I firmly believe that the only people who come to work to do cyber security are people in those roles. Everyone else in the organisation has their own role they need to perform - whether in finance, payroll, marketing, management, production, etc. The goal of cyber security is to implement measures that work in the background to reduce risk without adversely affecting the ability of people to perform their roles. Yes, people need to be aware of the risks to security and privacy, and to understand the actions they can take. But if someone clicks a phishing email or buys a gift card, it doesn't mean that they have failed. The failure is in the security measures that are meant to protect the organisation.
https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html