With the final ruling from the US Securities and Exchange Commission’s (SEC) proposed amendments to its security incident disclosure requirements set to be announced this month, many organizations are reevaluating their tech stack to ensure they have the right solutions in place. But in today’s growing threat landscape, is technology enough? As leaders invest in their defensive capabilities, they must also invest in their people’s preparedness for cyber attacks. Throwing money at tech stacks alone will not be enough to ensure resilience.
Breaches have never been more prevalent or damaging. Cyber criminals have targeted schools and hospitals, along with high-profile organizations like T-Mobile, MailChimp, and the U.K. postal service, Royal Mail. It’s clear that traditional technology-centric approaches to cybersecurity aren’t working.
Today, there is a tool for every cybersecurity challenge, from next-generation firewalls to the latest XDR, SASE, CSPM, SAST/DAST/IAST solutions. While these tools do provide some layers of defense, they alone cannot stop, or help teams recover from, cyber attacks. Why? Because cybersecurity is ultimately about people and teams, their capabilities, and how they work together in a crisis. Today, effective security requires an innovative approach that builds lasting cyber resilience –the ability and confidence to effectively respond to cyber threats.
Whether people-based vulnerabilities arise from team members sharing sensitive data with an external contact or mistakenly clicking on a phishing email, the general workforce continues to play a large role in data exposure incidents and breaches. According to the Verizon Data Breach Investigations Report 2022, 82% of breaches involved a human element. It’s time for organizations to reconsider how they approach the people side of cybersecurity and move beyond the checkbox mentality. Instead of viewing the human element of cybersecurity as being about individuals, think of it instead in terms of teams.
Teams play multiple roles within the organization, from understanding and responding to risk at the C-level to security teams waiting to respond to the next breach notification. Employees across the company will inevitably encounter phishing and social engineering attacks. Within each team, there are people with unique strengths and weaknesses. People need to know how to work together to mitigate an attack before one actually occurs.
It’s been said before, but it is worth repeating – the likelihood of a breach is a matter of when, not if. This reality raises a key question: how does a leader know their team is prepared? The answer requires more than a spreadsheet of training scores. In order to understand how teams will perform during a cybersecurity incident or crisis, people and teams need to be tested using realistic scenarios that simulate a real-world threat.
Organizations can no longer rationalize investing in costly traditional cybersecurity trainings. They can no longer spend their way out of our cybersecurity challenges. Instead, leaders should focus on the following:
- Make the most of your investments by ensuring that they will be used effectively in the event of a crisis
- Understand how your people and teams will work together and where their strengths and weaknesses lie
- Fill those gaps and continuously exercise your teams until you can prove that they will be resilient in the face of growing cyber threats. This requires realistic simulations of cybersecurity crises and incidents that span from techs to execs
A people-centric approach is no longer optional. Boards and customers are requiring visibility into cybersecurity risks and demanding proof of resilience. Governments are enforcing standards that were unthinkable mere years ago, and regulations are only growing more complex.
It’s time to stop pretending that investments in technology and legacy training are enough to provide an adequate defense. With the right mindset that accounts for the human element and approach to cybersecurity, we can make the most of our investments while measurably reducing risk.
