Dear renegades, mavericks and deviants,
Everywhere I go, I see security teams working hard, rolling out campaigns, comms, and training.
But here’s the thing… We’ve all been sold a comforting story: do more awareness stuff, and the threats won’t stand a chance. It scratches our itch for simple fixes (or indeed just looking busy) and gives vendors an easy promise to sell.
But people don’t change because they were told, they change when their environment, incentives, and habits shift.
Awareness is a tactic, not an outcome.
So, if your job is to reduce risk, awareness on its own won’t get you there.
Human Risk Management (HRM) will. Awareness tells people things, but HRM (also referred to as Secure Behavior Management (SBM), depending on who you ask) actually changes what they do.
How do you know if you’re still stuck in awareness mode? Look for these seven traps:
1. Phishing is your team’s whole personality
If ‘behavior’ means phishing simulation email clicks and reports, you’re managing a tiny part of the problem. Breaches ride numerous things like data handling, passwords, unsafe sharing, AI misuse, patching, and oversharing, and you can’t afford to miss them.
2. You’re guessing what works
Campaigns go out and everyone hopes they raised awareness. Hope isn’t evidence, and it does nothing to prove that risk has reduced.
3. Training is the automatic answer
What would you say if you went to the ER with a broken leg and were handed a printout on broken bones and sent on your way? Exactly. So if your team throws more training at every issue, you’re treating symptoms with information. Knowledge helps, but information alone rarely shifts behavior at scale.
4. You can’t say what actually landed
Ask yourself which initiative changed behavior and why. If your answer consists of vague hand gestures, you’re running activities, and you’re not managing risk.
5. Your dashboard is vanity-first
Completions, click rates, and engagement show participation. The colorful graphs might be nice to look at, but they don’t show whether the organization’s any safer.
6. You count effort, not effect
Courses launched, messages sent, and employees engaged with security initiatives - these are inputs and outputs. They’re not outcomes. Outcomes are whether behavior changed, incidents reduced and risk dropped.
7. You’re doing what a system should do
Manual nudges, spreadsheet spirals, and chasing completions eat the time you need for strategy. If you’re still hand-cranking in the age of telemetry, it’s time for a long hard look at why it’s worth making changes.
What I find, is most teams currently sit somewhere between awareness and HRM. And if you want to move toward HRM, you need to change the question you ask yourself:
Stop asking: “How do we make people care?”
Start asking: “How do we make risk visible, measurable, and manageable?”
That’s the work. That’s why you’re here. And I’m right here with you.
If this hits a nerve, you’ll find my blog on awareness traps useful. And if a sounding board would help, book in time with me.
Keep going. It matters.
Oz A