Cybersecurity awareness is often reduced to check-the-box training, but David Habib, CIO at Brightspot, argues that real security awareness isn’t about formal programs—it’s about making security part of a company’s culture. In this episode, he shares practical insights on how organizations can move beyond stale training sessions to create an engaged and security-conscious workforce.
Building a Culture of Cybersecurity Awareness
Many organizations treat security awareness as a compliance requirement, but David believes awareness is most effective when it’s woven into daily operations.
“We spend a lot of time reinforcing the context—what we’re protecting, why it matters—before we even talk about threats,” he explains. Employees are more likely to care about security when they understand how it connects to their work, their customers, and their own privacy.
Why Expensive Awareness Programs Miss the Mark
Companies often spend big on cybersecurity awareness training, but David suggests that awareness should be built organically through conversation rather than outsourced to generic training providers.
- Awareness isn’t a one-time event – It’s an ongoing conversation, not an annual training video.
- Formal training isn’t always effective – Generic security training often feels detached from employees’ actual work.
- Cultural integration is key – “When employees start sharing phishing attempts with each other, that’s when you know security has become part of the company culture.”
Instead of investing in expensive programs, organizations should invest time in open discussions, lightweight security check-ins, and real-world examples employees can relate to.
Avoiding the ‘Tinfoil Hat’ Approach to Security
Security leaders often struggle to balance protecting the organization with maintaining operational agility. “If you sound like you’re constantly shouting about the next big threat, people start tuning you out,” David says. Instead, he recommends:
- Keeping security practical – Instead of overwhelming teams with worst-case scenarios, focus on clear, business-relevant risks.
- Minimizing friction – Security controls should align with business workflows, not hinder productivity.
- Empowering employees – Security teams should act as enablers rather than gatekeepers, helping teams work securely without slowing them down.
Where to Start: Security Awareness for Small Businesses
For organizations without dedicated security teams, David advises starting with two key steps:
- Inventory what you’re protecting – Identify critical business data and assets before worrying about specific threats.
- Join security communities – Engaging with security professionals via Reddit, LinkedIn, or industry forums can provide valuable insights without the cost of consultants.
Final Takeaways
- Cybersecurity awareness is a cultural effort, not a checklist. Real awareness happens through ongoing conversations, not annual training.
- Meet employees where they are. If security messages don’t resonate, they won’t stick—make it relevant, engaging, and accessible.
Listen to the CyberWatch podcast on Spotify and Apple Podcasts, or watch the episode on YouTube.