When I think of security awareness, I see a lot of opportunities to engage with the users, not only with training that is important, but with information (cyber intelligence) that will be useful for them to make a decision. Sometimes, when I see a security awareness team, I only see them as developing content that emphasizes good cyber security hygiene and a reiteration of the protocols of the organization.

Have you ever asked the question, what else can they do?

My opinion is that security awareness is the interface between IT ops, InfoSec, and the user. If knowledge is power, then we should take the opportunity to develop the capability of this team to go beyond protocols and cyber security hygiene. We should develop this capability to enable the users to be another set of eyes for the organization.