


October 1 kicks off the 22nd Cybersecurity Awareness Month. It’s usually uneventful, and I’ll admit, in past years I’ve forgotten it entirely. This year feels different. After months of uncertainty, the federal dust around budget cuts and shifting support models is finally settling. We have clearer lines on what stays, what changes, and what we can count on for the next year. For state, local, and higher-ed leaders, that means fewer rumors and more decisions: where to double down, what to retire, and how to braid the resources you still have into something durable.
October 1 can be Groundhog Day, another unused gym membership, or it can be the quiet day you reset the program and show up. Choose the reset. Put your head down, block the noise, and build a routine you can keep.
Treat this month like a focused training block. Pick the few moves that change outcomes: a disciplined patch cadence against CISA's Known Exploited Vulnerabilities (KEV) catalog; phishing-resistant MFA for the people who could do the most damage if compromised; and restore tests that prove you can get back up fast. No slogans, just consistent reps that compound.
Use October as a clean slate to re-baseline risk, set must-wins, and restart the habit loops that carry you to October ’26 with momentum, not fatigue.
Use Your Slingshot to Make New Habits
Awareness month doesn’t reduce risk. Habits do. If October is just posters and a phishing quiz, you’ll get a yawn (from me), some polite smiles, and zero curve change. Use it instead as a fiscal-style reset: re-baseline risk, refresh goals, and restart the routines that quietly compound over the next 12 months.
Start with intent. Pick three outcomes that matter to your FY25/26 plan and are small enough to land by Thanksgiving. Aim for discipline over drama: stand up a quarterly user access certification you can run without heroics; refresh your risk assessment and tie it to the controls you already track; schedule a timed restore for one crown-jewel system and set a simple KEV burndown you can report every Monday. Let October be the month you install routines, not announce moonshots. If you start the IAM replatform project, you’ll be working on it for the next year and October will lose its meaning, other than the month painful projects are launched.
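The "simple KEV burndown you can report every Monday" is the one item on that list that is pure arithmetic once the data is joined, so here is a worked version. This is an added example, not NuHarbor's code or a CISA tool: it joins a scanner export against the KEV catalog and prints the four numbers a Monday huddle needs. The KEV field names (cveID, dueDate, knownRansomwareCampaignUse) follow CISA's published JSON feed, but the catalog subset, the CVE ids, the asset names and the inventory schema (asset, cve, internet_facing, remediated) are all constructed for this example.

```python
"""Weekly KEV burndown report (added example, not the page's or NuHarbor's code).

Joins a vulnerability-scanner export against the CISA Known Exploited
Vulnerabilities (KEV) catalog and produces the handful of numbers a Monday
risk huddle needs: open KEV findings, how many are internet-facing, how many
are past CISA's due date, and the change since last week.
"""
import json
from datetime import date
from typing import Optional

# Constructed subset of the KEV catalog. Field names (cveID, dueDate,
# knownRansomwareCampaignUse) follow CISA's JSON feed; the CVE ids are
# placeholders for this example, not real catalog entries.
KEV_CATALOG_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2025-08-20", "dueDate": "2025-09-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-1002", "vendorProject": "ExampleCMS", "product": "Portal",
     "dateAdded": "2025-09-15", "dueDate": "2025-10-06", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-1003", "vendorProject": "ExampleDB", "product": "Server",
     "dateAdded": "2025-09-25", "dueDate": "2025-10-16", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner export: one row per (asset, CVE) finding. The schema
# (asset, cve, internet_facing, remediated) is assumed, not any vendor's.
INVENTORY = [
    {"asset": "vpn-gw-01",   "cve": "CVE-0000-1001", "internet_facing": True,  "remediated": False},
    {"asset": "vpn-gw-02",   "cve": "CVE-0000-1001", "internet_facing": True,  "remediated": True},
    {"asset": "permits-web", "cve": "CVE-0000-1002", "internet_facing": True,  "remediated": False},
    {"asset": "hr-db-01",    "cve": "CVE-0000-1003", "internet_facing": False, "remediated": False},
    {"asset": "intranet",    "cve": "CVE-0000-9999", "internet_facing": False, "remediated": False},
]


def load_kev(catalog_json: str) -> dict:
    """Index the KEV feed by CVE id so inventory rows join in constant time."""
    return {v["cveID"]: v for v in json.loads(catalog_json)["vulnerabilities"]}


def kev_burndown(kev: dict, inventory: list, today: date,
                 last_week_open: Optional[int] = None) -> dict:
    """Compute the Monday numbers. Only findings that are open AND in KEV count;
    everything else is a different backlog, not this scorecard."""
    open_kev = [r for r in inventory if not r["remediated"] and r["cve"] in kev]

    def due(r: dict) -> date:
        return date.fromisoformat(kev[r["cve"]]["dueDate"])

    # A finding due today is not yet overdue; strictly earlier dates are.
    overdue = [r for r in open_kev if due(r) < today]
    exposed = [r for r in open_kev if r["internet_facing"]]
    ransomware = [r for r in open_kev
                  if kev[r["cve"]].get("knownRansomwareCampaignUse") == "Known"]

    # Huddle order: overdue first, then internet-facing, then earliest due date.
    def priority(r: dict):
        return (due(r) >= today, not r["internet_facing"], due(r))

    return {
        "open": len(open_kev),
        "internet_facing": len(exposed),
        "overdue": len(overdue),
        "ransomware_linked": len(ransomware),
        "delta_vs_last_week": None if last_week_open is None else len(open_kev) - last_week_open,
        "queue": [(r["asset"], r["cve"], kev[r["cve"]]["dueDate"])
                  for r in sorted(open_kev, key=priority)],
    }


def format_report(report: dict, today: date) -> str:
    """Render the scorecard as plain text that fits in a chat message."""
    delta = report["delta_vs_last_week"]
    trend = "n/a (first week)" if delta is None else f"{delta:+d} vs last week"
    lines = [
        f"KEV burndown for week of {today.isoformat()}",
        f"Open KEV findings: {report['open']} ({trend})",
        f"  internet-facing: {report['internet_facing']}",
        f"  past CISA due date: {report['overdue']}",
        f"  tied to known ransomware use: {report['ransomware_linked']}",
        "Work queue (asset, CVE, due):",
    ]
    lines += [f"  {asset}  {cve}  due {due_date}" for asset, cve, due_date in report["queue"]]
    return "\n".join(lines)


if __name__ == "__main__":
    monday = date(2025, 10, 6)
    kev = load_kev(KEV_CATALOG_JSON)
    print(format_report(kev_burndown(kev, INVENTORY, monday, last_week_open=5), monday))
```

To run it for real, replace `KEV_CATALOG_JSON` with the current catalog downloaded from CISA's feed and `INVENTORY` with last week's scanner export; the only state you carry week to week is the previous `open` count, which is what turns a snapshot into a burndown. The deliberate choice is what the scorecard ignores: findings that are not in KEV and assets already remediated never appear, so the number only moves when exploited-in-the-wild exposure actually changes.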
Make the habits durable. Keep them small enough to survive November. Choose “half goals” you’ll actually finish over aspirational marathons you’ll abandon in three weeks. A 15-minute Monday risk huddle you never miss beats a two-hour meeting you always cancel. Three days a week of patch/identity/recovery reps beats aiming for seven and burning out by Halloween. Pick the smallest version that still moves risk, then keep it.
What’s Changed and Why You Should Care
After months of “wait and see,” the picture is finally coming into focus. CISA confirmed it isn’t renewing federal support for MS-ISAC, signaling a pivot toward grants, no-cost services, and more direct engagement. For public-sector leaders, that means fewer rumors and more choices: what to keep, what to sunset, and how to re-stack partnerships around the new model.
Zero-days are not new; they show up often. Supply chain risk is not new either; we have lived with it since Target and SolarWinds. The headline is not novelty. The headline is proximity and impact. Outages and data exposures are landing in places your constituents can see.
That is why this matters. When a county portal goes dark, permits stall and court calendars slip. When a university system is encrypted, students miss deadlines and financial aid gets delayed. When a state agency loses email, case workers fall behind and the call center fills up. These are not abstract risks. People feel them by noon.
October is your chance to push through. The environment is clearer, not calmer. Clarity is enough. Use it to set near-term actions that reduce visible risk now and position you to move faster through FY25 and FY26.
Lessons Learned and the Personal Application
Twenty-two years of Cybersecurity Awareness Month mostly bought us more subscriptions to KnowBe4 or Wombat Security (now Proofpoint), along with a fresh round of posters, while risk barely budged. People are still people, and attackers still want clout or cash. The real lever is not technical, it is behavioral, because people change when the stakes feel personal. For example, if you lose two iPhones, one personal and one issued by work, you already know which one makes your stomach drop. Work will replace the work phone, but the personal phone carries your photos, your banking apps, and your messages.
If you want lessons learned about failed projects, here is the headline: the campaigns that talked at people failed, and the big ambitious initiatives we launched in October turned into year-long slogs that taught everyone to dread the calendar. Do it differently by making the stakes personal and the work tangible. Run short clinics that help staff harden the accounts they actually care about, such as Facebook, Instagram, or personal email, and then show what happens when they do not. Connect those same actions to workplace security so the translation feels natural. When someone has experienced a real win in their own life, they bring that habit to the office without being asked.
If you truly want to move the needle, you must put in the work to reach people where they live. It is harder than buying another training license, but it sticks because it matters to them. Teach them to protect what matters to them, and they will think twice when securing the systems that matter to you.
Use the Fresh Start to Refresh Your Roadmap
A fresh start does not mean rewriting everything from scratch. It means pruning, sequencing, and putting first things first. Use October to archive the wish list that never lands, and shape a plan that delivers visible value in weeks while setting the stage for the next twelve months. Treat the month as your planning sprint and your first execution sprint at the same time. You also want to show the teams some early wins so you can exit October with high morale.
Set three constraints before you pick three projects. Keep time to value inside ninety days so the team sees progress and stakeholders stay engaged. Tie each effort to a single line of outcome a leader can read, such as fewer known exploited vulnerabilities exposed to the internet or a proven four-hour restore for a named system. Favor shared services and repeatable playbooks so the work lifts more than one organization. A state government might choose KEV burndown on internet-facing systems, a quarterly user access certification, and a tabletop for executives and communications. Higher education might choose phishing-resistant MFA for elevated roles, a restore test for the student information system, and a lightweight supply chain review for research apps. A public utility might choose segmentation around operational technology, a privileged access cleanup, and an immutable backup proof for outage response.
Use the momentum from your three October projects to power the annual plan. Keep the year in clean quarters and aim for wins, not heroics. November to January should lock a baseline against recognized goals, retire a slice of end-of-support tech, and cement a sustainable patch and identity cadence. February to April should add practical supply-chain guardrails, assign owners for a small set of high-value detections, and run a short tabletop series with operations, communications, and executives. May to July should deliver joint exercises with counties, municipalities, and campuses while proving a critical vendor outage does not become your outage. August to September should close KEV burndown targets, renew the no-cost services you actually use, and package budget asks so grants can move quickly when the window opens.
Set the rhythm now while the slate is clean and the path is clearer, even if the landscape is not calmer. If you lock the cadence in October and keep it simple enough to survive November, you will arrive at October ’26 with momentum rather than fatigue.
Use What You Have and Get Creative About the Rest
Start by braiding existing capacity with no-cost options. Scope projects for measurable outcomes and quick starts, then use the State and Local Cybersecurity Grant Program (SLCGP) to fund identity, vulnerability reduction, and incident readiness. Enroll in CISA’s no-cost services for internet-facing scans, phishing assessments, and performance goal reviews, and show up to your State Administrative Agency (SAA) with shovel-ready one-pagers so they can move fast.
Build a partner bench so progress is not tied to one check. States can offer shared services that locals adopt in days: external scanning, baseline monitoring, a common incident playbook, and a monthly “what to do next” brief. Higher ed can pair a campus SOC with smaller institutions for identity upgrades and recovery guidance. Utilities can prioritize OT segmentation, privileged access cleanup, and immutable backup proofs, using cooperative purchasing to skip long procurements.
Trade speed for scope. Use statewide contracts or co-ops to cut cycle time, and favor 90-day grants you can execute over big awards that stall. If a no-cost service gives you a weekly scan or simple assessment, make it the anchor of your Monday risk huddle so it drives decisions, not another unread report.
Keep the human side funded. Run short clinics that help staff harden the accounts they care about, then connect those behaviors to work systems so habits carry over. Offer a lightweight starter pack (MFA checklist, KEV burndown template, restore test guide, and a two-page incident script) and publish adoption so leaders can see momentum without a slide deck.
Creativity beats complaint. Combine grants, no-cost services, shared services, and cooperative purchasing, and stack small wins until capacity grows even when budgets tighten.
New Leaf, Same Mission
October is a clean slate, not a parade. Use it to set a rhythm you can keep when the spotlight moves on. Pick three projects that matter, ship them by Thanksgiving, and let that momentum power the next quarter. Keep the meetings short, the scorecard public, and the habits small enough to survive November.
The landscape is clearer even if it is not calmer. That is enough. Reduce the exposed known-bad. Lock down identity where compromise hurts most. Prove you can restore what people rely on by lunch. Help staff protect what they care about at home so those habits show up at work.
Turn the page and start the reps. If we keep the cadence through winter and spring, October ’26 will not feel like a finish line.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.