Chad Fullerton
Vice President of Information Security, ECI

Chad Fullerton is the Vice President of Information Security at ECI, where he leads cybersecurity, risk management, and compliance initiatives for highly regulated industries. With a strong foundation in IT and a master’s in business administration, Chad bridges the gap between technical execution and executive strategy. He has spearheaded the development of robust security frameworks, enhanced regulatory compliance, and fortified defenses against evolving cyber threats. A CISSP-certified expert, Chad is also a devoted husband to his beautiful wife Jenn and proud father to two awesome boys, Asher (7) and Atlas (5), balancing professional excellence with a deep commitment to family life. 

As we move deeper into 2025, one cybersecurity truth remains unchanged: the human element continues to be the most exploited vulnerability in the enterprise. Despite decades of investment in awareness campaigns and technical controls, Gartner estimates that nearly half of all significant cyber incidents this year will involve human error or manipulation. Whether it’s phishing, social engineering, or deepfake-enabled fraud, users remain a primary attack vector.

For CIOs and CISOs, this presents both a challenge and an opportunity. While we’ve made tremendous strides in modernizing our security stacks—adopting Zero Trust architectures, AI-driven XDR platforms, and cloud-native defenses—user training often remains outdated, underfunded, and misaligned with today’s threat landscape.

The Human Firewall: Still the Weakest Link

Security awareness training has historically been treated as a compliance requirement rather than a strategic initiative. It’s often generic, infrequent, and disconnected from real-world threats. Worse, it’s rarely tailored to the unique needs of different user groups or industries. This approach is no longer tenable.

Modern threats are dynamic, sophisticated, and increasingly personalized. Attackers are using AI to craft convincing phishing emails, generate synthetic voices, and even create deepfake videos to impersonate executives. If our adversaries are using AI to attack, we must use AI to defend—starting with how we train our people.

AI-Driven Learning: The Future of User Awareness

The next generation of security awareness platforms leverages artificial intelligence to deliver personalized, adaptive learning experiences. These platforms analyze user behavior, communication patterns, and threat telemetry to deliver training that is:

  • Contextual: Tailored to the user’s role, risk profile, and recent activity.
  • Bite-sized: Delivered in short, digestible modules (under 3 minutes), optimized for mobile consumption.
  • Dynamic: Continuously updated based on emerging threats and user performance.

This shift from static, one-size-fits-all training to intelligent, behaviorally driven learning is a game-changer. It allows organizations to meet users where they are—on their devices, in their workflows, and within their attention spans.

Know Your Users Like You Know Your Network

Just as we segment networks and classify data, we must segment our users. Different demographics consume information differently and are vulnerable to different types of attacks. For example:

  • Digital Natives (<40): Prefer short-form, mobile-first content. They’re less likely to follow rigid processes but more responsive to gamified, socially integrated training.
  • Experienced Professionals (40–60): Respond better to instructor-led sessions and interactive workshops. They’re more cautious but also more susceptible to deepfake and voice spoofing attacks.
  • Executives and High-Value Targets: Require bespoke training and simulation exercises, including deepfake awareness and social engineering tabletop scenarios.

Understanding these nuances allows CIOs and CISOs to deploy training that resonates with each group, increasing engagement and retention.

Tailoring Training to Industry-Specific Threats

Generic phishing simulations are no longer sufficient. AI-enhanced platforms can now ingest real phishing attempts observed in your organization’s environment (email gateways, SIEMs, and endpoint logs) to craft simulations that mirror the lures your users actually receive. Any lure replayed this way must first be defanged: live links, attachments, and sender infrastructure are replaced with the simulation platform’s own tracking endpoints so that the exercise never re-delivers a working payload. This enables:

  • Role-based training for finance, HR, and executive teams.
  • Threat modeling aligned with your industry—be it healthcare, finance, manufacturing, or defense.
  • Feedback loops in which user reports flow back into gateway and detection rules, improving both user behavior and detection systems.

This level of specificity not only improves training outcomes but also aligns user awareness with your broader risk management strategy.

Beyond the LMS: Building a Culture of Security

Security culture is not built in a Learning Management System (LMS). It’s embedded in how your organization responds to mistakes, encourages reporting, and reinforces positive behavior. Punitive approaches—such as shaming users who click on simulated phishing links—can backfire. They create a culture of fear, where employees are hesitant to report real incidents.

Instead, foster a culture of curiosity and psychological safety:

  • Celebrate early reporting.
  • Encourage questions, even if they seem “basic.”
  • Use mistakes as teachable moments, not disciplinary triggers.

When users feel safe to speak up, your organization becomes more resilient.

Tabletop Exercises: Preparing for the Unthinkable

CIOs and CISOs should champion cross-functional tabletop exercises that simulate modern attack vectors—especially those involving AI-generated content. For example:

What happens when your CFO receives a video call from a “CEO” requesting an urgent wire transfer—only it’s a deepfake?

These exercises not only prepare your teams but also expose gaps in your incident response playbooks and communication protocols. They help bridge the gap between theoretical training and real-world readiness.

Metrics That Matter: Measuring the ROI of Awareness

To elevate user training to a strategic initiative, CIOs must measure its impact. Key metrics might include:

  • Reduction in phishing click-through rates, compared across campaigns of similar lure difficulty; an easier lure lowers the number without any change in behavior.
  • Increase in incident reporting volume and speed: the share of users who report a simulated (or real) phish, and the median time from delivery to report.
  • Engagement rates with training content.
  • Behavioral improvements over time, such as a falling repeat-click rate and a rising ratio of reports to clicks across successive campaigns.
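
The metrics above can be computed directly from simulation telemetry. The following Python script is an added example, not code from this article or from any awareness platform; the event schema, field names, campaign identifiers, and the sample records are all constructed for illustration. It computes click rate, report rate, median time-to-report, and reports-per-click per campaign and per user segment, lists repeat clickers across campaigns, and reports the change between two campaigns.

```python
"""Awareness-program metrics from phishing-simulation telemetry.

Added example: the event schema, field names and all sample records below
are constructed for illustration, not a vendor export format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Set


@dataclass
class SimEvent:
    campaign: str                        # simulation campaign identifier (assumed)
    user: str
    segment: str                         # user segment, e.g. "finance", "exec", "hr"
    delivered: datetime                  # when the simulated phish was delivered
    clicked: Optional[datetime] = None   # when the lure link was clicked, if ever
    reported: Optional[datetime] = None  # when the user reported it, if ever


def _t(s: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample telemetry: two campaigns, six users, three segments.
EVENTS: List[SimEvent] = [
    SimEvent("Q1", "alice", "finance", _t("2025-01-15 09:00"), clicked=_t("2025-01-15 09:05")),
    SimEvent("Q1", "bob", "finance", _t("2025-01-15 09:00"), clicked=_t("2025-01-15 09:10"), reported=_t("2025-01-15 09:20")),
    SimEvent("Q1", "carol", "finance", _t("2025-01-15 09:00")),
    SimEvent("Q1", "dave", "exec", _t("2025-01-15 09:00"), clicked=_t("2025-01-15 09:30"), reported=_t("2025-01-15 10:00")),
    SimEvent("Q1", "erin", "hr", _t("2025-01-15 09:00"), reported=_t("2025-01-15 09:12")),
    SimEvent("Q1", "frank", "hr", _t("2025-01-15 09:00")),
    SimEvent("Q2", "alice", "finance", _t("2025-04-15 09:00"), reported=_t("2025-04-15 09:03")),
    SimEvent("Q2", "bob", "finance", _t("2025-04-15 09:00"), reported=_t("2025-04-15 09:08")),
    SimEvent("Q2", "carol", "finance", _t("2025-04-15 09:00"), clicked=_t("2025-04-15 09:40"), reported=_t("2025-04-15 09:45")),
    SimEvent("Q2", "dave", "exec", _t("2025-04-15 09:00"), reported=_t("2025-04-15 09:15")),
    SimEvent("Q2", "erin", "hr", _t("2025-04-15 09:00"), reported=_t("2025-04-15 09:04")),
    SimEvent("Q2", "frank", "hr", _t("2025-04-15 09:00")),
]


def metrics(events: List[SimEvent]) -> Dict[str, Optional[float]]:
    """Rates for one group of delivered simulation messages."""
    delivered = len(events)
    clicked = [e for e in events if e.clicked is not None]
    reported = [e for e in events if e.reported is not None]
    minutes = [(e.reported - e.delivered).total_seconds() / 60 for e in reported]
    return {
        "delivered": delivered,
        "click_rate": round(len(clicked) / delivered, 3) if delivered else None,
        "report_rate": round(len(reported) / delivered, 3) if delivered else None,
        "median_minutes_to_report": round(median(minutes), 1) if minutes else None,
        # Reports per click is harder to game with an easy lure than the raw
        # click rate: it rises only if reporting improves relative to clicking.
        "reports_per_click": round(len(reported) / len(clicked), 2) if clicked else None,
    }


def by_campaign(events: List[SimEvent]) -> Dict[str, Dict[str, Optional[float]]]:
    """Metrics keyed by campaign, for trend reporting."""
    groups: Dict[str, List[SimEvent]] = defaultdict(list)
    for e in events:
        groups[e.campaign].append(e)
    return {c: metrics(evs) for c, evs in groups.items()}


def by_segment(events: List[SimEvent], campaign: str) -> Dict[str, Dict[str, Optional[float]]]:
    """Metrics keyed by user segment within one campaign."""
    groups: Dict[str, List[SimEvent]] = defaultdict(list)
    for e in events:
        if e.campaign == campaign:
            groups[e.segment].append(e)
    return {s: metrics(evs) for s, evs in groups.items()}


def repeat_clickers(events: List[SimEvent]) -> Set[str]:
    """Users who clicked in more than one campaign (candidates for targeted training)."""
    campaigns: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.clicked is not None:
            campaigns[e.user].add(e.campaign)
    return {u for u, cs in campaigns.items() if len(cs) > 1}


def trend(events: List[SimEvent], first: str, last: str) -> Dict[str, float]:
    """Change in each rate from campaign `first` to campaign `last` (negative click-rate
    delta and positive report-rate delta are the desired direction)."""
    per = by_campaign(events)
    a, b = per[first], per[last]
    keys = ("click_rate", "report_rate", "median_minutes_to_report", "reports_per_click")
    return {k: round(b[k] - a[k], 3) for k in keys if a[k] is not None and b[k] is not None}


if __name__ == "__main__":
    for campaign, m in by_campaign(EVENTS).items():
        print(campaign, m)
    print("Q2 by segment:", by_segment(EVENTS, "Q2"))
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("Q1 -> Q2:", trend(EVENTS, "Q1", "Q2"))
```

Comparing campaigns only makes sense when the lures are of similar difficulty, so in practice the campaign record would also carry a difficulty rating and trends would be computed within a rating; the constructed data here assumes comparable lures.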

These metrics can be tied to broader business outcomes—such as reduced incident response costs or improved audit performance—making it easier to justify continued investment.

Conclusion: You Can’t Patch Users—But You Can Upgrade Them

The phrase “you can’t patch users” has become a cliché in cybersecurity circles. But with the right strategy, tools, and leadership, we can do something even better: we can upgrade them.

As CIOs and CISOs, we must treat user training with the same strategic rigor as any other security investment. AI-driven, behaviorally intelligent training platforms are no longer optional—they are essential. The human layer is not a liability; it’s an underutilized asset. Let’s start treating it that way.