The human side of cyber-risk
In most cases, when an employee causes a breach, it is unintentional. “People often don’t join the dots and may not realize that their individual actions carry a cybersecurity risk,” says O’Neill. Increasingly sophisticated attacks, such as advanced phishing schemes and even deepfakes of company executives, make it harder for employees to distinguish genuine communications from malicious fakes.
While uninformed employees pose a cybersecurity risk, informed and engaged employees can constitute your organization’s first – and strongest – line of defense. But for a people-centric approach to succeed, company leaders must secure buy-in from the whole workforce, embedding cybersecurity best practice into everyday work culture.
“Building a cybersecurity culture really means building behaviors around vigilance, hyper-awareness of the different techniques used by bad actors, and also the importance of raising the alarm when things go wrong or don’t feel right,” says O’Neill.
People leaders play a critical role in shaping organizational culture and must be ready to lead efforts to integrate these principles into the fabric of the business. O’Neill highlights three priorities for establishing an effective cybersecurity culture.
1. Identify cyber-risk as a clear and present danger
Most organizations have cybersecurity initiatives in place, but not all are fit for purpose. “Most have some form of e-learning course that employees complete on an annual basis, just to feel like they are doing something. But if that is the only tactic, you probably have more to do,” says O’Neill.
The most successful approaches emphasize the potential for real damage to the business. At Ipsos, one of the most impactful initiatives involved senior leaders participating in a simulated cyberattack. “Experiencing what an attack feels like, seeing what we would need to do and what we need to prepare for, brought the risk to life,” O’Neill says.
Grounding training in realistic scenarios is critical. For example, tailoring phishing simulations and training exercises to reflect evolving threats, such as deepfakes of senior executives requesting sensitive information, helps employees to recognize risks in practice, not just in theory.
2. Frame friction as a by-product of safety
Leaders must ensure that workers do not come to view cybersecurity measures principally as a source of irritation. Additional security steps can slow work processes down, impacting efficiency goals and creating friction with a workforce under pressure to hit productivity targets. If left unaddressed, such frustrations can undermine cybersecurity culture. Rather than allowing workers to see security measures as a drag on productivity, people leaders must reframe them as essential to safeguarding business processes and protecting the workers themselves.
“The more you can do to help people understand that this friction benefits all of us, the less likely they are to try to find workarounds that could compromise security,” says O’Neill. “It requires a huge amount of buy-in for people to play their role in managing risk.”
Another challenge is securing genuine engagement. When cybersecurity is explained in overly technical or compliance-driven terms, employees can see it as a box-ticking exercise. It falls to people leaders to translate the concept into language that resonates with employees.
“If your employees think cybersecurity is boring, it is probably because you have made it sound dull. Once you start talking to people about it in the right way, they see how vital and interesting it is,” says O’Neill. “Employees then want to play a community role in making sure good cybersecurity habits are in place and understand they are part of a broader ecosystem that keeps us all safe.”
3. Make it safe to speak up
One of the most commonly overlooked aspects of cybersecurity is creating an environment where no employee fears the potential repercussions of highlighting a breach or risk. “I would always prefer people to raise the alarm about something they are worried about and find out it was actually legitimate, rather than be afraid to raise it,” says O’Neill.
This is particularly important when dealing with highly convincing – and consequently difficult to detect – executive deepfakes used to solicit sensitive information from employees. But O’Neill acknowledges that, in global organizations, cultural dynamics can make this challenging. “In some countries, management hierarchies are very established and the idea of questioning someone more senior is hard to grasp,” she explains.
CHROs and CPOs should have the firmest understanding of these dynamics and should lead on communicating expectations effectively across different regions. This includes creating environments where employees feel safe to question unusual requests, even when they appear to come from senior leadership.
Measurement also plays an important role, and for a research firm such as Ipsos it comes as second nature. “We regularly measure people’s sentiment about raising concerns. For example, we ask: have you made a mistake and what was the response when you reported it? That allows us to identify areas, such as countries or functions, where more targeted activity is needed,” says O’Neill.