We talk a lot in cybersecurity about shiny tools and the latest tech—zero trust, XDR, AI-driven threat detection. But let’s be real: none of it works well if your people aren’t trained.
I’ve seen firsthand that the human layer—the often-joked-about “8th layer” of the OSI model—is where things break down. So today, let’s talk about why training matters more than tech, how to build a culture of awareness, and how to track if it’s actually working.
The Two Sides of Training: Enablement and Prevention
There are two core reasons why training is vital to your cybersecurity program: enabling your team and preventing user mistakes.
🧠 Training to Enable
You can’t deploy frameworks like NIST CSF or manage SIEMs effectively without people who know what they’re doing. And truthfully, even your best hires won’t come in with every skill out of the gate—nor will their skills stay current forever.
That’s why I treat ongoing training as foundational. Whether it’s sending folks to conferences, providing licenses to cloud labs, or giving access to training platforms like Pluralsight or SANS, the goal is simple: empower the team to handle today’s threats and tomorrow’s unknowns.
🚫 Training to Prevent
Here’s the kicker: you can spend a million dollars on endpoint protection, but if Steve from Finance clicks a malicious link, your SOC is busy for the next 48 hours. Human error plays a part in the majority of breaches, and I’ve reviewed incident reports from major orgs where the trigger was as simple as someone forwarding a phishing email to the wrong person.
While we can’t remove the human element, we can train users to recognize suspicious activity. This is why end-user awareness programs are some of the best ROI you’ll get in your program. Pair that with technical safeguards like link rewrites, attachment sandboxing, or spam filters, and you’ve given people a fighting chance.
Build a Security Champion Network
I used to think I could be everywhere at once—know every business system, attend every planning meeting, field every question. Turns out, I’m not omnipresent.
That’s where security champions come in.
👥 What is a Security Champion?
A champion is someone embedded in another team (engineering, HR, legal—you name it) who has just enough security know-how to act as a liaison. They aren’t the CISO-in-training, but they do know when to flag something, when to bring security in, and how to talk the talk.
You can train them up with security basics, provide access to your team’s Slack or Teams channel, and set regular touchpoints. The goal is to extend the reach of your security program into the business itself.
🎖️ Incentivize the Network
Recognition matters. Give champions special swag, early access to tools, or invite them to exclusive training and team-building sessions. You’re not just building coverage—you might be identifying your next hire.
Keep Training Simple and Effective
I’ve worked with teams who want to create Pixar-level training videos packed with plots, characters, and every security concept under the sun. Great ambition—but not always practical.
Instead, focus on:
✅ What’s Actually Needed
- Baseline security awareness (for everyone)
- Role-based training, for example:
  - Developers → OWASP Top 10
  - Execs → Incident response & phishing
  - Customer service → Social engineering defenses
You can buy this type of training from vendors like KnowBe4, which offer customizable modules and integrate with learning management systems (LMS). Don’t try to reinvent the wheel if you don’t need to.
📅 Ongoing Touchpoints
Security awareness shouldn’t be an annual box-checking exercise. Consider:
- Micro-learnings pushed monthly via Slack or email
- Brown bag sessions to discuss new threats
- “Tip of the Month” campaigns that reinforce policies
These quick hits keep security top of mind without overwhelming your audience.
Run Phishing Simulations the Right Way
Phishing campaigns are tricky. I once clicked on a simulated phishing email while checking messages on my phone and had to explain myself to the CISO. (Yes, it was awkward.) But that experience led us to review how our mobile interface displayed links—an unexpected win.
🚫 What Not to Do
- Don’t use baits that toy with people’s livelihoods or trust (e.g., “You won a bonus!”). Real attackers do use them, but a simulation that does will cost you goodwill and reporting, which is the whole point of the exercise.
- Don’t shame employees or call them out publicly
- Don’t simulate only unrealistic scenarios
✅ What Works
- Track and reward good behavior—like correct reporting
- Use team-based metrics instead of individual callouts
- Allow managers to reinforce and support learning
Add incentives, like team lunches for top performers or recognition in town halls. It gamifies the process without making it punitive.
Show It’s Working: Metrics That Matter
If you want buy-in (and budget), you’ve got to prove impact. Here are a few key metrics I like:
- 📈 Click rate on simulated phishing emails (should trend down over time)
- 🛑 Report rate of phishing emails, and how quickly people report (should trend up, and faster)
- 👀 No action / ignored phishing emails (the silent group you most want to shrink)
- 👩🏫 Training completion rates (especially by role)
- 🔁 Reduction in repeat offenders over time
- 🧠 Improved detection/reporting of real threats (simulations are a proxy; this is the metric that actually matters)
Track your metrics over time and share them with leadership. If 40% of your staff reported the last phishing campaign within an hour, that’s something to celebrate.
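To make the metrics above concrete (and the team-based scoring recommended in the phishing section), here is an added Python example. It is not code from the original post; the `Delivery` record layout, the function names, the campaign names and the sample results are all constructed for illustration. It computes click, report, no-action and report-within-an-hour rates per campaign, click rate per team, and repeat clickers across campaigns.

```python
"""Phishing-simulation metrics over constructed delivery records.

Added example, not part of the original post. The record layout and the
names (Delivery, campaign_metrics, ...) are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Delivery:
    """One simulated phish delivered to one user. A timestamp is None when
    the user never clicked / never reported."""
    campaign: str
    user: str
    team: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None


def campaign_metrics(deliveries, campaign, report_window=timedelta(hours=1)):
    """Click, report and no-action rates for one campaign.

    A user who clicks and then reports counts in both click_rate and
    report_rate: the click is a miss, but the report is the behaviour we
    want to reward. no_action is the silent group that did neither.
    """
    rows = [d for d in deliveries if d.campaign == campaign]
    if not rows:
        raise ValueError(f"no deliveries for campaign {campaign!r}")
    n = len(rows)
    clicked = sum(d.clicked_at is not None for d in rows)
    reported = sum(d.reported_at is not None for d in rows)
    no_action = sum(d.clicked_at is None and d.reported_at is None for d in rows)
    fast = sum(
        d.reported_at is not None and d.reported_at - d.sent_at <= report_window
        for d in rows
    )
    return {
        "sent": n,
        "click_rate": clicked / n,
        "report_rate": reported / n,
        "no_action_rate": no_action / n,
        "reported_within_window_rate": fast / n,
    }


def team_click_rates(deliveries, campaign):
    """Click rate per team for one campaign: the team-level view to report
    instead of calling out individuals."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for d in deliveries:
        if d.campaign != campaign:
            continue
        sent[d.team] += 1
        if d.clicked_at is not None:
            clicked[d.team] += 1
    return {team: clicked[team] / sent[team] for team in sent}


def repeat_clickers(deliveries, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns."""
    campaigns_by_user = defaultdict(set)
    for d in deliveries:
        if d.clicked_at is not None:
            campaigns_by_user[d.user].add(d.campaign)
    return sorted(u for u, cs in campaigns_by_user.items() if len(cs) >= min_campaigns)


def _t(base, minutes):
    return base + timedelta(minutes=minutes)


# Constructed sample data: two campaigns, five recipients each.
Q1 = datetime(2024, 3, 4, 9, 0)
Q2 = datetime(2024, 6, 3, 9, 0)
SAMPLE = [
    Delivery("2024-Q1", "alice", "eng", Q1, reported_at=_t(Q1, 10)),
    Delivery("2024-Q1", "bob", "eng", Q1, clicked_at=_t(Q1, 5), reported_at=_t(Q1, 30)),
    Delivery("2024-Q1", "carol", "fin", Q1, clicked_at=_t(Q1, 2)),
    Delivery("2024-Q1", "dave", "fin", Q1),
    Delivery("2024-Q1", "erin", "hr", Q1, reported_at=_t(Q1, 180)),
    Delivery("2024-Q2", "alice", "eng", Q2, reported_at=_t(Q2, 5)),
    Delivery("2024-Q2", "bob", "eng", Q2, reported_at=_t(Q2, 15)),
    Delivery("2024-Q2", "carol", "fin", Q2, clicked_at=_t(Q2, 1)),
    Delivery("2024-Q2", "dave", "fin", Q2, clicked_at=_t(Q2, 4), reported_at=_t(Q2, 20)),
    Delivery("2024-Q2", "erin", "hr", Q2),
]

if __name__ == "__main__":
    for c in ("2024-Q1", "2024-Q2"):
        print(c, campaign_metrics(SAMPLE, c))
        print(c, "by team", team_click_rates(SAMPLE, c))
    print("repeat clickers:", repeat_clickers(SAMPLE))
```

Two design choices worth noting. A click followed by a report is counted on both sides, because someone who clicks and then tells you is far more valuable than someone who clicks and stays quiet, and the report is the behaviour the post says to reward. The no-action rate is tracked separately from the click rate, since a campaign where 10% clicked and 85% said nothing tells a very different story from one where 10% clicked and 60% reported.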
Final Thoughts
You can buy all the tools in the world, but they’re only as good as the people using them. Training—both to enable and to prevent—is the foundation that every cybersecurity program needs.
If you invest in your people first, you’ll build a program that scales, adapts, and defends—not just against today’s threats, but whatever comes next.