Infrascale

Security Awareness Training Statistics: USA 2025

Security awareness training has moved from the margins to the mainstream. As cyber threats grow more sophisticated and attack surfaces expand, organizations are placing a greater focus on equipping employees to recognize risks and respond effectively. However, delivering training that actually changes behavior remains a complex challenge. From content and delivery to executive buy-in and measurement, the way training is planned and perceived is evolving fast.

To understand how organizations are adapting, we leveraged AI-driven audience profiling to synthesize insights to a high statistical confidence level. This allowed us to gather responses from 58,984 senior technology leaders in the USA over the 12 months to April 14, 2025, offering a detailed view into what’s working, what’s stalling, and where the real pressure points lie.


    How Is Cybersecurity Introduced During New Employee Onboarding?

    There’s a 20% split in the way US senior technology leaders introduce cybersecurity during onboarding

    How companies introduce cybersecurity varies just as much as the threats they face:


    A recent study found that employees expect cybersecurity training to start on day one, and they see it as the company’s responsibility to provide it. Whether it comes through IT, HR, or an online module doesn’t matter as much as when and how it’s delivered. But there’s no single approach companies lean on. Our data shows an even split across five methods.

    20% introduce cybersecurity via email or documentation, providing static resources for employees to read. Another 20% deliver it through team-specific sessions, embedding training within individual departments. 20% cover cybersecurity during general orientation, integrating it into the wider onboarding process. Another 20% take a formal approach, presenting policies in a structured session. Finally, 20% provide a dedicated training module, offering more comprehensive instruction.

    The split shows that organizations are taking varied paths to the same goal. With human error driving the majority of breaches, the bigger question is whether these methods are effective enough to build real awareness from the start.

    What Is The Current Frequency Of Training Delivery To Staff?

    Monthly training is the most common approach, used by 38% of senior tech leaders

    Cybersecurity training is on the agenda, but how often it happens reveals some clear gaps:

    38% of senior tech leaders implement monthly staff training. This reflects a growing push for consistency, recognizing that one-off sessions aren’t enough in the face of ever-evolving threats. Still, 22% offer training without a set schedule, making it harder to ensure every employee stays informed.

    Beyond that, 18% train annually, 12% twice a year, and 10% quarterly, meaning the majority of companies train less than once a month.

    That’s where the bigger gap appears. According to a recent survey, only 7.5% of organizations use adaptive training that adjusts content based on regular security awareness tests and employee performance. These systems respond to real-world needs, helping employees stay sharp as threats evolve. Yet most organizations still rely on fixed, traditional schedules, missing out on the proven benefits of a more responsive, personalized approach.

    How Do You Currently Deliver The Training Content?

    43% of senior technology leaders favor in-person workshops for training

    How cybersecurity training is delivered can shape how well it sticks:

    In-person workshops come out on top, used by 43% of our audience. These sessions allow for real-time interaction and focused attention, but they can be resource-intensive and harder to scale. LMS and e-learning platforms follow at 24%, offering more flexibility and tracking, but often lacking the human element. Meanwhile, 16% deliver training without any formal method, which risks inconsistency. Email series are used by 13%, and just 4% rely on live virtual sessions, even though they could blend structure with accessibility.

    A 2024 global survey by Statista largely corroborates this picture. Computer-based training led globally at 45%, and in-person sessions followed at 37%. Interestingly, 34% of respondents reported using virtual, instructor-led formats, suggesting this approach plays a much larger role globally than in our audience.

    What Is Your Biggest Barrier To Employee Engagement?

    77% of leaders feel a lack of accountability is the top barrier to employee engagement

    Getting employees engaged in training takes more than just good content:

    According to Gartner, 68% of security leaders say low engagement is one of the biggest challenges in designing effective programs. This aligns with our findings: 77% cite lack of accountability as the biggest barrier to employee participation. When no one is clearly responsible for taking the training or acting on it, it often becomes a box-ticking exercise.

    Only 23% of our audience says the problem is a lack of tailored content, but that may be under-recognized. This ties in with the Gartner data, which also found that many programs are too technical (34%) or not relevant to employees’ roles (33%), limiting their impact.

