Security Training Trends 2026: What Matters Now with Kevin Henry

Group classes

Security awareness is broad workforce education, while professional certification validates role-specific competence; both can improve capability, but they solve different problems and should not compete for the same training budget by default.

The more useful question is what type of learning reduces the organisation’s most relevant risks. Kevin Henry’s message about “doing what matters” is especially relevant as security teams deal with cloud complexity, hybrid work, audit pressure, and skills gaps that cannot be solved by annual training alone. Readers who want background on his teaching scope can learn more about Kevin Henry.

Security training has to follow risk, not habit

Many training plans still begin with a calendar, a catalogue, or a compliance deadline. Those inputs matter, but they rarely show where the organisation is most exposed. A better starting point is the risk register, recent incident postmortems, audit findings, and the recurring exceptions that security teams approve because the business has no practical alternative.

For example, if incident reviews repeatedly point to weak change control in cloud environments, another broad awareness module is unlikely to be the highest-value response. The stronger move may be role-based learning for engineers, short labs on identity and access patterns, and a change review checklist that managers reinforce during delivery meetings. If audit findings show inconsistent evidence collection, the training need may sit with control owners and GRC teams rather than the whole workforce.

This is where certification preparation can be valuable, provided it is used for the right reason. A breadth-first path such as a CISSP overview can help security leaders and senior practitioners connect governance, risk, architecture, and operations. A cloud-focused path such as a CCSP overview is more relevant when the immediate challenge is securing cloud workloads, identity boundaries, and shared responsibility decisions. Audit and assurance teams may get faster value from a CISA overview, while managers building a risk-led programme may find a CISM overview more aligned to their responsibilities.

What human-centred training looks like in practice

Security professionals often carry authority that affects how others work. That authority needs care. A policy reminder delivered at the wrong moment can make security feel punitive, while the same reminder framed as protection can help employees make better decisions without feeling blamed.

Human-centred training does not mean lowering standards. It means explaining why a rule exists, acknowledging the pressure people are under, and making the secure path easier to follow. In practice, that might mean coaching a project team before a risky release, helping finance staff recognise payment-change fraud during a short scenario discussion, or giving operations teams a checklist they can use before approving privileged access.

One common mistake is over-reliance on gamified phishing exercises. They can be useful, but they become weak signals when treated as the main measure of security culture. Another mistake is memorisation-only certification preparation, where learners can define concepts but struggle to apply them in design reviews, supplier discussions, or incident response. A third is neglecting operational context; training that does not reflect how developers, service desk teams, or business managers actually work is unlikely to survive contact with delivery pressure.

A quarterly cadence for doing what matters

A practical security training plan can be built in quarters rather than as a once-a-year event. The aim is to keep learning close to current risk while leaving room for reinforcement and measurement. This approach also helps security leaders avoid spreading attention across too many themes at once.

Select two or three risk themes from incidents, audits, exceptions, and planned business changes.

Map each theme to the roles that can reduce the risk through better decisions or stronger execution.

Choose the right format, such as microlearning, a lab, a tabletop exercise, coaching, or certification preparation.

Schedule manager reinforcement so the learning appears in change reviews, team meetings, and control discussions.

Review leading signals before deciding whether to continue, adjust, or stop the intervention.

Microlearning works best when it introduces a focused concept, but it should rarely stand alone. A short lesson on cloud identity, for instance, becomes more useful when followed by a lab that shows how a misconfigured role expands access. A tabletop exercise can then help managers and technical leads practise the decisions they would need to make during an incident.

The reinforcement step is often where good training plans fail. If managers do not ask different questions after training, the organisation should not expect different decisions. A secure change review, a supplier onboarding conversation, or a privileged access approval can all become moments where learning transfers into routine behaviour.

Signals that training is changing behaviour

Course completion is easy to count, but it says little about whether the organisation is safer. Completion data can confirm participation; it cannot confirm judgement. Security leaders need leading indicators that show whether people are reporting earlier, escalating better, and applying controls with less friction.

Useful signals include earlier incident reporting, fewer repeated policy exceptions, stronger evidence in change reviews, better-quality risk acceptances, and fewer avoidable escalations caused by unclear ownership. In audit-heavy environments, improved control narratives and cleaner evidence trails may show that learning is reaching the people who operate the controls. In cloud teams, better role design, clearer tagging, and fewer emergency access requests may be stronger indicators than a high score on a knowledge quiz.

These signals are imperfect, but they create a more honest conversation than attendance alone. They also help security teams distinguish between a knowledge gap, a process gap, and a tooling gap. Training is the right answer when people need judgement, context, or practice; it is the wrong answer when the organisation has designed a process that makes secure behaviour unnecessarily difficult.

A short example of refocusing a team

Consider a security team that planned to spend the quarter on broad awareness because completion rates were easy to report. Recent postmortems told a different story: several incidents involved rushed cloud changes, unclear approval paths, and late escalation when teams were unsure whether a configuration issue was serious.

The team narrowed the quarter to one theme: safer cloud change. Engineers received short labs on identity and configuration review, service managers joined a tabletop exercise on escalation decisions, and change approvers were given a revised checklist for high-risk changes. The organisation still kept baseline awareness in place, but it stopped treating awareness as the main response to every problem.

The early signals were practical rather than dramatic. Change reviews began to include more specific security questions. Engineers escalated uncertain access decisions earlier. Fewer exceptions were submitted without a clear compensating control. None of those signals proved perfection, but they suggested the training was moving into daily work.

Applying Kevin Henry’s message to the next training decision

Doing what matters in security training means investing in people while staying disciplined about risk. It asks security leaders to be supportive without becoming vague, and firm without turning policy into punishment. The right mix may include awareness, coaching, tabletop exercises, domain deep-dives, or certification preparation, but the choice should follow the problem the organisation is trying to reduce.

A practical next step is to take one current risk theme and ask which roles can change the outcome this quarter. For teams that want a structured live session to frame those choices, Readynez offers focused masterclasses with Kevin Henry across CISSP, CCSP, CISA, and CISM. The key takeaway is simple: training matters most when it helps people make better decisions at the moment risk is created.

Two people monitoring systems for security breaches

Unlimited Security Training

Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course. 

  • 60+ LIVE Instructor-led courses
  • Money-back Guarantee
  • Access to 50+ seasoned instructors
  • Trained 50,000+ IT Pro's

3 Tips to get prepared

Facilities

Latest resources, technology and programs for all our candidates.

Culture

Educate and create a security culture.

Plan

Address communications with clients, employees, suppliers, media and regulatory bodies.

Are you ready for a new career?

For over a decade, Readynez consultants have been enabling digital transformation with cutting-edge Training, Talent and Learning Services in every type of business – big and small. All over the world.

Where do you start?
With Readynez services that support every vision, you will soon be ready for the future, with speed and reliability.

Subscribe to Tech Blogs

Stay up to date on current developments in the Tech world related to Skills.

Basket

{{item.CourseTitle}}

Price: {{item.ItemPriceExVatFormatted}} {{item.Currency}}