Mandatory Training
here, phishy phishy phishy
Action required. Your compliance certification expires in seven days. Failure to remediate will result in audit findings, regulatory exposure, and personal liability for the authorizing officer. Click below to begin.
The CISO opens the email on a Tuesday. The framework requires annual security awareness training for all employees. The cyber insurance policy renewed last quarter with the same requirement. The auditor flagged it in the last review. Incomplete. Needs remediation before Q3. The CISO reviews three vendors. Sits through two demos. Picks the one with the most customers because that’s the one the auditor won’t question. Submits the purchase order. Finance approves. IT grants access. The software deploys to every endpoint in the organization. Every employee gets an account. The billing is per-seat. Monthly. Annual contract. Auto-renews.
Nobody asks if it works.
You won’t learn anything from it. You know this. The person who made the training video knows this. The CISO who bought it knows this. The auditor who required it knows this. The vendor who sold it has known since at least 2019, when Oxford researchers found that passing a quiz does not mean the person will behave differently. The vendor has known since 2023, when the University of Adelaide reviewed dozens of studies and found limited evidence of sustained behavioral change. The vendor has known since 2024, when the University of Chicago and UC San Diego found no evidence — none, not weak, not mixed, none — that annual security awareness training reduces phishing failures. The training content is what even the most susceptible participants called unhelpful. ETH Zurich found that. The only thing that moved the needle was the nudge. Being tested. Even that faded by six months. Gartner kept it short. Awareness training is ineffective at reducing security incidents.
Completion rate: 100%. Behavior change: zero. But NIST 800-53 requires it. ISO 27002 requires it. GDPR requires it. Your cyber insurance requires it. So the CISO buys it. Not for protection. For the receipt. The receipt costs $500 million a year across seventy thousand organizations. KnowBe4’s founder said he started the company because the human element of security was being seriously neglected. Fourteen years later. Half a billion in ARR. The human element is still neglected. The product didn’t fix the problem. The product is the problem’s best business model.
Click “Complete” to confirm you finished this training.
July 15, 2024. 9:55 p.m. EST. KnowBe4’s SOC gets an alert. The new hire. Principal software engineer. Internal IT AI team. Four video interviews. Background check. Verified references. Clean. Not clean. North Korean operative. Stolen American identity. AI-enhanced stock photo. The moment the Mac arrived, it started loading malware. Raspberry Pi. Session history manipulation. Unauthorized payloads. When the SOC called, the operative said he was troubleshooting his router. The security awareness training company got socially engineered through its own HR pipeline.
SOC caught it in 25 minutes. No data lost. No systems breached. This is true. It is also the structure of every training video the company has ever sold. The close call. The near miss. The system working just in time. Be like Janice. Janice lost a leg to a bear but still comes to work. CEO Stu Sjouwerman published a blog post. Then a FAQ. Then a whitepaper. Then a webinar. Then another webinar. The failure became a case study. The case study became a product demo. “If it can happen to us,” he wrote, “it can happen to almost anyone.” The North Koreans kept applying. After the press. After the whitepaper. After the webinars. They didn’t google the company. “Sometimes,” Sjouwerman wrote, “they are the bulk of the applicants we receive.” Volume. Persistence. The assumption that the background check is the security. Same playbook KnowBe4 runs on its customers. Different payroll.
February 2023. Vista Equity Partners takes KnowBe4 private. $4.6 billion. Cash. The IPO eighteen months earlier valued it at $2.6 billion. Vista paid a 44% premium. For a training product that research says doesn’t work. Sold by a company that got hit by the thing it trains against. Bought by seventy thousand organizations that need the receipt, not the protection. Vista didn’t buy a security product. Vista bought a toll booth on a mandatory road. The audit doesn’t check if the training works. The audit checks if the training happened. The checkbox is the product. The product is the checkbox.
If it can happen to us. The training doesn’t work for the company that makes the training. The awareness platform was not aware. The vendor that teaches you to spot social engineering got socially engineered. If it can happen to us, it can happen to almost anyone. You’re exposed. The threat is real. The deadline is approaching.
Click here.