If you’re around my age, then you know the joy of using an old paper map. Not real joy, obviously. More the sort of joy normally associated with trying to keep track of 3 pages, getting told off for not holding it the right way up, or for giving instructions too late, and discovering that the road you were confidently following was replaced by a retail park sometime during the Blair years.
A paper map is only useful for as long as the world stays still. The moment roads change, roundabouts vanish, diversions appear, or somebody decides to turn half the town into a one-way system designed by a sadist, that map becomes less a guide and more a historical artefact. Lovely if you are Christopher Columbus. Less useful if you are trying to get to Leeds for a 10am meeting.
That, in essence, is how most security awareness training still works; like a paper map. Printed at a moment in time and handed out at scale. The content may well be fine. The design may be polished. But none of that changes the basic problem. It is static. The threat landscape is not.
Threats do not stand politely still while your annual training cycle catches up. Attackers change tactics constantly because they are trying to succeed, not preserve the integrity of your procurement process. Phishing lures are now shaped by AI, tuned to context, tailored to the individual, and adjusted faster than most organisations can update a slide deck. By the time next year’s awareness module rolls round, the threat it was designed to address has already had several costume changes and a passport renewal.
It’s also worth bearing in mind that people change too, not just the threats. The person who looked low risk six months ago may now be drowning in a new role, dealing with unfamiliar suppliers, handling pressure they did not have before, and are one rushed Friday away from making a regrettable decision. A static programme cannot see that. It cannot reroute. It cannot say there is trouble ahead, avoid this road, try this instead. It just sits there, insisting this field used to be the A41.
This is why custom training needs to look like something much closer to Google Maps. It needs to be responsive and personal. Aware of what is happening now, not what was true when the training content was commissioned and everyone still thought fax machines had a future. If there is a pile-up ahead, it should know. If one route is riskier than another, it should adjust. If someone is driving, cycling, walking, or taking public transport, it should understand that different people need different guidance depending on the context they are in.
Security awareness should work the same way. The new joiner does not need the same intervention as the finance director. The person who just failed a sophisticated phishing simulation does not need a generic reminder that phishing exists, in the same way a driver stuck behind a motorway collision does not need a note explaining that roads can sometimes be busy. They need timely guidance, based on what is happening around them, that helps them make a better decision in that moment.
That is what dynamic training does. It meets people where they are. It takes account of behaviour, context, pressure, patterns, and changes over time. It understands that behaviour change is not achieved by showing everyone the same video once a year and hoping muscle memory somehow forms out of corporate obligation.
Google Maps is also useful because it lets people contribute back. Spot an accident, a speed trap, a closed lane, and you can report it so others benefit. Security culture should have the same quality. If an employee spots something suspicious, reporting it should be easy, encouraged, and actually useful to everyone else. A phish alert button is not just a feature. It is your equivalent of warning the drivers behind you that there is a flaming bin lorry overturned in lane two. Shared visibility matters.
Then there is personalisation. Avoid toll roads. Avoid motorways. Take public transport. Walk instead. The route changes depending on what is sensible for you. Security training should be no different. Some users need more help. Some need less. Some are repeatedly targeted. Some are consistently resilient. Some need coaching in the moment. Some need reinforcement over time. Treating all of them the same is like telling a cyclist and an HGV driver to follow the identical route and then acting surprised when somebody ends up in a canal.
A decent security awareness programme should not behave like a souvenir map from the age of sail. It should behave like a living navigation system. It should reflect current threats, current users, current pressures, and current behaviours. It should help people avoid danger before they fall into it. It should learn. It should adapt. It should reroute.
Because if your training cannot tell the difference between the road as it was and the road as it is, then it is not guiding anyone anywhere. It is just nostalgia with branding.
