Reality ≠ Desired situation
Hey there,
You live in two realities at once.
You know human risk is real.
You see how behavior drives incidents, how culture shapes risk exposure.
You know what’s at stake.
But security leaders?
They see "the phishing training person."
Your technical colleagues?
They see "the comms person with the posters."
Same work. Different realities.
And the gap between them is where you're stuck — for now.
It’s tempting to think it’s just a communication problem.
If only you explained the metrics better.
If only you proved your value more clearly.
If only you made leadership care.
But it's not just a communication problem.
It's a perception problem — and a positioning problem.
Because right now, whether you like it or not, your work looks like compliance noise.
It looks like nice-to-have.
It looks like security’s side project.
And no amount of enthusiasm will change that.
This isn’t a love letter to you being misunderstood.
It’s a wake-up call:
Perception is the reality you have to operate in.
Security and risk leaders rarely doubt the value of a strong security culture, but they struggle with how opaque the investment in it is.
Security leaders aren’t ignoring you because they don’t care.
They’re ignoring you because they don't believe you’re driving material risk reduction.
And honestly?
In most programs today… they're not wrong.
"Security awareness" — as it’s been practiced — doesn’t change behavior at scale.
It doesn’t reduce incidents.
It doesn’t move risk metrics.
It teaches. It reminds. It hopes.
But it doesn't engineer change.
And in a world of real risk and real stakes, hope is a terrible strategy.
You’re not just fighting for attention.
You’re fighting to be seen as essential.
And essential means proving behavior can be measured, influenced, and tied directly to risk outcomes.
It means building systems, not just content.
Interventions, not just training.
Automations, not just newsletters.
Data-driven impact, not just good intentions.
It means stepping out of the role you were handed — educator, explainer, messenger — and stepping into the role your organization desperately needs but doesn’t even know how to ask for yet — human risk strategist, behavior architect, outcome driver.
We wrote a guide on how to get there.
The cognitive dissonance will hurt.
You’ll have to believe in your vision — that human risk matters —
while tearing apart your old assumptions about how change actually happens.
You’ll have to hold two competing truths:
- You’re right that human behavior is the biggest vulnerability.
- You’re wrong if you think traditional awareness models will fix it.
Bridging that gap is your real job now.
And yes — it’s unfair.
Yes — it’s hard.
Yes — it’s lonely sometimes.
But it’s also your hidden advantage.
Because while most will stay stuck designing posters, you’ll be building interventions.
While others measure phishing report rates and training completion rates, you’ll be measuring behavior shifts.
While others talk about culture, you’ll be engineering it.
And the few who make that leap?
They don’t just get heard.
They get funded.
They get promoted.
They get to lead the next era of security.
If this is you, share this open letter with your CISO or security leader.
If this is you, we can probably help you build that path and change your situation within the hour.