Brian Sims
Editor
Chief Information Security Officers (CISOs) operational in the EMEA region are calling time on traditional security awareness training as new research from MetaCompliance reveals that 78% of them firmly believe their approach towards security awareness education needs to evolve on an urgent basis. The research highlights the widespread concern among CISOs that current methods are failing to address human cyber risk.
The study, which surveyed 200 CISOs across the UK, Sweden, Germany and France, found that 81% of CISOs feel security awareness programmes fail because they treat human cyber risk as a training issue rather than a wider risk management challenge. At the same time, 68% of those businesses surveyed identify employees as their biggest security risk, highlighting a persistent and unresolved vulnerability at the heart of enterprise security.
Despite continued investment in awareness programmes – with organisations allocating, on average, 15% of annual security budgets to awareness education and 79% delivering training at least every two weeks – outcomes remain inconsistent. 25% of organisations say they struggle to capture employee attention, while 24% fail to embed secure behaviour into daily work and a further 24% struggle to align stakeholders across functions. These outcomes reinforce the belief that the challenge is as much organisational in scope as it is behavioural.
This ‘disconnect’ is being driven by an outdated approach. While many CISOs believe their organisations have moved beyond ‘tick-box’ awareness – with some describing their approach as behaviour-led (33%) or based on integrating human risk management (24%) – the perceived progress doesn’t appear to be translating into meaningful change.
Human vulnerabilities
James Mackay, CEO at MetaCompliance (the human cyber risk management company transforming how organisations build resilient security cultures) said: “Confidence is rising, but that doesn’t mean risk is falling. Many businesses mistake completed security training for real security when the underlying human vulnerabilities haven’t changed.”
Mackay continued: “This creates a dangerous disconnect. Businesses feel more secure, yet employees remain the biggest source of risk. At the same time, threats are becoming more sophisticated, with Artificial Intelligence (AI) accelerating the scale and precision of social engineering attacks. This is leaving organisations increasingly exposed if that gap isn’t addressed.”
As a direct result, CISOs are calling for a more strategic model. Nearly four in every five (79%) of them want to move towards human risk management: an approach that focuses on identifying high-risk individuals and tailoring interventions based on behaviour, as well as nurturing an organisation-wide collective security culture.
A further 83% of those CISOs surveyed believe targeted interventions would reduce risk on a faster footing, while 80% suggest that security messaging is most effective when delivered in the flow of work.
Increasing pressure
This shift emerges as organisations face increasing pressure to modernise their defences due to the evolving threat landscape. Across the next 12 months, organisations expect to focus on increasing engagement frequency (27%), demonstrating measurable Return on Investment (25%) and tailoring interventions to high-risk individuals (24%), particularly so in response to AI-enabled social engineering (24%).
James Mackay concluded: “Human cyber risk needs to be treated like any other business risk: measurable, targeted and continuously managed. That means moving beyond awareness towards genuine behaviour change. Organisations need to flip the script on how they’re managing cyber security, using real-time targeting and insight to reach the right people with the right message and at the right time. That’s how you reduce human cyber risk at scale.”
The research was conducted by Censuswide among a sample of CISOs in companies with 250-plus employees (aged 30-plus). The data was collected between 17 and 23 February.
Further information is available online at www.metacompliance.com
Western Business Media Limited