Your organization’s security revolves around one thing: your people

Who protects your organization’s data and system security? Your CEO? CTO? CISO? HR? All of the above and others?

If you selected the last option, you’d be right. While data and IT systems security are often viewed as the responsibility of the CIO (or some C-level executive), in truth, data security is the domain of everybody in the organization.

Not focusing on the human side of security can put everything at risk. Media reports continually provide stories of how a single employee’s innocent click on a phishing email took down an entire system or exposed thousands of customer records to nefarious hackers.

Protecting against these simple, yet devastating, missteps requires constant and ongoing vigilance and the understanding that you and your employees—from the bottom of the organization to the top—are all in this together.

The importance of human layer defence

Hackers are crafty, but they’re not infallible. Technology-based perimeter defences have gotten so good at keeping attackers at bay that hackers have shifted their approach to focus primarily on the widest attack surface and most vulnerable endpoint: people who log in to network-hooked devices.

Humans are now the primary attack vector. Attackers are doing a simple ROI analysis: why spend days, weeks, or months attempting to defeat technical controls when they can just trick Bob in accounting into giving them what they want?

Taking steps to strengthen your human layer of defence is essential to any organizational security posture. Doing so won’t replace technical controls; it will augment them by adding another layer to your cybersecurity defence arsenal.

Companies must leverage both technology and people for maximum security

We’ll always have to solve (and evolve for) both sides of the technology and people equation when it comes to data and security. Failing to implement standard and reasonable technology-based tools that can improve an organization’s security posture would simply be negligent. Likewise, not acknowledging that even the best technology-based solutions will never be 100 per cent effective at preventing bad players from targeting people with well-crafted phishing emails is also negligent.

Neither of these approaches is mutually exclusive. We know that the strongest security protocols, even those that are well-communicated to employees, are still at risk from those who intentionally or unintentionally find ways to bypass these controls.

Quick tips for bolstering your people-focused security efforts

So, what can you do to ramp up your human layer defence? A number of things. It starts with understanding that security is a journey and a conversation, not a destination and a directive. Set the expectation that security doesn’t just happen—it’s a continual journey where you’re highly likely to encounter detours, distractions, and even danger.

Here are some quick tips for gaining and maintaining internal support for your security awareness initiatives:

  • Sell by using stories: always be on the lookout for analogies and anecdotes that help make your points.
  • Create alignment: make sure your security program and related messages are aligned with your organization’s values, strategy, mission, and initiatives.
  • Build on what’s known: tie your efforts to already known and understood compliance requirements.
  • Use the media: use current events and stories in the media to help educate and advocate, but avoid using these stories as scare tactics.
  • Mirror best practices: align your program to established industry best practices, like the NIST Cybersecurity Framework or the National Association of Corporate Directors’ guidance on cybersecurity.

Finally, lead with empathy and know your audience. Keep in mind that most of your communication efforts won’t be in the form of large, formal presentations. Instead, the power of these connections will come by running more informal one-on-one discussions with individual stakeholders. That’s how you can make an impact — one person at a time. These individuals will then become your advocates or ambassadors, assisting you in supporting the importance of ongoing efforts to protect data and systems security.

Take steps to make your employees your staunchest allies and best defence against cybercrime.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Perry Carpenter
Perry Carpenter
Perry Carpenter, C|CISO, MSIA, is a recognized thought leader on security awareness and the human factors of security, he’s provided security consulting and advisory services for the world’s best-known brands. His previous book, "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors", quickly gained a reputation as the go-to guide for security awareness professionals worldwide, and, in 2021, he was inducted into the Cybersecurity Canon Hall of Fame. He’s the creator and host of the popular 8th Layer Insights podcast and co-author of the new book "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer."

Featured Download

IT World Canada in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Latest Blogs

Senior Contributor Spotlight