Scaling Security Awareness: FTE Requirements and Frameworks for Large Enterprises

Written by Brightside Team
According to the 2025 SANS Security Awareness Report, a minimum of 2.8 full-time equivalents (FTEs) is required to shift user behavior at scale. Enterprises aiming to embed security into organizational culture should plan for closer to 3.9 FTEs, with behavioral improvement typically taking 3 to 5 years and culture change often requiring 5 to 10 years. For global organizations, risk level, program maturity, and delivery scope are better sizing inputs than employee headcount.
Before We Get Into Numbers, Let's Define the Terms
Security awareness professionals use a lot of shorthand that can obscure what's actually being discussed. So before the staffing benchmarks, a quick definition of terms used throughout.
Security awareness program: The full set of activities an organization runs to improve how employees recognize and respond to security threats. That includes training campaigns, phishing simulations, practical exercises, and role-specific learning, not just the annual e-learning module HR sends out.
FTE (full-time equivalent): A measure of how much staffing capacity a function actually has. One FTE means one person working full-time on that function. 0.5 FTE means someone spending half their time on it.
Behavior change: A measurable shift in what employees actually do, such as reporting suspicious emails more consistently, clicking fewer phishing links, or using stronger authentication. Not what they know. What they do.
Security culture: A broader organizational state where secure behavior becomes the normal way of working. Culture isn't something a training team builds in a quarter. It's the long-term result of leaders modeling secure behavior, teams reinforcing it, and the organization holding both accountable.
Program maturity: How developed and operationally capable a security awareness program is. Low-maturity programs run generic annual training and track completion rates. High-maturity programs run continuous, role-based learning, measure behavioral outcomes, and have dedicated staffing.
Learning framework: A structured operating model that guides how a program is planned, delivered, measured, and improved over time. NIST SP 800-50r1 is the most current example.
The Problem: Awareness Is Chronically Under-Staffed
Most large organizations treat security awareness as something that runs itself once a platform is in place. That assumption is why so many programs produce training activity without producing behavior change.
The pattern is familiar. Someone in the security team gets assigned "awareness" on top of their existing responsibilities. They schedule the annual phishing test, enroll people in compliance training, and report completion rates to leadership. The program technically exists. It just doesn't work at the scale the organization needs.
The 2025 SANS Security Awareness Report, which draws on input from more than 2,700 security professionals across 70 or more countries, is the most comprehensive global benchmark available for how awareness programs are actually resourced and run. Its data shows that the gap between what organizations staff and what they need to run effective programs is significant.
This matters now more than ever. The same SANS report found that 80% of organizations rank social engineering as their top human-related risk. At this point attackers are primarily exploiting people rather than software vulnerabilities, and the function responsible for reducing that exposure is often running at a fraction of the capacity it needs.
Large enterprises face compounding challenges on this front. They have employees across multiple regions, languages, time zones, and roles. Regulatory requirements vary by jurisdiction. Risk profiles differ by department. A program that works for a 50-person startup doesn't transfer to 5,000 employees across six countries without significant redesign.
The Consequence: Under-Staffing Kills Program Quality
When an awareness program doesn't have enough people behind it, the problems are predictable.
The program defaults to compliance training because that's what one person can manage. Annual content gets recycled. Simulations run without follow-up because there's no bandwidth for remediation. Metrics stay stuck at completion rates because nobody has time to build the dashboards that track real behavioral outcomes. Regional teams receive generic content that doesn't reflect their actual threat environment or language.
The most quietly damaging consequence is harder to see in the metrics: employees learn that security training is something to get through, not something that's genuinely useful. Once that perception takes hold, it's very difficult to reverse.
Leadership often reinforces the problem without realizing it. When the program's metrics are completion rates and click rates from a single phishing test per quarter, leadership evaluates the program on those numbers. Nobody has a reason to ask whether the program is actually changing how employees handle real threats, because nobody has staffed the function to produce that kind of evidence.
Moving from compliance training to behavior change is an operational challenge, not just a philosophical reframing. It requires people who can design role-based learning, analyze simulation results, coordinate regional delivery, run practical exercises, and measure behavioral outcomes over time. That capacity doesn't come from a platform license. It comes from people.
The Benchmark: What the Numbers Actually Say
Here's the number you need if you're making a staffing case to leadership.
