Improving information security through cybersecurity education and training

Structurally improving information security: why training is more important than tooling

Most organizations now have a stack of security tools. EDR, SIEM, IAM, awareness modules, MFA, DLP. Yet the question keeps coming up at the MT and board level: why are we still being surprised by incidents, audits, and supplier risks? The answer is rarely found in "another tool." It lies in people, structure, and behavior. Anyone who wants to improve information security structurally must start there. Not with the next tool, but with a targeted approach to information security at the organizational level.

Anyone who takes information security seriously first looks at the organization. At security governance, at the skills in the team, at decision-making, at escalation, at the pace at which you learn from near misses. Tooling only accelerates what you already master. If processes, knowledge, and responsibilities are not clear, you mainly automate confusion.

Additional pressure is building in 2025 and 2026. According to Check Point Software Technologies, cyberattacks in the Netherlands rose by 53% in Q1 2025 (47% worldwide), and the upcoming Cybersecurity Act (NIS2) requires demonstrable risk management, incident reporting, and chain security. This necessitates structural improvements in information security, not isolated purchases. Trivian helps organizations do just that: with practical cybersecurity training and scenario-based cybersecurity awareness training that accelerates employability, even for people without an IT background.

The reality of 2025-2026: pressure on capacity and demonstrability

The labor market for cyber professionals remains tight. According to Dutch IT Channel, experts will be twice as expensive as software by 2026, which increases the risk that organizations will primarily invest in tooling and licenses because talent is hard to find. At the same time, the bar for demonstrable information security is rising due to legislation, customers, and chain partners.

Trivian is a Dutch cybersecurity training provider that offers hands-on retraining and traineeships, with realistic scenarios developed with experts from fields such as intelligence, security communities, and ethical hacking. The goal is simple: to train cyber professionals who can be deployed more quickly through targeted cybersecurity training, so that you get value in weeks and months rather than after long onboarding processes.

That is precisely the essence of structurally improving information security. You can only mature in security governance if you have people who know what "good" looks like and can implement it.

Where things often go wrong: tooling without security governance

Many IT managers and CISOs recognize this situation:

  • There is a lot of tooling, but few clear-cut working methods.
  • Incidents are addressed, but post-incident learning is limited.
  • Cybersecurity awareness training is "e-learning," not behavior in daily operations.
  • The CISO discusses risks, the team discusses tickets, and the MT discusses the budget.

The KPN study Cyberweerbaar Nederland 2026 confirms this gap: IT and security professionals consistently rate the maturity of their organization lower than management does. This gap is dangerous because the team sees the daily friction: lack of monitoring, unclear responsibilities, and crisis plans that have never been practiced. Without effective security governance, improvement remains reactive rather than planned.

A second harsh reality from the same study: one-third of Dutch organizations monitor digital threats insufficiently or only at a basic level. You can have the best SIEM in the world, but if your people don't know which signals are important, how to maintain use cases, and when to escalate, nothing will happen until it's too late. This is precisely where a security maturity model reveals where the gaps are.

The biggest challenge: organizing human factor security at scale

The dominant form of attack is no longer "that one zero-day." It is now human-centric attacks. The Eye Security trend report 2026 shows that Business Email Compromise (BEC) accounts for 70% of all incidents investigated in Europe, with phishing, spear phishing, and social engineering together accounting for 33% of all cases. This means that your attack surface largely consists of employee decisions: supplier contacts, financial processes, email routines, and authorizations. Human factor security is therefore not a soft precondition, but the core of your information security approach.

This requires human factor security that goes beyond posters and an annual test. It requires cybersecurity awareness training that is tailored to roles, processes, and real-life scenarios. Finance trains differently than HR. IT management trains differently than product development. And managers need to know what to do during a crisis, because any loss of time can cause immediate damage. Effective cybersecurity awareness training is role-specific, repeated, and measurable.

If you want to improve information security structurally, you need to address human factor security as an organizational issue, not as an IT project. Without paying attention to human factor security, your cybersecurity awareness training will remain superficial and your information security vulnerable.

