
Why security awareness still isn’t taken seriously (and how to fix it)


2 April 2025

Let’s start with a painful truth:
Security awareness, culture, and human risk professionals are often undervalued.

Despite the rising threat of human-enabled cyber attacks, many organizations still treat addressing the human aspect as a checkbox. A communications initiative. A nice-to-have.

Meanwhile, those doing the work – you – are trying to change behavior, reduce risk, and protect the business from the inside out.

So why the disconnect?

Awareness is not an outcome

Here’s the thing:
Most execs and security leaders don’t get excited about “raising awareness.”

Because awareness doesn’t reduce risk on its own.
Awareness doesn’t stop breaches.
And awareness doesn’t automatically lead to behavior change.

(If you don’t believe me – enrol yourself in some training and education courses about eating more healthily and see how that works out for you. Or talk to anyone who has done a driving speed awareness course and then tell me that they don’t speed anymore.)

What leaders care about is risk.
They care about impact.
They care about outcomes.

And if your work is framed in terms of training completions, phishing report rates, or “getting the message out” – you’ll keep getting treated like a support act, not a business-critical partner.

The awareness perception trap

This is the heart of the problem.

Security awareness is too often seen as:

  • A training & education program

  • A compliance obligation

  • A comms initiative

And not:

  • A risk mitigation strategy

  • A business enabler

  • A core part of the security function

The result?
Limited budget.
Minimal influence.
And a seat that’s always just out of reach at the leadership table.

It’s time to reframe the role

The best awareness and human risk professionals aren’t just educators or communicators.
They’re influencers. Enablers. Strategists. Risk Managers.

They go beyond training to:

  • Identify and mitigate risky behaviors

  • Align with organizational risk priorities

  • Track and report on real outcomes

  • Drive measurable behavior change

In short, they speak the language of security and business leadership – and it makes all the difference.

Want to reposition your work as a risk function?

We’ve written a guide to help you do just that.

📘 It’s called “Beyond awareness: How to (finally) get taken seriously as a security awareness/HRM professional”

Inside, we cover: 

✅ Why awareness is undervalued – and how to change the narrative
✅ How to align with leadership priorities like risk, safety, and efficiency
✅ Better metrics to prove impact and secure buy-in
✅ A step-by-step roadmap to reframe your role (and get noticed)

Ready to elevate your impact and influence?

Final thought:
Your work is too important to be seen as second-tier.
With a few small shifts – in language, in measurement, in mindset – you can transform how your role is perceived and valued.

Let’s move security awareness beyond awareness.

 
