How to Train Your Team to Be a Human Firewall
In a digital age marked by rising cyber threats, Dr. Shaun McAlmont, President and CEO of NINJIO, believes the most powerful defense is humans.
With a background in psychology, adult learning, and leadership across public and private education and tech firms, McAlmont brought his expertise to this week’s episode of America Back to Work to share his perspective on transforming employees from vulnerabilities into vigilant defenders.
The Shift to the Human Firewall
Cybersecurity used to be dominated by tech-focused defenses: firewalls, encryption, and intrusion detection systems. But McAlmont explains that today’s most significant gaps aren’t in the software; they’re in human behavior.
“If a firewall lets certain elements of breaches go through,” he says, “there are employees on the other side that become the weaker link.” His focus? Building a “human firewall”: a workforce that understands risks and responds proactively.
This approach is what sets NINJIO apart. Leveraging principles of adult learning, McAlmont is working to reshape how companies approach cybersecurity: not as a one-time compliance task, but as a continuous, cultural transformation.
Why Employees Are Vulnerable
Phishing, ransomware, and credential theft remain the most common attack vectors, with the entry point often being a single employee.
McAlmont explains, “Employees are susceptible to prompts that appear legitimate. Whether it’s pressure from a supposed executive or a too-good-to-miss financial opportunity, personal motivations make them vulnerable.”
This is no longer hypothetical. From wire fraud to data breaches involving school children, McAlmont cites real-world cases where personal responses to deceptive prompts triggered large-scale fallout.
The takeaway: cybersecurity risk is everyone’s responsibility, and it starts with awareness.
The Cybercriminal’s Mindset
Cybercriminals, McAlmont warns, “are not worried about the ramifications of their actions.”
Their motivations are financial, and their methods are increasingly sophisticated. They study employees’ digital footprints, guess passwords based on public information, and lie in wait for months before striking, especially in spear-phishing schemes where attackers impersonate executives.
To counter this, McAlmont advocates moving from passwords to “passphrases”: longer, complex phrases like ILoveWalksInThePark45% that make credentials harder to guess or crack.
Training vs. Learning: The Behavioral Difference
Too many cybersecurity programs confuse “training” with “learning,” says McAlmont.
“Learning is understanding the ‘why’ and ‘how.’ Training is practicing that knowledge until it becomes habit.”
He draws an analogy from his own experience as a collegiate track athlete: understanding how to clear a hurdle is one thing, but doing it at full speed requires practice.
NINJIO’s approach reflects this philosophy. Their monthly, five-minute animated episodes are designed to build consistent engagement and tie real-world breaches to behavioral lessons. “We’re creating case studies employees can relate to, remember, and act on,” he says.
Why Frequency and Engagement Matter
Annual cybersecurity training simply isn’t enough.
McAlmont is blunt: “You see that hour-long training on your calendar and dread it. You open another browser tab, do the minimum to pass, and forget it. That’s not changing behavior.”
Instead, NINJIO’s bite-sized, narrative-driven episodes deliver a new lesson every month: frequent enough to build habits, but short and engaging enough to keep attention.
Cybersecurity’s Role in Culture and Engagement
Cybersecurity isn’t just a technical function; it’s a cultural imperative.
McAlmont believes the message has to come from the top: “If a CEO or CISO doesn’t reinforce this regularly, it won’t stick. Culture follows leadership.”
Importantly, making cybersecurity training engaging and inclusive can also improve overall employee engagement.
“When employees see leadership taking it seriously and get recognized for positive behavior, they feel empowered, not punished,” he says.
And it’s not just about protecting assets; it’s about protecting people. With remote work, VPNs, and personal devices blurring the line between home and work, cybersecurity awareness needs to reach every level of the organization, from the receptionist to the CEO.
Changing Behavior to Protect Business
Dr. Shaun McAlmont’s message is clear: cybersecurity is no longer a siloed IT concern. It’s a business-wide imperative rooted in behavior, culture, and leadership. By shifting from one-time training to ongoing learning and from passive compliance to proactive engagement, organizations can transform their weakest link into their strongest defense.
As McAlmont says, “We’re not born natural cybersecurity experts. But with the right training, we can build a human firewall strong enough to protect what matters.”