Exclusive: Cybrary on cyber training as tailored defence, not checkbox
Most companies still treat cyber training as a compliance checkbox rather than a security control, leaving them exposed to increasingly sophisticated, AI-assisted attacks, warns Cybrary.
The Maryland-based cybersecurity training provider says that while organisations invest heavily in firewalls and technical tuning, they rarely take the same disciplined approach to training their people, who remain the primary target for attackers.
Chris Murphy, Senior Vice President of Global Sales at Cybrary, said the issues begin with where cyber training traditionally sits inside companies. "It just gets lumped in with every other bit of training," he said, explaining how it fell naturally under HR and became treated as an administrative requirement. "It was more handled as a thing that needed to be done in order to meet a piece of compliance, or maybe cyber insurance, and less of a view as it is a security control."
Cybrary's data (drawn from its broad customer base and internal surveys) shows that organisations embracing a "culture of learning" are pulling ahead. These firms treat cyber capability as a dynamic skill set rather than an annual obligation. According to Murphy, that difference is reflected in measurable behaviour change across their workforce.
AI Is Making Attacks Harder to Spot
AI has radically changed the cyber threat landscape, as it has virtually everything else. Where phishing emails were once riddled with errors or odd phrasing, attackers can now use compromised inboxes and AI tools to craft perfectly contextualised messages.
"[Thinking] about attacks before. They were greatly incorrect. They were sort of obvious," Murphy said. Threat actors previously depended on a basic "intelligence threshold": if a victim was aware enough to spot a poor-quality attack, they were unlikely to fall for the follow-on steps. Now, contextual intelligence has flipped the dynamic. AI can mine inboxes, extract ongoing conversational patterns, and generate emails that read naturally within the thread they are replying to.
The shift to remote and hybrid work has also widened the attack surface. Employees use personal devices, public Wi-Fi, and home networks to access sensitive systems. Murphy said these new working patterns demand more dynamic training because they introduce more unpredictable variables.
"People have a lot more freedom. They're using personal devices to do work things sometimes," he said. Accessing secure environments from phones, tablets, coffee shops, and unsecured networks has forced CISOs to balance productivity with rapidly expanded risk.
Context-driven phishing, combined with an increasing number of remote employees and personal device use for work, gives attackers more vectors and more believable pretexts. Detecting these attacks increasingly depends on human judgement, something Murphy argues organisations are not training with sufficient depth or frequency.
Skills, Not Policies, Are Causing Breaches
"One of the things that you need to do is be sceptical, right? Even more sceptical today," he said. Even experienced cybersecurity professionals now second-guess emails that appear legitimate at first glance. Training needs to equip employees to pause, validate, and cross-check their actions, which Murphy said are central to preventing credential theft or lateral movement inside networks.
He argues that companies must move beyond surface-level modules. Many employees repeatedly fail simulated attacks not because they don't know the rules, but because they don't understand the deeper context of how attackers weaponise minor lapses. "We've seen a pretty good improvement in skill acquisition when people understand the deeper context of why and what's happening behind it," he said.
Who's Getting It Right
Service providers, particularly SIs, MSPs and MSSPs, are leading the modernisation of cyber training. Murphy said these firms perform best because their people are the business's core resource. Their trade depends on adaptable skill sets that fit any client environment, creating a strong incentive to maintain a robust learning culture.
"They are the most engaged…their skill acquisition, their notification rates, the actual ability for them to see behavioural changes is far higher than other organisations," he said. Regulated sectors such as financial services, healthcare, and critical infrastructure are improving, but still lag behind service providers in embedding learning as a competitive differentiator.
Training Must Match the Tempo of Threats
It seems the prevailing model of annual or quarterly training is no longer fit for purpose.
"No one would ever set a firewall, set a policy and say it's done," he added. "The threat landscape changes, and you got to go tune it."
He argues for a baseline training cadence supplemented by rapid, targeted modules that respond to the threats a company is seeing in real time. This requires a tight partnership between HR and cybersecurity teams. HR provides scale and communication; cybersecurity provides the intelligence. "If you've got your SOC analyst and security engineers out there saying, 'Here's what we're seeing happen,' let's go then direct that training specifically so that we can tune our behaviour pattern."