During Cybersecurity Awareness Month, we’ll see a lot of headlines about hackers, ransomware, and high-profile security breaches. But Avery Moore, Chief Information Security Officer at Jazz Solutions, says that the real story is a lot less flashy. We fired up a Teams chat with Avery to talk about threats that keep resurfacing, the unglamorous grind that holds programs together, and why he sounds so darn cheerful about the future of federal cybersecurity.

Why does Cybersecurity Awareness Month still matter for companies and government agencies in 2025?

This month gives us a chance to push through the routine and remind people why this type of work matters. Everyone’s busy, we’ve all got deadlines and priorities all over the place, and the dog is at the door waiting to be walked. But unfortunately, a breach doesn’t wait until you have time to deal with it. Taking some time every year to talk about cyber helps us pause and pay attention for a few minutes.

What makes social engineering such a stubborn problem for federal cybersecurity programs?

Because it preys on human behavior, not just technology. You can solve a server problem, you can upgrade a firewall, but you can’t stop someone’s emotions. Attackers know this. They’ll make an email seem super urgent, or spoof your boss’s phone number, or act like they’re your friendly IT support. It works more often than we’d like, and that’s why it hasn’t gone away.

If you had to give one simple piece of advice to federal employees for spotting social engineering, what would it be?

Slow down. You may have heard of “Stop, drop, and roll”. With social engineering it’s “Stop. Think. Verify.” When a good social engineer knows how to push the right buttons, your emotional buttons, you will naturally be panicked and start making bad decisions. Take a moment to breathe. Contact the sender with a known, good contact number. Check the official site for your agency. That little pause, that extra minute can stop a potentially serious attack.

The other thing is this: know you are vulnerable. Anyone who thinks they could never fall for a social engineering attack is simply fooling themselves.

You’ve talked about the “grind” behind cybersecurity. What kind of work falls into that category, and why is it so critical?

The grind is the day-to-day work that doesn’t make headlines but actually can make or break a program. This type of work isn’t the most exciting stuff in the world … it’s documenting controls, answering evidence requests, keeping scans up to date, and making these routine activities your standard practices. None of that is going to set the world on fire, but it’s what turns “we think we’re OK” into “yep, we know we’re secure.”

How do agencies benefit when that behind-the-scenes work — the documentation, the evidence, the playbooks — is done really well?

When you’ve got that paper trail behind you, you feel confident. If an assessor walks in and you’ve got all the documentation, the conversation shifts. Instead of scrambling to explain or defend yourself, you’re showing them proof that all is well. That builds trust with leadership, regulators, and customers that your systems will hold up. And it gives you peace of mind.

On the flip side, what happens when leaders don’t prioritize that grind?

The problems can start piling up pretty quickly. Controls don’t map properly, audits turn into fire drills, and findings can start multiplying. I’ve seen teams spend ten times more effort trying to fix things reactively than they would have spent doing it right the first place. Once you lose credibility with auditors or partners or god forbid customers, it’s very hard to get it back.

How do you help your teams balance the demand for shiny new tools with the less glamorous but essential compliance work?

I try to remind that that those two things are not separate. A great tool doesn’t help if you can’t show evidence it’s configured correctly or tied to a control. We always want to be innovative, but we also have to ask, “Can we defend this decision to an auditor? Can we prove it works the way we say it does?” It’s worth the time it takes to find out.

What’s one area of cyber hygiene that you wish agencies would take more seriously?

Evidence management. Agencies collect mountains of data, but it can be scattered, inconsistent, or just not tied back to specific controls. If you invest in getting evidence right and stay consistent, you will avoid a lot of headaches for everybody.

Looking ahead, what worries you most about the next wave of cybersecurity challenges, and what gives you optimism?

What worries me probably the most is just the sheer speed that our industry is moving at. New technologies, and now a lot of them involve AI, are being adopted faster than many security frameworks can adapt. That is where attackers can really thrive.

What gives me optimism is the people doing this work. Great teams can pull together, even under enormous pressure, and get it right. Their work ethic, their commitment to learning, is why I think we’ll be able to make it through the (probably) rocky road ahead.