Updated 10/13/2025

Turning Security Awareness into Security Culture!

Let's take a dive into the culture of security together.

“They were phished. Did they do awareness training? They did? Well, somebody still clicked, so that obviously failed.” Then they continue: “Oh well, humans are awful; awareness training is worthless; we need to double down on technology.”

Often, when companies face breaches, the blame falls on phishing incidents, leading to doubts about the effectiveness of awareness training. What people fail to understand in these conversations is that several technology layers had to be breached for a phishing campaign to be effective.

Still, even after a single click occurs, how many layers of technology had to be breached to allow the threat to persist in the environment? Would they fire the firewall for not doing its job properly? What about the endpoint detection that failed as well? The secure email gateway?

So, how do we shift from blaming humans and reevaluate security-awareness training? We should treat humans as a critical layer of the security stack, one of the first lines of defense in any company, and one that has been underinvested in for YEARS.

The key is leveraging the human layer to enhance resilience! Smart security leaders invest in this layer, analyze it, fortify it, and learn from its mistakes, just as they would with any technology layer. Awareness is crucial, but it is not enough. Security culture goes beyond awareness: it is about nurturing a community where security is everyone's responsibility. Again, the distinction is security awareness versus security culture.

Evolve the Complete Security Stack: Just like technology layers, the human layer must adapt to evolving threats. Learn from failures, fortify, and foster a culture of security. Every layer, including the human one, plays a vital role in protecting organizations. It’s not about blame; it’s about building resilience.
