A Whole New Thing?: Why Cybersecurity Needs to Rethink Its People Problem
Setting the scene
Cybersecurity has never just been about technologies and code. It’s also about the people. And for every security-minded professional who would never dream of sharing a password and can be relied upon to spot phishing emails before they’ve clicked on any links in them, there will be dozens in every organisation who aren’t as clued in.
Traditionally, large organisations have looked on this as a training problem. But training can leave users feeling as if they’re being punished, and even the best training will not provide a 100% solution. The attacker just has to get lucky once, but even the most successful training programme will only improve your security – it won’t make it perfect.
About a dozen senior cybersecurity leaders joined staff from CultureAI for a roundtable discussion run by RANT to try to find a new way through these challenges.
Why Training Isn’t Enough
Many in the room nodded in recognition at the frustrations with current training-first approaches. Even sophisticated users fall for today’s increasingly sophisticated and well-targeted phishing attacks, and no amount of training will achieve 100% success.
“In my last company, one person – a very clever guy – gave away his MFA three times after a phishing attack. The emails were about his pension.” – CISO attendee
Additionally, clever social engineering, SaaS-targeted campaigns, and realistic-looking messages are blurring the line between work and personal vulnerabilities.
“The issues are very nuanced. I’ve queried genuine emails, thinking they’re phishing emails. Gone are the days of poor spelling, bad grammar, and obviously wrong links.” – Senior cybersecurity leader
If cyber training is insufficient and breaches still happen, what’s the alternative? What if the answer lies in real-time protection and contextual support, not just education?
The Blame Game: Broken and Counterproductive
Whether intended this way or not, a lot of employees will interpret post-incident training as a form of condemnation. This is only going to end up hurting businesses.
“You’re encouraged to move at pace – but you’re scared to click. How do you do that? We need to create systems around people to make sure they’re not put at risk in the first place – and if they do something wrong, certainly not blamed for it.” – Senior security leader
“We call it ‘basic hygiene’, but I think it’s incredibly hard—especially at scale.” – Security veteran
Human error is inevitable. But when leaders themselves fall victim—such as one attendee who applied for excessive system access and was approved without challenge—it becomes clear: this is not a junior staff problem. It’s a systemic challenge.
Security as an Enabler—Not a Brake
Too often, security teams are seen as the bad guys inside the organisation. They’re the ones who are always having to say “No” when employees find a more efficient or more productive way of carrying out their jobs. This doesn’t just slow the business down – it erodes trust between the rank-and-file staffers and the security specialists, and makes it far less likely that sensible security protocols will be followed: all of which ends up making the business less secure.
“If you’re very restrictive, it’s a problem. If you’re not, it’s a problem too.” – CISO
“Our users are creative. If something doesn’t make sense, they’ll find another way to do it.” – CISO
Whether it’s developers, global contractors, or blue-collar workers with admin access, many users are disengaged from security. So how do you engage them?
The answer may lie in meeting them where they are, with gamification, availability-focused messaging, or simple awareness that resonates with their own lives.
Old Tricks, New Threats
Attackers don’t need to leverage new zero-days or come up with innovative attack methods, because the ones they’ve been using for years are still generating excellent returns.
“They’re armed with verification info already; generative AI can help with that. They don’t need to do anything different—phishing, social-engineering of service desks, these still work spectacularly well.” – Security leader
Even phone numbers that have been recycled to new users are being leveraged for credential theft. Meanwhile, every response to an attack tends to be singular and reactive.
“We fix that one attack vector… without realising attackers have multiple others.” – Security professional
So, What’s Next?
This conversation highlighted a broader cultural shift. Much like the industry’s move from perimeter defence to data-centric security, the next shift may be toward human-centric protection.
“We’ve been building firewalls for 30 years—but only now are we starting to think about protecting people.” – James Moore, founder and CEO, CultureAI
So we ask:
Are we building security systems for real people, or ideal ones who never make mistakes?
And what would change if we designed for the former?
Conclusion
Training isn’t obsolete—but it’s incomplete. Empowering users while protecting them in real time—without fear, blame, or friction—might just be the new foundation of cyber resilience. This will require businesses to think differently about their human risks, and maybe to take a different attitude towards their employees. It will be a journey and it will not always be an easy one, but CultureAI will be there to help.
“The focus should very much be on detection and response. Not blocking people is huge. We’ve seen so many companies trying to block employees from doing certain things, and it almost always backfires. They [employees] should be able to do what they need to do, up to the point it becomes a risk, and then they need to be protected.” – James Moore, founder and CEO, CultureAI