    This accountability gap highlights the disconnect between training completion and actual security outcomes. Andrew Evers shares a perspective on addressing this challenge: “Accountability becomes possible when security behaviors are observable. The organizations succeeding here aren’t just tracking completion rates—they’re establishing clear security expectations within performance metrics and celebrating positive security decisions. When we make good security practices visible, they become valued rather than viewed as obstacles.”

    What Motivates Employees To Complete Training?

    79% agree mandatory compliance is the key motivator for employees to complete training

    Motivation depends on more than just making training available:

    For most employees, the reason they complete cybersecurity training is simple: they’re required to. Mandatory compliance drives 79% of participation, while just 12% say real-world examples boost engagement. Internal recognition motivates 8%, and peer pressure only 1%.

    This lines up with broader industry data. A 2025 Bitwarden report found that 68% of IT managers see employee motivation as the biggest challenge in implementing security protocols, even in high-risk scenarios like updating compromised passwords. Over half say employees don’t take security seriously.

    How Do You Currently Measure Training Effectiveness?

    49% rely on employee quiz results to measure training effectiveness

    Understanding the impact of training starts with knowing how it’s measured:

    For our audience, quizzes are the most common tool and are used by 49% to check understanding. While useful for reinforcing knowledge, the CDC notes that quizzes mainly assess short-term recall, not long-term behavior change. Another 33% say they measure effectiveness, though methods vary. Only 18% use feedback surveys, missing valuable insight from learners.

    The CDC recommends pairing quizzes with post-training surveys, delayed assessments, and real-world performance metrics for a more accurate picture of impact.

    How Confident Are You In Employees' Ability To Recognize Suspicious Emails Or Links?

    100% of US senior technology leaders are confident in employees' ability to spot cyber risks

    Confidence in employees is unanimous among our audience:

    A full 100% of our audience expressed confidence in their employees’ ability to spot suspicious emails or links. That’s a remarkable show of trust. However, it raises questions when compared to broader industry data. In 2024, 68% of security breaches involved the human element. Confidence may be high, but if it’s not backed by regular testing and reinforcement, it can turn into complacency, and that’s when mistakes slip through.

    Which Threat Do You Believe Employees Are Least Prepared For?

    53% say employees are least prepared for the threat of phishing

    Some threats stand out as persistent gaps in employee readiness:

    Phishing leads, with 53% of senior technology leaders saying employees are least prepared to deal with it. That concern is well-founded. In the second half of 2024, credential phishing attacks surged by 703%, and phishing message volume rose by 202%. The scale and sophistication of these attacks continue to grow rapidly.

    Password reuse follows closely at 45%, highlighting an ongoing challenge with basic security behavior. Meanwhile, only 2% cite sensitive data handling, and less than 1% mention mobile device misuse, placing the sharpest focus on social engineering and password hygiene.

    How Would You Describe Leadership's Involvement In Promoting Security Training?

    70% feel leadership is supportive but not vocal when promoting security training

    Leadership plays a key role in shaping how security is prioritized, but their involvement varies:

    According to the World Economic Forum, 96% of executives believe that more organization-wide training and awareness would help reduce cyberattacks. That level of consensus shows how important leadership is in driving a strong security culture. Yet, when we look at how involved leaders actually are, the picture is more reserved. 

    70% of our audience say leadership is supportive but not vocal. Another 19% describe leadership as confident in their support, while only 10% say leaders are actively involved, championing the message from the top. Just under 1% say leadership is unsupportive, suggesting resistance is rare, but visibility remains a challenge.

    How Involved Is IT In Developing Or Selecting Training Materials?

    41% say IT is occasionally involved in creating or managing training material

    Training content often draws on technical expertise, though IT’s level of involvement isn’t always consistent:

    When it comes to how involved IT is in developing or selecting training material, 41% of senior technology leaders say IT provides occasional input, likely advising when needed but not owning the process. Another 41% say IT is involved more consistently, suggesting closer collaboration with those responsible for training delivery.

    Beyond that, 11% say IT collaborates with HR, pointing to a cross-functional approach, while just 8% describe IT as fully involved, shaping or selecting training content from start to finish. This distribution suggests that while IT has a seat at the table in most cases, few organizations rely on them as the primary drivers of training design.

    What Is The Most Important Factor When Selecting A Training Vendor?

