We carry our organization's security perimeter in our pockets—and that alone should give us pause. At a basic level, it's essential that security awareness be ubiquitous to keep personnel (and anyone they share a device or WiFi pass with) from getting snagged on phishing hooks. But as we bring our focus to risks surrounding our software manufacture and infosec, we find that awareness isn't a substitute for actual training. And not just any tired click-to-complete videolesson will do: corrective/preventive programs need to be relevant, specific, and measurable in order to have a real impact on attack readiness. As the saying goes, "we are only as good as our worst day of [security] training."