Why Cyber Awareness Programs Get Stuck—and How to Break Through

Cyber awareness programs have long been recognized as a critical part of any organization’s defense strategy, yet many remain stuck in neutral—struggling to progress from compliance-driven training to impactful, behavior-changing programs. The challenges aren’t new, but as cyber risk grows more sophisticated and targeted, the stakes are higher than ever.

It’s not for lack of shocking figures and data points: breaches are on the rise, costs related to incidents and ransomware are soaring, and humans remain the most targeted link in the security chain. Human Risk Management and Cyber Awareness programs are being asked to deliver more, from shaping digital risk culture to driving measurable behavior change. Yet too often, progress stalls. Why? And more importantly, how can you, as a practitioner, leader, or CISO, get the support you need to evolve your program?


Where Awareness Programs Get Stuck

The 2024 SANS Security Awareness Report reveals a clear distribution of maturity levels among awareness programs. While some organizations are advancing toward integrated, data-driven programs, many remain stuck in foundational phases, focused solely on compliance. This underscores a systemic issue—one that goes beyond individual organizations.

Here are the most common patterns of stagnation:

1. Lack of Budget to Change

Even when the appetite for transformation exists on the team itself, departmental or company-wide budget constraints can stifle progress. Many organizations are locked into outdated vendor contracts or lack the resources to hire additional staff, making it difficult to innovate or scale.

2. Lack of Executive Buy-In

For some, the problem starts at the top. When leadership views cybersecurity as an IT issue rather than a business-critical risk, awareness programs often struggle to secure the funding and attention they need.

3. Lack of CISO Buy-In

Some CISOs remain skeptical about the effectiveness of awareness training, dismissing it as futile: “Humans don’t change; let’s just throw more technology in their way.” This mindset can undermine even the most well-designed programs.

4. Understaffed Teams

Many practitioners are stuck doing it all—writing training content, sending phishing simulations, chasing compliance deadlines. These tasks, while necessary, prevent teams from focusing on strategy, metrics, or high-value initiatives.

5. Doing Too Much

In an effort to tailor every element to their organization, some teams stretch themselves too thin. This “perfectionist” approach often leads to poor execution across the board, with little impact on overall risk reduction.


Strategies to Break Free and Accelerate Progress

So how can organizations overcome these barriers? Obviously you need to secure executive sponsorship, get the resources needed, and foster a security culture. But how? Well, we pride ourselves on being different from other Human Risk Management providers out there, so here are a few ideas to help you think about different ways to get your awareness program unstuck:

1. Flip the Narrative with Metrics That Matter

Instead of leading with compliance stats (e.g., training completion rates), focus on metrics that resonate with executives:

  • Reduction in phishing susceptibility over time.
  • Percentage of high-risk employees who improved post-training.
  • Cost savings tied to risk reduction (e.g., fewer incidents, faster recovery).

Tie your metrics to business outcomes, and use storytelling to connect the dots between human risk and organizational resilience. 
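Computing the first two of those metrics from phishing-simulation results, as an added example that is not part of the original post. The campaign records, employee names, the "training after campaign 2" split and the 0.5 high-risk threshold are all constructed assumptions:

```python
from collections import defaultdict

# Constructed sample data (not from the post): one tuple per simulated phish
# delivered, as (campaign_id, employee, clicked). Campaigns 1-2 ran before the
# targeted training; campaigns 3-4 ran after it.
TRAINING_AFTER_CAMPAIGN = 2
SAMPLE_RESULTS = [
    (1, "alice", True),  (1, "bob", False), (1, "carol", True), (1, "dave", False),
    (2, "alice", True),  (2, "bob", False), (2, "carol", True), (2, "dave", True),
    (3, "alice", False), (3, "bob", False), (3, "carol", True), (3, "dave", False),
    (4, "alice", False), (4, "bob", False), (4, "carol", True), (4, "dave", False),
]


def click_rate_by_campaign(results):
    """Fraction of delivered simulations that were clicked, per campaign."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for campaign, _, was_clicked in results:
        sent[campaign] += 1
        clicked[campaign] += int(was_clicked)
    return {c: clicked[c] / sent[c] for c in sorted(sent)}


def susceptibility_reduction(results, training_after=TRAINING_AFTER_CAMPAIGN):
    """Relative drop in mean click rate from pre- to post-training campaigns.
    Returns 0.0 when there is nothing to compare, so a brand-new program
    cannot report a spurious improvement."""
    rates = click_rate_by_campaign(results)
    pre = [r for c, r in rates.items() if c <= training_after]
    post = [r for c, r in rates.items() if c > training_after]
    if not pre or not post:
        return 0.0
    pre_mean, post_mean = sum(pre) / len(pre), sum(post) / len(post)
    return (pre_mean - post_mean) / pre_mean if pre_mean else 0.0


def high_risk_improvement(results, training_after=TRAINING_AFTER_CAMPAIGN, threshold=0.5):
    """Share of high-risk employees (pre-training click rate >= threshold) whose
    post-training click rate fell. Returns (share, improved, high_risk)."""
    # per employee: [pre_sent, pre_clicked, post_sent, post_clicked]
    stats = defaultdict(lambda: [0, 0, 0, 0])
    for campaign, employee, was_clicked in results:
        offset = 0 if campaign <= training_after else 2
        stats[employee][offset] += 1
        stats[employee][offset + 1] += int(was_clicked)
    high_risk = sorted(e for e, s in stats.items() if s[0] and s[1] / s[0] >= threshold)
    improved = [e for e in high_risk
                if stats[e][2] and stats[e][3] / stats[e][2] < stats[e][1] / stats[e][0]]
    share = len(improved) / len(high_risk) if high_risk else 0.0
    return share, improved, high_risk
```

Reporting the per-employee view only as an aggregate share keeps the executive metric about program effect rather than about naming individuals.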

2. Pilot High-Impact Initiatives

Identify one high-value area of risk—like executive-targeted phishing or AI-driven social engineering—and pilot a tailored program. Use the results to build a case for broader investment.

3. Outsource Low-Value Tasks

Consider managed services to handle routine tasks like phishing simulations or compliance reminders. Free up your internal team to focus on strategy, measurement, and engagement.

4. Focus on Culture, Not Just Training

Engage HR and communications teams to integrate cybersecurity into the fabric of your organization’s culture. Regular, informal touchpoints—like newsletters, gamified challenges, or social media-style posts—can reinforce key messages without adding to employees’ workload.

5. Emphasize the Human ROI

Reframe awareness programs as investments in your people, not just your defenses. Position training as a tool for empowering employees to protect themselves, their families, and their organization.

6. Challenge the Status Quo

If budget or executive buy-in is a barrier, consider bringing in external experts to conduct a human risk baseline or program review. A fresh perspective can help you identify gaps, prioritize efforts, and make a compelling case for change.


The Cost of Staying Stuck

Failing to evolve your awareness program isn’t just a missed opportunity—it’s a growing liability. With cyber threats advancing at an unprecedented pace, the risks of inaction are significant:

  • Increased vulnerability: Stagnant programs leave your people—and your organization—exposed to emerging threats.
  • Higher costs: Recovering from incidents caused by human error is far more expensive than investing in prevention.
  • Eroded trust: Repeated breaches can damage employee confidence and organizational reputation.

A Call to Action

If your awareness program feels stuck, it’s time to shift gears. Start with small, high-impact changes, build a foundation of measurable success, and advocate for the resources you need to scale. The road to maturity isn’t easy, but with the right strategy, tools, and support, it’s achievable. 
