Hosted by Brian Roberts of Campbell's and Ali Mace of the CRC Group, this lightning-round showcase allowed attendees to step up to the mic and discuss what’s actually working in their security awareness programs. 

The result? A flood of fresh ideas, creative experiments, and inspiring wins. Another way to put it? The kind of grassroots successes you don’t always hear about at conferences. There were a few standout shares and brags that we'd like to, well, share and brag about! 

Turning phishing clickers into security champions 

One health system shared how they reimagined phishing simulations. Instead of handing everyone the same off-the-shelf training, they created a tiered system. Employees who fell for multiple phishing emails got additional simulations. If the pattern continued, they received instructor-led training tailored to their needs. In the latter case, it often involved ESL or less tech-savvy employees who benefited from a human touch rather than another online module. The message was clear: the people who click on simulated phishing emails aren’t bad; they need support tailored to how they learn best. 

Security awareness with a sense of humor 

Another team proved that awareness doesn’t have to be dry. They created short, playful videos tied to real-world events, like spoofing a Super Bowl “challenge flag” to explain corporate tailgating. Fake social media accounts, tongue-in-cheek characters, and even props made their campaigns memorable and fun while still driving home serious lessons. 

Growing from zero to a reporting culture 

At one manufacturing company, the security awareness program had to be built from scratch for 2,000 employees. A phishing report button was introduced, and the team focused on providing positive reinforcement, especially by thanking individuals directly for their reports. Within months, employees who once “didn’t even know how to spell phish” were eagerly spotting and reporting suspicious emails. 

Newsletters people actually read 

How do you make a monthly cybersecurity newsletter stand out? One organization took inspiration from April Fools’ Day and the NCA's AI Fools, Stay Sharp! campaign to create a playful, AI-themed April newsletter. With jokes like “Don’t want to call your relatives? Let AI do it for you,” paired with serious awareness resources, the issue hit a 70% read rate. Not bad for a company newsletter... 

Recognizing everyday heroes 

Positive reinforcement was a recurring theme. A small company in Montana started a "Security Champion of the Month" award, spotlighting employees who reported phishing attempts. The result was a noticeable culture shift: employees began competing for recognition and saw themselves as part of the solution. 

Creative training on a deadline 

What happens when leadership demands new all-employee cybersecurity training yesterday? One newly minted awareness leader leaned on AI tools to storyboard content, generate images, and create modules that matched learning objectives all while keeping messaging clear and engaging. It was a crash course in becoming a “Don Draper for cyber awareness.” 

Building human firewalls across schools 

In some schools, the “IT department” is just a gym teacher with extra duties. A statewide initiative shared how it is bridging those gaps by providing schools with a common baseline of cybersecurity training and practical support. Their philosophy: meet schools where they are and make it easier for staff to be part of the human firewall. 

Cybersecurity beyond the workplace 

One longtime IT pro from Ohio shared how she turned an unexpected career shift into an opportunity to teach cybersecurity basics to seniors in her community. From scams to password safety, she’s now leading workshops in churches and local groups, proving that security awareness doesn’t stop at the office door.  

You can actually teach people in your community using the Then & Now workbook resources from the NCA!  

Why sharing and bragging matters 

If there was one theme that ran through all these stories, it was creativity paired with empathy. Whether it’s tailoring phishing training to employees, rewarding positive behavior, or bringing cybersecurity to seniors, the professionals at Convene showed that there’s no one-size-fits-all approach to awareness. 

“Share and Brag” was supposed to last an hour, but with so many people lined up, we ran out of time. That’s the best kind of problem to have! It's a reminder that, across industries and communities, cybersecurity awareness is not only alive and well, but thriving. If you want to Share & Brag about your org's successes, join us at our next Convene in March, 2026 in Florida!