
CISA Launches Secure Our World Cyber Awareness Campaign — September 19, 2023

CISA’s Secure Our World awareness campaign, launched 19 September 2023, sets four behavioral pillars that boards must fold into governance metrics while security, HR, and privacy teams execute training, technology, and DSAR-supporting processes aligned to the new program.

Reviewed for accuracy by Kodi C.


On 19 September 2023 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched Secure Our World, a year-round public awareness campaign distilled into four core behaviors: use strong passwords, enable multifactor authentication (MFA), recognize phishing, and update software. The initiative replaces the limited-duration Cybersecurity Awareness Month model with ongoing outreach, toolkits, and partnerships. For enterprises, the campaign provides authoritative messaging that boards can incorporate into governance scorecards, while operations teams align employee education, technical controls, and DSAR support processes with CISA’s guidance.

Policy implications

CISA is positioning Secure Our World as a standard set of cyber hygiene expectations for businesses, governments, and individuals. Corporate boards and risk committees should map the four behaviors to their cybersecurity oversight frameworks, embedding them within key risk indicators. For example, monthly dashboards can report MFA adoption rates, privileged account password rotation, phishing simulation performance, and patch cadence. Linking these metrics to incentive plans or risk appetite statements signals leadership commitment and shows due diligence to regulators and insurers.

The campaign also emphasizes community engagement. Governance charters may assign responsibility to CSR or public affairs teams to share Secure Our World messaging with customers and partners, reinforcing ecosystem resilience. Legal counsel reviews marketing and privacy policies to ensure awareness content distributed to consumers accurately reflects security capabilities without overstating protection.

Adoption timeline

Phase 1 – Messaging alignment: Within 30 days, communications teams integrate CISA’s branding and key phrases into internal and external channels (intranet banners, email signatures, social media posts). Security awareness leads download the official toolkit and adapt posters, checklists, and videos to the organization’s style guide. Leadership communications—town halls, board updates, CEO memos—reference the campaign to show tone from the top.

Phase 2 – Technical control validation: Identity and access management teams verify MFA coverage across all critical applications, prioritizing DSAR portals, HR systems, and customer support tools that process personal data. They document exceptions, establish timelines to close gaps, and implement phishing-resistant authentication (FIDO2, WebAuthn) for privileged access. Endpoint management groups assess patch management SLAs, ensuring operating system and application updates meet or exceed CISA’s recommendations. Email security teams refine phishing detection, sandboxing, and DMARC enforcement, aligning detection and response metrics with campaign objectives.

Phase 3 – Behavioral reinforcement: Security awareness programs schedule quarterly campaigns aligned with the four behaviors. Microlearning modules show how to create strong passphrases, recognize phishing cues, and enable automatic updates. Phishing simulations test employees on real-world lures (for example, fake DSAR notifications or software update prompts), providing targeted coaching to repeat offenders. HR integrates cybersecurity expectations into performance reviews and onboarding checklists.
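Phase 2 asks email security teams to confirm DMARC enforcement, which in practice means reading the `_dmarc` TXT record for each owned sending domain and checking that the policy is actually applied. The following Python is an added example, not code from CISA or the campaign toolkit: it classifies a DMARC record as missing, monitor-only, partially enforced, or enforced and lists the gaps a team would need to close. The domain names and records are constructed for illustration; in use, the record text would come from the organization's own DNS TXT lookup.

```python
"""Classify DMARC records for enforcement gaps (added example, constructed data)."""

# Constructed sample records for made-up domains, shaped like the TXT value
# published at _dmarc.<domain>. An empty string models "no record published".
SAMPLE_RECORDS = {
    "example-a.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-a.test; pct=100",
    "example-b.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-b.test",
    "example-c.test": "v=DMARC1; p=quarantine; pct=25",
    "example-d.test": "",
}


def parse_dmarc(record):
    """Split a 'tag=value; tag=value' record into a dict.

    Returns None when the text is not a DMARC record (wrong or missing v= tag).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return (status, findings) for one record.

    status is 'missing', 'monitor-only', 'partial' or 'enforced'; findings is a
    list of plain-language gaps for the control-validation tracker.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", ["no valid DMARC record published"]

    findings = []
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # an unparseable pct is treated as not enforced
    if "rua" not in tags:
        findings.append("no aggregate reporting address (rua); enforcement cannot be measured")
    if policy == "none":
        findings.append("p=none: failing mail is reported but still delivered")
        return "monitor-only", findings
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
        return "partial", findings
    if policy == "quarantine":
        findings.append("p=quarantine: failing mail is routed to spam rather than rejected")
    return "enforced", findings


def enforcement_report(records):
    """Map each domain to its (status, findings) pair for the Phase 2 exception list."""
    return {domain: assess_dmarc(text) for domain, text in records.items()}


if __name__ == "__main__":
    for domain, (status, findings) in enforcement_report(SAMPLE_RECORDS).items():
        print(f"{domain}: {status}")
        for gap in findings:
            print(f"  - {gap}")
```

The `rua` check matters because the campaign metrics in later sections depend on aggregate reports: a domain at `p=reject` with no reporting address is enforced but unmeasurable, so it still shows up as a finding.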

DSAR and privacy operations

Secure Our World intersects with privacy obligations by emphasizing protection of personal data handled during DSAR fulfillment. Privacy teams review DSAR workflows to ensure MFA is enforced for staff accessing subject data, particularly when exporting sensitive information. They also confirm that DSAR portals use strong password policies, rate limiting, and phishing-resistant login pages to prevent account takeover. Templates for DSAR response emails incorporate anti-phishing tips, helping data subjects distinguish legitimate communications from scams.

Incident response plans for DSAR systems incorporate CISA’s messaging. For example, if a phishing campaign targets DSAR case managers, the response playbook outlines immediate password resets, MFA verification, and breach assessment. Privacy notices and consent forms can reference the organization’s alignment with Secure Our World behaviors, building customer trust by demonstrating adherence to nationally endorsed good practices.

Third-party and vendor management

Many DSAR and customer data processes rely on vendors. Procurement teams update security questionnaires to reference Secure Our World expectations: vendors must document MFA coverage, password policies, phishing training, and patch management processes. Contracts include clauses requiring adherence to these behaviors and notification obligations if controls lapse. Vendor scorecards incorporate CISA-aligned metrics, and periodic audits test compliance through evidence reviews and simulated phishing campaigns.

Cloud service providers hosting DSAR applications are asked to share Secure Our World-aligned training resources with their support staff. Joint incident response exercises confirm that vendor teams can recognize phishing attempts affecting shared environments and coordinate updates promptly.

Measurement and reporting

Secure Our World encourages teams to track progress over time. Security operations centers (SOCs) implement dashboards capturing:

  • MFA adoption percentages by user segment and application criticality.
  • Average password strength scores (entropy) for privileged and standard accounts.
  • Phishing simulation click rates, report rates, and time to report.
  • Patch compliance: percentage of devices patched within policy-defined windows, broken down by operating system and critical applications.
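The four dashboard metrics above are straightforward to compute once the underlying records are exported from the identity platform, phishing-simulation tool, and endpoint manager. The Python below is an added example rather than anything from the briefing or from CISA: it computes MFA adoption by segment and criticality, average recorded password entropy, phishing simulation click and report rates with median time to report, and patch compliance against policy windows. All account, simulation, and device records are constructed sample data; the entropy estimate is a character-class proxy meant to run at password-change time, with only the resulting score retained.

```python
"""Secure Our World dashboard metrics over constructed records (added example)."""
import math
from statistics import median

# Constructed sample accounts: (user, segment, app_criticality, mfa_enabled, entropy_bits).
# entropy_bits is the score recorded when the password was set; plaintext is never stored.
ACCOUNTS = [
    ("u1", "privileged", "critical", True, 120.0),
    ("u2", "privileged", "critical", False, 55.0),
    ("u3", "standard", "critical", True, 40.0),
    ("u4", "standard", "medium", True, 100.0),
    ("u5", "standard", "medium", False, 28.2),
]

# Constructed simulation results: (user, clicked_link, reported, minutes_to_report or None).
PHISHING_SIM = [
    ("u1", False, True, 4),
    ("u2", True, False, None),
    ("u3", False, True, 30),
    ("u4", False, False, None),
    ("u5", True, True, 120),
]

# Constructed device records: (device, os, patch_severity, days_to_install or None if pending).
PATCH_WINDOWS_DAYS = {"critical": 7, "standard": 30}
DEVICES = [
    ("d1", "Windows", "critical", 3),
    ("d2", "Windows", "critical", 12),
    ("d3", "Windows", "standard", 20),
    ("d4", "macOS", "critical", None),
    ("d5", "macOS", "standard", 5),
    ("d6", "Linux", "critical", 7),
]


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when the group is empty."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def password_entropy_bits(password):
    """Rough entropy estimate: length * log2(size of character classes present).
    Run at password-change time so only the score, not the password, is kept."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return round(len(password) * math.log2(pool), 1) if pool else 0.0


def mfa_adoption(accounts):
    """MFA adoption percentage grouped by user segment and by application criticality."""
    result = {}
    for name, index in (("by_segment", 1), ("by_criticality", 2)):
        groups = {}
        for account in accounts:
            total, enabled = groups.get(account[index], (0, 0))
            groups[account[index]] = (total + 1, enabled + int(account[3]))
        result[name] = {key: pct(on, total) for key, (total, on) in groups.items()}
    return result


def average_entropy(accounts):
    """Mean recorded password entropy per segment (privileged vs standard)."""
    sums = {}
    for _, segment, _, _, bits in accounts:
        total, count = sums.get(segment, (0.0, 0))
        sums[segment] = (total + bits, count + 1)
    return {segment: round(total / count, 1) for segment, (total, count) in sums.items()}


def phishing_metrics(results):
    """Click rate, report rate and median minutes-to-report for one simulation."""
    clicked = sum(1 for r in results if r[1])
    reported = [r for r in results if r[2]]
    times = [r[3] for r in reported if r[3] is not None]
    return {
        "click_rate": pct(clicked, len(results)),
        "report_rate": pct(len(reported), len(results)),
        "median_minutes_to_report": median(times) if times else None,
    }


def patch_compliance(devices, windows):
    """Share of devices patched inside the policy window, overall and per OS."""
    by_os, total, compliant = {}, 0, 0
    for _, os_name, severity, days in devices:
        ok = days is not None and days <= windows[severity]
        os_total, os_ok = by_os.get(os_name, (0, 0))
        by_os[os_name] = (os_total + 1, os_ok + int(ok))
        total += 1
        compliant += int(ok)
    return {"overall": pct(compliant, total),
            "by_os": {k: pct(c, t) for k, (t, c) in by_os.items()}}


def dashboard():
    """Assemble the four campaign metrics into one report dict."""
    return {
        "mfa": mfa_adoption(ACCOUNTS),
        "entropy": average_entropy(ACCOUNTS),
        "phishing": phishing_metrics(PHISHING_SIM),
        "patching": patch_compliance(DEVICES, PATCH_WINDOWS_DAYS),
    }


if __name__ == "__main__":
    for section, values in dashboard().items():
        print(section, values)
```

Reporting MFA adoption by criticality as well as by segment is what surfaces the Phase 2 gap the briefing calls out: a healthy overall percentage can hide an unprotected critical application used by a small team.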

Boards review these metrics quarterly, linking them to enterprise risk appetite. Privacy committees receive DSAR-specific metrics: MFA enforcement, number of DSAR-related phishing attempts detected, and time to remediate vulnerabilities in DSAR tooling. Where metrics lag, remediation plans specify technology upgrades, additional training, or process changes.

Training and culture change

The Secure Our World toolkit includes bilingual (English/Spanish) materials, making it easier to reach diverse workforces. HR and learning teams adapt materials for global audiences, translating content where necessary and ensuring cultural relevance. Gamified challenges—such as password construction contests or phishing-spotting leaderboards—reinforce behaviors. Executives participate in awareness events to signal priority.

Customer-facing staff receive specialized training: call center agents learn to guide customers through account security checks, DSAR agents practice verifying requestors without disclosing sensitive data, and marketing teams coordinate awareness campaigns timed with Cybersecurity Awareness Month (October) and Data Privacy Week (January). Partnerships with community teams, schools, or local governments extend the campaign beyond the enterprise, fulfilling corporate social responsibility goals.

Technology enablement

Implementing CISA’s behaviors often requires technology investments. Identity platforms (Azure AD, Okta, Ping) are configured to enforce passwordless authentication, conditional access policies, and MFA device hygiene checks. Password managers (1Password, LastPass, Bitwarden) provide enterprise vaults that encourage passphrase adoption while maintaining audit trails. Endpoint management solutions enable automated patch deployment and compliance reporting, with exception workflows for legacy systems.

Email security tools incorporate machine learning to flag phishing attempts, while security orchestration platforms automate response steps (ticket creation, user isolation). Logging and SIEM solutions record authentication events, patch status, and phishing alerts, feeding compliance reports and supporting DSAR audit trails.

Communications and stakeholder engagement

Corporate communications teams craft narratives linking Secure Our World to organizational values. External messaging emphasizes how strong password practices and MFA protect customer data, including DSAR requests. Internal newsletters highlight success stories—teams achieving 100% MFA adoption or employees reporting phishing attempts. Feedback channels allow staff to request additional training or raise concerns about cumbersome controls.

Engagement extends to regulators and industry groups. Teams share adoption progress with sector-specific agencies (for example, financial regulators, health authorities) and incorporate Secure Our World metrics into regulatory filings when discussing cybersecurity programs. Participation in CISA events, webinars, and partner networks showcases commitment to national cybersecurity goals.

Follow-up actions

Teams should appoint a Secure Our World program owner—often the CISO or security awareness leader—to coordinate activities across security, HR, privacy, and communications. Within 60 days, they deliver a setup plan summarizing current state, target metrics, resource needs, and reporting cadence. Quarterly reviews assess progress and adjust tactics based on threat intelligence or regulatory updates.

By embedding CISA’s Secure Our World behaviors into governance, setup, and DSAR operations, teams strengthen resilience, protect personal data, and align with federal guidance that regulators, insurers, and customers now expect to see.
