


Make Security Awareness Training More than a Compliance Requirement


Checking the box feels good. Moving the needle on security culture and awareness will feel even better.
What would happen if you treated security awareness training as an opportunity, not an obligation? While regular, structured Security Awareness Training is now an almost universal requirement of doing business, especially for MSPs, too many organizations are still stuck in compliance checkbox mode. Let’s look at why that’s a mistake and how teams can fully maximize SAT investments and their impact.
Security awareness training can feel like just another fire drill
Too many companies still treat security awareness training like a fire drill. At worst it’s a loud, annoying disruption, at best it’s a chance to get some fresh air and catch up with your friend Carlos who now works downstairs in finance. This is the perfect example of training as an unappreciated requirement.
Turning obligation into opportunity
In some very important ways, SAT feels like a similar obligation. Federal government agencies and some companies have been required to train all employees on information security and risk avoidance for almost 40 years.
More recently, security awareness training is one of the bare minimums required when applying for cyber insurance. These are obligations. But what if training wasn’t just about checking a box, but actually moving the needle on security? This is the opportunity.
Companies know they’re stuck in compliance mode
- 1 in 5 companies still only conduct yearly security training exercises, far under the best practice recommendation of monthly training.
- Leaders think 8 out of 10 employees are still motivated to complete SAT by compliance requirements only.
This level of engagement keeps regulators and underwriters happy. But like that fire drill: could the time be used more effectively?
Now’s the time to get out of compliance mode
- It’s not just what you’re training on, but how you’re engaging, including mode, frequency, and level of interactivity.
- This also has to happen without adding a whole new training team. This means businesses, MSPs in particular, need solutions they can deploy with minimal stress.
Suddenly, lots of things get easier
But leaning into SAT means the same obligation, executed differently, is now a tremendous opportunity to:
- strengthen your operational security readiness
- nurture your organizational security culture
- reduce the cost and stress of compliance
We’ll get to what these benefits look like in a bit, but we need to start with the requirements.
Checking the box vs changing the game
While the federal government has been requiring SAT since 1987, most of the rest of the world is still a work in progress. But that hasn’t stopped regulators and underwriters from putting bare minimums in place, and they’ve been effective at improving basic cyber hygiene.
Frameworks like PCI-DSS and HIPAA differ on details while sharing a core set of mandatory elements, which also mirror the basic underwriting requirements for cyber coverage. We’ll use these overlaps as our discussion set. Then, we’ll look at how doing more pays off, often exponentially.
Roster: Who’s getting trained?
The obligation: Train most new hires before granting system access, especially those with access to sensitive systems and data.
The opportunity: No one should be exempt. Make sure everybody gets trained, including leadership. This top-down approach actually helps build security culture from the ground up and encourages everybody to take it seriously. Plus, leadership is a common target for attacks.
With Phin:
- Quick 5-minute trainings ensure everyone has time to get trained, even executives
- Group users by department or title to ensure each set of users is getting the training they need
- Automated training reminders every 7 days ensure no users slip through the cracks
Frequency: How often are users getting trained?
The obligation: Train users before granting access, with mandatory refresher training at least annually.
The opportunity: Break training into frequent, short sessions delivered throughout the year. Frequent touchpoints boost knowledge retention, responsiveness to threats, up-to-date information, and real culture change.
With Phin:
- 90% of Phin's training content is 5 minutes or less
- Automated campaigns ensure users are receiving monthly training without the hassle of managing it every month
- 30-second learning moments provide frequent, relevant, and real-time feedback on phishing simulations that don't cause disruptions to the end-user's day
Updates: How fresh is your content?
The obligation: Review and update training content annually to incorporate new threats, compliance changes, and incident lessons, ensuring relevance and proof of due diligence for auditors and insurers.
The opportunity: Update immediately after security incidents or emerging risks. Dynamic, responsive content proves ongoing diligence and demonstrates true commitment to evolving threats, not just annual checkbox compliance for auditors.
With Phin:
- 6 expert content providers ensure Phin's training content is relevant and updated
- Select relevant training topics for each tenant when automating training campaigns
Breadth: What gets covered in training?
The obligation: Address current, organization-specific cyber threats such as phishing, ransomware, and insider risks, tailoring coverage to industry vulnerabilities that regulators and underwriters expect to see mitigated.
The opportunity: Grow your curriculum past the basics. Expand topics for all risk groups, including privileged users and vendors. Make training scenario-driven and focus on real-life threats people encounter, raising situational awareness for everyday decisions, including around AI.
With Phin:
- 6 expert content providers ensure Phin's training content is relevant and updated
- Select relevant training topics for each tenant when automating training campaigns
- Customize training campaigns with your own content
Relevance: How relatable is the content?
The obligation: Provide role-based training aligned with employees’ data and system access, focusing on risks most relevant to their responsibilities to satisfy regulatory and insurer expectations.
The opportunity: Keep the security conversation current by engaging around real-world stories and challenges. Blend this content with required systems training.
