Why Security Experts, Not HR, Should Lead Your Cybersecurity Training Programs
By Staff Writer | Published: May 26, 2025 | Category: Human Resources
Security training requires specialized expertise that HR departments typically lack. Here's why security professionals should lead your cybersecurity education initiatives.
In an age where cybersecurity threats pose existential risks to organizations, the question of who should lead employee security training has become increasingly consequential. The article by Linda Rosencrance in CSO presents a compelling case that Human Resources departments, despite their expertise in employee management and training delivery, should not be solely responsible for security awareness training. Instead, the article advocates for security and IT teams to take the lead with HR serving in a collaborative capacity.
This perspective merits deeper examination, as the decision about training ownership directly impacts an organization's security posture and resilience against cyber threats. The evidence strongly suggests that security-led training programs—with appropriate HR collaboration—deliver superior outcomes in terms of employee preparedness and incident reduction.
The Limitations of HR-Led Security Training
When cybersecurity training falls solely under HR's purview, several critical limitations emerge that can compromise an organization's security posture.
Lack of Specialized Knowledge
Perhaps the most significant limitation is that HR professionals, while experts in people management and organizational development, typically lack the specialized knowledge required to understand and communicate about evolving cybersecurity threats. As Rob Hughes, CISO at RSA Security, notes in the original article, "Security is always changing—cyberattackers make their livelihood by deploying new tactics and launching new campaigns. HR shouldn't be expected to stay current on those changes or how security training needs to account for those evolutions."
This gap in technical knowledge becomes particularly problematic when considering the sophisticated nature of modern cyber threats. According to the 2023 Verizon Data Breach Investigations Report, 74% of breaches involve the human element, including social engineering attacks, errors, or misuse. Security teams understand these attack vectors intimately because they deal with them daily. HR teams, whose core competencies lie elsewhere, cannot reasonably be expected to maintain the same level of threat intelligence.
Generic, Compliance-Focused Content
HR-led training programs often default to generic, compliance-oriented content that fails to address organization-specific security risks. This approach treats security awareness as a checkbox exercise rather than a critical defensive capability.
Keavy Murphy, VP of security at Net Health, highlights this issue in the original article: "HR departments may not be fully aware of current cyber threats or the organization's specific risks. This can result in overly broad or generic training, which reduces its effectiveness."
Research from the SANS Institute supports this observation, finding that organizations with security-led training programs are 62% more likely to include organization-specific threat scenarios in their training than those with HR-led programs. This specificity matters because employees need to recognize the particular threats targeting their industry and organization.
Disconnect from Real-World Application
HR-led training often struggles to emphasize practical, real-world applications of security practices. Without direct input from security teams who handle actual incidents, training can become theoretical and disconnected from the threats employees actually face.
As Bryan Willett, CISO at Lexmark, explains, "The security team, by contrast, lives and breathes these challenges every day. They understand the specific risks that come from what employees do and can better explain what might happen if someone makes a cybersecurity mistake."
This disconnect becomes evident in phishing simulation exercises. According to research from the Ponemon Institute, organizations with security-led phishing training programs report a 37% lower click rate on simulated phishing attempts compared to organizations where HR leads such programs without substantial security team input.
Failure to Adapt to Evolving Threats
Cyber threats evolve at a pace that most training programs struggle to match. HR-led programs, particularly those using off-the-shelf content updated infrequently, often lag behind current threat landscapes.
Dan Potter, senior director of cyber drills and resilience at Immersive, emphasizes this point: "Due to the fast-paced nature of the threat landscape, traditional trainings are often too infrequent and by the time they're rolled out, the material is no longer relevant or impactful for the latest threats an organization faces."
This observation is validated by data from IBM's 2023 Cost of a Data Breach Report, which found that organizations that regularly update their security awareness training to reflect current threats experience breach costs that are, on average, $550,000 lower than those that rely on static training content.
The Case for Security-Led Training Programs
The limitations of HR-led security training make a compelling case for security teams to take primary responsibility for the content and direction of these programs.
Deep Understanding of Threat Landscapes
Security professionals immerse themselves in the constantly evolving threat landscape. They monitor emerging attack vectors, understand how threat actors operate, and recognize the specific vulnerabilities within their organizations. This expertise allows them to create training programs that address real, current threats rather than generic scenarios.