According to the 2025 SANS Security Awareness Report, a minimum of 2.8 full-time equivalents (FTEs) is required to shift user behavior at scale.
That number is a minimum threshold, not a target ceiling. Organizations that want to go further and build security into their culture should plan for 3.9 or more FTEs. And the timeline matters too: SANS data suggests that measurable behavior change typically takes 3 to 5 years of sustained effort, while cultural change often requires 5 to 10 years.
Here's how those benchmarks translate into program expectations:
| Program stage | Indicative staffing | Primary outcome | Time horizon |
|---|---|---|---|
| Behavior change program | 2.8 FTE minimum | Shift how employees act on security threats | 3 to 5 years |
| Culture-embedded program | 3.9+ FTEs | Security becomes the normal way of working | 5 to 10 years |
These are maturity benchmarks, not universal staffing formulas. A financial services firm operating in five countries with strict data regulations needs more capacity than a domestic tech company of the same size. Geography, risk concentration, regulatory load, and delivery complexity all affect how much staffing is actually required.
If your awareness program has fewer than 2.8 FTEs devoted to it, you're structurally under-resourced for behavior change at enterprise scale. If you expect the program to produce the outcomes leadership is asking for, the staffing gap needs to be addressed directly.
The Framework: NIST SP 800-50r1
Headcount alone doesn't make a program effective. You also need a clear operating model that defines what the function is supposed to do. NIST SP 800-50r1, published in December 2024, is the updated federal framework for building cybersecurity and privacy learning programs, and it's the most authoritative reference available for structuring enterprise awareness at scale.
The original NIST SP 800-50 dated back to 2003. The revision reflects how much has changed since then, when annual training and policy acknowledgment were considered sufficient. The new version treats awareness not as a content delivery exercise but as a strategic program that requires planning, appropriate resources, role-based training, practical exercises, and ongoing evaluation.
The framework is built around a lifecycle model rather than a one-time delivery model. That lifecycle includes five phases:
Analysis: Understand the organization's threat landscape, risk priorities, regulatory requirements, and employee characteristics before designing anything.
Design: Develop the program structure, including which audiences need which types of learning, how frequently, and through what channels.
Development: Build or source the actual training content, simulations, campaigns, and exercises.
Implementation: Deliver the program consistently, including managing scheduling, logistics, localization, and follow-up.
Evaluation: Measure outcomes, report to leadership, identify gaps, and use findings to improve the next cycle.
Each phase requires dedicated effort. None of them can be skipped. Annual phishing tests and a compliance course cover only a fraction of what NIST now defines as the full program scope, which also includes topic-based training, role-based training, practical exercises, and strategic program planning.
For staffing purposes, the NIST framework is useful because it maps to distinct functional responsibilities. Someone has to do the analysis. Someone has to design and update the curriculum. Someone has to manage simulations and remediation. Someone has to run reporting and evaluation. In a small organization, one or two people might cover all of those roles. In an enterprise, they can't.
The Roles: What Those FTEs Are Actually Doing
The 2.8 FTE benchmark only makes sense when you understand what those people are responsible for. Here's how a mature enterprise awareness function typically breaks down.
Program lead: Owns the strategy, manages the vendor relationship, handles board and leadership reporting, and builds the multi-year plan. This role connects awareness to the organization's risk posture and reports outcomes in terms leadership actually acts on.
Content and campaigns: Builds or localizes training content, runs awareness campaigns across the communication calendar, and keeps materials current as the threat landscape changes. In multinational organizations, this role often has a localization component that significantly expands the workload.
Simulations and exercises: Designs and runs phishing simulations, vishing exercises, and practical tests. Critically, this role also manages what happens after a simulation: who gets remediation, what that remediation looks like, and whether it's actually changing behavior over time.
Measurement and operations: Tracks the metrics that matter beyond completion rates. That includes behavioral trends, reporting rates, simulation failure trends by role and department, and program ROI. This role is what allows leadership to see the program as an investment rather than a cost.
Regional enablement: In global enterprises, this function adapts delivery for local time zones, languages, regulatory requirements, and cultural context. SoSafe's data shows measurably better engagement when training runs in an employee's native language. This role is often the first one cut in under-resourced programs, and usually the first to show up as a gap when programs underperform regionally.
In smaller programs, one person often covers several of these areas. That's realistic at the beginning. The problem is when a single person is covering all five of these areas at a global enterprise and the organization treats that as sufficient.
