Security Awareness Training should meet employees where they are. The required annual training is good for checking the compliance box, but what are the current security trends impacting people every day on social media? Keep users up to date on how to protect themselves now by reinforcing how best practices will prevent the latest trends in online cyber attacks. Hold events throughout the year that encourage good cyber hygiene and have tangible rewards for users who participate.
Security staff can't be present at every meeting in the company. There are a lot of areas our eyes are blind to because we don't see the day-to-day activities end users are faced with. So invest time and resources into key people across the organization and empower them to bring a security mindset into their department. Have monthly 1:1s with users outside of the security team who are interested in security to teach and mentor them. Encourage them to find ways to use what they learn with their own teams. Invite someone outside of the security team to a cybersecurity conference.
Provide a password manager and teach users how to use it. Monitor use and find ways to encourage wider adoption. Invest in email security tooling that makes it easier for users to spot spoofed emails and quarantine phishing attempts. Don't punish users with staged phishing emails that they'll just warn others about when they see them. Instead, use data from real phishing attempts in your company to educate users who missed an opportunity and congratulate users who made the right decision. Invest in SSO solutions to simplify authentication for end users. The less friction security creates, the more likely users are to use security.
Empower teams with the knowledge to make good decisions to keep business operations running smoothly. Create short, team-specific checklists as a way to enable them to meet minimum security requirements. Then encourage them to bring security in when the checklist isn't enough to make a decision. This handles the low-hanging fruit in a secure way without slowing teams down, and brings security in for the larger decisions where more nuance is needed.
The Security team should be a value-adding partner that helps teams accomplish their goals in the most secure way possible. As soon as Security is seen as a roadblock, people will involve the Security team less. Find ways to mitigate risk instead of just avoiding risk and teams will begin to seek you out. Making teams aware that Security is there to help is a way to create bridges for teaching other teams proper security techniques that are meaningful to them.