The Problem with National Cybersecurity Awareness Month

Every October, the cybersecurity world ramps up its outreach. Banners go up. Webinars flood inboxes. Awareness posters multiply. The message is loud and clear: it’s National Cybersecurity Awareness Month, and it’s time to educate, engage, and empower users to make safer decisions.

The reality is that we don’t just need a louder October. We need a smarter year.

Before I go further, though, let me pause and give some credit where it’s due.

To my fellow security professionals who are planning events, hosting webinars, creating innovative training campaigns, and striving to make cybersecurity engaging this month, hats off to you. I know how hard it is to make security resonate with users who are already stretched thin. Your efforts are helping shape more resilient organizations, even if it doesn’t always feel that way.

But here's a challenge for you. Let’s not let all this energy end on October 31st.

As someone who has participated in numerous cybersecurity awareness events and activities over the past two decades in this field, I support the intent behind National Cybersecurity Awareness Month. Raising awareness is vital. But I believe we’ve reached a point where the annual push can feel more performative than productive. When we frontload cybersecurity messaging into 30 intense days, only to let it fizzle for the other 335, we’re not solving the problem. We’re spotlighting it.

And worse, we might be contributing to one of the very things we should be trying to fight: cyber fatigue.

In a previous article, "The Insider Threat You’re Ignoring: Employee Cyber Fatigue," I discussed the concept of cyber fatigue, emphasizing that employees sometimes aren’t ignoring cybersecurity because they don’t care. They’re exhausted. Too many alerts. Too many hoops. Too many one-size-fits-all policies that don't match real-world workflows. And now, here comes October with a firehose of well-meaning, but often overwhelming, messaging.

Yes, it's important to reinforce good behaviors. Yes, we want employees to be aware of the risks. But when we condense all that communication into a single month, it’s like cramming for a test and hoping the knowledge sticks. Spoiler alert, it doesn’t. I can attest to this as both a one-time student and current professor.

You know what does stick? Burnout. Resentment. Eye rolls at yet another training email or video.

We assume that more awareness equals better security. But if we’re not careful, Cybersecurity Awareness Month can turn into yet more compliance theater. We check the box without moving the needle.

And when users feel like they're being "cyber-preached at" nonstop in October, only to hear nothing the rest of the year, it sends a conflicting message. This stuff matters… but only once a year.

We need to stop treating cybersecurity awareness like an event and start treating it like an ecosystem. Security is not seasonal. Cybercriminals don’t take breaks. Ransomware doesn’t care about your campaign calendar. Our defense strategy shouldn’t hinge on whether it’s October.

If we want real resilience, we need a consistent, measured, and empathetic approach to awareness. I also discussed empathy in cybersecurity in my article on Cyber Fatigue, referenced above.

Here’s how we strike that balance:

  • Microlearning over marathons: Don’t wait for October to deliver bloated 60-minute modules. Break content into digestible, 1- to 2-minute segments, delivered monthly or as needed. Repetition and relevance are key.
  • Celebrate year-round wins: Highlight when someone catches a phishing email. Share anonymized success stories. Keep security top of mind without overwhelming.
  • Empower the champions: Every department has someone passionate about doing things right. Recruit them. Let them be the voice of security outside IT.
  • Measure impact, not activity: It’s easy to count how many users attended a webinar. It’s harder, but more valuable, to measure behavioral change over time.
  • Design for humans, not checklists: As I wrote before, empathy isn’t soft or woke. It’s strategic. Involve users in shaping policies. Ask them what works. Let security support the business, not stifle it.

The real goal of Cybersecurity Awareness Month shouldn't be just to raise awareness. It should be to build culture, which in turn influences behavior. That takes time. That takes trust. That takes more than a flurry of messages every fall.

We should absolutely use October as a catalyst. A successful awareness program doesn’t peak in one month. It weaves security into the organization's DNA.

So yes, it’s another National Cybersecurity Awareness Month. But this year, let’s shift the question from “What can we cram into October?” to “What habits are we nurturing year-round?” Because the most secure organizations aren’t the ones who talk about cybersecurity once a year, they are the ones who live it, model it, and evolve it every month.

Thanks for reading. If this sparked an idea, challenged your thinking, or taught you something new—hit that 'subscribe' button and bring a colleague along for the ride. - William

A great and thoughtful post. We very much agree that it needs to be a year-round focus!

My same thought before I even read the newsletter


That's much better than attending a sarcastic meeting.
