Sign up to save your podcasts
Or
Share How To Get Your Staff to Actually Care About Cybersecurity
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
How To Get Your Staff to Actually Care About Cybersecurity
Welcome to Razorwire, the podcast that challenges conventional thinking about cybersecurity with insight, humour and a dose of reality.
In this episode, James Rees is joined by security awareness specialists Amy Stokes-Waters and Jemma to dismantle outdated approaches to security training. From click-through fatigue to the critical importance of culture change, our experts explore why traditional computer-based training fails to make organisations truly secure.
Listen as Amy and Jemma share their expertise on transforming security awareness from a box-ticking exercise into meaningful behaviour change. Their refreshingly honest assessment of the "80% compliance myth" and why focusing on business impact rather than personal consequences undermines effectiveness will have security professionals nodding in recognition.
Whether you're a CISO struggling with training completion rates, an IT professional tired of being ignored, or someone who's repeatedly clicked "next" through mandatory security modules wondering if there's a better way, this conversation offers practical alternatives to the stale CBT approach that dominates the industry.
Tune in for a candid discussion that feels like eavesdropping on three security professionals brainstorming how to fix what's broken in security awareness while acknowledging the realities of human behaviour.
3 Key Talking Points:
- Why Traditional Security Training Fails Everyone Discover the fundamental flaws in conventional security awareness approaches that waste both time and budgets. When Amy reveals that "less than 1% [of IT budgets] is spent on humans" while "95% of incidents are caused by humans," you'll understand why throwing money at technical solutions while neglecting human factors is a losing strategy. Listen for actionable insights on avoiding the compliance trap that leaves organisations vulnerable despite ticking all the regulatory boxes.
- The McDonald's Approach to Security Awareness Learn why successful security awareness should mirror effective marketing campaigns rather than dreaded annual training sessions. Our experts break down how security teams should adopt McDonald's persistent, multi-channel strategy instead of expecting one-off sessions to change behaviour. You'll gain practical strategies for implementing "security by osmosis" that keeps protective measures visible and top-of-mind without creating training fatigue or resistance.
- Measuring What Actually Matters Transform how you evaluate security awareness effectiveness with metrics that genuinely reflect improved security. When Jemma dismantles the "80% of people scored 80%" myth, you'll understand why completion rates and phishing test results fail to indicate real security improvements. Listen for concrete guidance on tracking meaningful engagement metrics like security team contact, proactive reporting, and actual incident reduction that demonstrate true cultural change rather than superficial compliance.
"What a lot of people are doing is security training for compliance, but they're not actually doing anything around the culture. They're hitting the compliance metrics. Brilliant. But the actual culture of the organization is still inherently insecure."
- Amy Stokes-Waters, on the difference between compliance and cultural change
Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen
In this episode, we covered the following topics:- Budget Reality Check: Learn why organisations spending less than 1% of IT budgets on human factors whilst 95% of incidents are human-caused represents a critical strategic error
- Bite-sized Learning: Understand why continuous micro-learning beats annual training blocks for better retention and genuine security improvements
- Marketing Mindset: Adopt proven principles from successful marketing campaigns to make security awareness omnipresent and effective rather than a dreaded annual chore
- Personalisation Power: Discover how offering people choices in how they learn dramatically increases engagement and knowledge retention across diverse workforces
- Role-Based Approach: Implement targeted security training for different departments (developers, finance, executives) that addresses their specific risk profiles
- Phishing Test Pitfalls: Recognise how traditional phishing simulations may inadvertently discourage collaboration and reporting – exactly the behaviours good security requires
- Meaningful Metrics: Shift from completion statistics to tracking genuine engagement indicators like security team contact and incident reduction rates
- Security Champions Network: Identify and nurture internal advocates who can amplify security messaging and create positive peer influence
- Personal Relevance: Transform employee apathy by connecting security practices to personal benefits rather than abstract organisational consequences
- Culture Over Compliance: Build genuine security culture that withstands evolving threats rather than merely satisfying point-in-time compliance requirements
- Mobile-first Training: Engage the "TikTok generation" with security awareness delivered through the devices and formats they already prefer
Other episodes you'll enjoy
- Security vs Privacy: The Ethics of Data Collection
YouTube: https://youtu.be/iIRv0qVXmWM
Spotify: https://open.spotify.com/episode/0wbWKF9zyxkHMY5kKMZyx5
- The Business of Biometrics: Data Protection and Ethical Standards in Cyber Security
YouTube: https://youtu.be/eWfRalOk0E8
Spotify: https://open.spotify.com/episode/1QJPHcVRkKIIht3zsJWqWq
Connect with your host James Rees
Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cybersecurity professionals who dedicate their careers to making a hacker’s life that much more difficult.
Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.
With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.
For more information about us or if you have any questions you would like us to discuss email [email protected].
If you need consultation, visit www.razorthorn.com, We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.
