Top 10 Reasons to Invest in the Human Element of Cybersecurity


Organizations must prioritize people if they are to see a greater return on their cybersecurity investment.

Dan Waddell is (ISC)2 managing director, North America Region, and director of U.S. government affairs.

Today’s investment world can be described as tumultuous at best. In fact, I have actually heard the word “devastating” used on more than one occasion by a news reporter describing Wall Street’s performance over the past several weeks.

The good news is that there is a timely and lucrative investment opportunity available to those of us in the cybersecurity profession. There is no downside and no risk, and the return on investment is guaranteed to impact every area of our lives, from our finances to our jobs to our children’s future. Whether you are an executive, a middle manager, a practitioner or student, there is no better time than the present to invest in the “human element of cybersecurity.” Here are 10 reasons why:

People are more suited to changing culture and aligning cyber budgets to business needs: As compared to five years ago when cyberthreats were just starting to seriously threaten the bottom line of our nation’s economy, corporate executives and government leaders are now more open to growing their organization’s security team.

(ISC)2’s Philip Casesa, director of product development and portfolio management, says it best in a recent article, “If CISOs can tie the need for resources and people directly into something that the organization is trying to accomplish -- such as gaining revenue, launching new products or services, or showing how security is protecting it from theft of intellectual property or customers’ personal identification information -- they have an argument that senior management can’t ignore.”

Training lowers corporate risk: Advancing an organization’s security agenda no longer rests upon educating its cyber workforce; rather, its entire workforce must be educated in cyber. Research shows that increasing cybersecurity awareness training can reduce corporate security risk by up to 70 percent.

Additional benefit to offer prospective employees: The cyber workforce of the future will not resemble the workforce of the past, or even of the present. The extreme shortage of qualified professionals, the demand for specialized training, the silver tsunami and the focus on managing risk are reshaping the role of the cyber practitioner. Organizations that cater to this changing role by offering education, training and certification in emerging areas of career growth will attract the best and the brightest.

Improves employee retention: According to the (ISC)2 2015 Global Information Security Workforce Study, the top two initiatives for retaining security professionals are training related. Interestingly, “improving compensation” falls third on the list. In other words, training ranks higher on the scale of importance than salary when building employee satisfaction and retention. That speaks volumes for the importance of training.

Marketplace differentiator: A rise in vulnerabilities and costly breaches inevitably will reveal a security organization operating at a deficit of skilled cybersecurity talent, the devastation of which filters through the organization down to its very consumers/customers. Assuring customers that an organization is well-staffed with qualified security personnel -- and as a result provides a safer user experience -- sets you apart from other organizations.

Build customer trust: High-profile breaches have created an elevated sense of fear and have diminished citizen trust. More and more, citizens are determining their level of engagement online by the cyber profile of the organization. Hiring top cybersecurity talent and dedicating increased funding for training helps to regain citizen trust.

A powerful tool in the hands of a poorly trained operator is a dangerous concept: The classic knee-jerk reaction to any cyberincident is to buy a complex tool that can either prevent the next incident or mitigate prior ones. But equally important to having an effective tool is having a trained staff in place to safely use it.

Majority of breaches are caused by human error: With evidence that the majority of breaches are caused by human error, leaders are realizing people can be their organization’s greatest cybersecurity asset or greatest liability.  

Enterprisewide training programs foster collaboration and communication: Protecting digital assets was -- and remains now -- uncharted territory. It is an undertaking best achieved when experts in the field connect, collaborate and contribute. Enterprisewide training programs that cut across departments (IT, finance, HR, legal, etc.) increase cyber risk collaboration and communication, helping to prevent a cyberincident from becoming a breach.

The “human” factor should be driving a “people patching” culture: Equal in significance to the best practices of software patching, vulnerability scanning or password management, is the ongoing nurturing of human awareness and vigilance through training, education and certification. Regular “people patching” must become a standard mindset.

For those of us long-term investors who have recently cringed at the arrival of our 401K statements in the mail, it’s time for a surge of internal fortitude and to refocus our attention on what we can be doing to nurture our human assets. Organizations must prioritize people if they are to see a greater return on their cybersecurity investment. While there is clearly a shortage of skilled cybersecurity professionals, there is an abundance of opportunity to invest in the human element – in many different ways at many different levels.
