Building a cyber-risk aware and motivated workforce is not something that can be achieved overnight. In most cases, it requires a multi-year program tailored to the organizational culture and to a challenging external threat landscape. A powerful educational program is not merely informative, nor a tick-the-box compliance exercise, but a series of initiatives, recurring activities, processes and metrics that ultimately translate into a positive cultural and behavioral shift in the workforce, aligned with the information security objectives of the organization.
A successful information security training and awareness program is a highly engaging, motivating, call-to-action program, in which employees see their training and awareness efforts paying off over time. Unfortunately, not all organizations are willing to go to the required lengths to establish a program that is relevant to their people and their business context, and that makes a true difference to their information security posture. Nor are all organizations willing to regularly challenge and reinvent long-established ways of operating when it comes to education.
In this blog post, I shed light on the common mistakes that I have personally observed while working in multiple organizations and industries across the globe. I also share recommendations, built upon best practice frameworks such as NIST SP 800-50r1, to help organizations avoid these mistakes while ensuring they build a program tailored to their context, needs and culture.
Lagging Investment and Preparedness
In today’s highly demanding and complex regulatory landscape, there is an increased national interest in ensuring the cyber resilience of multinational corporations across the globe. Despite the regulatory compliance pressure, and the increased sophistication of the various attack vectors (driven by rapid and easy AI adoption), it seems that not all organizations are stepping up their cyber readiness efforts just yet. According to the ISACA 2024 State of Cybersecurity report, only 56% of the respondent organizations believe that their board of directors adequately prioritizes enterprise cybersecurity, and 44% believe that the cybersecurity budget is somewhat underfunded.
Limited senior management support for strengthening the information security posture translates into reduced effort and budget for elevating the information security awareness of the workforce. The SANS 2024 Security Awareness Report expands upon this and reveals that most organizations are far from reaching a sustained cultural change with their current information security awareness programs, and that this is mostly due to three key challenges: 1) lack of time, 2) lack of staff, and 3) lack of budget.
Five Mistakes When Building a Security Training and Awareness Program
In addition to the above-mentioned facts, and regardless of whether an organization is adequately staffed and funded to establish a sound information security awareness program, there are five recurring mistakes I have personally observed in organizations, each resulting in a biased information security training and awareness program:
- Solution or vendor focused rather than framework-oriented: Organizations tend to “go hunting” for the training platforms that are most popular in the marketplace, have outstanding reviews and tick all the boxes. The goal is to reduce the information security officer’s workload as much as possible, so that they can focus on other, more pressing issues. However, a fancy tool has no value without a well-established and approved framework for education and awareness, and without clearly defined objectives, processes, and metrics that help achieve and measure the desired cultural shift and awareness target state.
- Ignorance of organizational and departmental culture: Due to a high volume of work, tight compliance deadlines, and the continuous “firefighting mode” that information security practitioners are subject to on a day-to-day basis, some key cultural questions might be forgotten while designing and implementing an information security training and awareness program: What is the culture like in my organization? Is it uptight or relaxed? What are the main communication channels and styles? What type of awareness initiatives will motivate my employees? How can we create a sense of program co-ownership rather than an authoritarian program that doesn’t resonate with the different departments? According to the SANS survey, most security awareness programs last year were blocked by mid-level managers who do not understand how information security adds value to their department goals and their customers. Ignoring the culture and objectives of our fellow departments, combined with the lack of a framework and processes, can be detrimental to the reputation of information security officers. Similarly, pushing for a fancy tool with little to no human interaction affects the departmental view of the security efforts, and can be perceived as aggressive or dictatorial rather than as something of value to the organization.
- Ignorance of the regulatory landscape: Information security training and awareness programs are largely based on industry best practices. Sometimes, after a job change, we (security practitioners) bring past experiences to new organizations without first gaining an understanding of the regulatory landscape and without evaluating the legal requirements or the contractual commitments on training made to customers and business partners. As a result, we tend to deviate from what is truly required and begin building up the program without a clear picture of whether we are “overdoing it” or “underdoing it.”
- Overlooking real threat data prior to defining the awareness goals: Information security officers regularly interact with the Security Operations Center (SOC) teams during incidents or throughout security monitoring and threat detection projects. However, limited interaction occurs during the design of security training and awareness programs. Training and awareness initiatives are not commonly built upon real threat data provided by the SOC teams, or upon what the Cyber Threat Intelligence (CTI) team observes as the most common techniques and procedures used by cyber criminals to target employees. For instance, the SOC team might have observed an increased number of users reporting suspicious calls from an agent that seems to be impersonating the Microsoft service desk. Such an example should be included in awareness initiatives such as posts or articles. The lack of visibility into real threat data results in a limited educational program, built on assumptions rather than on real use cases that prepare our employees to act wisely upon suspicious events.
- Lack of a renewing perspective: Being responsible for the cybersecurity education of our people is not an easy task but a significant endeavor. It is, nonetheless, still perceived as one of the many “to-dos” in the wide spectrum of responsibilities of an information security officer. Often, there is too little time to “stop the show” and ask ourselves whether we are doing the right thing or just completing a tick-the-box exercise. Bringing a renewing perspective, or having a fresh start, is something that many information security officers cannot afford due to time and budget constraints. As a result, obsolete, user-unfriendly or irrelevant security training courses get dragged along over the years without adding true value.