    74% say industry-specific content matters most in selecting a training vendor

    Choosing the right training partner involves weighing several priorities:

    Industry-specific content is the clear front-runner, with 74% of senior technology leaders saying it’s the key factor when selecting a vendor. Tailored training helps employees connect with the material and apply it to real-world scenarios in their specific sector, making it more effective than generic content.

    Integration with internal tools ranks next at 12%, suggesting some emphasis on technical compatibility. Slightly over 7% focus on reporting and analytics, while just under 7% highlight user-friendly interfaces as a significant factor. The data suggests that while ease of use and integration are part of the decision-making process, organizations place the greatest value on relevance, focusing on training that speaks directly to the risks they face.

    What Would You Most Like To Improve In Your Current Program?

    70% agree that role-specific content would improve current training programs

    Even well-established programs still have room to grow:

    Role-specific content is the top priority for improvement in current training programs, with 70% saying it’s what they most want to enhance. Generic training can fall flat if it doesn’t reflect the risks and responsibilities of different roles, which explains the demand for more targeted material. Training programs that incorporate role-based content have seen phishing threat detection improve by as much as 90% within six months, making it a clear area of opportunity.

    Executive support follows at 13%, indicating that while leadership isn’t seen as a major blocker, more vocal advocacy could help boost visibility. Accurate reporting ranks third at 10%, a reminder that measuring impact remains a challenge for many.

    At 4% and 2% respectively, participation rates and delivery frequency rank lowest, suggesting the real gap lies in relevance, not reach.

    What Would Make Launching New Training Campaigns Easier For You?

    59% feel more time or support would make launching new training programs easier

    Launching a campaign often depends on more than just the training content itself:

    More time and support tops the list at 59%, suggesting that resource constraints, not a lack of strategy, are the biggest blockers to launching new training campaigns. This may reflect limited staffing or competing priorities that leave few resources for program rollouts.

    Pre-built templates appeal to 16%, pointing to a need for ready-made materials that reduce setup time and simplify campaign launches. 14% prioritize better feedback mechanisms, likely indicating a desire for clearer signals on what’s performing well and what needs adjustment in real time. Clearer metrics rank close behind at 12%, showing that while measurement matters, it’s slightly less urgent than having usable input during execution.

    Where Is Your Organization Primarily Based In The USA?

    63% of senior technology leaders are primarily based in the West

    Regional patterns can offer useful context for understanding organizational behavior:


    At 63%, the majority of our audience is based in the Western United States, which may reflect the concentration of tech-driven industries along the West Coast, where cybersecurity tends to be a front-line priority.

    The South follows at 26%, with continued business growth across states like Texas and Florida. In 2025, the South is projected to be the only U.S. region with net domestic inflows for the seventh year in a row, reinforcing its rising economic prominence. Nationwide organizations make up 5%, while the Northeast and Midwest each account for 3%, indicating that these areas are not as well covered.

    Overall, the findings offer a clear window into what senior technology leaders think about security training in 2025. Support is high, priorities are clear, and the call for relevance is louder than ever. What’s missing isn’t awareness, it’s the structure to scale good intentions into everyday practice. As threats evolve and responsibilities spread across teams, the organizations that succeed won’t be those with the loudest messaging, but those that make training feel timely, targeted, and part of the job.

    As organizations continue to evolve their security awareness strategies, the focus is shifting from compliance to culture. Andrew Evers summarizes the path forward: “The next evolution in security awareness isn’t about better content—it’s about better context. Organizations that connect training to real-world scenarios, tailor it to specific roles, and integrate it into everyday workflows are seeing measurable improvements in their security posture. The future of effective security awareness lies not in teaching employees about security, but in embedding security into how employees work.”

    Methodology

    The data used in this article was sourced from an independent sample of 58,984 senior technology leaders from X, Quora, Reddit, TikTok, and Threads. Responses are collected within a 65% confidence interval and a 12% margin of error. Engagement estimates how many people in the location are participating. Demographics are determined using many features, including name, location, and self-disclosed description. Privacy is preserved using k-anonymity and differential privacy. Results are based on what people describe online — questions were not posed to the people in the sample.

    About the representative sample:

    • 70% of senior technology leaders are over the age of 35.
    • 44% earn between $200,000 and $500,000 annually.
    • 25% are in the East North Central US, and another 25% are in the South Atlantic.
