Brian Villanueva, CISSP, CC shares his experiences of trying to make security awareness programs work, along with explaining how he approached building a security culture to support a lasting defensive posture.

By Brian Villanueva, CISSP, CC

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

When I first stepped into a security leadership role, I heard the same refrain that many in our field have grown accustomed to: “Security awareness doesn’t work.” At the time, even I believed it. I’d inherited a program built around once-a-year training and predictable phishing simulations. The results looked exactly like you’d expect: people clicked, reported inconsistently and treated security as something abstract and distant from their daily work. The longer I worked in the environment, the more convinced I became that the real problem wasn’t awareness training itself, but how we approached it.

Over the past three years, I have helped an entire organization shift its security behavior without flashy platforms or fear-driven messaging. The turning point had nothing to do with new technology. It came from something far less talked about in cybersecurity: “psychological safety”.

The first time I realized how powerful psychological safety could be was after a near-miss social engineering incident. An employee had received a well-crafted impersonation message but hesitated to report it. The hesitation wasn’t caused by a lack of knowledge but by a fear of appearing uninformed. That moment stayed with me. We weren’t failing because employees didn’t recognize threats; we were failing because they didn’t feel free to speak up.

I made one change that day. I told the entire organization: “Reporting something suspicious, even if it turns out to be nothing, is a win.”

Over time, this simple statement shifted the dynamic. Employees began forwarding questionable messages without fear, asked more questions and pushed back on unusual requests. They trusted us to treat every report as a learning opportunity rather than a reprimand. I was able to stop thinking of our staff as passive risks and to begin seeing them as active defenders.

Transforming Awareness from Task to Culture

One of the most effective initiatives I introduced was our annual Phishing Derby, in which employees earn recognition not for perfection but for participation, curiosity and improvement. I’ve seen people go from clicking nearly everything to becoming some of our strongest sentries, simply because they knew their efforts mattered.

I also learned that developing small habits can shift culture faster than large, infrequent training events. Whenever someone reports a suspicious message, I take a moment to thank them, explain what they caught and share what we learned. These micro-interactions add up to a feedback loop that is far larger than its parts, and both sides improve through it.

It works: two recent social engineering attempts were stopped because employees acted quickly and confidently. Their success had nothing to do with technical skill; it was because they felt supported enough to speak up before damage occurred. These kinds of outcomes have convinced me that awareness does work when an organization creates the conditions for it to work.

How We Did It

When I first evaluated our awareness efforts, it became clear that the existing approach didn’t support the behavior we wanted. We employed the familiar components that many organizations rely on: annual training, click-through modules and standard phishing tests. Such activities generate completions but not engagement: employees were finishing the material yet weren’t consistently applying what they learned.

I also noticed that the program emphasized completion and performance metrics over confidence and communication. That pattern is common across the industry – but it can unintentionally create hesitation. Employees may second-guess themselves or hold back from reporting for fear of making a mistake.

The insight that changed my approach was straightforward: awareness programs succeed when employees feel supported, not evaluated. Awareness was not the problem; the surrounding cultural signals were.

What Actually Works

Improved practices have strengthened our posture more than any new tool I have implemented. For my colleagues in cybersecurity, here are the practices that I’ve found have consistently strengthened our culture and improved security behavior:

  • Making reporting safe and celebrated has had the greatest impact. When people know their report will be met with appreciation rather than criticism, they respond more quickly and with greater confidence. A positive reporting experience has often been the moment someone truly began to see themselves as part of the security team. I end every response to a phishing report with a simple note of gratitude, and that consistency has made a measurable difference.
  • Using real interactions as learning moments has also proved to be far more effective than relying on formal modules alone. A short conversation about a suspicious email or an unusual request has often taught more than any structured training session. These day-to-day exchanges have made security feel practical and relevant.
  • Teaching the “why,” not just the “what” has helped employees across the organization understand the purpose behind policies and safeguards. Once people grasped the reasoning, secure behavior became intuitive rather than imposed. They began to recognize risks on their own instead of waiting for instructions.
  • Focusing on consistency instead of intensity has created lasting habits. Regular reminders and light touch engagements have done more to shape behavior than any single annual training event. Habit formation has come from repetition, not volume.
  • Positioning employees as partners in defense shifted mindsets in a way tools cannot. Once our people felt valued and trusted, they took ownership of protecting the organization, transitioning from passive participants in a training program to active contributors to resilience.
  • Recognizing successful reports reinforces behaviors of the sort that we want to see more of. Highlighting good catches sends a message that attentiveness matters and that individual actions have impact. Positive reinforcement spread quickly across our workforce.

Awareness Isn’t Dying; It’s Maturing

Some claim that security awareness is outdated or ineffective. But this has not aligned with what I have seen in practice. Awareness is far from dying; it’s maturing into something more human-centered and culturally grounded.

Leading awareness efforts has reinforced one lesson above all: you cannot create perfect behavior through training alone; the older model of fear-based messaging, lengthy modules and public shaming has reached its limits. But, as I’ve found, you can cultivate an environment where people are motivated to stay alert and engaged. When organizations embrace trust, transparency and psychological safety, awareness becomes something employees participate in rather than endure.

Brian Villanueva, CISSP, CC, has 15 years of experience in cybersecurity, physical security and emergency response. He has held technical and leadership roles, with responsibility for security culture, awareness programs and workforce engagement initiatives. His cybersecurity work spans psychological safety, human risk and behavior-informed security practices.