Why Your Security Strategy Needs a Human Upgrade

Javvad Malik

Let’s be brutally honest. For years, our industry has been locked in a civil war. In one camp, the technologists have been building higher walls and smarter traps, arguing that the right AI-powered, next-gen firewall will solve all our problems.

In the other camp, the behaviorists have been calling for more training and better awareness, convinced that if we just make people understand the risks, they’ll stop clicking on things.

Here’s the thing: they’re both right, and they’re both missing the point.

While we’ve been arguing, a massive elephant has made himself comfortable in our server rooms. That elephant is the simple fact that our defences are fractured. We’re fighting a psychological war against AI-powered adversaries with a strategy that’s split right down the middle. The result? A staggering 74% of CISOs now consider human error their number one risk. As highlighted in our recent Human Risk Management (HRM) whitepaper, the old ways are no longer working. The game has changed, especially with AI now turbo-charging the tricksters, making their phishing lures and social engineering scams almost indistinguishable from the real thing.

The old way of just “making people aware” with a once-a-year, tick-box training session? That’s like bringing a water pistol to a lightsaber fight. It’s a compliance activity, not a security strategy. It might check a box for an auditor, but it does little to stop a sophisticated attacker who knows how to play on basic human emotions like urgency, helpfulness, or fear. This creates the dangerous “Awareness-Action Gap”: the chasm between what your employees know they should do and what they actually do at 3PM on a Friday when they’re tired and distracted.

It’s time for a peace treaty. It’s time for a strategic upgrade. It’s time for Human Risk Management (HRM).

HRM isn’t just another buzzword; it’s a fundamental shift in how we approach security. It’s a unified strategy that stops treating technology and people as separate problems and starts treating them as a single, interconnected system. It acknowledges that you can’t firewall your way out of a well-crafted phishing email, and you can’t train your way out of a poorly designed security process. HRM is about treating the human element with the same analytical rigour we apply to our tech stack. It’s about understanding behaviors, motivations, and yes, even the occasional lapse in judgement, and then building a supportive ecosystem of both tech and culture to account for it.

This isn’t about pointing fingers at “Dave from accounts.” It’s about acknowledging that people are, well, people. We’re busy, occasionally distracted, and sometimes a bit too trusting. A modern security strategy must be designed for the people you actually have, not the perfectly rational, always-vigilant security automatons you wish you had. It’s about shrinking the threat surface with smart tech while simultaneously growing savvy users who can act decisively, all within a system that provides safety nets for the inevitable slip-up.

In this blog series, we’re going to deconstruct what a modern HRM strategy looks like. We’ll move from the “why” to the “how,” giving you a practical framework to turn your biggest vulnerability into your most intelligent defence.

Make sure not to miss the next blog post in this series where we’ll dive into the fascinating and often frustrating world of behavioral science to understand why even the smartest people click on the dumbest things.
