Security Awareness Training and the 2026 CISO Agenda

Written by Brightside Team
Security awareness training has a reputation problem. And honestly, a lot of it is deserved.
For years, the industry ran on annual compliance modules, click-through videos, and phishing simulations that were basically a gotcha game. Employees clicked a fake link, got a stern reminder, forgot about it by lunch. Auditors were satisfied. Threat actors were not worried.
Most security awareness training was not designed to change behavior. It was designed to satisfy auditors. Those are very different goals, and the gap between them is where breaches live.
But here is something to consider: the biggest challenges CISOs face in 2026 are not purely technical. Most of them have a human layer. A misconfigured AI tool someone deployed without telling security. A vendor email that looked legitimate. An analyst who did not know what to do with an alert. A compliance decision made by someone who did not understand the personal liability implications.
Training cannot fix everything. Let's be upfront about that before we go any further.
Three challenges training genuinely cannot address
Post-quantum cryptography is an infrastructure migration problem. No amount of awareness training helps you inventory your cryptographic dependencies or migrate to the NIST-standardized algorithms (ML-KEM, ML-DSA and SLH-DSA). That is an architecture job.
CISO burnout and role sustainability is a workload, organizational support, and mental health problem. According to Splunk's CISO Report, 63% of CISOs say they experienced burnout in the past twelve months; training does not fix that. It needs structural change: realistic budgets, board access, headcount.
Budget stagnation is a business case and boardroom priorities problem. Average security budget growth landed at just 4% in 2025, according to IANS and Artico Search's benchmark of 587 CISOs. That gap closes through better risk communication with leadership, not through training programs.
Those three are out. The other seven are not, and here is why.
The 7 CISO challenges where training has real work to do
1. AI governance and shadow AI
The challenge is not that employees are using AI. It is that they are using it before security has any idea it is happening.
Accenture's 2025 State of Cybersecurity Resilience report surveyed 2,286 executives and found that 77% of organizations lack foundational AI and data security practices. Only 22% have written policies for how employees should use generative AI. IBM's 2025 Cost of a Data Breach Report found shadow AI was a factor in one out of five breaches, and those breaches cost an average of $670,000 more than the baseline.
The human gap here is not malicious. Employees are not trying to create security incidents. They are trying to do their jobs faster. The training gap is that most organizations have never clearly told employees what "using AI safely" actually means in practice: what data they cannot paste into a public model, who to loop in before deploying a new tool, what the actual risk looks like when a vendor's AI system processes customer data.
Generic AI awareness modules that warn people about deepfakes and then move on are not enough. What closes this gap is role-specific training that mirrors the actual AI tools employees are using, with concrete scenarios. What happens when finance uses a public LLM to summarize a deal memo? What is the correct behavior when engineering wants to deploy a new AI model over a weekend? Training needs to make those decisions instinctive, not something employees have to look up in a policy document.
2. SOC speed and analyst overload
Let's be honest about the limits here first. Splunk's State of Security 2025 report found that 46% of security teams spend more time maintaining their tools than doing actual security work. CrowdStrike's 2026 Global Threat Report documented average eCrime breakout times dropping to 29 minutes, with the fastest observed case at 27 seconds. The primary answer to that arithmetic problem is automation, AI-assisted triage, and better tooling. Not training.
But the human layer still matters, and it tends to get overlooked in the automation conversation. SOC analysts trained on AI-assisted workflows make faster, more confident decisions when the system hands something off to them. Analysts who understand behavioral baselines catch the signal that automated tools have dismissed as noise. And the skills gap inside SOC teams is real: ISC2 puts the global cybersecurity workforce shortfall at 4.7 million unfilled positions, and the fastest-growing demand is for people who know how to work with AI systems, not just operate traditional tools.
Training will not close a 27-second breakout window. But the analyst who knows how to interpret an AI triage output and act on it in 30 seconds rather than 3 minutes is a real competitive advantage.
3. Third-party and supply chain risk
Verizon's 2025 Data Breach Investigations Report, built from 12,195 confirmed breaches, found that third-party involvement in breaches doubled in a single year, from roughly 15% to 30%. SecurityScorecard's analysis puts it at 35.5%. The World Economic Forum named supply chain vulnerability the number-one obstacle to cyber resilience for 54% of large enterprises.
Most conversations about third-party risk focus on vendor assessments, continuous monitoring, and contract requirements. All valid. But the human entry point gets less attention than it deserves.
Employees share credentials with vendors without thinking twice. They click links in emails that appear to come from familiar SaaS platforms. They approve OAuth integrations without reading the permission scopes. They respond to IT-impersonation calls from people claiming to be from a software vendor with a critical update. In the Salesloft Drift breach of 2025, the attackers did not need to phish anyone: they used OAuth tokens stolen from the Drift integration to read data out of customers' Salesforce instances, through an integration that most of those customers had never reviewed for scope or token hygiene.
Training that specifically addresses vendor interaction hygiene (how to verify a vendor request, what to check before approving an integration, how to recognize when a "vendor support" call is actually a vishing attempt) is underdeployed in most organizations. Most third-party risk training still focuses on questionnaires and SOC 2 reports. That is the procurement team's job. Employees need to understand their own behaviors in the attack chain.
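The check a security team most wants behind that paragraph is a way to see which already-approved integrations hold the dangerous combination of a long-lived token and broad data scopes. The script below is an added example, not code from the original article or from any vendor: it triages a list of OAuth app grants and ranks the ones worth a human review. The grant records and field names are constructed to resemble a generic "authorized apps" export and are assumptions, not any identity provider's real schema; the scope names in the two watch-lists are illustrative and should be mapped to your own IdP's vocabulary.

```python
"""Triage OAuth app grants for risky scope and token-lifetime combinations.

Added example (not from the article). Record layout and scope names are
assumptions standing in for a real IdP/SaaS "authorized apps" export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Set

# Scopes that let a token outlive the user's session (refresh tokens).
PERSISTENT: Set[str] = {"offline_access", "refresh_token"}
# Scopes that read or write bulk business data rather than one narrow resource.
BROAD_DATA: Set[str] = {
    "api", "full", "mail.readwrite", "files.readwrite.all", "directory.readwrite.all",
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Grant:
    app: str
    publisher_verified: bool   # did the app store / IdP verify the publisher?
    scopes: Set[str]
    granted_by: str            # account that consented
    last_used: datetime        # last time the token was presented
    users: int                 # accounts that consented to this app


@dataclass
class Finding:
    app: str
    severity: str
    reasons: List[str]


def triage(grants: List[Grant], now: datetime, stale_days: int = 90) -> List[Finding]:
    """Return findings sorted highest severity first, then by app name."""
    findings: List[Finding] = []
    for g in grants:
        reasons: List[str] = []
        persistent = bool(g.scopes & PERSISTENT)
        broad = sorted(g.scopes & BROAD_DATA)
        if persistent and broad:
            # The Drift-style pattern: a refresh token plus bulk data access means a
            # stolen token keeps working long after the user who consented logs out.
            reasons.append(f"long-lived token with broad scope(s): {', '.join(broad)}")
        elif broad:
            reasons.append(f"broad scope(s) {', '.join(broad)} (session-bound, still review)")
        if not g.publisher_verified:
            reasons.append("unverified publisher")
        if now - g.last_used > timedelta(days=stale_days):
            reasons.append(f"unused for more than {stale_days} days (revoke candidate)")
        if not reasons:
            continue
        if persistent and broad:
            severity = "high"
        elif broad or not g.publisher_verified:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(g.app, severity, reasons))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.app))


# Constructed sample export (not real tenants, apps or users).
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("crm-sync-bot", True, {"api", "refresh_token"}, "ops@example.test",
          NOW - timedelta(days=2), users=40),
    Grant("calendar-helper", False, {"calendars.read"}, "pat@example.test",
          NOW - timedelta(days=10), users=1),
    Grant("old-reporting-tool", True, {"files.readwrite.all"}, "fin@example.test",
          NOW - timedelta(days=200), users=3),
    Grant("slack-notifier", True, {"chat.write"}, "dev@example.test",
          NOW - timedelta(days=1), users=12),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS, NOW):
        print(f"[{f.severity.upper():6}] {f.app}: " + "; ".join(f.reasons))
```

Run it against a real export and the top of the list is the set of integrations to take to the owning team first; the "unused" reason alone is usually enough to justify revocation without a meeting.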
4. The talent and skills gap
ISC2 puts the global cybersecurity workforce gap at 4.7 million unfilled positions, a number that grew 19% year-over-year. ISACA's 2025 survey of 3,800+ professionals found 55% of teams are understaffed, 65% have open positions, and 38% say filling even entry-level roles takes three to six months.
Only 29% of enterprises are cross-training non-security staff into security roles, according to ISC2. That is down from 41% just one year earlier. Organizations are cutting their own talent pipelines at exactly the moment the external market cannot supply enough people.
And the budget pressure makes it worse in a very specific way. Among the CISOs who faced budget constraints in 2025, 36% responded by reducing training spend, according to IANS and Artico Search. The exact investment that could help close the skills gap was the first thing cut when money got tight.
The skills gap is not going to be hired away. There are not enough people. The realistic path is building security capability in the people you already have: cross-training developers on secure coding, training finance staff on social engineering, building security instincts into onboarding for every role. That requires training programs designed around building durable skills, not checking compliance boxes.
5. Tool sprawl and complexity
IBM and Palo Alto Networks found in their 2025 study that the average enterprise runs 83 security products from 29 separate vendors. Fifty-two percent of executives named complexity and fragmentation as their single biggest cybersecurity barrier.
Tool consolidation is happening. IANS and Artico Search found close to 70% of security leaders have consolidated or are actively doing so. The payoff is real: organizations that have completed platform consolidation identify incidents 72 days faster and contain them 84 days more quickly.
But there is an angle on this challenge that gets almost no attention in the consolidation conversation: employees do not use the tools correctly because nobody properly trained them.
Security tools only work if the humans operating them understand what they are looking at. A SIEM that generates alerts nobody knows how to interpret is not a security asset. A phishing report button that employees do not know exists is not reducing risk. An MFA app confusing enough that employees routinely call the IT helpdesk to reset or bypass it is actively creating a new attack surface: the helpdesk learns to approve exactly the request an attacker will make.
Training tied specifically to the tools an organization uses — not generic security awareness content — is underinvested in almost every organization. When a company spends seven figures on a security platform and five figures on training people how to use it, something is off in the math.
6. Compliance as personal liability
Splunk's CISO Report found 78% of CISOs are personally worried about being held liable for security incidents. That is up from 56% the year before, a 22-point jump in twelve months. Twenty-one percent say they have been pressured not to report a compliance issue.
The regulatory picture has become genuinely punishing. CISOs are managing SEC cybersecurity disclosure requirements, NIS2, DORA for financial services, and the EU AI Act, which carries penalties of up to €35 million or 7% of global annual turnover. Forrester predicts that class-action costs from breaches will exceed regulatory fines by 50%.
Training intersects with this challenge in two ways, and most organizations are only using one of them.
The obvious way: training employees to follow the right procedures so the organization stays compliant. Necessary, but this is table stakes. The less obvious way: training the security and legal teams on how to document decisions, communicate risk to the board, and create the paper trail that matters when a regulator or plaintiff attorney starts asking questions. The standard of care examined in a cyber incident investigation increasingly includes evidence that the organization trained its employees appropriately. Training is not just risk reduction anymore. It is legal defensibility.
7. The resilience gap
PwC's 2025 Global Digital Trust Insights report found that only 2% of organizations have implemented firm-wide cyber resilience. Not 20%. Two percent. The rest have a framework, a plan, or a meeting scheduled to discuss it.
This matters because threat volume is not stable. Accenture found organizations faced an average of 1,876 cyberattacks in a single quarter last year, 75% more than the same period the year before. Verizon's 2025 DBIR showed ransomware in 44% of breaches, up from 32%.
Technical resilience gets the most investment: backups, redundancy, incident response runbooks. Human resilience gets almost none. And those two things are not independent.
The organizations that have built genuine resilience share a common pattern: their employees have rehearsed failure. They have run tabletop exercises where the scenario is "the attacker is already inside." They have practiced incident response decisions under time pressure. They have done vishing simulations that actually simulate the panic of receiving a convincing executive impersonation call, not just the low-stakes experience of clicking a suspicious link in a test email.
The gap between "we have an incident response plan" and "our people know how to execute it under pressure" is exactly where training lives. Accenture's research shows organizations that invest in resilience are 69% less likely to get hit by advanced AI-driven attacks. The technical investments get the credit. The human rehearsal that makes those investments work in a real incident rarely does.
Top 5 Security Awareness Training Platforms in 2026
Given everything above, here is what a genuinely useful training platform needs to do in 2026: cover modern attack vectors beyond email, help employees build durable behavioral habits rather than passing a quiz, give admins meaningful data about where human risk actually lives, and work across different roles, languages, and levels of technical sophistication.
Five platforms worth knowing about, including some you may not have evaluated recently.
Proofpoint Security Awareness
Proofpoint brings its security awareness offering inside a broader stack already anchored in email threat intelligence and human risk management. Its strength is that simulations are informed by the actual threat data Proofpoint sees across its enterprise customer base, which means phishing scenarios reflect what is actually landing in inboxes today rather than generic templates. The platform includes adaptive learning paths, risk-based content targeting, and a suspicious-message reporting add-in for Outlook and Gmail that feeds back into the organization's risk posture.
Best for: large enterprises already running Proofpoint for email security who want their awareness program tightly connected to existing threat data and security tooling.
Honest limitation: Proofpoint's awareness offering is strongest inside its own stack. Evaluated independently, it does not have the simulation depth of newer purpose-built players, particularly on vishing and deepfake scenarios.
Brightside AI
Brightside is an AI-native security awareness platform built around simulation realism across the three modern human attack surfaces: phishing, vishing, and deepfakes. Its clearest differentiator is the vishing simulator, which runs live AI-powered phone calls with customizable voices, social engineering tactics, and hybrid attack flows that chain a phone call to a follow-up phishing email. Admins can clone executive voices from short recordings, build custom attack personas, define the psychological tactics used in the call, and preview the full simulation in a browser before it goes live. It is one of very few platforms with a fully documented live adaptive AI conversation engine for vishing, as opposed to a voicemail drop or a static scripted scenario.
Beyond simulations, Brightside includes structured awareness courses with Brighty, an AI guide, alongside separate admin and employee portals with multilingual support in English, French, German, and Italian. It is built in Switzerland, which matters for European organizations with data residency requirements.
Best for: organizations that treat voice fraud and deepfake impersonation as active threats, not future risks. Particularly relevant for finance teams, executive assistants, and anyone who handles sensitive transactions by phone.
Honest limitation: Brightside is a simulation specialist. If you need a massive content library, full LMS interoperability, or deep enterprise workflow automation, the broader suites will have more to offer.
Riot
Riot positions itself as an employee security posture platform rather than a pure awareness training tool. The distinction matters. Beyond phishing simulations and training content, Riot offers breach monitoring at the individual employee level, inbox assistance for flagging suspicious messages, and posture scoring that tracks improvement over time. It connects natively with Slack and Microsoft Teams, which means security guidance reaches employees in the tools they already use rather than in a separate platform they have to log into.
Best for: mid-market organizations that want a lightweight, messaging-native approach to security posture. Particularly well suited to tech-forward companies where employees live in Slack.
Honest limitation: Riot does not run live outbound vishing simulations. For organizations whose threat model includes phone-based social engineering and executive impersonation, that is a meaningful gap.
Jericho Security
Jericho is one of the newer AI-era entrants, built around multi-channel simulation depth. It runs phishing, vishing, and SMS simulations with AI-generated personalization, including voice cloning for executive impersonation scenarios and deepfake video simulations — a capability very few platforms offer. Scenario generation is fast: Jericho uses AI to build personalized attack pretexts from employee context data rather than relying on template libraries. For organizations that have matured past basic phishing tests and want to stress-test employees against realistic multi-channel attacks, it is worth a serious look.
Best for: security teams ready to move beyond phishing-only programs and test employees against voice, video, and coordinated multi-channel attacks.
Honest limitation: Jericho is a younger platform. Enterprise reporting, workflow integration, and compliance documentation are not yet as developed as more established players. Worth evaluating the admin experience carefully before committing at scale.
Arsen
Arsen is a Paris-based platform built for the social engineering reality of 2026. It covers phishing, smishing, vishing, and executive protection under one roof, with an explicit focus on multi-channel simulation realism. Arsen includes voice cloning, dark web and breach data integration for personalizing simulations, and coordinated hybrid campaigns that chain vishing to phishing in a single workflow. Its European positioning is genuine: built for the regulatory and cultural context of EU organizations, with strong multilingual support and compliance reporting aligned to NIS2.
Best for: European organizations, particularly those in regulated sectors, that want simulation-first training with real attack realism and a vendor that understands the EU compliance landscape.
Honest limitation: Arsen's market presence outside Europe is limited. For global organizations that need consistent deployment across regions, the platform's maturity outside its home market is worth scrutinizing before committing.
Closing
The pattern across all seven challenges is the same. Every one of them has a point where the technical controls run out and a human has to make a decision. Whether to report an AI tool they just installed. Whether to verify the identity of someone on the phone claiming to be IT support. Whether to approve a vendor integration that looks legitimate. Whether to send a board report that downplays a material risk.
Training does not eliminate that moment. But it shapes what happens in it.
The organizations closing the gap between "we believe in security culture" and "we have actually built one" are not running better compliance modules. They are rehearsing real scenarios, across real attack vectors, with enough regularity that the right decision starts to feel instinctive. That takes a fundamentally different kind of training program — and in 2026, it is the only kind worth building.