Are your initiatives actually moving risk, or just moving merch? 🧢
BEHAVE Newsletter

It’s cybersecurity awareness month. Are you going through the motions?

 

 

Wonderful renegades, mavericks, and deviants,

 

 

Chances are that if you’re reading this, you’re always striving for something bigger. I’d guess you’re not the type of person who’s just here to warm the bench. You want to make a real impact rather than simply making your workforce feel good or say nice things about your security initiatives. You want real changes in behavior and risk. Did I get that right?

 

So, let’s talk. It’s October. Cybersecurity Awareness Month. Be honest: are your CAM initiatives having an impact beyond sentiment? Or, as someone once said to me: “Are you moving risk, or are you moving merch?”

 

If you are going through the motions, I get how bloody hard it is. CAM’s a beast that can run away with itself. It comes with expectations from leadership, security colleagues, and end users. Some people in your organization will throw themselves in enthusiastically. Others will roll their eyes and think it’s “peak cringe”.

 

For some of you, the spotlight’s welcome. Even if parts feel more superficial than you’d like, at least executive leadership and the workforce are talking about security and thinking about your work, right?

 

I get it.

 

This next bit may come as a surprise: I sometimes think October is one of the saddest months of the year. But I know for many, it’s one of the most important and impactful times.

 

Now, it’s not that visibility doesn’t matter. To be truly valued, your work needs to be visible and clearly linked to business priorities. If you’re not visible, it’s hard to be taken seriously. And if you’re not taken seriously, you won’t be valued in the same way that other functions are.

 

But be careful. CAM often gravitates more toward the experiential than the analytical. Escape rooms. Quizzes. Games. Posters. Webinars. Email campaigns. Branded merch… These all raise visibility, and they help increase awareness of cybersecurity issues, with the hope that security behaviors improve and security culture strengthens. (Too many people rely too much on hope as a strategy. Others have started to realize that awareness doesn’t equal behavior change.)

 

But deep down, we all know it’s a double-edged sword. The same activities that raise visibility can teach people to see your role as communication, training, and events. Now, I don’t care who you are—that brief will never be taken as seriously as the rest of the security and risk function.

 

And of course, you know your role is about far more than making security fun, or “making security stick.” If you’re not careful, October’s activities (no matter how epic they were to organize) can harden the idea that you’re in the business of edutainment. You’re not.

 

So stay true to your path. Remember to distinguish between inputs, outputs, and outcomes, in your own mind and in your briefings. Focus on impact and outcomes. And don’t forget that there are so many ways you can increase the perceived value of what you do to manage human cyber risk.

 

Then as soon as CAM’s over, get back ASAP to talking about the impact you’re having across the widest range of security behaviors (not just simulated phishing 😉). Help your organization manage human risk intelligently, using data and evidence to drive decisions.

 

This is what you’re called to do. This is your personal legend.

 

If you ever want to talk, or if I can help, let me know: Book some time with me.

 

I know you’ve got this.

 

P.S. I’m not dissing CAM. Far from it. It matters, and we love the work the National Cybersecurity Alliance (the founders of CAM) have done to elevate cybersecurity issues. I just want fewer human risk managers to find themselves pigeonholed in the “fun and posters” camp come November 1, that’s all.

 

 

— Oz A

 

 

      Oz Alashe


      CEO and Founder, CybSafe


        CybSafe, Level 39, One Canada Square, Canary Wharf, London, United Kingdom, E14 5AB
