
Drivers of Secure Behavior

As the department of “NO”, cybersecurity is often dominated by technology and policy, rarely producing enough innovation to inspire a human-centric approach or any change of consequence. We run our gamified program for all employees once or twice a year, check our boxes, file our report with the auditors and fall back into the false sense of security that this training typically provides.

Moving this model toward training for those whose behaviors specifically indicate they need it is no longer just a smart idea; it is becoming a necessity, and the whole notion of addressing the complexities of human behavior in the cybersecurity landscape is gaining traction.

Consider this: a recent survey by Gartner, “Drivers of Secure Behavior,” reveals a startling truth: 93% of employees who engage in insecure behaviors do so knowingly. Which raises the question: why? Often, it’s the path of least resistance. Security measures like multifactor authentication, though secure, are cumbersome and add layers of complexity for employees, driving them to seek workarounds.

Human-Centric Shift

The shift towards a human-centric security model is not just a trend but a paradigm shift in tackling the cybersecurity conundrum. This approach considers the human element in every aspect – not just in incident response, but in everyday interactions. It advocates for clear, friction-reducing policies, simplification of security processes, positive reinforcement, and non-judgmental support for employees.

Gartner predicts a significant rise in the adoption of this model by CISOs by 2027, indicating a profound change in how we approach cybersecurity. By 2030, the majority of enterprises are expected to have a dedicated human risk management program.

The challenge, however, is friction. More than one in three employees find cybersecurity controls hard to adhere to, a Gartner report found. This friction is not just a technology issue but a human one. While implementing browser security and passwordless access are steps in the right direction, they don’t fully address the human element.

Nudge Your Way Home

One innovative solution lies in technology that prompts behavioral change. For instance, a system could be set up to alert users when they’re emailing someone new, serving as a modern check-engine light to nudge a change in behavior.
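As an added illustration of the first-contact nudge described above (example code written for this post, not taken from it or from any product), the check below flags external recipients a sender has never e-mailed before and replays it over a constructed outbound-mail log; the organisation domain and all addresses are assumed values.

```python
from collections import defaultdict

ORG_DOMAIN = "example.com"  # assumed: the organisation's own mail domain


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


class FirstContactNudge:
    """Remembers whom each sender has e-mailed and flags first-time external recipients."""

    def __init__(self, org_domain: str = ORG_DOMAIN) -> None:
        self.org_domain = org_domain.lower()
        self.seen: dict[str, set[str]] = defaultdict(set)  # sender -> recipients already e-mailed

    def check(self, sender: str, recipients: list[str]) -> list[str]:
        """Return external recipients `sender` has never e-mailed, then record all of them.
        Internal colleagues never trigger the nudge, so the prompt stays rare enough to be noticed."""
        sender = sender.strip().lower()
        new = []
        for rcpt in recipients:
            rcpt = rcpt.strip().lower()
            if domain_of(rcpt) == self.org_domain:
                continue
            if rcpt not in self.seen[sender]:
                new.append(rcpt)
            self.seen[sender].add(rcpt)
        return new


# Constructed outbound-mail log ("sender -> recipient[, recipient]"), not real traffic.
SENT_LOG = """\
alice@example.com -> bob@example.com
alice@example.com -> partner@supplier.test
alice@example.com -> partner@supplier.test, bob@example.com
alice@example.com -> invoices@newvendor.test
"""


def replay(log: str) -> list[tuple[str, list[str]]]:
    """Run the nudge over a log; return (sender, new external recipients) for each mail that fires."""
    nudge, events = FirstContactNudge(), []
    for line in log.splitlines():
        sender, _, rcpts = line.partition(" -> ")
        if new := nudge.check(sender, rcpts.split(",")):  # the "check-engine light" moment
            events.append((sender.strip().lower(), new))
    return events
```

In the constructed log only the second and fourth messages fire, which is the point: the prompt appears at a genuinely new contact and stays silent for colleagues and repeat correspondents.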

Understanding users is paramount. It involves direct communication with them, using feedback to refine the user experience. Many companies have recognized this, teaching cybersecurity staff the principles of user experience to better understand employee challenges and adapt accordingly.

Training also plays a crucial role but must be tailored to individual roles, recognizing that different employees interact differently with technology and data.

A Culture of “Yes”

The key to a successful human-centric security model lies in building a culture of “yes”. It’s about providing safe workarounds and positive alternatives rather than flat denials. Johnson & Johnson, for example, has transformed its restrictive policies into a positive self-service assessment, directing employees towards safe solutions and providing 1:1 targeted security training for behaviors known to create additional vulnerabilities.

In the end, it’s about balancing the people/process/technology triangle, with people at the heart of it. Technology lays the foundation, but it is the process and philosophy that drive success. This shift towards a human-centric model is not just about adopting new technological tools; it’s about embracing a culture that prioritizes user-centered design.

We are convinced that in this ever-evolving cyber landscape, it is this human element that will make all the difference in the future.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.