Tooling is necessary, but training determines the return on investment

Tooling is indispensable. You want identity controls, logging, detection, segmentation, patching. However, tooling is an amplifier. It amplifies good processes, and it also amplifies bad processes.

A few practical examples:

  • You purchase a SIEM, but there is no clear logging policy, no owner of use cases, and no rhythm for tuning. The result: lots of alerts, low signal-to-noise ratio.
  • You enable MFA, but you don't train the organization on push fatigue and helpdesk procedures. Result: social engineering shifts to support.
  • You introduce an awareness platform, but managers do not manage behavior. Result: modules are "checked off," and cybersecurity awareness training yields no results.

That is why training is often more important than tooling. Not because tooling is unimportant, but because people have to make the tooling work. This is also where a security maturity model helps. A security maturity model reveals which capabilities you are lacking and which cybersecurity training is needed to grow to a higher level of maturity.

Address information security in three layers

If you want to improve information security structurally, it is useful to divide the problem into three layers:

  1. Security governance: who decides, who is accountable, what risks do we accept, how do we report.
  2. Capability: which skills are present in the team, and which are lacking. A security maturity model helps to measure this objectively.
  3. Behavior: how do people act under pressure, and how often do we practice that? This is all about human factor security.

The PwC Digital Trust Insights 2026 (Dutch results) show that only 28% of Dutch CISOs share insights about cyber programs with the CEO to a large extent in order to support strategic decisions. Globally, that figure is 46%. Without that connection at board level, security governance becomes a paper exercise. And then tooling wins out over cybersecurity training, because it can be put on paper more quickly. But it does little to change actual resilience.

Training is the key here. You build capability, you make security governance concrete, and you practice behavior. Tooling follows logically from this, as an accelerator.

NIS2 and the Cybersecurity Act: demonstrable action requires training

The Dutch implementation of NIS2 is expected in the second quarter of 2026. For many organizations in vital and important sectors, this means identifying risks, taking appropriate measures, reporting incidents, and critically assessing suppliers.

You can record a lot on paper. In practice, this requires people who know how to:

  • perform and maintain risk assessments
  • establish security governance with clear roles and responsibilities
  • train and test incident response processes through cybersecurity training
  • translate supply chain security into contracts and controls

According to the KPN study, many organizations have limited visibility into suppliers and SaaS services, which means that chain risks remain underexposed. This is not a tool problem. It is a security governance and skills problem. You need people who understand vendor risk, who know which requirements are relevant, and who can get the business on board. A security maturity model helps to measure and improve the maturity level of supply chain security.

This is where cybersecurity awareness training also affects management. Cybersecurity awareness training at board level is not a general module, but a decision-making skill. Which risks do you accept, which do you mitigate, who pays, and how do you measure the effect on your information security?

Why many awareness programs fail to take root

Awareness is often seen as an HR-type obligation. A few emails, a quiz, a phishing simulation. Then it's "done." It feels good in the boardroom, but little changes on the floor. The core of the problem: cybersecurity awareness training is carried out as a separate project, separate from security governance and separate from your security maturity model.

An effective approach has three characteristics:

  • Role-based: employees are given scenarios that are relevant to their work. That is human factor security in practice. Think of invoice fraud in finance or data sharing in sales.
  • Short and repeated: no annual peak, but a rhythm. Small interventions that shape behavior.
  • Measurably linked to process: not only "click rate," but also quality of reports, escalation turnaround time, and compliance with authorization processes.

The Eye Security trend report shows how big the difference is when detection and response are truly embedded. In environments with MDR (Managed Detection & Response), the median dwell time for BEC incidents fell from more than 24 days to 23.8 minutes. This is not only due to tooling, but also to 24/7 operation, triage discipline, escalation, and practice. Training and process make tooling effective. That is why human factor security is so decisive for your information security results.

Trivian as the answer: cybersecurity training that accelerates employability

Trivian focuses on practical, scenario-based learning pathways, with the aim of rapid deployment in real security roles. This is relevant for organizations that want to structurally improve information security but struggle with capacity, disaster response time, and proven skills.