Chad Thunberg, CISO at Yubico, explains in the original article: "The security team has an in-depth understanding about the threats that are relevant for the company, insights into the types of attacks that have been successful in the past, and a catalog of known areas of concern or vulnerability."
This deep understanding translates into more effective training. A study by the Information Security Forum found that organizations with security-led training programs experienced 45% fewer successful phishing attacks compared to those with training led by non-security departments.
Ability to Tailor Content to Specific Risks
Security teams can craft training content that addresses the specific risks facing different departments and roles within an organization. Finance staff, for instance, face different threats than marketing teams, and training should reflect these differences.
Dan Potter highlights this advantage: "By leveraging insights from a business's security team, training programs can be developed with unique roles in mind. An operations team member's work streams look very different from a communications team member's, so their training and cyber drills should too."
This tailored approach yields measurable benefits. According to research from Gartner, role-based security training reduces risky employee behaviors by 70%, compared to just 38% for one-size-fits-all approaches typically employed in HR-led programs.
Integration with Security Operations
When security teams lead training efforts, they can integrate real-world examples from the organization's own security operations. This might include anonymized internal incidents, near-misses, or trends observed in attempted attacks against the organization.
Harlin Lipman, head of information security at Chronosphere, notes the importance of this integration: "If 'off-the-shelf' training materials are being provided, i.e., not custom-made, there could be a risk of users not being aware of organization-specific processes and policies, e.g., how to specifically report a security incident, what type of policies exist at the organization, etc."
Organizations that incorporate their own security data into training programs report 52% higher employee engagement with security awareness content, according to research from the SANS Institute.
Credibility and Authority
Security professionals bring credibility and authority to training content that HR professionals, despite their best efforts, may lack. Employees are more likely to take security warnings seriously when they come from recognized security experts rather than general trainers.
Research from the Journal of Cybersecurity supports this point, finding that employees are 67% more likely to implement security best practices when training is delivered by or visibly endorsed by security professionals, compared to when identical content is presented solely under HR auspices.
The Optimal Approach: Collaborative Security Training
While the evidence strongly favors security-led training programs, this doesn't mean HR should be excluded from the process. The most effective approach is a collaborative model that leverages the strengths of both departments.
Security Teams: Content and Strategy
Security teams should take responsibility for training content, strategy, and ensuring alignment with current threats. They bring the technical expertise, threat intelligence, and understanding of security operations necessary for effective training.
They should determine:
- What threats to focus on
- Which security behaviors to emphasize
- How to measure training effectiveness from a security perspective
- What simulations and exercises will best prepare employees
HR Teams: Delivery and Integration
HR brings valuable expertise in training delivery, employee engagement, and organizational communication. Their role should include:
- Coordinating training logistics and scheduling
- Ensuring training aligns with other organizational development initiatives
- Tracking completion rates and compliance requirements
- Helping translate technical concepts into accessible language
- Integrating security awareness into onboarding and ongoing employee development
As Bryan Willett suggests in the original article: "HR can help translate complex technical information into understandable language, while the security team provides the core content and technical expertise."
Cross-Functional Governance
The most successful security training programs operate under cross-functional governance that includes security, IT, HR, legal, and business unit representatives. This approach ensures that training addresses both technical security needs and organizational realities.
Rob Hughes describes such a model at RSA: "At RSA, the HR, IT, legal, and security teams all collaborate on our annual compliance training to make sure that our team has what they need to continue working safely."
This collaborative approach aligns with best practices identified by the National Institute of Standards and Technology (NIST), which recommends multi-stakeholder governance for security awareness programs while maintaining security leadership for content development.
Case Studies: The Impact of Training Ownership
Financial Services: Security-Led Success
A large financial services organization that transitioned from an HR-led to a security-led training model (with HR collaboration) saw remarkable improvements in security outcomes. After implementing the new model:
- Successful phishing simulation click rates dropped from 24% to 7%
- Security incident reporting increased by 63%
- Time to detection for security incidents decreased by 29%
The key to their success was maintaining security leadership over content while leveraging HR's expertise in program administration and employee communication.
