The 37-Year Evolution of Security Awareness Training

Security awareness training evolved from a 1988 federal mandate to automated human risk management. See how the industry got here and what comes next.

Most people assume security awareness training started with the rise of phishing. It did not. It started with a federal law.

For 37 years, the security industry has asked one question repeatedly: if humans are the weakest link, what do you actually do about it? Three answers have been tried. Each solved the last generation's problem and created the next one. For MSPs managing compliance-sensitive clients, this history explains why your margin is currently lost to campaign babysitting.

The industry has been selling security awareness training the same way for a decade. Annual compliance session, twelve-minute video, multiple-choice quiz at the end, checkbox on a compliance report. Everybody involved knows it does not work. Understanding how we arrived at this broken model is the first step to abandoning it.

The Federal Mandate (1988)

The Computer Security Act of 1987 required periodic security awareness training for all federal employees working with sensitive computer systems. Signed into law on January 8, 1988, it is the origin of the category. This was before the public web, and before email phishing.

Security awareness training became something organizations must do, not something they might do. Compliance, not efficacy, was the yardstick. There was no measurement of behavioral change. The only metric that mattered was whether the session occurred.

The Compliance Era (1996–2010)

HIPAA, Sarbanes-Oxley, and PCI DSS pushed the training requirement into the private sector. The format calcified quickly. Annual session. Long video. Multiple-choice quiz. Completion certificate.

The research on human learning had been settled since Ebbinghaus published his forgetting curve in 1885. Spaced practice beats massed practice. But compliance regulations did not ask about retention. They asked whether training was delivered. The entire category optimized for the wrong outcome for fifteen years. MSPs became record-keepers, spending hours hunting down users just to check a box. The training did not stop breaches, but it passed audits.

The Commercial Category (2010)

Stu Sjouwerman founded KnowBe4 in August 2010. Kevin Mitnick joined as Chief Hacking Officer in 2011. The genuine innovation was pairing interactive training with simulated phishing. Organizations could finally measure whether behavior actually changed.

Threats like CryptoLocker in 2013, WannaCry, and the BEC fraud wave drove massive adoption. By 2014, KnowBe4 was on the Gartner Magic Quadrant. The commercial category was real.

But success bred the next problem. The answer to "what if training doesn't work?" became "more content." Libraries grew past 1,000 modules. Admin burden exploded. Completion rates industry-wide hovered around 50 percent. MSPs found themselves operating as the managed service, eating the labor costs of building campaigns, chasing learners, pulling reports. That is not managed. That is sold-as-managed.

The Human Risk Pivot (2017–2024)

In 2017, Robert Fly and Masha Sedova co-founded Elevate Security. Both were former Salesforce security executives. Their premise rejected the category's core assumption. Treating all employees the same was a fundamental error. Every employee introduces a different risk level based on their role, their access, and the frequency of attacks against them.

Elevate pioneered a new category called human attack surface management. The goal was identifying high-risk employees and applying tailored controls.

In May 2021, Elevate published a Cyentia Institute study of 114,000 platform users over three years. The finding was stark. Traditional security awareness training and phishing simulations had no significant effect at the organizational level during real-world attacks. In some cases, more training was counterproductive. This was a remarkable admission from inside the industry.

In January 2024, Mimecast acquired Elevate. By Q3 2024, Forrester published its inaugural Wave for Human Risk Management Solutions. The category Fly and Sedova created finally had its official name: Human Risk Management (HRM).

What Comes Next (2025 and Beyond)

HRM solved the measurement problem. However, most HRM platforms inherited the legacy operating model. Big libraries. Manual campaigns. Admin-heavy operation. Excel gymnastics.

The fix is not more content. The fix is fewer decisions. The next step is less. Fewer modules. Shorter workshops. Campaigns that dispatch on schedules set once. Compliance reports that generate themselves. Personalization driven by directory data.

Kinds Security is built on this premise. The difference isn't a feature. It is a philosophy. Legacy SAT asks the admin to be the managed service. Kinds removes them from the loop.

Connect Microsoft 365, Google Workspace, or Okta. Users sync. Training dispatches on a schedule the admin sets once. A DocuSign user at one of your clients gets DocuSign lures because Kinds reads that from the directory. A GitHub user gets GitHub lures. Your admin never builds a campaign, never selects content, never sends a reminder email. Compliance PDFs for HIPAA, SOC 2, PCI DSS, and GLBA generate themselves when the insurance carrier asks.

40 Years of Progressive Honesty

Return to the through-line. The industry has asked the same question for nearly forty years, providing progressively more honest answers.

  • 1988: Make training mandatory.

  • 1996 to 2009: Make training annual.

  • 2010: Pair training with simulated phishing to measure if it works.

  • 2017: Accept that training alone does not work. Treat each employee as a distinct risk.

  • 2024: Name the category Human Risk Management.

  • Now: Remove the admin from the loop so the platform runs itself while still hitting the compliance bar.

Whoever defines the next decade of HRM will build on the operational lessons of everything that came before. MSPs do not need another security vendor pitch. They have heard it. What they need is a product that stops being a problem the day after they sign up.

Free trial. No demo required.

Always automated.
Nothing to manage.

Leave Training & Simulated Phishing to us.

© 2026 Kinds Security Inc. All rights reserved.