The 5 Most Effective Security Awareness Platforms for Large Teams
Understanding the roles your team needs to fill is only half the equation. The other half is choosing a platform that can actually support them. Here's how the leading options compare for large enterprises.
1. Brightside AI
Brightside AI is a Swiss cybersecurity awareness platform built for organizations that need to train employees against modern AI-powered threats. Where most platforms still center their product around email phishing, Brightside covers the full range of current attack vectors: email phishing, voice phishing (vishing), deepfake video simulations, and hybrid multi-channel attacks that combine a vishing call with a coordinated phishing email in a single campaign.
The platform uses generative AI to run live phone calls during vishing simulations. The AI agent responds to what the employee actually says mid-conversation, rather than playing a pre-recorded voicemail or following a fixed script. The training side runs through Brighty, a chat-based learning companion that walks employees through courses in plain language, using gamification elements like mini-games, achievement badges, and challenges to keep engagement high. Admins manage everything from a single dashboard with near-real-time reporting, NIST-aligned difficulty scoring, and automatic follow-up training triggered the moment an employee fails a simulation.
5 standout features:
GenAI-powered live vishing calls where the AI agent responds to what the employee actually says mid-conversation, not a voicemail or pre-scripted call flow
Voice cloning for executive impersonation, built from a short audio upload, enabling highly targeted scenarios for finance and C-suite training
Hybrid attack campaigns that coordinate a vishing call and a phishing email as one unified simulation, testing multi-channel awareness in a single workflow
AI-recommended attack strategy builder that suggests social engineering tactics, urgency level, and tone based on the simulation goal, with psychological reasoning included for each recommendation
NIST Phish Scale alignment, so simulation difficulty is mapped to a recognized external standard rather than internal rating systems
2 limitations:
Brighty's chat interactions are scripted rather than AI-generated in real time, so the course learning experience doesn't adapt to individual employee responses the way the vishing simulations do
The platform doesn't offer in-the-moment feedback or adaptive scenario replays during simulations, so reinforcement after a failure depends on the follow-up training module
2. KnowBe4
KnowBe4 is the market leader in security awareness training by volume and has been for over a decade. Its platform offers one of the largest phishing template libraries in the industry with content available in 35 languages, and an extensive training catalog that includes interactive modules, videos, games, posters, and newsletters. The SmartRisk Agent aggregates behavioral data across the platform to generate multidimensional risk scores per user, which helps identify where training effort should be concentrated. KnowBe4 also offers personalized deepfake training that creates realistic deepfake experiences for employees at scale.
For enterprises that need a wide content library, strong compliance reporting, and years of proven enterprise integration, KnowBe4 is the most established option in the category. Its own benchmarking shows that after 12 months of use, organizations reduce their phish-prone percentage from around 30% to under 5% on average.
5 standout features:
Content library in 35 languages covering interactive modules, videos, games, posters, and newsletters
SmartRisk Agent that generates comprehensive user risk scores to surface high-risk individuals and groups
Personalized deepfake training that delivers hyperrealistic deepfake experiences to employees at scale
Over 60 built-in reports for training and phishing campaigns, plus executive-level dashboards
Smart Groups that dynamically segment employees by behavior and attributes for targeted phishing campaigns and training assignments
2 limitations:
Vishing simulations are only available on the Diamond pricing tier, meaning organizations on lower subscription levels don't get access to voice-based attack training
The deepfake training is a personalized experience module rather than a self-serve, recurring simulation tool that security teams can configure and run as ongoing campaigns the same way phishing simulations can be run
3. SoSafe
SoSafe is a European security awareness platform trusted by over 6,000 organizations and 5.4 million users, with a strong foundation in behavioral science. Its training is built around the principle that lasting behavior change requires more than information delivery. Short gamified modules, story-driven scenarios, and paths that adjust by role are all designed to reduce the fatigue that comes with generic annual training. SoSafe is well suited for European enterprises navigating NIS2 and GDPR-related training obligations, with ISO/IEC 27001-compliant reporting built in and SCORM-compliant lessons for LMS integration.
