It’s time to shift from basic security awareness training to influence programs


This article is part of our Opinions section.


According to last year’s cyber security skills in the UK labour market report, approximately 50% of UK businesses face a fundamental cybersecurity skills gap. This persistent issue is driven by a range of factors, including rapidly evolving cyberattacks, economic pressures, and stress-induced burnout among cybersecurity professionals.

CISOs are at the forefront of addressing these challenges, needing to balance the improvement of organisational resilience and employee wellbeing. To achieve this, CISOs must foster a collaborative culture and shared accountability beyond the security team through to the entire organisation. While traditional cybersecurity training methods have laid important groundwork, there’s an opportunity to build upon this foundation to create more lasting behavioural changes.

As the threat landscape continues to evolve, it’s time for CISOs to consider adopting influence programs to further embed a culture of security throughout organisations.

But why are security teams burning out in the first place?

The threat landscape and burnout

The relentless growth of the threat landscape is pushing cybersecurity teams to their limits. More devices, data points and an increasing number of threat actors demand constant vigilance and adaptation from security professionals. The complex and unpredictable landscape is placing unprecedented pressure on security practitioners.

Recent research paints a stark picture of the toll this is taking, with an alarming 84% of workers within the cybersecurity field suggesting they are affected by mental fatigue, stress and burnout, and 8% considering quitting because of these issues. 65% of cybersecurity professionals say they have experienced this stress, fatigue or burnout due to skill gaps and pressure to perform beyond their capabilities.

Employee mental health is more than just a cultural issue; it’s a significant business concern. 74% of cybersecurity professionals globally say that they have taken time off due to work-related mental well-being problems, which could result in coverage gaps for adversaries to exploit. Now is the time for CISOs to address employee burnout.

While CISOs can’t halt or slow down the rate of cyber attacks and threats, they can work towards fostering a more collaborative culture that makes cybersecurity a shared responsibility across the entire organisation, not just within security teams.

Recasting awareness training

Cybersecurity awareness programs have successfully raised the profile of digital safety, but as the threat landscape grows more complex, more must now be done to change employee behaviour. While awareness training has worked well in some areas – for example, 77% of business leaders now acknowledge that GenAI is likely to increase cybersecurity concerns – this recognition alone isn’t enough in today’s increasingly unpredictable threat landscape.

The end goal is fostering a mindset of cybersecurity as a shared responsibility. What’s crucial is that employees know how to respond to specific challenges and are motivated to do so. They need to understand what actions to take in their roles when faced with a potential security incident.

Internal security awareness has highlighted the importance of cybersecurity resilience but now it’s time to go beyond that to help employees internalise these practices. Awareness alone isn’t cutting it anymore, especially with the rise of AI-powered threats.

To truly embed a security culture and address the human factor, CISOs need to recast awareness programs as influence programs. This shift involves moving beyond theoretical knowledge to practical, actionable skills. It’s about creating initiatives that inspire and empower employees to become active participants in the organisation’s security posture.

The shift from basic security awareness training to influence programs

Influence programs differ from awareness training in several key ways. They are continuous and tailored, embedding behavioural responses into the cybersecurity culture through ongoing, customised initiatives. By focusing on real-world scenarios, these programs help employees develop practical skills and shift behaviours more effectively.

To design influence programs CISOs must consider the following:

Compliance

Which actions or behaviours lead to negative outcomes, and how should they shape compliance policies? Consider actions like using personal devices for work, neglecting password updates, or introducing untested tools to company networks.

Reputation

How effectively is security advice communicated internally? Security teams should craft an engaging narrative, considering both content and messenger. This might involve messages from higher-ranking individuals or other departments, but it’s also about meeting employees where they’re most likely to be engaged by a message.

Internalisation

Aren’t people more likely to change behaviour when they truly believe in the message? By emphasising security’s importance in various life aspects, these practices become more relatable and inherently valuable to employees.

While 84% of security awareness programs currently aim to bring about measurable changes in employee behaviour, only 43% consistently track these shifts. For influence programs to succeed, CISOs need to monitor changes in behaviour, which will allow them to identify gaps, demonstrate ROI, and make the case for continued investment in security culture across different departments in an organisation.

Basic security awareness training – the way forward

With the cybersecurity skills gap widening and threats evolving rapidly, the need to combat stress and burnout among security professionals has never been more critical. The industry recognises the importance of a positive security culture, and many teams are already focusing on people-centric programs.

However, transitioning from awareness to lasting behavioural change remains a significant challenge. To succeed, CISOs must develop and recruit new skills in communications and behavioural change to create a resilient security culture throughout an organisation. Otherwise, they risk overwhelming their existing staff and limiting their ability to tackle threats as they evolve.

Rob Robinson

With decades of experience holding leadership positions in sales, service management and consulting, Rob Robinson is a passionate security and network professional. He has contributed to TechFinitive under its Opinions section.