A Successful Security Strategy Is All About Relationships. Here’s How to Build Them.
Security efforts are not limited to security teams. High impact strategies need to engage everyone from employees to the board of execs, DevOps teams and IT. Learn how how to become not just an effective partner but a trusted advisor across an organization.
Your Legacy Phishing Solution Isn’t Enough to Protect Your Organization
CISO Josh Yavor explains why legacy phishing solutions aren't effective in preventing successful attacks, and what you can do about it.
9 Things I’ve Learned Writing Phishing Emails
Ethical hacker, Craig Hays, explains why copywriting, timing, and context are all essential "ingredients" in crafting a phishing attack.
Employee Burnout Will Probably Cause Your Next Data Breach
Understanding how stress impacts cybersecurity behaviors could significantly reduce the chances of people’s mistakes compromising company’s security.
Stateful Machine Learning is Our Best (And Only) Bet
Traditional machine learning methods that are used to detect threats at the machine layer aren’t equipped to account for the complexities of human relationships and behaviors across businesses over time. There is no concept of “state” — the additional variable that makes human-layer security problems so complex.
How Easy Is It to Phish?
You don't have to be tech savvy to become a "hacker". This blog outlines how to create a phishing campaign, and was designed to help security leaders protect their organizations.

Explore Human Layer Security.

Learn About Our Mission
Subscribe to our newsletter
Explore Me
Read More
Podcast Security Culture

If Security Isn’t Working For The People, It’s Not Working At All

Simon Hodgkinson

Illustration by Hady Tse

Changing the cybersecurity behaviors of thousands of employees at an enterprise scale is no easy feat, but Simon Hodgkinson (with 35 years in the IT and security field) has done it before. In a recent RE: Human Layer Security Podcast episode he explained why the best security is invisible to employees, and what makes the job of the CISO is harder than ever. 

This whole podcast episode is a must-listen for any security professional, but Simon’s top three takeaways can be found below.

Cyber threats have grown exponentially in the last 35 years, but organizations have struggled to keep up

At the start of my career, cybersecurity wasn’t even a thing. Cyberattacks did occur in the 1980s but they were few and far between. Today, cyberattacks are a daily occurrence regularly seen in the mainstream press. A report by the Department for Digital, Culture, Media, and Sport in the UK stated that in the last year, almost half of businesses and a quarter of charities have had cyber breaches or attacks – so there has been a huge shift over the past few decades. To many, this increase in cybercrime has come as no suprise. Cybercrime tends to have a very low cost of entry, with a low risk of being caught, and offers pretty high rewards… so it’s easy to see why someone might want to be a part of that.

But despite the visibility of attacks has increased, we still don’t really value the human side of cybersecurity enough. Typically, cybersecurity has always been buried in IT and tech, with technologists throwing tech at problems. So when cybercrime expanded exponentially, organizations were caught out, and only the top organizations or the ones with strict regulatory requirements responded well. 


The role of the CISO has changed hugely over the past decade and is set to change even more

The creation of the CISO was a very technical response to the rise of cybercrime. Initially, the role focused on the IT side of the problem, but it is now hugely varied. 

Cybercrime is as much a human problem as it is a technology problem, so there is a whole cultural and behavioral-change side to the CISO role.

There is also the regulatory side – many CISOs need to oversee the whole governance and compliance regulatory landscape. Further to this, legalities need to be considered to ensure things like business continuity. All of these branches are no longer in the realm of just the IT department. So, the role of the CISO is now much broader than just technology, and the position needs to be elevated to reflect that. 

In ten years time, the role will have grown even bigger in response to exponentially growing threats. Cybersecurity conversations will need to be had at board level very frequently – maybe even once a week. Factors like globalisation will also increase challenges further. The role is fast becoming an enormous, 24/7 job, and the question I have at the forefront of my mind is simply: In ten years time how many people will want to be a CISO?

The ultimate goal in cybersecurity is to allow people to do their job securely without seeing security at all

You have got to put people at the heart of security. The role of security is to enable the organisation to achieve its objectives. So, if your security measures aren’t working for the people then they are not working at all. Historically, part of the challenge has been that we have made security measures quite hard to execute. For instance, when multi-factor authentication was first rolled out there were so many steps – it was just difficult. The same goes for secure enclaves for highly sensitive data, which were very difficult to get in to. People need to get their jobs done, and we didn’t think about that human factor.

This thinking has led us to the notion of embedded security – if you can allow people to do their job securely without seeing security at all, that’s a fantastic outcome. 

For more from Simon on the role of the CISO making security work for employees, listen to our Tessian Podcast episode, here.

Share this Article