Cyber Awareness Month always lands in the middle of budget cycles and board reviews, right when everyone’s trying to explain risk in simple terms and justify what “secure enough” really means.

We’ve all said it: people are the weakest link. But that’s lazy thinking. People are also the only flexible part of our defence model, the part that can sense, adapt, and recover faster than any system we’ll ever build. If you train that muscle well, it will outperform any tool.

The real challenge isn’t awareness… it’s fatigue. Everyone’s been told to stop clicking links, to use MFA, to report the phishing simulation they just failed. The gap now isn’t knowledge, it’s belief. Do people genuinely think their actions matter? Because when they do, they behave differently.

Here’s what makes awareness real, and what turns it into background noise:

1. Make awareness measurable and real.
   Stop measuring completion and start measuring readiness. How fast did teams respond to the last incident? How many risks were spotted before they triggered controls? The best awareness initiatives track behaviour change the way finance tracks cost, as a leading indicator of risk reduction.
   
2. Make identity everyone’s responsibility.
   Access is the new currency of risk. Every role, system, and contractor extends the blast radius. Awareness means people understand that identities don’t just grant access, they define trust. When that message lands, you start seeing fewer exceptions, faster removals, and less drift.
   
3. Link awareness to culture, not compliance.
   If you need a policy to get people to care, you’ve already lost them. Awareness that sticks comes from leaders who model it. How the CFO treats a security review tells the organization more than any training ever will. Culture is built in meetings, not modules.
   
4. Use simulation, not slides.
   People learn by doing, under pressure, with stakes that feel real. Incident exercises, red team social tests, shared post-mortems, that’s where awareness becomes muscle memory. The best CISOs I know treat rehearsal like infrastructure.
   
5. Treat awareness as intelligence.
   Every interaction is a data point. Every “almost mistake” someone catches is a leading signal. Feed that back into monitoring, tuning, and human risk analytics. The line between behavioural insight and security telemetry is fading fast, use it to your advantage.

Looking ahead, the pattern is clear

We’re seeing more business-driven CISOs, fewer command-and-control models. Awareness programs that act like part of the operating system, not an annual campaign. Risk teams borrowing from marketing, psychology, and crisis management, not to scare people, but to make them capable.

2026 will test how well we’ve built awareness into the rhythm of our organizations. It’s not about another toolkit or training cycle. It’s about knowing whether we’ve built a culture that knows how to act when the playbook isn’t enough.

That’s what still actually works.

By Karl-Fredrik “Kalle” Larsson, CISO at ID North
October 2025