



























Steve Riley is a VP and Field CTO at Netskope.

getty
Most of us are familiar with the routine annual security training exercise: several three-minute videos filled with contrived acting, wooden dialogue and pretend scenarios that feel nothing like the way people actually work.
When faced with this yearly ritual, employees behave like all other adults when confronted with mandatory content that isn’t relevant to their daily lives or doesn’t respect their time: they rush through it. They scrub through the video at the fastest speed allowed, skip to the transcript, jump straight to the quiz and get back to real work.
And if you asked them an hour later what they’d just learned, most wouldn’t be able to recall more than a line or two.
That isn’t a moral failing, nor is it an attack on training exercises as a whole. It’s simply how the human brain works. Pouring facts into adults’ heads once a year, at a time when the topics are not pertinent, fails its basic task: maximizing retention. Retention relies on experience. Learning switches on when the brain actually has to do something, not just watch.
Memories form when neurons rewire themselves, and the strength of that rewiring is what determines whether a lesson sticks. Passive training doesn’t create that rewiring because the experience doesn’t require meaningful decisions or reinforce the behaviors security teams want people to adopt.
If the goal is behavior change, then the annual video is fundamentally targeting the wrong mechanisms, because people remember what they experience, not what they’re told.
Yet most security programs are still built around the opposite assumption.
Consider the experience most people have when they encounter a security rule during their workday. It often shows up as a hard stop: an error message that scolds the user, blocks the action and offers no explanation.
When people aren’t told why an action isn’t allowed or shown a safer alternative, the interaction loses its chance to become a learning moment. Instead, people simply feel shut out of the security decision loop.
When they don’t understand the rationale behind a block, or what the secure path forward looks like, they do what humans have always done: they find a workaround to finish the task. Not because they want to break policy, but because the system hasn’t helped them succeed within the policy.
Real-time coaching, however, completely changes this dynamic. Rather than treating every policy violation as a dead end, it treats such moments as learning opportunities, because this is when users’ brains are most primed to learn.
For example: if a user uploads a sensitive file to personal cloud storage, coaching can stop the upload, explain why it’s not allowed and provide a one-click redirect to the approved corporate location. Or consider a developer who pastes source code into a personal AI assistant: coaching can block the action, show the policy reason and point them straight to the company’s approved AI coding service.
These in-the-moment nudges—showing the right choice at the right time—provide people context, clarity and agency, making them far more willing to participate in the security program. The result is a system that encourages people to make secure decisions, by reinforcing behavior change in ways that stick—all without slowing down their work.
Over time, coaching reshapes the organization’s security posture not through mandates but through thousands of tiny, appropriately delivered nudges. I've witnessed this myself and it's confirmed by many of our customers who implement policies with coaching elements.
When people understand why a rule exists and how to follow it, they stop seeing security as something imposed on them and start seeing themselves as part of it. Most people don’t want to break the rules or put the company at risk; they just want to do their jobs and sometimes need a bit of clarity in the moment.
This is why coaching can’t be treated as an add-on: if a policy affects people, it should include a coaching message. Enforcement alone doesn’t change behavior; instead, guidance does. And when guidance is delivered at the point of risk, it turns policy into practice.
And coaching naturally opens a positive feedback loop: as people explain why they’re taking certain actions, security teams discover a clearer view of real-world workflows and can adjust policies accordingly. It’s a small shift that makes security both smarter and less disruptive.
To help their companies navigate the challenges of our time—especially as we move deeper into the AI era—modern security teams must incorporate coaching into their policies. More training modules or added friction will only do so much, but a system that guides and reinforces secure choices as people work will strengthen an organization’s posture through everyday experience.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。