Business Reporter

American View: Sick of dreary and condescending security training? So am I. Consider this instead.

I have to admit, I was surprised how popular my retrospective about my time running a security human risk management team was last week. So far, I’ve received more comments on that column than I ever got for – I think – any of the pieces I wrote for American View last year.  Thanks to everyone who chimed in; I appreciate all of you.  


One specific element of my story seemed to resonate with folks in our field. More than any other part, this section has (so far) inspired the most questions this week: 


“We knew that our colleagues’ trust was the essential commodity required for [our] security programs to be effective. … Effective human risk management wasn’t a commodity that one could buy off-the-rack. … all our training content was bespoke and optimized for our culture. … We changed the tone of our communications to reflect … irrepressible positivity and encouraged everyone … to maintain a running dialogue with [us].” [1] 


To ensure I’m not confusing the issue, I want to stress that I’m not arguing against all uses of third-party content and services. I’ve used several effectively and none of them degraded the effectiveness of my program because of how I employed them. I probably should have phrased my comment something like this:  


“Effective human risk management isn’t something that can be delivered entirely through off-the-rack third-party content. Third-party content supplements your core program, but can’t be your entire program, since no third party understands your organisation, mission, culture, and history like only you can.”

There has never been a generic training course that could resonate with an employee as effectively as a personal story shared by another, more seasoned colleague.

That would have been a much more cumbersome way to phrase it, but it is what I believe. I’m fine using other people’s products for phishing sims, tracking behavioural analytics, providing quality stock photos for training decks, and so much else. That said, I am staunchly opposed to using third-party content for delivering organisation-specific core training. Supplemental content? Yes. Absolutely. Just not the “here’s how we do it” material.


An excellent example of this is content from the cheekily named small business Greatest Training Ever. This team of award-winning writers, actors, and production folks produces very short and extremely catchy cybersecurity microlearning videos. To see what I mean, visit their company home page at gtever.com and watch the 60-second video clip that takes up most of the screen. Go do that. Now. Seriously.


[Keil stops, sips coffee, pets dog, and resumes typing]  


See what I mean? That’s exactly what all their content is like. They’ve made something like 200 of these episodes. The way it works is that your company buys a subscription for X amount of time and gets the entire library, plus all the new stuff that gets generated each season. You can upload the video modules to your LMS and assign them out like traditional SCORM packages, or embed them in PPTX decks to spice up presos, or post them to internal social media … or any combination thereof. [2] 


The head honcho at GTEver – Pat Shannon – has been a pal of mine since we first started working together. I first heard about his outfit at one of the SANS Security Awareness & Culture Summits; people in the chat there raved about how much they liked GTEver’s work, so I reached out to Pat to find out what all the fuss was about. We hit it off and have stayed in touch ever since, which is why he and I reconnected following the posting of my last column.  

I have this fabulous couch in my living room that I should take Zoom calls from, but I’m still in the habit of doing everything at my desk and my dog is getting fed up with me.

“I’ve used other companies’ generated training material,” he mused, “and it was so … sterile. So dry and boring. So condescending. Sure, cartoons can be fun, but I find myself wanting to ask these vendors ‘do you realise that you’re teaching adults?’ … These people need to feel that they’re respected by their company in general and by its security apparatus in particular.”  


That was exactly my thinking. I’ve browsed various training content providers’ catalogues looking for stuff I could use and found very little that I’d actually be proud to assign to my users. Catering to them like they’re children is a fast way to burn all your bridges before you start building them. Like inception, but for process failure.  


I told Pat that his stable of comedians who play the newsreader role in the Cyber Security Entertainment News Network shorts are funny without insulting the viewer’s intelligence. They present real security issues and tips in each episode, but in a relaxed fashion that bullseyes the middle ground between sanctimonious and silly. The CSEN scripts are precisely penned to hit the mark where users can be comfortable embracing the episode’s message and amused enough to remember it.


“I agree, but it’s more than just that,” Pat said, after I got down off my soapbox. “We’re also respecting the users’ time. All our episodes are 60 seconds long or less. Far too many of the ‘mandatory’ training blocks that I’ve taken or evaluated have been dreary slogs: 30, 45, or 60 minutes of mind-numbing, pedantic lectures. ‘Look!’ I want to shout, ‘People have stuff to do.’ You need – I believe – to get in, make your point, and get off the stage. People are far more likely to listen to your message when they know it’s never going to waste their time.”


As chance would have it, three hours after Pat told me that, I got a call from my mate Wayne. He recently came out of retirement to help his former employer catch up on high-priority hiring. He couldn’t start work, though, until he completed all his mandatory on-boarding content. Wayne’s new-hire security training module was one of those hour-long slogs. Worse, it didn’t have a real human narrating it; instead, it featured a text-to-speech agent reading every word that appeared on every screen in the course without any emotion, nuance, context, or explanation. Wayne was ready to crack his own skull open on his new desk before he got halfway through the bloody course. 

Wayne’s company employs ~200k people. Honestly, if I discovered that my training had demoralized and infuriated that many people, I’d flee the country, change my name to “Alfie” and avoid all human contact for the rest of my miserable and haunted existence.

That trust-destroying, demoralising, and exhausting user experience is what Pat and I want to change in our industry. The security courses I design for my users are short, punchy, a little funny (where appropriate), and most importantly, laser-focused on what’s unique to our environment. Then, to keep people engaged, we deploy content like CSEN Cyber Tips on a predictable schedule through internal social media. Everyone knows when to drop by the virtual café every week to get a guaranteed laugh and maybe – just maybe – learn something useful.


This, I’ve found, is the optimal way to build trust with your users: make it clear from their first day that their new security element respects them, wants to help them succeed, and will treat them decently. Help new users get their training knocked out efficiently and in such a way that they never get bored or feel condescended to. Keep them engaged with lively interaction, fun optional content, and a vigorous community of other users – not just security boffins – who also want to help them. From that point on, you want your security human risk training, communications, and engagement to cultivate confidence, conviction, and esprit de corps.


So, yeah. I do use off-the-rack, third-party content … but I use it strategically. Remember that I spent over 25 years in the military, so that’s where most of my analogies originate. Since it’s late and I’m tired, let’s go with this one:  For me, it’s like calling on air cavalry to support your engaged infantry. Chopper jocks can’t seize or hold ground and they’re not meant to. They’re a precise and effective support element that will decisively tip the balance of a conflict, thereby allowing you to take and hold the ground you need (so to speak).  


Put another way, use your third-party content wisely, where it’ll do the most good. Don’t ask it to attempt tasks that it’s neither designed for nor capable of delivering. The warmer and more engaging it is, the more goodwill you’ll cultivate in your users. And the less of the users’ time you take away, the more they’ll appreciate you.  

Ask Pat if you don’t believe me.     


[1] Yeah, I know. I feel weird quoting myself.  

[2] To be absolutely clear on this, I’m not getting anything at all from Pat or anyone else to talk about this subject. I asked Pat if I could quote him because I see the value proposition of his CSEN material pretty danged clearly: a couple hundred quid for a huge library for a couple of years? That’s a pittance compared to the remediation cost of a single breach. All you need to break even is to have one user learn and remember one lesson and employ it one time to block an attack.

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543