When it comes to security awareness, most tools are solving the wrong problem. That’s the starting point for this conversation with Harley Sugarman, founder of Anagram Security – and from there, we go deep.
Harley’s background isn’t your typical cybersecurity CV. Before launching Anagram, he worked in engineering and security, often wondering why awareness was treated as an afterthought. Despite being labelled the biggest risk in most organisations, people rarely get the investment or attention they deserve. And training? Too often it’s just a compliance box ticked once a year.
In this episode, Harley talks about how that disconnect pushed him to start building something different. Something that treats behaviour change as a core goal – not a side effect. Anagram’s approach? Short, engaging content, interactive puzzles, and mindset shifts that help people think like attackers. The result is more than knowledge. It’s habit-building.
We dig into:
- Why phishing click rates can be gamed – and why they don’t tell the full story
- What makes a good “nudge” (and what just becomes noise)
- How AI could enable contextual, real-time awareness – if used right
- The real reason security awareness gets such a small slice of the budget
- And why vague compliance standards might actually be a hidden opportunity
One of the most interesting parts of the conversation is around metrics. We’ve all been asked to prove impact. But most of the metrics we rely on – completions, clicks, reports – are poor proxies for real behaviour. Harley argues that many CISOs already know who their riskiest users are. The challenge is moving from identification to actual change. And doing it in a way that feels human, not punishing.
There’s also a brilliant moment where Harley talks about how much of today’s awareness training would be considered totally unacceptable in a classroom. If we taught children the way we teach adults about cyber, there’d be protests. He’s not wrong.
Oh, and somewhere in the second half of the episode, there’s a small detail about Harley’s earlier career that explains a lot about how he sees behaviour, storytelling, and audience engagement. Let’s just say it involves a certain flair for the unexpected. You’ll spot it when it comes.
Whether you work in security awareness, lead a team, or are just trying to make your organisation care a bit more about human risk, this episode offers a refreshing take on what’s possible – and a reminder that we can do better than "click here to complete your annual training."
Listen now and start thinking about what your awareness programme could be if you reimagined it from the ground up.
You can find Harley at anagramsecurity.com or connect with him on LinkedIn.