This Cybersecurity Month, ISC2 Insights is focusing on all aspects of the profession and asked our volunteers to answer a few questions. Today we look at answers to the question “What is the best form of security education organizations can provide to stakeholders?” Respondents offered a variety of suggestions, with particular emphasis on providing engaging content, customization, and hands-on, real-world simulations.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
Get Their Attention
It seems the first rule of delivering effective cybersecurity training is to grab users’ attention through engaging content. Respondents recommended methods like gamification, simulation and tabletop exercises.
Andreas Panayi, CISSP, made the case that gamified content, coupled with milestone targets, will get people talking about what they are learning. Ser Dyk Aldeza, CISSP, suggested interactive methods such as quizzes, group discussions, and real-life scenarios. “This active participation helps reinforce learning and makes the training more memorable,” Aldeza said.
(Eric) Vu Van Than, CISSP, SSCP, CC, talked about habit formation by integrating training into realistic business scenarios. “The most effective training approach is to use role-based methods combined with real-world simulations, such as phishing campaigns and incident response exercises.”
Than suggested launching Security Champion programs, with people from each department serving as internal advocates for secure practices. Participants who excel in gamified programs should get points or badges in recognition.
Make It Real
Respondents said simulating real-world scenarios through phishing campaigns, tabletop exercises and other methods is particularly effective. Joe Hawley, CISSP, likes the tabletop exercises. “They engage stakeholders in realistic scenarios, encouraging active participation and critical thinking.”
Written cybersecurity policies and training modules are a good start, he said. “But walking through it, step by step, with a cross-functional team of business, IT, and security professionals creates lasting understanding. That’s how you build a security-first mindset that sticks.”
Nelson Hernandez, ISC2 Candidate, argued effective security education requires more than annual training programs. “They often become just another checkbox,” he said. “When stakeholders understand how phishing attempts, social engineering, or weak configurations could directly impact patient care, client data, or day-to-day operations, it makes the message more personal and impactful.”
Hernandez recommended delivering simulated phishing campaigns, brief refresher videos, and team-based exercises throughout the year to “reinforce good habits and keep security top of mind.”
Samuel M Tilling, CISSP, SSCP, CC, also stressed the importance of ongoing training. Content should be relevant, he said. “Everyone has seen the same slideshow telling you not to click suspicious links. If you want your stakeholders to be engaged, use real-world scenarios based on their roles. Show the HR team the risk of disclosure of PII. Show the CFO how a Business Email Compromise attack works. Show the leadership team the legal, financial, and strategic risks of a cyber-related incident.”
Tailor the Content
Training content needs to be customized to make it relevant. “There is no one-size-fits-all approach here,” said Cary Vidal, CISSP. “It will be whatever drives the best engagement in your organization. Even within the organization, this may differ depending on the audience.”
Aldeza views tailored training as a starting point. Sessions should be designed for different roles and responsibilities in the organization with content “directly applicable to each stakeholder's daily tasks.” Continuous assessment helps keep it fresh, Aldeza added. Combining it with feedback on a regular basis lets you adjust training and improve the program’s effectiveness.
Follow along with us this Cybersecurity Month on LinkedIn as we showcase ISC2 member-driven articles from experience to guidance. If you are a small business or non-profit interested in support to drive a culture of cybersecurity, consider scheduling a free Cybersecurity Health Check, where you’ll receive a checklist to help you mitigate your cyber risk, available from ISC2’s charitable arm, the Center for Cyber Safety & Education and ISC2 volunteers.