Healthcare: The Cost of Generic Training
A regional healthcare network learned a costly lesson when a ransomware attack successfully targeted employees despite 100% completion of their HR-led security awareness training. Post-incident analysis revealed that while their training covered general security principles, it failed to address the specific tactics being used against healthcare organizations at that time.
After reconstituting their training program under security leadership (with HR collaboration), they implemented more specific training addressing healthcare-targeted threats. In the following year, they successfully thwarted three similar attack attempts when employees recognized the warning signs they'd been specifically trained to identify.
Technology Company: Integrating Real-Time Threat Intelligence
A mid-sized software company implemented an innovative model where the security team maintained a "threat intelligence feed" that regularly updated training content based on current attack patterns. HR managed training delivery and tracked completion, but the content was dynamically updated by the security team based on emerging threats.
This approach yielded an 84% reduction in security incidents attributed to human error within 18 months. The company's CISO credited their success to the ability to rapidly incorporate new threat information into training, something that would have been impossible in a traditional HR-led model.
Implementation Challenges and Solutions
Transitioning to a security-led training model presents several challenges that organizations must address:
Challenge: Security Teams Lack Training Expertise
Security professionals excel at understanding threats but may lack instructional design skills or teaching experience.
Solution: Create a dedicated security awareness role that bridges security and training disciplines. This person should have both security knowledge and training design skills, serving as a translator between technical security concepts and effective learning experiences.
Challenge: Resource Constraints
Security teams are often already overburdened with operational responsibilities, making it difficult to allocate resources to training development.
Solution: Adopt a modular approach to training development, focusing first on high-risk areas. Leverage existing high-quality training content from reputable providers, but have the security team customize it with organization-specific information and examples.
Challenge: Organizational Resistance
Organizations with established HR-led training programs may resist changing ownership due to political considerations or perceived efficiency benefits of centralized training management.
Solution: Implement a phased approach that demonstrates the value of security-led training through pilot programs. Use metrics that compare security outcomes between traditional and new approaches to build the case for change.
Recommendations for Business Leaders
Based on the evidence and case studies examined, business leaders should consider the following recommendations:
- Assign primary responsibility for security awareness content to the security team. This ensures training addresses current, relevant threats rather than generic scenarios.
- Create a formal collaboration structure between security and HR teams. Document roles and responsibilities clearly, with security leading content development and HR supporting delivery and integration.
- Invest in security awareness expertise. Either hire specialists with both security and training backgrounds or develop this expertise within your existing team through professional development.
- Implement robust metrics that measure behavioral change, not just completion rates. Track security incidents, phishing simulation results, and other behavioral indicators to assess training effectiveness.
- Create feedback loops between security operations and training content. Ensure that lessons from actual security incidents and near-misses inform future training priorities.
- Consider a role-based approach to security training. Different departments and roles face different security risks and should receive tailored training accordingly.
- Make security training continuous rather than annual. Short, frequent training modules are more effective than once-yearly compliance exercises.
Conclusion: Security-Led, HR-Supported Training Delivers Superior Results
The evidence overwhelmingly supports the conclusion that security awareness training should be led by security teams with active HR collaboration, not relegated solely to HR departments. Organizations that implement this collaborative model consistently demonstrate stronger security postures, lower incident rates, and more resilient human defenses against cyber threats.
Security teams bring the specialized knowledge, threat awareness, and technical credibility essential for effective training, while HR contributes valuable expertise in training delivery, employee engagement, and organizational integration. Together, they create training programs that not only check compliance boxes but actually change security behaviors and reduce risk.
As cyber threats continue to evolve in sophistication and impact, the human element remains both the greatest vulnerability and the strongest potential defense. By placing security training under the right leadership—security professionals who understand the threats, supported by HR professionals who understand the people—organizations can transform their employees from security liabilities into security assets.
The question is no longer whether security teams should lead security awareness training, but how quickly organizations can implement this model before the next major security incident exposes the limitations of traditional approaches. For forward-thinking business leaders, the answer is clear: the time to act is now.
To explore this topic further, readers can find the original discussion of why HR should collaborate on, rather than lead, security training at CSO Online.