Linkedin: Razorthorn Security
YouTube: Razorthorn Security
Twitter: @RazorThornLTD
Website: www.razorthorn.com
Loved this episode? Leave us a review and rating here
All rights reserved. © Razorthorn Security LTD 2025
View all episodes
By Razorthorn SecurityWelcome to Razorwire, the podcast that challenges conventional thinking about cybersecurity with insight, humour and a dose of reality.
In this episode, James Rees is joined by security awareness specialists Amy Stokes-Waters and Jemma to dismantle outdated approaches to security training. From click-through fatigue to the critical importance of culture change, our experts explore why traditional computer-based training fails to make organisations truly secure.
Listen as Amy and Jemma share their expertise on transforming security awareness from a box-ticking exercise into meaningful behaviour change. Their refreshingly honest assessment of the "80% compliance myth" and why focusing on business impact rather than personal consequences undermines effectiveness will have security professionals nodding in recognition.
Whether you're a CISO struggling with training completion rates, an IT professional tired of being ignored, or someone who's repeatedly clicked "next" through mandatory security modules wondering if there's a better way, this conversation offers practical alternatives to the stale CBT approach that dominates the industry.
Tune in for a candid discussion that feels like eavesdropping on three security professionals brainstorming how to fix what's broken in security awareness while acknowledging the realities of human behaviour.
3 Key Talking Points:
- Why Traditional Security Training Fails Everyone Discover the fundamental flaws in conventional security awareness approaches that waste both time and budgets. When Amy reveals that "less than 1% [of IT budgets] is spent on humans" while "95% of incidents are caused by humans," you'll understand why throwing money at technical solutions while neglecting human factors is a losing strategy. Listen for actionable insights on avoiding the compliance trap that leaves organisations vulnerable despite ticking all the regulatory boxes.
- The McDonald's Approach to Security Awareness Learn why successful security awareness should mirror effective marketing campaigns rather than dreaded annual training sessions. Our experts break down how security teams should adopt McDonald's persistent, multi-channel strategy instead of expecting one-off sessions to change behaviour. You'll gain practical strategies for implementing "security by osmosis" that keeps protective measures visible and top-of-mind without creating training fatigue or resistance.
- Measuring What Actually Matters Transform how you evaluate security awareness effectiveness with metrics that genuinely reflect improved security. When Jemma dismantles the "80% of people scored 80%" myth, you'll understand why completion rates and phishing test results fail to indicate real security improvements. Listen for concrete guidance on tracking meaningful engagement metrics like security team contact, proactive reporting, and actual incident reduction that demonstrate true cultural change rather than superficial compliance.
"What a lot of people are doing is security training for compliance, but they're not actually doing anything around the culture. They're hitting the compliance metrics. Brilliant. But the actual culture of the organization is still inherently insecure."
- Amy Stokes-Waters, on the difference between compliance and cultural change
Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen
In this episode, we covered the following topics:- Budget Reality Check: Learn why organisations spending less than 1% of IT budgets on human factors whilst 95% of incidents are human-caused represents a critical strategic error
- Bite-sized Learning: Understand why continuous micro-learning beats annual training blocks for better retention and genuine security improvements
- Marketing Mindset: Adopt proven principles from successful marketing campaigns to make security awareness omnipresent and effective rather than a dreaded annual chore
- Personalisation Power: Discover how offering people choices in how they learn dramatically increases engagement and knowledge retention across diverse workforces
- Role-Based Approach: Implement targeted security training for different departments (developers, finance, executives) that addresses their specific risk profiles
- Phishing Test Pitfalls: Recognise how traditional phishing simulations may inadvertently discourage collaboration and reporting – exactly the behaviours good security requires
- Meaningful Metrics: Shift from completion statistics to tracking genuine engagement indicators like security team contact and incident reduction rates
- Security Champions Network: Identify and nurture internal advocates who can amplify security messaging and create positive peer influence
- Personal Relevance: Transform employee apathy by connecting security practices to personal benefits rather than abstract organisational consequences
- Culture Over Compliance: Build genuine security culture that withstands evolving threats rather than merely satisfying point-in-time compliance requirements
- Mobile-first Training: Engage the "TikTok generation" with security awareness delivered through the devices and formats they already prefer
Other episodes you'll enjoy
- Security vs Privacy: The Ethics of Data Collection
YouTube: https://youtu.be/iIRv0qVXmWM
Spotify: https://open.spotify.com/episode/0wbWKF9zyxkHMY5kKMZyx5
- The Business of Biometrics: Data Protection and Ethical Standards in Cyber Security
YouTube: https://youtu.be/eWfRalOk0E8
Spotify: https://open.spotify.com/episode/1QJPHcVRkKIIht3zsJWqWq
Connect with your host James Rees
Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cybersecurity professionals who dedicate their careers to making a hacker’s life that much more difficult.
Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.
With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.
For more information about us or if you have any questions you would like us to discuss email [email protected].
If you need consultation, visit www.razorthorn.com, We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.
Linkedin: Razorthorn Security
YouTube: Razorthorn Security
Twitter: @RazorThornLTD
Website: www.razorthorn.com
Loved this episode? Leave us a review and rating here
All rights reserved. © Razorthorn Security LTD 2025