Cybersecurity Awareness Month may not be everyone’s favorite holiday, but for the cybersecurity industry, it can inspire the same love-hate relationship that most people have with their chosen festivities throughout the holiday season.


The month serves as an opportunity for cybersecurity companies around the world to gain extra exposure for their work in sectors beyond their typical customer base through pithy media comments and a heavy slate of conferences. But the celebrations also bring pressure for companies to sell new cybersecurity tools and services, drowning out more altruistic efforts to raise real awareness about the problems and causes in cybersecurity. Similarly, reaching an audience who actually needs to become more aware of the importance of cybersecurity has historically been a struggle for technical-minded practitioners during the month of October.


The security community needs Cybersecurity Awareness Month, but we need to do it better in order to advance our mission of keeping people safe online and helping them understand why that safety matters.


The first step to creating a more effective awareness campaign is improving the way industry people disseminate information to those who are not in the industry. Too often in October, I see colleagues online shaming or mocking outdated security practices, like keeping your passwords in a physical notebook, or insinuating that good-faith cybersecurity awareness campaigns are too elementary in their teachings to make a difference. Whether you think that you’re too knowledgeable to participate in Cybersecurity Awareness Month or not, it ultimately doesn’t matter if cyberattacks continue to rise every year, in virtually every sector.


It takes all of my Zen not to respond by telling these industry professionals that they are not, nor should they ever be, the intended audience for Cybersecurity Awareness Month. Our industry has a real problem with communicating in general with non-technical people, and nothing will slow our progress quite like inferring that the general public is too blockheaded to adopt proper security practices. For example, there’s no reason it should have taken 10 years, so far, to fail at convincing the general public to use unique passwords everywhere. Technology is available to help them, notebooks are available to help them, but they won’t know that if we as an industry continue to do a terrible job of communicating the benefits of basic cybersecurity hygiene.


Another drawback of Cybersecurity Awareness Month is the emphasis on selling, rather than educating, the market. The month could play a huge role in showcasing the benefits of adhering to basic measures like using unique passwords, password managers and multifactor authentication, but too often vendors use the month as a sales opportunity to push a new product instead of pushing better information about security practices. A more meaningful sales pitch might be if every security company gave away a service for free in October, enabling customers to learn for free why they should invest in cybersecurity before an attack happens rather than after.


But even absent an industry-wide freebie program, programming around the month is getting better, thanks to the celebration’s tremendous growth in popularity in the last five years. Government agencies in the United States and the United Kingdom are participating in exercises dedicated to this year’s theme, which is “See yourself in Cyber.” The Cybersecurity and Infrastructure Security Agency plans on doubling down on highlighting the importance of using MFA, strong passwords, recognizing phishing attempts and updating software regularly in order to empower the average person into taking ownership of their security posture. This is an admirable goal, and it’s one that I think we can run back next year, and the year after, and the year after that.


Until those basics are accomplished, we should probably call it password month.