​Redefining the GRC Function: Leading the Shift Beyond Checkbox Security Training

Security Awareness Training was built for compliance, not resilience, and attackers are exploiting gaps that legacy models were never designed to address. GRC leaders are now expected to demonstrate measurable risk reduction, not just training completion rates.

Dune Security and Alumni Ventures hosted a virtual discussion featuring Dune Security CEO David Dellapelle, alongside Meghan Hunt of The University of Vermont Health Network, Jake Wesenberg of Koch, and Sam Pena of Tetra Tech. The conversation focused on why traditional Security Awareness Training falls short and how GRC teams can close the gap between compliance activity and true resilience.

The session explored how attackers bypass standard training, what user layer risk looks like today, how GRC leaders can shift toward a risk-based strategy, and which metrics truly demonstrate readiness to executives and regulators.

Thank you to everyone who joined us. We look forward to continuing the conversation and partnering with our community to strengthen how organizations manage user cyber risk.