CISA Launches Secure Our World Cyber Awareness Campaign — September 19, 2023
CISA’s Secure Our World awareness campaign, launched 19 September 2023, sets four behavioural pillars that boards must fold into governance metrics while security, HR, and privacy teams execute training, technology, and DSAR-supporting processes aligned to the new programme.
Executive briefing: On 19 September 2023 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched Secure Our World, a year-round public awareness campaign distilled into four core behaviours: use strong passwords, enable multifactor authentication (MFA), recognise phishing, and update software. The initiative replaces the limited-duration Cybersecurity Awareness Month model with ongoing outreach, toolkits, and partnerships. For enterprises, the campaign provides authoritative messaging that boards can incorporate into governance scorecards, while operations teams align employee education, technical controls, and DSAR support processes with CISA’s guidance.
Governance implications
CISA is positioning Secure Our World as a standard set of cyber hygiene expectations for businesses, governments, and individuals. Corporate boards and risk committees should map the four behaviours to their cybersecurity oversight frameworks, embedding them within key risk indicators. For example, monthly dashboards can report MFA adoption rates, privileged account password rotation, phishing simulation performance, and patch cadence. Linking these metrics to incentive plans or risk appetite statements signals leadership commitment and demonstrates due diligence to regulators and insurers.
The campaign also emphasises community engagement. Governance charters may assign responsibility to CSR or public affairs teams to share Secure Our World messaging with customers and partners, reinforcing ecosystem resilience. Legal counsel reviews marketing and privacy policies to ensure awareness content distributed to consumers accurately reflects security capabilities without overstating protection.
Implementation roadmap
Phase 1 – Messaging alignment: Within 30 days, communications teams integrate CISA’s branding and key phrases into internal and external channels (intranet banners, email signatures, social media posts). Security awareness leads download the official toolkit and adapt posters, checklists, and videos to the organisation’s style guide. Leadership communications—town halls, board updates, CEO memos—reference the campaign to demonstrate tone from the top.
Phase 2 – Technical control validation: Identity and access management teams verify MFA coverage across all critical applications, prioritising DSAR portals, HR systems, and customer support tools that process personal data. They document exceptions, establish timelines to close gaps, and implement phishing-resistant authentication (FIDO2, WebAuthn) for privileged access. Endpoint management groups assess patch management SLAs, ensuring operating system and application updates meet or exceed CISA’s recommendations. Email security teams refine phishing detection, sandboxing, and DMARC enforcement, aligning detection and response metrics with campaign objectives.
Phase 3 – Behavioural reinforcement: Security awareness programmes schedule quarterly campaigns aligned with the four behaviours. Microlearning modules demonstrate how to create strong passphrases, recognise phishing cues, and enable automatic updates. Phishing simulations test employees on real-world lures (e.g., fake DSAR notifications or software update prompts), providing targeted coaching to repeat offenders. HR integrates cybersecurity expectations into performance reviews and onboarding checklists.
DSAR and privacy operations
Secure Our World intersects with privacy obligations by emphasising protection of personal data handled during DSAR fulfilment. Privacy teams review DSAR workflows to ensure MFA is enforced for staff accessing subject data, particularly when exporting sensitive information. They also confirm that DSAR portals use strong password policies, rate limiting, and phishing-resistant login pages to prevent account takeover. Templates for DSAR response emails incorporate anti-phishing tips, helping data subjects distinguish legitimate communications from scams.
Incident response plans for DSAR systems incorporate CISA’s messaging. For example, if a phishing campaign targets DSAR case managers, the response playbook outlines immediate password resets, MFA verification, and breach assessment. Privacy notices and consent forms can reference the organisation’s alignment with Secure Our World behaviours, building customer trust by demonstrating adherence to nationally endorsed best practices.
Third-party and vendor management
Many DSAR and customer data processes rely on vendors. Procurement teams update security questionnaires to reference Secure Our World expectations: vendors must document MFA coverage, password policies, phishing training, and patch management processes. Contracts include clauses requiring adherence to these behaviours and notification obligations if controls lapse. Vendor scorecards incorporate CISA-aligned metrics, and periodic audits test compliance through evidence reviews and simulated phishing campaigns.
Cloud service providers hosting DSAR applications are asked to share Secure Our World-aligned training resources with their support staff. Joint incident response exercises confirm that vendor teams can recognise phishing attempts affecting shared environments and coordinate updates promptly.
Measurement and reporting
Secure Our World encourages organisations to track progress over time. Security operations centres (SOCs) implement dashboards capturing:
- MFA adoption percentages by user segment and application criticality.
- Average password strength scores (entropy) for privileged and standard accounts.
- Phishing simulation click rates, report rates, and time to report.
- Patch compliance: percentage of devices patched within policy-defined windows, broken down by operating system and critical applications.
Boards review these metrics quarterly, linking them to enterprise risk appetite. Privacy committees receive DSAR-specific metrics: MFA enforcement, number of DSAR-related phishing attempts detected, and time to remediate vulnerabilities in DSAR tooling. Where metrics lag, remediation plans specify technology upgrades, additional training, or process changes.
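As an added example, not taken from CISA's toolkit or from the original article, the following Python computes the four dashboard metrics listed above from constructed sample records; the record layouts, the 14-day patch window and the treatment of unpatched devices still inside their window as pending rather than non-compliant are assumptions.

```python
# Added example (not CISA's or the campaign's material): the four dashboard metrics
# listed above, computed from constructed sample records. Record layouts are assumptions.
from datetime import datetime, timedelta
from statistics import median

def pct(part, whole):
    """Percentage to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def mfa_adoption(accounts, group_index):
    """MFA adoption % grouped by column 0 (user segment) or 1 (app criticality)."""
    totals, enrolled = {}, {}
    for row in accounts:
        key = row[group_index]
        totals[key] = totals.get(key, 0) + 1
        enrolled[key] = enrolled.get(key, 0) + int(row[2])
    return {k: pct(enrolled[k], totals[k]) for k in totals}

def phishing_rates(results):
    """Click rate, report rate and median minutes from send to report."""
    fmt, minutes, clicked, reported = "%Y-%m-%dT%H:%M", [], 0, 0
    for _, sent, click, report in results:
        clicked += int(click is not None)
        if report is not None:
            reported += 1
            delta = datetime.strptime(report, fmt) - datetime.strptime(sent, fmt)
            minutes.append(delta.total_seconds() / 60)
    return {"click_rate": pct(clicked, len(results)),
            "report_rate": pct(reported, len(results)),
            "median_minutes_to_report": median(minutes) if minutes else None}

def patch_compliance(devices, window_days, as_of):
    """Per-OS % of devices patched inside the policy window. An unpatched device whose
    window is still open on as_of is pending, not a miss, and leaves the denominator."""
    fmt, out = "%Y-%m-%d", {}
    as_of_day = datetime.strptime(as_of, fmt)
    for os_name, released, installed in devices:
        deadline = datetime.strptime(released, fmt) + timedelta(days=window_days)
        if installed is None and as_of_day <= deadline:
            continue  # still inside the window: pending
        ok = installed is not None and datetime.strptime(installed, fmt) <= deadline
        met, seen = out.get(os_name, (0, 0))
        out[os_name] = (met + int(ok), seen + 1)
    return {k: pct(met, seen) for k, (met, seen) in out.items()}

# Constructed sample records: (segment, criticality, mfa), (user, sent, clicked, reported), (os, released, installed)
ACCOUNTS = [("staff", "critical", True), ("staff", "critical", False),
            ("privileged", "critical", True), ("privileged", "critical", True),
            ("contractor", "standard", False), ("contractor", "standard", True)]
PHISH = [("u1", "2023-10-02T09:00", None, "2023-10-02T09:07"),
         ("u2", "2023-10-02T09:00", "2023-10-02T09:03", None),
         ("u3", "2023-10-02T09:00", None, "2023-10-02T09:45"),
         ("u4", "2023-10-02T09:00", "2023-10-02T09:10", "2023-10-02T09:12")]
DEVICES = [("Windows", "2023-09-12", "2023-09-20"), ("Windows", "2023-09-12", None),
           ("macOS", "2023-09-21", "2023-09-22"), ("macOS", "2023-09-28", None)]
```

Run against the sample records, the privileged segment reports 100% MFA while the contractor segment sits at 50%, and the second Windows device is the only patch miss because its 14-day window had closed by 1 October.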
Training and culture change
The Secure Our World toolkit includes bilingual (English/Spanish) materials, making it easier to reach diverse workforces. HR and learning teams adapt materials for global audiences, translating content where necessary and ensuring cultural relevance. Gamified challenges—such as password construction contests or phishing-spotting leaderboards—reinforce behaviours. Executives participate in awareness events to signal priority.
Customer-facing staff receive specialised training: call centre agents learn to guide customers through account security checks, DSAR agents practice verifying requestors without disclosing sensitive data, and marketing teams coordinate awareness campaigns timed with Cybersecurity Awareness Month (October) and Data Privacy Week (January). Partnerships with community organisations, schools, or local governments extend the campaign beyond the enterprise, fulfilling corporate social responsibility goals.
Technology enablement
Implementing CISA’s behaviours often requires technology investments. Identity platforms (Azure AD, Okta, Ping) are configured to enforce passwordless authentication, conditional access policies, and MFA device hygiene checks. Password managers (1Password, LastPass, Bitwarden) provide enterprise vaults that encourage passphrase adoption while maintaining audit trails. Endpoint management solutions enable automated patch deployment and compliance reporting, with exception workflows for legacy systems.
Email security tools incorporate machine learning to flag phishing attempts, while security orchestration platforms automate response steps (ticket creation, user isolation). Logging and SIEM solutions record authentication events, patch status, and phishing alerts, feeding compliance reports and supporting DSAR audit trails.
Communications and stakeholder engagement
Corporate communications teams craft narratives linking Secure Our World to organisational values. External messaging emphasises how robust password practices and MFA protect customer data, including DSAR requests. Internal newsletters highlight success stories—teams achieving 100% MFA adoption or employees reporting phishing attempts. Feedback channels allow staff to request additional training or raise concerns about cumbersome controls.
Engagement extends to regulators and industry groups. Organisations share adoption progress with sector-specific agencies (e.g., financial regulators, health authorities) and incorporate Secure Our World metrics into regulatory filings when discussing cybersecurity programmes. Participation in CISA events, webinars, and partner networks showcases commitment to national cybersecurity goals.
Next steps
Enterprises should appoint a Secure Our World programme owner—often the CISO or security awareness leader—to coordinate activities across security, HR, privacy, and communications. Within 60 days, they deliver an implementation plan summarising current state, target metrics, resource needs, and reporting cadence. Quarterly reviews assess progress and adjust tactics based on threat intelligence or regulatory updates.
By embedding CISA’s Secure Our World behaviours into governance, implementation, and DSAR operations, organisations strengthen resilience, protect personal data, and align with federal guidance that regulators, insurers, and customers increasingly expect to see.