Whereas traditional training courses are often broad and theoretical, Trivian emphasizes practical experience: realistic "under fire" simulations, guidance, and learning to work the way it really happens in the SOC, in incident response, or in security governance teams. Trivian's cybersecurity training meets the needs of 2025-2026: people who not only know the terminology, but can translate information security into everyday actions.

View the training courses on offer via the Trivian cybersecurity training page. You can find out more about the organization and its mission on the About Trivian page.

How training fits into security governance and a security maturity model

Training should not be a separate initiative. It only works if it is part of your security governance and improvement agenda. A practical way to organize this is to use a security maturity model as a framework, so that you:

  • define capability levels, from basic to advanced
  • link cybersecurity training to roles and responsibilities
  • only implement tooling when the team is ready to manage it
  • measure effects in operational performance

Think of capabilities such as monitoring, identity governance, incident response, supplier risk, data protection, and secure change. In a working security maturity model, cybersecurity awareness training is not a separate program. It is a measurable capability that you develop structurally, just like incident response or identity governance within your security maturity model.

In this approach, human factor security is the core, not an afterthought. You can only make structural improvements if you align behavior with processes. And you can only mature processes if people understand why they exist and how to implement them under pressure. That is why structurally improving information security through training is the route to predictability.

What this means for IT managers and CISOs: focus on three KPIs

If you want to grow your security maturity model over the next 12 months, don't just focus on "tooling coverage." Focus on KPIs that show that cybersecurity training and processes are working. A good security maturity model links these KPIs directly to maturity levels:

  • Time to detection and triage: how quickly is something seen, understood, and classified?
  • Quality of escalation: how many reports are useful, and how often does it go right the first time?
  • Auditability: can you demonstrate who does what, why, and how you learn and adjust?

These KPIs force you to make security governance concrete. They also ensure that budget discussions focus less on individual tools and more on demonstrable risk reduction through human factor security.

Investment logic: capability first, then automation

The KPN Cyberweerbaar 2026 survey shows that 38% of respondents consider the current security budget to be insufficient, while two-thirds expect the budget to increase in the coming period. At the same time, according to PwC's Digital Trust Insights 2026, only 60% of business leaders rank cybersecurity among their top three strategic priorities. This means that as a CISO, you often have to make choices. You want investments in information security that have an immediate effect.

A practical sequence that often yields the best results:

  1. Establish your security governance and roadmap, with clear choices.
  2. Identify the skills using your security maturity model. Where are the single points of failure?
  3. Start with targeted cybersecurity training and scenario training, including cybersecurity awareness training for non-technical teams.
  4. Adapt tooling to what your team can manage and improve.
  5. Practice incident response and crisis communication at fixed times.

This is not an argument against tooling. It is an argument for order and consistency in information security, with human factor security as the starting point.

Why Trivian is a good fit for organizations that need to move fast

According to the KPN study, many organizations are still working with outdated systems and perimeter thinking, while KPN's five cybersecurity trends for 2026 emphasize that incident response must become a strategic part of business operations. Modernization requires not only architecture, but also skills. People need to learn to work with modern detection, identity-first, zero trust principles, and cloud security. You don't learn that by buying a tool, but through cybersecurity training that focuses on practical application.

Trivian responds to this need with a training approach designed to reduce ramp-up time. This makes it attractive for organizations that:

  • want to get people involved in SOC, GRC, or IR more quickly
  • do not have sufficient senior capacity to provide long-term internal training
  • want to build structural resilience towards NIS2
  • take the human factor in security seriously, with cybersecurity awareness training that goes beyond "tick the box"

This makes structurally improving information security through training an executable strategy, not just a nice phrase in the annual plan.

Start with training as the driving force behind structural improvement

If you want to improve information security structurally, now is the time to focus on training. Not as a separate cybersecurity awareness training course, but as the driving force behind security governance, a working security maturity model, and a better-performing team. Trivian helps you get people up to speed faster with practical cybersecurity training and scenario-based learning, so that your organization not only has the tools, but also the capability. Human factor security is the connecting link between cybersecurity training, security governance, and measurable results in your information security.
