The Secure Practice playbook for cybersecurity training for managers

Engaging managers in security awareness isn’t easy.

They’re under pressure to deliver results, keep operations smooth, and manage people. Security often looks like a competing priority—and in many organizations, managers are the very group most likely to block awareness initiatives.

Awareness professionals need a clear, structured way to bring managers on board. 

This playbook is a practical guide for designing and running cybersecurity training for managers that fits into their world and influences behavior where it matters most.

Why managers need a cybersecurity training playbook

Cybersecurity often feels like it lives in two separate worlds. 

Security teams speak in terms of incident response, risk management, and compliance frameworks. Employees hear about phishing, malware, and the latest round of mandatory e-learning modules.

Somewhere in the middle sit managers—keeping projects on track, protecting data, and making sure their teams don’t burn out. With constant meetings, deadlines, and budgets to handle, security easily slips into the background.

Managers aren’t expected to be security experts, yet their decisions shape how teams respond to cyber threats every day.

The subtle choices mid-level managers make every day (whether to acknowledge a phishing risk in a team meeting, to report an incident quickly, or to quietly move on) contribute to what people like to call security culture—a buzzword, yes, but one that matters when it’s translated into daily habits.

At the same time, managers are often the biggest blockers to security programs. 

Not because they don’t care about information security, but because security is usually presented as a competing priority.

The SANS 2025 Security Awareness Report puts numbers behind this: out of more than 2,700 practitioners surveyed across 70+ countries, roughly one in four said mid-level managers were the biggest obstacle to their program’s success.

Graph showing that mid-level managers are often the biggest blocker of a program’s success.

Managers deal with teams of people and are focused on meeting business objectives, so they often see cybersecurity as a blocker itself, rather than a business enabler.

They’re also a tough group to reach. There’s rarely a direct line of communication between them and the security team. 

And yet, the same report shows managers can become the strongest multipliers of secure behavior when they’re given the right training and support. A quick reminder about phishing in a team meeting. Staying calm in the face of a potential incident. Encouraging reporting instead of blame. 

These small choices set the tone for everyone else.

With this cyber security training for managers playbook, our goal is to move managers from being unintentional blockers to confident multipliers. 

And to do it in a way that respects their time, acknowledges their pressures, and gives them hands-on training solutions they can actually use.

The Secure Practice method: role-based training that sticks

Managers don’t need to know the fine details of malware strains, ransomware variants, or ISO 27001 controls. Their influence comes from somewhere else: how they set priorities, what they emphasize in team meetings, and how they balance production goals with security expectations.

Generic “information security courses for managers” often miss the mark because they’re too broad. What makes training stick is tying it to real managerial responsibilities.

At Secure Practice, our role-based method builds scenarios managers actually face:

  • Finance managers deciding whether to approve or stop a fraudulent payment

  • HR managers handling a sensitive data leak under time pressure

  • Project managers responding to ransomware that delays delivery

  • IT managers managing a spear-phishing attack that compromises admin accounts or a sudden outage tied to misconfiguration

These aren’t abstract cases. They’re the kind of dilemmas managers deal with under stress, where every choice sends a signal to their teams. Do we stop to check, or push ahead and hope for the best?

Research from SANS shows cyber security awareness training programs mature fastest when they’re adapted to role, department, or region. For managers, this means linking cyber security threats to the pressures they already juggle: deadlines, budgets, customer trust, and people management.

It also means building awareness of how their behavior shapes the workplace. 

It’s part of the reason why we built PrepJam—a tool for running realistic, role-based cybersecurity exercises. With plug-and-play scenarios, managers don’t just learn theory; they practice making decisions under pressure. 

Over time, this awareness and preparedness filters through to their teams, making security less of a hurdle and more of a shared responsibility.

The Secure Practice playbook for managers

Managers have plenty on their plates. They’re expected to deliver results, keep teams motivated, and manage endless meetings. The last thing they need is another checklist. 

