Last year, Hong Kong police disclosed a reported case that would become a watershed moment in cybersecurity: a finance worker at global engineering firm Arup transferred $25 million to fraudsters after attending a video conference call with what appeared to be the company’s CFO and several colleagues. Every person on the call was a deepfake. The voices matched. The faces were convincing. The worker initially suspected the emailed request was phishing—but the video call with familiar colleagues erased those doubts.
This wasn’t a zero-day exploit or supply chain attack. Just an AI-generated video and audio, and an employee whose security awareness training had never prepared them for anything like this.
The Arup case exposed an uncomfortable truth: while threat actors have weaponized generative AI to create increasingly convincing social engineering attacks, most organizations are still training their people to spot misspelled phishing emails and suspicious attachments. The gap between the threats we face and the training we provide has never been wider.
The AI Advantage Goes to Attackers First
For years, security professionals taught employees to look for telltale signs of phishing: poor grammar, generic greetings, suspicious sender addresses. These indicators worked when attackers were casting wide nets with low-quality bait.
But AI has fundamentally changed the economics and quality of social engineering. Large language models can now generate perfectly grammatical, contextually appropriate phishing emails at scale. Voice synthesis technology can clone an executive’s voice with just a few seconds of audio. Deepfake video technology that once required Hollywood-level resources is now accessible to anyone with a laptop and an internet connection. Worse, attackers are now orchestrating multi-channel campaigns that blend email, SMS, voice, and collaboration tools into scams that feel indistinguishable from legitimate internal workflows. The Arup employee didn’t fall for a single phishing email—they were caught in a coordinated attack that moved seamlessly from email to video conference.
Employees trained to spot obvious red flags no longer see them because they aren’t there. Meanwhile, our training approach remains largely static: annual compliance modules, generic scenarios, and completion metrics that measure whether someone clicked through a course, not whether they can actually recognize and respond to real threats. If that sounds familiar, your training is still optimized for yesterday’s phishing, not today’s social engineering.
The Real Problem: Security Training Is an HR Program
The disconnect runs deeper than outdated content. In most organizations, security awareness training has been architected as an HR compliance function rather than a security control. HR owns the budget, selects the platform, tracks completion rates, and reports to leadership that 98% of employees finished their annual training.
This isn’t a criticism of HR professionals—they’re executing on the mandate they’ve been given. But that mandate is fundamentally misaligned with security outcomes. Organizations spend billions on firewalls, EDR, SIEM, and zero-trust architecture—then leave human security preparedness to an annual 45-minute module that feels like it hasn’t been updated since 2015.
Security teams see phishing attempts hitting their users in real time. They know which tactics are working. They understand the current threat landscape. Yet the people best positioned to prepare employees for today’s threats rarely control the training budget, select the content, or influence the approach. Security discipline means treating human behavior the same way we treat any other control: with clear objectives, real-time telemetry, response playbooks, and continuous tuning based on attacks observed in the wild.
What Security-Led Training Actually Looks Like
Security-led training usually has four defining characteristics:
Instead of annual events, training becomes a continuous practice. Employees encounter realistic scenarios regularly—not as punishment, but as a skill-building opportunity. A security team that just blocked a sophisticated BEC attempt can quickly create a simulation based on that real attack, training employees on threats they’re actually facing, not generic examples from a content library.
Instead of generic phishing tests with obvious indicators, employees practice recognizing subtle social engineering tactics, such as pretexting, authority exploitation, and urgency manipulation. They learn to verify requests through secondary channels, especially for high-risk actions like wire transfers or credential sharing.
Instead of measuring completion rates, organizations track behavioral metrics: How many employees report suspicious messages, and how quickly? Are people following verification procedures for unusual requests? Are we seeing fewer successful credential-harvesting attempts from campaigns targeting our users?
Most importantly, the content is informed by current threat intelligence. When security teams observe new attack patterns, that intelligence flows directly into training scenarios. Employees aren’t learning to defend against last year’s threats; they’re preparing for this week’s.
For many organizations, the first step isn’t a new tool. It’s moving ownership of training strategy into the security team, with HR as a key partner, and redefining success metrics around reporting, verification, and reduced incident rates.
Security and HR: Better Together
The turning point comes when Security and HR share ownership of the same outcomes: fewer successful social engineering incidents, higher reporting rates, and faster time-to-detection, not just 99% completion on an LMS.
This isn’t a call to take training away from HR. It’s a call for partnership.
HR brings critical capabilities security teams often lack: adult learning principles, change management expertise, and the relationships that enable organizational adoption. Security brings threat intelligence, technical context, and risk prioritization. The most effective programs combine both—HR ensures training is engaging and accessible, Security ensures it’s relevant and aligned with actual risk.
This collaboration extends beyond content development. When HR and Security align on metrics, they move beyond completion rates to behaviors that actually reduce risk: reporting suspicious activity, following verification protocols, and escalating anomalies. When they align on messaging, security training stops feeling like a checkbox and starts to look like career-critical skill-building.
The cybersecurity industry has spent two decades building increasingly sophisticated technical defenses. We’ve made enormous progress. But we’ve largely neglected the human element—not because people are the “weakest link,” but because we’ve treated their preparation as a compliance obligation rather than a security discipline.
AI-powered social engineering isn’t coming. It’s here. Start small: move training strategy into the security function, give HR a seat at the design table, and replace completion metrics with behavioral ones. Then ask whether your program prepares people for deepfake-enabled scams—or just misspelled emails.
The only real question is whether your organization will treat this as a warning shot and modernize its training now, or wait for your own watershed incident to force the conversation for you.
Chris Murphy is Senior Vice President and Chief Evangelist at Cybrary, where he works directly with CISOs and security leaders to address the human layer of enterprise defense. With deep expertise in how organizations translate security awareness into measurable behavioral change, Chris advocates for Security-HR collaboration that moves beyond compliance theater to genuine risk reduction.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.