With Phin:
- Sort end-users by department based on Azure or Google sync groups to ensure each end-user is getting relevant training
- You know your end-users best — automate customized phishing and training content
Delivery: How do employees consume training?
The obligation: Use diverse learning formats including e-learning, simulations, and live sessions to maximize engagement, accommodate learning styles, and reinforce continuous awareness beyond a single annual event.
The opportunity: Change up your training routines. Gamify, stoke competition, nurture collaboration. Interactive formats beat annual lectures by boosting interest and participation and making training more fun, memorable, and embedded into the daily work.
With Phin:
- Gamify training with a leaderboard
- With 6 different content providers, there's a wide variety of training to choose from that keeps your end-users engaged, including videos with well-known actors and a series that feels like Sunday morning cartoons
Tracking: How do you audit activity and completion?
The obligation: Require annual written acknowledgment of security policies, maintaining signed records as compliance evidence for regulators, auditors, and insurers to demonstrate program accountability and enforcement.
The opportunity: Capture meaningful metrics and look for actual behavior change such as phishing reporting and strong passwords rather than just training completion. Share positive outcomes to encourage participation and foster a supportive reporting culture.
With Phin:
- Track how users engaged with training and note users to watch
- Automate reporting to send out to key stakeholders to review behavior change and ensure the training is doing more than meeting requirements
- Prove ROI to customers by better understanding your end-users' performance and improving your use of the platform by attending personalized P.H.I.N. (Partner health, insights, and news) meetings with the partner experience team
What happens when your security awareness training is more than just a compliance requirement?
So, we’ve seen the bare SAT minimums and talked about how MSP teams can stop checking boxes and start moving the needle on security. As they begin to elevate and accelerate their programs, suddenly some very good things start to happen.
1. Your operational security readiness gets stronger (and just in time)
At its core, the goal of SAT is to increase operational security readiness by training users to avoid the mistakes that increase cyber risk. Working on the fundamentals (don’t click, don’t download, don’t visit, see something/say something, etc.) is making a difference. Proofpoint’s research showed a huge impact from consistent security training:
- 40% reduction in number of harmful links clicked by users
- 80% reduction in overall security risks
This is why regulators and underwriters make training mandatory: it works. And it’s not just about defending against existing threats. The right SAT program also prepares employees to defend the business from new and evolving threats. In an “AI everywhere” era, this is more critical than ever:
- Almost 8 of 10 CISOs admit AI-powered threats are now a significant challenge
- AI toolkits are making attacks easier, leading to a 202% increase in phishing messages
Ultimately, more mature security awareness training prepares teams and users to protect the business from today’s threats and whatever comes next. Every effective touchpoint is a step in that journey.
2. Your security culture gets more mature and effective
Company culture comes from all the intangibles that get produced in pursuit of your mission. Whether it’s empathy, innovation, or a focus on high standards, these are critical by-products of your business.
But we also know that culture is never just an output, it also impacts the institutions it inhabits. When it comes to cybersecurity, a strong culture keeps teams and users aligned and defending the business against modern threats.
Surveys show that culture absolutely drives outcomes, and that training alone is never enough.
- One survey says regular training increases awareness of risk by 50%
- Another says orgs that build for security culture, and don’t just rely on training, increase risk awareness by 70%
Successful culture building requires broad and deep collaboration across the organization, as best practices turn into individual habits and, eventually, collective values.
- Executive buy-in is great, executive enthusiasm is even better
- Remember, training is a conversation, so maximize the opportunity!
Operational security readiness and big-picture culture are separate things, but they are always closely interconnected. Done right, smarter security culture and stronger security operations should nurture each other.
3. You reduce the cost and stress of compliance
Last but not least: you have a security story that others want to hear, so make it a good one. Expanding the reach, frequency, and depth of your security awareness training all demonstrate your commitment to meaningfully shaping your organization’s security culture. That pays off big with both regulators and underwriters.
- Advanced SAT can reduce your costs of coverage. Better training helps lower your overall risk, so underwriters may offer better insurance deals—like lower premiums, more coverage, or fewer hoops to jump through—because the chances and impact of an incident are clearly reduced.
- Advanced SAT can engage and impress regulators. Showing you’re serious about security through more advanced and proactive training puts you in a stronger position with regulators. They may see you as going above and beyond the basics, making audits smoother, reducing the risk of fines, and building more trust in how you run things.
We talked earlier about how good training is really like having a conversation with your employees. In this case, it makes difficult conversations with really important stakeholders a lot easier.
No more fire drills — it's time for smarter SAT
Security awareness training should no longer be seen as a compliance chore or an annual box to tick. When MSPs and organizations transform SAT into a continuous, engaging, and measurable process, they unlock a boatload of benefits.
The challenge for most MSPs isn’t realizing they need to do more—it’s about creating a path to make it happen. The most important decision you’ll make is about the right partner to help you take that next step. Need help finding the right partner? Use this SAT acceptance criteria checklist to make sure your provider has what you need.

