During the 2016 National Cyber Security Awareness Month in October, Frederick Scholl wrote an intriguing article for CSO Magazine entitled, “Time to kill security awareness training.” Many people expressed the view that the headline was a shocker.

Some security pros who commented on the article directly, or expressed their views on social media sites like LinkedIn, responded with strong push-back and a combined feeling of disbelief. Words like, “It’s not time to kill security awareness training. It’s time to kill Stupid Security Awareness Training.”

To summarize these reader sentiments in a few words: You’re going in the wrong direction.

Except, Scholl was not really proposing the death (or even the crippling or the cut-back) of security awareness training as others have done in the past. The author wants security awareness training to be stronger, more effective, more comprehensive, more in-depth and for responsibility to be spread to business areas.

In Frederick’s own words from the article:

The reality is that the headline is clever, but misleading. Many readers kind of fell for clickbait and commented before they truly understood what was being proposed – or not.

Yes! We need security culture change

I want to start by saying that I mostly agree with what Scholl says in this article. No doubt, we do need to change the security awareness training programs that many people suffer through once a year.
Note: Some readers will want to debate the differences between security awareness training and security education, as is described in this article by Ira Winkler, but I don’t want to go there in this piece.

For more than a decade, I have been championing the view that organizational culture is the hardest part of security in any public or private organization.

And yet, security culture change is the “Holy Grail” that is so hard to achieve. Yes, it does involve more than just security awareness training. As any good consultant from the Big 4 can tell you, lasting culture change requires ongoing resources (such as funding and staff time), executive buy-in as well as management leading by example. It requires the people, processes and technology to work together well.

One reason that culture change is so hard is that security must compete with ERP implementations and many other enterprise projects that are also preaching culture change. There are even best-selling books telling us how to Change the Culture, Change the Game.

Security awareness training can help change the security culture through ongoing attention on relevant topics like social engineering. Nevertheless, stale, old awareness material certainly doesn’t help, and too many programs keep doing the same thing and expect a different result.

Security awareness training is of the utmost importance these days, and I can’t stress that enough. It is the single most important thing that any organization, regardless of size or industry, can add into their employees’ training regimen.

But what makes security awareness training effective?

In equal parts it combines best practices in instructional design, robust security content, high quality training materials and interactive/game-based training.
If offered with interactive content that teaches new security protection techniques and much more, the meaningful results can be measured.

Effective security awareness training truly changes security culture. People become engaged and start asking questions, they understand and report risks, and realize that security is not just a workplace issue but about their and their family’s security as well.

There have been many articles that point out that compliance is not enough for good security and many of those same principles apply to security awareness training. There are many helpful articles that will point out why security awareness programs fail, as well as articles on how to use gamification and other techniques to be more successful in security education.

Indeed, I teach a class all over the U.S. on How to Build a Successful Security Awareness Program. As described by NIST 800-50 and NIST 800-16, an effective, ongoing program goes much deeper than a once-a-year hour-long video or some extra attention during October Cybersecurity Awareness Month.

Time for a new name for security awareness training?

But I want to go further and ask a few bold questions. If real culture change has been the security awareness goal for a long time, why can’t we achieve that goal?

Beyond, “it’s hard” or “the playing field of bad guys keeps changing,” what can we do?

Isn’t it time for a new emphasis on security awareness training that gets a better response from the masses than: “Been there, done that, got the T-Shirt?”

It may be time for a new, bolder name for security awareness training, but not everyone agrees that we need a name change.
In fact, Marie White, Security Mentor’s CEO, thinks there are many legal, policy, framework and other challenges to changing the overall name that people know so well.

However, Marie does agree that it is time for a new focus in the security industry on training that drives true behavior change and for security awareness solutions that achieve this through gamification and a focus on brief, frequent and focused content that can change behaviors.

What do you think? In a world of insecure IoT devices and botnets being used to DDoS important companies, should we elevate or strengthen the importance of this effort? Do we need to issue end user driver’s licenses for the internet in the same way we do for driving on physical roads?

Should we change the name? If yes, how would you strengthen the name? What would you call it?

I’d love to hear your viewpoint.