5 standout features:
Behavioral science-driven microlearning with gamification and interactive, story-driven content focused on building lasting security habits rather than achieving compliance checkboxes
Personalized learning experiences automatically optimized based on individual engagement scores and role
Strong compliance framework coverage with ISO/IEC 27001-compliant reports and content aligned to NIS2 and GDPR requirements
SCORM-compliant lessons with seamless LMS integration and support for existing learning management systems
Fully localized content available in over 30 languages with customer success advisory included
2 limitations:
Vishing simulations are not available as a self-serve, recurring simulation tool. Voice-based training is available as a managed experience rather than an admin-controlled, ongoing campaign that security teams can configure independently
No deepfake video simulation capability, which means organizations need to address that specific threat vector through separate content or a supplementary platform
4. Hoxhunt
Hoxhunt builds its core product around adaptive phishing simulations that automatically adjust difficulty based on individual performance. Employees who catch everything get harder tests; employees who struggle get more approachable scenarios with clearer warning signs. This personalization model, combined with micro-training delivered immediately after each simulation, sustains engagement across months of ongoing use rather than burning out after an initial campaign.
Hoxhunt has expanded well beyond email phishing. The platform now unifies phishing, vishing, smishing, and deepfake video simulations into one system. Its deepfake simulations use scripted avatars with voice cloning to run multi-step attack scenarios, combining a phishing email entry point with a fake meeting page and a cloned-voice avatar, followed immediately by micro-training when a user fails.
5 standout features:
Adaptive phishing simulations that automatically tune difficulty by user, role, and location, with training delivered at roughly 10-day intervals per employee
Deepfake simulation with voice cloning, combining phishing emails with scripted deepfake video calls that mimic real executives, available off-the-shelf and as custom builds
Micro-training delivered immediately after each simulation failure, with a clear path to remediation and no public shaming
Multi-channel simulation covering phishing, smishing, vishing, and deepfake video in one unified platform
Gamified mechanics with points, badges, and leaderboards that sustain participation over continuous program cycles
2 limitations:
Deepfake voice calls are pre-scripted rather than live and adaptive. The AI doesn't adjust mid-call based on what the employee actually says, which limits how realistic the social engineering pressure can get compared to a fully dynamic conversation
No AI-generated attack strategy recommendation system that suggests social engineering tactic combinations, urgency levels, and psychological reasoning, which limits how precisely security teams can justify and customize simulation design
5. Proofpoint Security Awareness (ZenGuide)
Proofpoint Security Awareness, delivered through its ZenGuide platform, is the awareness training component of Proofpoint's broader enterprise security suite. For organizations already using Proofpoint's email security and threat intelligence products, ZenGuide connects naturally into an existing workflow where real threat data from the email environment directly informs simulation design. The Satori Phishing Simulation Agent automatically deploys attack-informed simulations based on what Proofpoint is detecting in customer environments, and the AI ThreatFlip Workflow converts real phishing emails into ready-to-run training templates with a single click.
5 standout features:
Satori Phishing Simulation Agent that automatically deploys attack-informed simulations aligned to real-world threats currently being detected in the environment
AI ThreatFlip Workflow that converts real phishing emails into safe simulation templates with AI-generated guidance, eliminating manual template creation
People Risk Explorer integration that identifies high-risk individuals based on behavioral choices, threat context, role, and business privileges, then automatically enrolls them in targeted training
Adaptive Groups and Pathways that manage learner segments by risk profile and behavior, automating curriculum assignment without manual admin intervention
Gamified nano- and micro-learning content with just-in-time coaching and WCAG accessibility support for global, diverse workforces
2 limitations:
Vishing simulation is not a documented feature of the ZenGuide platform, which is a notable gap as voice-based social engineering becomes an increasingly common enterprise attack vector
The platform's strongest differentiation comes from its integration with the broader Proofpoint security ecosystem. Organizations not already using Proofpoint's email security or threat intelligence products get meaningfully less value from the features that set ZenGuide apart from pure-play awareness platforms
How the Platforms Compare
| Feature | Brightside AI | KnowBe4 | SoSafe | Hoxhunt | Proofpoint |
|---|---|---|---|---|---|
| Email phishing simulation | Yes | Yes | Yes | Yes | Yes |
| Self-serve vishing simulation | Yes | Diamond tier only | Not self-serve | Yes | Not documented |
| Live adaptive AI phone calls | Yes | No | No | No (scripted) | No |
| Deepfake video simulation | Yes | Yes | No | Yes | No |
| Hybrid voice + email campaign | Yes | No | No | Yes | No |
| Voice cloning for executives | Yes | No | No | Yes | No |
| AI-generated attack strategy | Yes | No | No | No | No |
| NIST Phish Scale alignment | Yes | No | No | No | No |
| Employee personal portal | Yes | No | No | No | No |
All five platforms are credible options for large enterprises. KnowBe4 offers unmatched breadth of content, 35-language coverage, and deepfake training modules. SoSafe leads on behavioral science, European compliance, and engagement design. Hoxhunt delivers a strong combination of adaptive simulations, deepfake voice scenarios, and gamification. Proofpoint connects awareness training to live threat intelligence for teams already in that ecosystem.
