ll be working on it for the next year and October will lose its meaning, other than the month painful projects are launched.

Make the habits durable. Keep them small enough to survive November. Choose “half goals” you’ll actually finish over aspirational marathons you’ll abandon in three weeks. A 15-minute Monday risk huddle you never miss beats a two-hour meeting you always cancel. Three days a week of patch/identity/recovery reps beats aiming for seven and burning out by Halloween. Pick the smallest version that still moves risk, then keep it.


What’s Changed and Why You Should Care

After months of “wait and see,” the picture is finally coming into focus. CISA confirmed it isn’t renewing federal support for MS-ISAC, signaling a pivot toward grants, no-cost services, and more direct engagement. For public-sector leaders, that means fewer rumors and more choices: what to keep, what to sunset, and how to re-stack partnerships around the new model.

Zero-days are not new; they show up often. Supply chain risk is not new either; we have lived with it since Target and SolarWinds. The headline is not novelty. The headline is proximity and impact. Outages and data exposures are landing in places your constituents can see.

That is why this matters. When a county portal goes dark, permits stall and court calendars slip. When a university system is encrypted, students miss deadlines and financial aid gets delayed. When a state agency loses email, case workers fall behind and the call center fills up. These are not abstract risks. People feel them by noon.

October is your chance to push through. The environment is clearer, not calmer. Clarity is enough. Use it to set near-term actions that reduce visible risk now and position you to move faster through FY25 and FY26.


Lessons Learned and the Personal Application

Twenty-two years of Cybersecurity Awareness Month mostly bought us more subscriptions to KnowBe4 or Wombat Security (now Proofpoint), along with a fresh round of posters, while risk barely budged. People are still people, and attackers still want clout or cash. The real lever is not technical, it is behavioral, because people change when the stakes feel personal. For example, if you lose two iPhones, one personal and one issued by work, you already know which one makes your stomach drop. Work will replace the work phone, but the personal phone carries your photos, your banking apps, and your messages.

If you want lessons learned about failed projects, here is the headline: the campaigns that talked at people failed, and the big ambitious initiatives we launched in October turned into year-long slogs that taught everyone to dread the calendar. Do it differently by making the stakes personal and the work tangible. Run short clinics that help staff harden the accounts they actually care about, such as Facebook, Instagram, or personal email, and then show what happens when they do not. Connect those same actions to workplace security so the translation feels natural. When someone has experienced a real win in their own life, they bring that habit to the office without being asked.

If you truly want to move the needle, you must put in the work to reach people where they live. It is harder than buying another training license, but it sticks because it matters to them. Teach them to protect what matters to them, and they will think twice when securing the systems that matter to you.

Use the Fresh Start to Refresh Your Roadmap

A fresh start does not mean rewriting everything from scratch. It means pruning, sequencing, and putting first things first. Use October to archive the wish list that never lands, and shape a plan that delivers visible value in weeks while setting the stage for the next twelve months. Treat the month as your planning sprint and your first execution sprint at the same time. You also want to show the teams some early wins so you can exit October with high morale.

Set three constraints before you pick three projects. Keep time to value inside ninety days so the team sees progress and stakeholders stay engaged. Tie each effort to a single line of outcome a leader can read, such as fewer known exploited vulnerabilities exposed to the internet or a proven four-hour restore for a named system. Favor shared services and repeatable playbooks so the work lifts more than one organization. A state government might choose KEV burndown on internet-facing systems, a quarterly user access certification, and a tabletop for executives and communications. Higher education might choose phishing-resistant MFA for elevated roles, a restore test for the student information system, and a lightweight supply chain review for research apps. A public utility might choose segmentation around operational technology, a privileged access cleanup, and an immutable backup proof for outage response.

Use the momentum from your three October projects to power the annual plan. Keep the year in clean quarters and aim for wins, not heroics. November to January should lock a baseline against recognized goals, retire a slice of end-of-support tech, and cement a sustainable patch and identity cadence. February to April should add practical supply-chain guardrails, assign owners for a small set of high-value detections, and run a short tabletop series with operations, communications, and executives. May to July should deliver joint exercises with counties, municipalities, and campuses while proving a critical vendor outage does not become your outage. August to September should close KEV burndown targets, renew the no-cost services you actually use, and package budget asks so grants can move quickly when the window opens.
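The "simple KEV burndown you can report every Monday" and the "fewer known exploited vulnerabilities exposed to the internet" outcome above both reduce to one join: the CISA Known Exploited Vulnerabilities catalog against your own scan findings, filtered to what is still open and sorted by what hurts most. The script below is an added example, not NuHarbor's code or a CISA tool; the catalog records use the field names of the real KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate), but the records, the CVE identifiers (deliberately non-real placeholders) and the scan findings are constructed sample data, and the finding schema (asset, cve, internet_facing, remediated_on) is an assumption you would map your scanner's export onto.

```python
"""Weekly KEV burndown scorecard for a Monday risk huddle.

Added example (not NuHarbor's or CISA's code). Joins a subset of the CISA
Known Exploited Vulnerabilities (KEV) catalog against vulnerability-scan
findings and produces the numbers worth reading out each week: open KEV
exposures, how many are internet-facing, how many are past the CISA due
date, what closed last week, and what to fix first. Catalog keys follow the
real KEV JSON feed; all records and findings below are constructed samples
and the CVE IDs are placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed KEV subset (same keys as the CISA JSON feed, placeholder CVE IDs).
KEV_CATALOG = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "Edge Gateway",
     "dateAdded": "2025-08-04", "dueDate": "2025-08-25"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "Mail Server",
     "dateAdded": "2025-09-15", "dueDate": "2025-10-06"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCorp", "product": "HR Portal",
     "dateAdded": "2025-09-29", "dueDate": "2025-10-20"},
]

# Constructed scan findings (assumed schema): one row per asset/CVE pair.
# remediated_on stays None while the finding is open.
FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-0001", "internet_facing": True, "remediated_on": None},
    {"asset": "mail-01", "cve": "CVE-0000-0002", "internet_facing": True, "remediated_on": None},
    {"asset": "hr-portal", "cve": "CVE-0000-0003", "internet_facing": False, "remediated_on": None},
    {"asset": "mail-02", "cve": "CVE-0000-0002", "internet_facing": True, "remediated_on": "2025-10-02"},
    {"asset": "test-box", "cve": "CVE-0000-0099", "internet_facing": False, "remediated_on": None},  # not in KEV
]

AS_OF = date(2025, 10, 6)  # the Monday the scorecard is read out


@dataclass(frozen=True)
class OpenKev:
    asset: str
    cve: str
    product: str
    internet_facing: bool
    due: date
    days_overdue: int  # negative while still inside the CISA remediation window


def _d(s: str) -> date:
    return date.fromisoformat(s)


def open_kev_findings(catalog, findings, as_of: date) -> list:
    """Open findings that match a KEV entry, in fix-first order."""
    by_cve = {rec["cveID"]: rec for rec in catalog}
    out = []
    for f in findings:
        rec = by_cve.get(f["cve"])
        if rec is None or _d(rec["dateAdded"]) > as_of:
            continue  # not a KEV entry (or not yet listed on this date): tracked elsewhere
        if f["remediated_on"] and _d(f["remediated_on"]) <= as_of:
            continue  # already closed by this date
        due = _d(rec["dueDate"])
        out.append(OpenKev(f["asset"], f["cve"], rec["product"],
                           f["internet_facing"], due, (as_of - due).days))
    # Internet-facing before internal, then most overdue first, then by asset name.
    out.sort(key=lambda o: (not o.internet_facing, -o.days_overdue, o.asset))
    return out


def burndown_summary(catalog, findings, as_of: date, week_days: int = 7) -> dict:
    """The one-line-per-metric scorecard a leader can read."""
    open_items = open_kev_findings(catalog, findings, as_of)
    kev_ids = {r["cveID"] for r in catalog}
    closed_last_week = sum(
        1 for f in findings
        if f["cve"] in kev_ids and f["remediated_on"]
        and 0 <= (as_of - _d(f["remediated_on"])).days < week_days
    )
    return {
        "as_of": as_of.isoformat(),
        "open": len(open_items),
        "open_internet_facing": sum(o.internet_facing for o in open_items),
        "overdue": sum(o.days_overdue > 0 for o in open_items),
        "closed_last_week": closed_last_week,
        "fix_first": [f"{o.asset} {o.cve}" for o in open_items[:3]],
    }


def weekly_series(catalog, findings, end: date, weeks: int) -> list:
    """Open KEV count at each of the last `weeks` Mondays ending at `end`.

    The count can rise without anyone slipping: CISA adds entries, so the
    series shows the catalog growing as well as your remediation closing.
    """
    mondays = (end - timedelta(days=7 * i) for i in reversed(range(weeks)))
    return [(d.isoformat(), len(open_kev_findings(catalog, findings, d))) for d in mondays]


if __name__ == "__main__":
    for key, value in burndown_summary(KEV_CATALOG, FINDINGS, AS_OF).items():
        print(f"{key}: {value}")
    print("trend:", weekly_series(KEV_CATALOG, FINDINGS, AS_OF, 3))
```

Two design choices carry the post's point. Findings outside the KEV catalog are dropped from this scorecard on purpose, so the Monday number stays about known-exploited exposure rather than raw scanner volume; and the sort puts internet-facing, past-due items first so the "fix first" line is the same thing the leader's outcome sentence measures.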

Set the rhythm now while the slate is clean and the path is clearer even if the landscape is not calmer. If you lock the cadence in October and keep it simple enough to survive November, you will arrive at October ’26 with momentum rather than fatigue.


Use What You Have and Get Creative About the Rest

Start by braiding existing capacity with no-cost options. Scope projects for measurable outcomes and quick starts, then use SLCGP (the State and Local Cybersecurity Grant Program) to fund identity, vulnerability reduction, and incident readiness. Enroll in CISA’s no-cost services for internet-facing scans, phishing assessments, and performance goal reviews, and show up to your SAA (State Administrative Agency) with shovel-ready one-pagers so they can move fast.

Build a partner bench so progress is not tied to one check. States can offer shared services that locals adopt in days: external scanning, baseline monitoring, a common incident playbook, and a monthly “what to do next” brief. Higher ed can pair a campus SOC with smaller institutions for identity upgrades and recovery guidance. Utilities can prioritize OT segmentation, privileged access cleanup, and immutable backup proofs, using cooperative purchasing to skip long procurements.

Trade speed for scope. Use statewide contracts or co-ops to cut cycle time, and favor 90-day grants you can execute over big awards that stall. If a no-cost service gives you a weekly scan or simple assessment, make it the anchor of your Monday risk huddle so it drives decisions, not another unread report.

Keep the human side funded. Run short clinics that help staff harden the accounts they care about, then connect those behaviors to work systems so habits carry over. Offer a lightweight starter pack (MFA checklist, KEV burndown template, restore test guide, and a two-page incident script) and publish adoption so leaders can see momentum without a slide deck.

Creativity beats complaint. Combine grants, no-cost services, shared services, and cooperative purchasing, and stack small wins until capacity grows even when budgets tighten.

New Leaf, Same Mission

October is a clean slate, not a parade. Use it to set a rhythm you can keep when the spotlight moves on. Pick three projects that matter, ship them by Thanksgiving, and let that momentum power the next quarter. Keep the meetings short, the scorecard public, and the habits small enough to survive November.


The landscape is clearer even if it is not calmer. That is enough. Reduce the exposed known-bad. Lock down identity where compromise hurts most. Prove you can restore what people rely on by lunch. Help staff protect what they care about at home so those habits show up at work.

Turn the page and start the reps. If we keep the cadence through winter and spring, October ’26 will not feel like a finish line.

About the author
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.