Certified: The Security+ Prepcast

Security awareness is one of the most cost-effective, high-impact investments an organization can make in its cybersecurity posture. It empowers users to recognize threats, follow policies, and act responsibly when something feels off. But to be effective, awareness doesn’t happen by accident—it needs to be structured, intentional, and ongoing. In this episode, we’ll look at how to develop a strong security awareness program from the ground up, and how to execute it in a way that actually reaches and influences employees across the organization.
Let’s start with program development. The first step in creating a security awareness program is defining your objectives. What behaviors do you want to reinforce? What risks are you trying to reduce? A good program isn’t just about ticking boxes or handing out training modules—it’s about changing behavior. That means aligning the program with real-world risks your organization faces, and identifying the audiences that need targeted guidance.
To begin, perform a risk assessment and talk to different teams across your organization. What are the biggest threats? What’s your phishing click rate? Where are the most frequent compliance failures happening? Are there departments with access to sensitive data but low training completion rates? Use this data to identify gaps and tailor your content accordingly.
Once you have a foundation, build a structure that combines short-term actions with long-term strategy. At the core of any awareness program should be a policy framework that defines the purpose of the training, the roles and responsibilities of participants, and how success will be measured. From there, plan a training calendar. This might include an annual core curriculum, quarterly refresher modules, and monthly micro-trainings or reminders.
It’s also helpful to create content tiers based on role. Executives need different information than front-line staff. Developers need different training than human resources. By segmenting content, you avoid generic sessions and make the material relevant to the people who are actually applying it.
Make sure your program also includes reinforcement. One-time training doesn’t stick. Plan for repetition. This can take the form of phishing simulations, weekly tips, short videos, or even internal security challenges and recognition programs. The more consistent the engagement, the more likely people are to internalize the lessons.
Let’s consider an example. A university launches a new security awareness program to reduce data mishandling. The program begins with a 30-minute kickoff video for all employees, followed by tailored modules for faculty, administrative staff, and IT personnel. Each module is paired with a checklist, a short quiz, and an in-person discussion group hosted by security champions in each department. Monthly emails reinforce key points, and random phishing simulations track progress. Within six months, the organization sees a 40 percent drop in policy violations and a 60 percent increase in incident reporting. That’s the power of a well-structured program.
Now let’s talk about execution. Designing a program is one thing—delivering it effectively is another. Execution starts with choosing the right channels. Different people learn in different ways. Some prefer videos. Others need live instruction. Still others respond best to brief reminders or visual posters. A strong program uses multiple delivery methods to ensure the message lands across all audiences.
Start with formal training. This might include onboarding sessions, annual compliance modules, or live webinars. Make sure your content is interactive, scenario-based, and focused on real behavior—not just abstract theory. Replace lectures with stories, simulations, and roleplay whenever possible. The more your training feels like the actual situations employees will face, the more useful it becomes.
Next, supplement formal training with informal reinforcement. Use digital signage in break rooms, messages in collaboration tools, or short alerts in internal newsletters. Use humor where appropriate. Engage people. Make security feel like part of the workday, not a separate activity.
Another key to execution is visibility. Leadership must be seen supporting the program. When executives attend training, refer to policy, and share their own lessons learned, it sends a message that security is everyone’s responsibility—not just something delegated to IT. Culture shifts from the top down, and security is no exception.
You’ll also need infrastructure. That means a learning management system that can deliver content, track completions, send reminders, and generate reports. Without good infrastructure, you won’t know who’s participating, what’s working, or where gaps still exist.
Let’s walk through another real-world example. A global consulting firm launches a security awareness campaign focused on social engineering. They roll out a five-minute weekly video series, with each episode focusing on a different attack type—phishing, vishing, pretexting, tailgating. Videos are paired with short quizzes, and results are tracked through a dashboard accessible to department heads. Posters go up near elevators and coffee stations with weekly reminders. Executives mention the campaign in town halls. Within three months, reported phishing attempts have doubled, and click rates on test emails have dropped by half. Execution made the difference—not just the material.
Consistency is another big part of execution. Don’t let training fade into the background. Establish a cadence—weekly, monthly, quarterly—and stick to it. Keep materials fresh, relevant, and tied to real incidents. If your industry has experienced a data breach or your company faces a new threat, address it directly in your next training message. When employees see that your training is responsive to the real world, they pay closer attention.
Monitoring is critical as well. Track training completion rates, policy acknowledgments, phishing simulation outcomes, and help desk tickets related to security issues. This data shows whether the program is making an impact. It also helps target new training efforts to areas where behaviors aren’t changing.
And finally, make room for feedback. Ask employees what’s working and what’s not. Run anonymous surveys. Encourage suggestions. The more users feel included in the training process, the more likely they are to take ownership of their role in the security culture.
As you prepare for the Security Plus exam, expect questions that address both program structure and execution. If a scenario describes planning content based on risk assessments and roles, it’s about program development. If it describes delivery methods, tracking systems, or leadership involvement, it’s focused on execution. Remember, it’s not just about having a program—it’s about making it effective.
For downloadable program planning templates, content calendars, and execution checklists, visit us at Bare Metal Cyber dot com. And for the most exam-focused Security Plus guide available—complete with hundreds of practice questions and real-world scenarios—go to Cyber Author dot me and grab your copy of Achieve CompTIA Security Plus S Y Zero Dash Seven Zero One Exam Success.