What separates Brightside AI is the combination of features that still sit in its column alone: live adaptive AI phone calls that respond to what the employee actually says, a hybrid attack workflow that coordinates vishing and phishing as one campaign, an AI-recommended attack strategy builder with psychological reasoning, and NIST Phish Scale alignment, all inside a single platform. For large organizations where a single successful vishing call or deepfake impersonation of a CFO can cost millions, waiting until those threats show up in post-incident reviews is too late. Brightside is currently the only platform where that full capability is self-serve, configurable, and built into the core product rather than available as a managed add-on.
Five Myths That Keep Programs Under-Resourced
A lot of the bad staffing decisions in security awareness trace back to a small set of beliefs that don't hold up when you examine them.
Myth 1: "We have a platform, so one person is enough to manage it."
Platforms reduce the manual effort of content delivery and scheduling. They don't replace the judgment required to design effective learning, analyze results, run remediation, or present outcomes to leadership. SANS identifies 2.8 FTEs as the minimum for behavior change, not as the minimum for keeping the lights on.
Myth 2: "Headcount tells us how big the team should be."
Employee count is a poor proxy for program complexity. A 2,000-person organization with operations in ten countries, multiple regulated business lines, and a high-value target profile has a fundamentally different awareness challenge than a 2,000-person domestic software company. Risk, geography, regulation, and delivery scope are better sizing inputs than headcount.
Myth 3: "Completion rates tell us the program is working."
Completion rates tell you whether employees opened the training. They don't tell you whether behavior changed. A program where 95% of employees complete the annual module but nothing changes in how they handle suspicious emails is not a behavior-change program; it's an expensive compliance exercise.
Myth 4: "Awareness is just phishing simulations."
NIST SP 800-50r1 frames modern programs to include awareness campaigns, topic-based training, role-based training, practical exercises, and strategic planning. Phishing simulations are one component of a multi-part program. Organizations that treat simulations as the whole program are usually the ones whose metrics plateau after the first six months.
Myth 5: "We can build a security culture in a year."
SANS is unambiguous on this. Measurable behavior change takes 3 to 5 years of consistent effort. Culture change often takes 5 to 10 years. That's not a reason to delay investing. That's a reason to start now and staff for sustained delivery rather than treating awareness as a short campaign with a defined end date.
Building the Business Case
When you understand the numbers, making the case to leadership becomes more straightforward. Here's how to frame the three core arguments.
Frame it as risk reduction capacity
The starting point isn't "we need more training staff." It's "our top human risk is social engineering, and the function responsible for reducing that risk is running below the minimum benchmark for effectiveness." That framing puts the ask in front of risk and security leadership, where it belongs, rather than routing it through HR budget cycles.
SANS data gives you the external benchmark. The NIST framework gives you the professional standard. Together, they make it defensible to say the current staffing level isn't an internal preference: it's a gap against published, authoritative guidance.
Frame it as program maturity
Show leadership where the current program sits against the SANS maturity benchmarks. If you have 1.0 FTE running a program for 3,000 employees across multiple countries, you're not halfway to the 2.8 FTE threshold. You're running a compliance program and calling it a behavior-change program. The ask isn't arbitrary. It's a plan to get from where you are now to the minimum viable level for the outcomes leadership expects.
A phased approach is easier to approve than a single large ask. Going from 1.0 FTE to 1.5 FTE is a defensible first step. Getting to 2.0 FTE in year two and approaching 2.8 in year three is a credible multi-year plan.
Frame it with financial stakes
IBM's 2025 Cost of a Data Breach Report puts the global average breach cost at $4.44 million. For an enterprise spending $80,000 per year on awareness staffing and platform costs, preventing one breach that would otherwise have cost $4.44 million returns more than 55 times the investment. You don't need to argue that awareness programs prevent every breach. You only need to show they meaningfully reduce the frequency and severity of human-caused incidents, which the evidence supports.