Overall, the above mistakes also illustrate how organizations continue to underestimate the importance of their information security training and awareness programs, in particular during the early stages, when designing the program and determining the effort required to realize an effective one.
How to Prevent These Biases from Becoming Real Issues
The following recommendations will prevent us (information security officers) from falling into the above-mentioned biases while designing an information security training and awareness program.
- Adopt a solid framework to build your program upon. You might want to follow the below steps while building your framework:
  - Gap assessment and target state: Identify the organization’s learning gaps and needs by analyzing the applicable regulatory landscape (e.g., DORA, GDPR, CCPA, NIS2, etc.), evaluating the legal and contractual commitments (e.g., with customers), and the industry best practice frameworks your organization wishes to adopt (NIST, ISO 27002, COBIT, CIS, etc.). Define the strategic goal for training and awareness and a target state (action plan) that describes how to achieve the goal.
  - Design the program: Like an umbrella, cascade the strategic goal and target state down into an information security training and awareness program. Define the program’s key objectives and which training and awareness activities should take place to achieve the target state, including experimental or simulated exercises. Define the various building blocks, such as target audiences or role-specific training, frequency, key processes such as follow-up and management reporting, and lastly, the core technologies used for realizing the program. While determining which activities will be in scope, connect with your SOC or CTI teams to access real threat data and use it in your awareness initiatives as examples of attacks employees might face and should report. NIST SP 800-50r1 provides the necessary guidance for organizations to create a strategic program plan and ensure that there are appropriate resources to meet the organization’s learning goals.
  - Senior management endorsement: Seek senior management acknowledgement and, if required, approval of the information security training and awareness program. This will facilitate the program’s implementation and prioritization among stakeholders.
- Establish a relationship with other departments based on trust. To prevent an authoritarian approach to training and awareness, ensure that other departmental leaders are informed of the program design efforts prior to the program implementation.
  - Socialize the program with other departments: At an early stage, ask other departmental leaders across IT and the business for feedback regarding the program’s scope of activities, the proposed frequency and the target audiences. Explain why the program is necessary and how it helps them accomplish the minimum compliance baseline, while helping their departments and teams prevent different scenarios of data loss or theft, unauthorized data access and other security incidents.
  - Tailor training to departmental use cases: Define courses and other forms of training tailored to specific business processes (e.g., HR training on how to prevent and handle a personal data breach) or IT departments (e.g., OWASP Top 10 courses for software developers). Tailored training increases the chances of users understanding the added value of information security and the role they play in the organization when it comes to protecting data.
  - Appoint a training champion per department or entity: On every team, there is almost always a colleague who is eager and highly interested in cybersecurity topics. By appointing these individuals as security training champions, they can help ensure your message is effectively communicated and reaches every corner of the organization.
- Challenge the current ways of doing things and use new technologies.
  - Measure program maturity and drive improvements: Designing a picture-perfect program might be possible. However, implementing and executing it may become a challenge, as we can encounter deeper organizational, cultural, even political issues that might prevent us from achieving the desired future state in the defined timeframe. It is also likely that the desired state becomes a moving target, due to the discovery of new gaps we were not able to identify in the initial gap assessment stage. The most important lesson here is to be aware that establishing an effective information security training and awareness program doesn’t end with the initial design and roll-out; instead, this is the beginning of the journey. To measure progress and maturity, the SANS Security Awareness Maturity Model, defined in 2011, provides a clear guideline on how to measure the maturity of your program, with the following stages: 1. Non-existent, 2. Compliance-focused, 3. Promoting awareness & behavioral change, 4. Long-term sustainment & culture change, 5. Strategic metrics framework. Based on this guidance, organizations can streamline their programs and drive improvement initiatives.
  - The role of AI in the program: Challenging the status quo also means revising current technologies. The surge in Artificial Intelligence (AI) adoption has happened for various reasons, mostly to drive productivity and innovation. Learning and awareness is one of the areas in which we underestimate the power and support AI represents. An example of powerful AI capabilities is the ability to customize training courses to specific needs without relying on expensive third-party vendors. It also enables the use of human-like avatars, including those of your own team members, to enhance empathy and connection, with multilingual support in over 40 languages. Furthermore, AI can generate tailored phishing simulations based on employees’ awareness levels or risk scores, among other valuable features. By embracing AI-driven solutions, organizations can transform security training from a routine task into a dynamic, personalized and highly effective experience.
Overall, creating an effective information security training and awareness program is a journey that demands intention, investment and a willingness to evolve, both from senior management and information security officers. The organizations that succeed in this journey are those that treat security awareness not as a checkbox, but as a strategic enabler—deeply embedded into culture, leadership and daily business. By learning from common mistakes and professional biases, and applying proven frameworks with flexibility and relevance, companies can turn awareness into action, and employees into active defenders of the business. The goal isn't perfection—it's progress, resilience and a workforce that is both informed and inspired to protect what matters most – our data.