When Security Training Backfires: Why Box-Ticking Won’t Save Your Agency

2025-05-20

It’s the annual ritual dreaded by just about everyone: security awareness month. Inboxes flood, PowerPoint slides pile up, and civil servants everywhere click “next” in a half-awake daze just to mark the training complete. Somewhere a metric improves (every staff member is now “compliant”), but chances are very little has actually changed.

Plenty of people in the Singapore public sector have seen this movie before: after an incident, or after a regulator’s prod, training gets ramped up and everyone is expected to memorize a new set of rules by next week. The trouble is that this kind of box-ticking rarely achieves what the well-meaning policy behind it intends. If anything, it breeds cynicism, a sense that “security” is just another quota to fill. Anyone trying to build real risk resilience should recognize this for what it is: security theatre in a different costume.

Here’s the paradox: agencies need security awareness, but what they usually get is disengagement or performative compliance. The challenge is especially tough when your teams span several generations, are spread across branches, and are already juggling more than their share of process paperwork. Even the best-intentioned reminders about password hygiene or phishing end up ignored or, worse, resented.

What works better? Leaders who ditch the lecture circuit and instead create regular, informal platforms for sharing stories—not just war stories or scare tactics, but honest discussions about mistakes, near-misses, and practical lessons learned. Make it safe for someone to speak up about the attachment they nearly opened, or the login link that made them pause. The outcome isn’t instant compliance, but sustained vigilance rooted in the messy reality of government work.

Effective CISOs, and those who want the job, are measured by their ability to foster engagement rather than mere form-filling. If your agency’s security metrics are mostly about training completion, it’s time to ask what is actually being measured: a completion rate tells you that people clicked through the slides, not whether anyone would recognize a real phishing attempt or report it in time to matter. Real transformation comes when people care enough to act, not because they have to, but because they understand what’s at stake. Box-ticking has never saved an organization; thinking people have, and always will.