If the program is expected to change behavior globally, the staffing should reflect that scope.
Where to Start: A Practical Action Plan
If you're a CISO, security manager, or IT leader trying to make a staffing case or redesign a program, here's a concrete starting point.
Audit current capacity. Estimate how many hours per week are actually being spent on awareness program responsibilities across all staff: campaigns, simulations, content creation, reporting, localization, and follow-up. Convert that to FTEs. Most organizations discover they're well below 1.0 FTE of genuine program effort, even if someone is "responsible" for awareness on paper.
Map responsibilities to NIST lifecycle phases. Which phases have no one covering them right now? Most under-resourced programs have nobody in the evaluation phase, which is exactly why leadership doesn't know whether the program is working.
Benchmark against SANS. Compare your current FTE total against the 2.8 and 3.9 FTE thresholds. Document that gap explicitly. This is the evidence you need for the headcount conversation.
Identify the highest-priority gaps. If you can only make one hire, which function is most absent right now? For most organizations, it's measurement and operations, because that's the function that produces the evidence leadership needs to justify further investment.
Build a phased plan. Go from current state to 2.0 FTEs in year one, to 2.8 FTEs in year two, with a goal of approaching 3.9 FTEs in years three through five. Connect each milestone to expected program outcomes.
Present it as a risk and maturity conversation, not a headcount request. Lead with the external benchmarks, the financial stakes, and the specific gaps in current program capability. Headcount is how you close those gaps, but the conversation itself should lead with what's currently missing from the program, not with a number.
Frequently Asked Questions
How many people do you need to run security awareness for a large company?
According to the 2025 SANS Security Awareness Report, a minimum of 2.8 FTEs is required to shift user behavior at scale. For enterprises aiming to embed security into culture rather than just deliver training, 3.9 or more FTEs is the more relevant benchmark.
What does the SANS Security Awareness Report 2025 say about team size?
SANS surveyed more than 2,700 security professionals across 70 or more countries. Its findings show that 2.8 FTEs is the minimum staffing level to drive behavioral change at scale, while 3.9 FTEs represents the benchmark for organizations working toward cultural change. The report also notes that behavior change takes 3 to 5 years and culture change often takes 5 to 10 years.
Can one person run an enterprise security awareness program?
One person can coordinate basic training delivery, but that's not the same as running a mature, effective program. Managing campaigns, simulations, remediation, localization, measurement, and stakeholder reporting across a large enterprise is a multi-role function. A single program coordinator can maintain a compliance baseline, but they can't drive the behavior change outcomes that NIST and SANS frameworks are designed to produce.
How do I justify more headcount for security awareness to leadership?
Use three external proof points: the SANS staffing benchmark, the NIST SP 800-50r1 program scope, and the IBM breach cost data. Document the gap between your current staffing and the published minimum benchmarks. Connect the ask to specific program capabilities that are currently absent, and present a phased roadmap rather than a single large request.
Is security awareness team size based on employee count?
Not reliably. Employee count is a useful rough guide but a poor proxy for program complexity. Organizations with significant regulatory exposure, global footprints, multilingual workforces, or high-value target profiles need more program capacity regardless of total headcount. Risk level, geographic distribution, and delivery scope are more accurate sizing inputs.
How long does it take to build a real security culture?
SANS data suggests that measurable behavior change typically takes 3 to 5 years of consistent program effort. Cultural change, where security becomes a normal and self-reinforcing way of working across the organization, often requires 5 to 10 years. These timelines reinforce why programs need stable, long-term staffing rather than short bursts of intense effort.
The Real Question Isn't Whether You Can Afford It
Most of the resistance to security awareness investment comes down to this: leadership doesn't see clear evidence that the program is working, so they're reluctant to put more into it. The solution isn't a better pitch. It's a better-staffed program that produces the evidence.
You can't demonstrate behavior change with a single annual phishing test and a completion rate dashboard. You need the operational capacity to measure what's actually changing over time, report it in terms leadership understands, and connect that to risk outcomes the business cares about.
That capacity is what SANS and NIST are pointing to when they define what a mature awareness program looks like. It's not about filling a training calendar. It's about building a function that produces durable, measurable reductions in human risk at scale.
The staffing numbers exist now. The framework exists now. The business case writes itself when you connect them to the cost of a breach that the program exists to help prevent.