"Security feels technical, until you show it happens in your own pocket every day." In many organisations the idea arises almost automatically that security is a technical domain. That it is about firewalls, encryption, password policy and systems, and therefore mainly about IT. Employees see it as something outside themselves. To be fair: we as security professionals fed that image ourselves for years.
People do not learn from technology, but from recognition
When security is presented as technology, something very predictable happens: employees disengage. Not because they do not want to contribute, but because they do not recognise themselves in the examples. A scenario about a zero-day exploit says little to people. An explanation about hashes and tokens even less. It does not land. It slips away.
Awareness only works when you tie it to human experiences. To situations employees recognise, preferably from their own lives. When you explain how someone was approached on WhatsApp by a "family member", or how a colleague nearly paid for a parcel that was never ordered, you immediately see a different kind of attention. People nod. Sometimes laugh. Tell their own story. Those are exactly the moments when awareness begins.
Security becomes everyone's the moment employees recognise themselves in it
The shift in organisations does not come from more policy or technical presentations, but from examples so recognisable that employees think: "This could have happened to me too." When you tie security to private behaviour — passwords, phones, apps, parcels, social engineering in daily life — recognition arises. And recognition is the engine of behaviour change.
From that moment the responsibility shifts: security is no longer something IT "arranges", but something employees themselves recognise, understand and can influence. The moment people see themselves in the examples, they also see themselves in the solution.
Related articles
- Why employees turn out to be more digitally skilled
- Awareness does not work without management involvement
FAQ
How do you avoid technical jargon in awareness?
Test every module with a non-IT colleague: 'Do you understand this without googling?' If not, rewrite. Simplicity is a choice, not a coincidence.
Which private themes work best?
WhatsApp fraud, parcel-delivery scams, 'family in distress' messages, social media impersonation. Everyone has experience with these.
So can IT no longer be involved in awareness at all?
It can, as sponsor and technology owner. But the message must come from HR, communications or management, not from 'IT reports:' emails.
What about technical roles that do need jargon?
A separate track for IT staff with deeper technical content. But that is an addition to general awareness, not a replacement for it.