Making Security Training Less Painful & More Human

On May 3, 2019, I received a letter offering me my first cybersecurity position. I was ecstatic. After 16 years in Human Resources with the federal government, I had decided to make a complete career change.

There was one condition I had to meet: I had to obtain my Security+ certification within two weeks of accepting the position.

The endless loop of training

I signed the offer letter, then I was off to the races. I had to learn massive amounts of content and pass an exam in just 14 days. Looking at how other cybersecurity professionals succeeded, I began to do what they did: study material, take a practice test, watch a video, repeat. Study more material, take another practice test, watch another video, repeat. The process worked. I passed the exam on the first try.

Once I got the job, that same program kept running, but for annual compliance training. Watch a video. Take a quiz. Score 85% or higher. Watch another video. Take the quiz. Pass the test. Same checkboxes. Same format. Same loop, different day.

It was exhausting. Not challenging. Just dull and something I had to do. There was a lot of training, but very little learning. In fact, the routine squeezed the desire to learn right out of me.

Coming from years of learning and development in HR, I already knew there was a better way to train and to learn. But in cybersecurity—a highly technical field—expert knowledge is widely shared, often through training programs with little deliberate design.

Training that works is training that produces changes in attitude, beliefs, thinking and behavior. Training that works doesn’t feel like training at all. It feels like work—the real kind. The kind that produces something different and valuable.

Real learning leaves a trail

Work and learning are the same process.

Work is physical and mental energy used to produce something. Learning is the same. If nothing gets produced, I have to ask—did learning actually happen? It doesn’t have to be big. But there should be evidence.

In one workshop, I looked for evidence. What did people actually create during the session? Flipchart notes? A shared document? A question that sparked discussion? A comment that shifted the room?

Sometimes the answer was nothing. In those cases, the only thing I could say was that people showed up and sat through it.

That’s not learning. That’s attendance.

Well-designed learning is not passive

In well-designed learning environments, people aren’t just clicking through slides or passively listening.

  • They ask better—and different—questions
  • They show their work: what went right and what didn’t
  • They share what they learn and help others get unstuck

Well-designed learning environments produce excited, confused, contemplative and frustrated learners, and they encourage each other through all of it. That’s not just engagement. That’s community.

There’s a different energy in these spaces because learning is not about checking things off a list. Learning shows up as a shift in understanding, skills, the way people process information, and in the way people show up for each other. You might not see it on a quiz. But you can see it in their effort, their curiosity, and what they create together.

Cybersecurity training isn’t a game

Too many cybersecurity programs still treat learning like a video game. Teach the rule, test the rule, track the score. It’s like running a cyber range where the goal is to win points—break something, defend something, keep a tally. But the real work environment isn’t that clean.

Games have rules. Real life doesn’t care about rules. Especially in cybersecurity. A policy doesn’t stop a cyber attack. A checklist doesn’t explain why the firewall failed.

If you’re building training for the real world, you must ask: Are we preparing people for the mess? Or just helping them memorize the map?

What growth actually looks like

In real training spaces, especially technical ones, this is what I watch for:

  • A learner makes their own troubleshooting sheet because the course one doesn’t fit
  • Someone who was silent starts helping others
  • A question shifts from “how do I…” to “what happens if…?”
  • A person says, “I want to teach this next time”

None of these are required and you won’t find any of them on a multiple-choice quiz. But every one of them is a sign of life.

What gets in the way

Let’s talk about what shuts learning down:

  1. Fear-based scenarios. The kind that says, “Click this and you’ll get hacked.” They scare people into silence. Fear isn’t fuel, it’s fog.
  2. Rigid delivery. Everyone gets the same content, the same way, at the same speed, but people don’t learn in order. They loop. They jump ahead. They circle back.
  3. Surface-level evaluation. If the only thing you’re measuring is how pretty the report looks, you’re missing the actual work.

Consider this: judgment is about merit, worth, and significance. And those things demand substance. If all you can say after a session is that “people looked at the screen” and “chairs were comfortable,” then the training didn’t do what it was supposed to. It might have been efficient. It might have followed the plan. But it didn’t move anyone.

Real training should leave behind more than attendance records and slick slides. It should leave behind decisions made differently, questions asked more deeply, or even just one person taking a risk they wouldn’t have taken before. If we can’t point to something that shifted—internally or externally—then what exactly are we calling success?

A real example

In one session focused on secure login practices, I didn’t start with a lecture or a list of objectives. I asked a simple question: “Show me how you log in. What gets in your way?”

That question came from a deliberate choice. I built an environment around trust, relevance, and agency. I didn’t tell them what to learn, I asked what they already did. I let their real routines lead the conversation. There was no pressure to perform, just room to reflect, test ideas, and respond to each other.

People opened up. They shared password habits without shame or fear. One person explained how they used a password manager. Another tried it out in real time. Someone else admitted they used two-factor authentication but didn’t understand how it worked. Within minutes, others were explaining it better than I could.

Two people who were quiet at the start ended up leading a short session, showing others how to reset a password and use an app to confirm their identity when logging in.

None of that was planned. But it happened because the space was designed for discovery and proficiency, not just performance. That shift—from showing up as a student to showing up as a contributor—is where the learning happened.

They used mental and physical energy to produce something: a change in behavior, a shared understanding, a tool tested in real time.

I didn’t just see it. They did too.

If you build cyber training, try this

Let’s stop building for compliance. Start building for change.

Here’s what helps:

  • Design for emergence. Let people discover things. Don’t just tell them.
  • Track behavior, not just answers. Confidence is visible.
  • Notice the energy. Frustration and curiosity are clues.
  • Create safe places to fail. That’s where the work gets real.

Final thought

Cybersecurity isn’t about memorizing rules. It’s about consistently making smart decisions in unpredictable situations.

That takes more than knowledge. It takes confidence. It takes trying, failing, adjusting, and trying again.

Let’s make space for that kind of learning.

Because most people want to grow and mature. They just need a room where it’s okay to show up messy.

 