That’s why this playbook is different. It’s designed to help managers weave security into what they’re already doing—so it strengthens their team without slowing them down.

Here are five practical steps to make cyber security training for managers more effective.

1. Normalize security in their leadership role

Managers may not realize how much influence they have over team behavior. Help them see that their actions set the tone:

  • If they cut corners on approvals or ignore suspicious activity, employees will follow suit

  • If they pause to double-check, ask questions, and respond calmly, they’ll mirror that instead

Security often gets lost in the rush of projects and meetings. The simplest fix is to make it part of their regular rhythm. Give managers simple scripts and prompts they can use in everyday settings:

  • A two-minute check-in during weekly meetings (“Any odd emails this week?”)

  • Sharing quick reminders during one-on-ones or project updates

  • Connecting security back to ongoing work: if they’re approving invoices, mention fraud attempts; if they’re onboarding staff, remind them about data protection

  • A reminder to praise effort, not just accuracy, when their colleagues report suspicious activity

  • An effort to treat mistakes as opportunities to learn, not reasons for blame

These small touches normalize security as “just another part of work” instead of an extra burden. Managers stop seeing it as someone else’s job and start seeing it as part of their own.

Leading by example doesn’t mean perfection. It means modeling the behavior they expect, and showing that security is part of their decision-making, even under pressure. That consistency builds trust—and over time, habits.

2. Frame training around business impact

Most managers won’t engage with long, generic courses. They’re busy, pragmatic, and used to focusing only on what helps them deliver. 

That’s why awareness professionals need to design training that mirrors their world—short, concrete, and clearly tied to business outcomes.

Show how security connects to their daily challenges:

  • A fraudulent invoice means money lost and deadlines missed

  • A ransomware attack means project delays and customer dissatisfaction

  • A data breach means HR or compliance headaches, plus reputational damage

When you frame training in terms of business outcomes—time, money, customer trust—managers start to care.

3. Run interactive exercises with role-based scenarios

Managers are often tasked with achieving something called cyber resilience—and given no insight into what that actually means. 

In practice, it comes down to building awareness and preparedness:

  • Awareness means understanding the risks your team is likely to face. 

  • Preparedness means knowing how to respond under pressure so incidents don’t spiral into bigger problems.

Creating awareness at the team level is part of what gradually adds up to resilience across the organization. And that’s where managers play a central role.

Generic training often falls flat with managers. They don’t see how a phishing quiz or a compliance video connects to their daily responsibilities, so security feels abstract and irrelevant.

Interactive role-based exercises change that. By putting managers in situations they actually face under pressure, they see the link between security vulnerabilities and their own decisions.

This approach not only makes the cyber risks tangible, it also builds confidence that they can lead effectively when something goes wrong.

Anchor scenarios in real priorities

Role-based scenarios should reflect the choices they actually face under pressure. Open every session by linking security risks to the goals they’re already responsible for.

Instead of starting with “phishing” or “ransomware”, start with what managers care about: budgets, customer deadlines, reputational risks. From there, build the link to the threat. For example:

  • “How would a fraudulent invoice impact your quarterly targets?”

  • “What would a delayed delivery mean for client trust?”

This framing shifts security from abstract risk to immediate relevance.

Keep exercises short and high-pressure

Managers don’t need half-day workshops. What they need are 30-minute, high-stakes exercises that force quick decisions under stress. 

A timer on the screen. Competing priorities. Incomplete information. This format simulates the reality they face and leaves a stronger impression than slides or lectures.

Debrief with leadership lessons, not technical detail

After the scenario, avoid diving into malware types or forensic steps. Instead, focus on the leadership angle:

  • Did the manager pause to ask questions?

  • How did their choices affect the team’s ability to respond?

  • What signals did they send—intentionally or not?

This reinforces the idea that security isn’t an add-on, it’s part of everyday leadership.

4. Measure through team-level signals

Managers need feedback to stay engaged, but it has to be constructive. This is where human risk metrics come in.

