I was sitting at my desk recently, looking at a stack of compliance reports, and I felt that familiar, buzzing hum in my brain that comes when I’ve been staring at a problem for twenty years. It is a specific kind of frustration (one that my ADHD-i brain likes to fixate on) where the solution is obvious but the budget is nonexistent.

We talk a lot about the “human firewall” in security circles. It is a nice metaphor, but it is also a bit of a lie. We treat people like software components that just need a patch, rather than complex biological systems with their own anxieties, distractions, and sensory overloads.

I have spent two decades watching infrastructure evolve from beige towers (like my beloved Commodore 64) to abstract clouds. Yet, in all that time, the way we fund security awareness has remained stuck in a very archaic, “check-the-box” mentality. We spend millions on Next-Generation Firewalls and Endpoint Detection and Response tools. But when it comes to the team responsible for teaching employees how not to get tricked by a Social Engineering attack, we give them a shoestring budget and a library of boring, thirty-minute videos that everyone mutes while they check their email.

This is a failure of empathy.

As someone who is both autistic and ADHD, I experience the world through a lens of high pattern recognition and, occasionally, social friction. I see the “invisible” work. Awareness teams are essentially internal marketing and education departments tasked with the hardest job in tech: changing human behavior.

When we underfund these teams, we are effectively saying that we don’t value the cognitive load of our employees. We expect them to be security experts on top of their actual jobs, without giving them the engaging, accessible, and frequent guidance they need to succeed. We treat security as a technical hurdle rather than a cultural practice.

In the old days of the Bulletin Board Systems, security was about knowing the right people and the right commands. It was intimate. Today, it is massive and impersonal. To fix the funding gap, we have to stop looking at awareness as a “cost center” and start seeing it as an investment in emotional intelligence.

If we want people to care about protecting the company, the company has to show it cares about how people actually learn. That requires more than a compliance officer with a spreadsheet. It requires writers, designers, and educators who understand how to capture attention in a world designed to fragment it.

Until we fund the human side of the equation with the same urgency we fund the silicon side, we are just waiting for the next “human error” to happen. And that is a failure of leadership, not a failure of the users.