Instead of singling out individuals, show managers aggregated patterns from across activities—for example:

  • How many phishing emails are being reported and analyzed through MailRisk

  • What recurring mistakes simulations reveal when people are under pressure

  • Which scenarios tend to cause the most hesitation or uncertainty

These inputs are part of the bigger picture that human risk metrics provide. Taken together, they show where teams may be vulnerable and where leadership can make a difference—without turning security into surveillance.

5. Support managers with quick wins

Managers won’t adopt training that feels like extra work. Provide them with security tools and content they can use immediately:

  • MailRisk: an email checking and reporting tool that gives people instant feedback on suspicious emails, reinforcing the “better safe than sorry” culture

  • PrepJam: plug-and-play exercises that let managers run realistic scenarios in under 30 minutes

  • Gamified e-learning trainings and guides: short, ready-to-use resources managers can drop into day-to-day activities

  • Simulated phishing exercises: safe, controlled campaigns that help managers and their teams practice spotting and reporting real-world threats in everyday inboxes

The goal is to lower the barrier. The easier you make it for managers to engage, the more likely they are to build security into their leadership routines.

Illustration showing a suspicious email and a MailRisk prompt.
MailRisk automatically analyzes phishing, spam, and scam emails, and gives your colleagues feedback on their action, on the spot.

Start your manager-focused training journey

Awareness spreads middle-out through managers. When they understand the risks their teams face and practice making decisions under pressure, security becomes part of how work gets done, not just an add-on.

Training managers in role-specific ways makes cyber security relevant and actionable. It creates measurable impact, like in DNB’s case, where skeptical participants became advocates, and awareness built at the managerial level cascaded down through teams.

Whether you’re using Secure Practice tools or starting small, the steps in this playbook give you a path to engage managers where it matters most—linking security to their daily responsibilities and helping them lead by example.

FAQs about cybersecurity training for managers

What makes cyber security training for managers different from standard awareness training?

Most awareness programs focus on broad advice, like spotting phishing emails or using stronger passwords. While important, this approach often misses what managers actually deal with: approving payments, protecting customer data, or keeping projects on track during disruption.

Cyber security training for managers uses role-based simulations that connect cybercrime directly to business outcomes such as fraud prevention, regulatory compliance, and project delivery. Instead of abstract cyber attacks, managers learn through in-depth scenarios tied to their responsibilities, whether in finance, HR, IT, or project oversight.

Can we deliver cyber security training for managers online?

Yes. Many organizations now rely on online cyber security training courses to engage managers across locations. These can be instructor-led via webinars, or offered as self-paced modules for managers with demanding schedules.

Hybrid formats also work well, by combining in-person workshops with cloud security exercises and online follow-ups. Tools like PrepJam make it possible to run scalable, live online courses tailored to managerial decision-making. 

This flexibility allows learners to fit training into their workday without losing impact.

Is there government-funded cyber security training for managers?

In some regions, free or government-funded training is available. These often cover compliance basics such as GDPR, information systems security, or risk assessment. Some are accredited (CPD, ISO 27001) and aimed at meeting minimum standards for senior management or board members.

However, these training courses are usually too generic. They rarely address the role-specific decisions managers face, nor do they prepare them for newer threats such as ransomware, phishing, or social media data leaks. To truly reduce risk, managers need scenario-based training that links directly to their day-to-day responsibilities.

What is the ROI of managerial cyber security training?

The return on investment of security awareness training goes beyond compliance. You can measure it through:

  • Higher reporting rates of suspicious activity (including simulated phishing)

  • Faster and more confident incident response

  • Fewer costly mistakes during attempted fraud or security breaches

  • Stronger alignment between managers, senior management, and employees on security priorities

Longer-term, training managers reduces exposure to cyber criminals and the financial impact of different types of cyber attacks. It also helps with security management by embedding consistent security measures across teams.

Organizations that invest in role-based training also strengthen trust with customers and regulators—critical for industries handling sensitive data or operating in regulated environments.
