Episode 14: Improve your organization’s cyber security posture by addressing the human component

Ilona Simpson on digital resilience and the need for change management in cyber security
You’re never 100% safe and secure. It’s all about what we do to reduce risk and how many hurdles there are for our adversary to hop through.
As technology and the threat landscape advance at an astounding pace, embracing change and improving the digital resilience of organizations is key. But digital resilience can be a complex, abstract topic that is hard to measure, communicate to business leaders, and transmit to employees.
In the latest episode of the Human Firewall Podcast, Dr. Niklas Hellemann and Ilona Simpson discuss how organizations can improve digital resilience by focusing on the human element in cyber security. They also explain why the traditional approaches to cyber security, which enforce security policies through rigid, one-size-fits-all training programs, are not enough to drive true behavior change and resilience. Instead, they emphasize the need for context-specific, personalized education that meets people where they are.


Overview of the episode
Want to dive into the most important discussion parts? Our detailed summary with timestamps allows you to jump directly to the sections you’re interested in.

| Timestamp | Description |
| --- | --- |
| 00:00:51 – 00:09:18 | Introduction to Ilona Simpson and her career path from psychologist to CIO |
| 00:09:18 – 00:12:20 | The need for change management in cyber security and the importance of creating real behavior change |
| 00:12:20 – 00:23:50 | How to increase digital resilience in organizations, measure it effectively, and communicate it to business leaders |
| 00:23:50 – 00:27:56 | Ways to help people accept new technology and changes in their environment |
| 00:27:56 – 00:34:14 | Shifting from traditional security awareness training to a more personalized, targeted approach |
| 00:34:30 – 00:38:00 | How to achieve a security culture and how to quantify it |
| 00:38:00 – 00:40:00 | The importance of continuous and situation-based awareness tools |
| 00:40:02 – 00:48:58 | Increasing diversity in tech and empowering underrepresented groups to enter the security industry |
| 00:48:58 – 00:49:43 | Farewell and an invitation to preview the next episodes |

Highlights & key learnings
We need to give people tools and support them with processes so they can become good digital citizens.
- Human-centric approach: Security policies often fail because they don’t account for human behavior and its complexities. A human-centric approach is necessary to achieve real behavior change.
- Education with motivation and context: People need more than just knowledge of rules. They also need context and motivation to change their behavior.
- Compliance vs. resilience: Achieving compliance is necessary, but it is not enough to build resilience in an organization.
- Layers of resilience: It is a misconception to believe that cyber risk can be reduced to 0%. No single measure will achieve this. Digital resilience is multi-faceted: it requires protecting the organization and reducing risk across many different areas, so that an adversary has several independent hurdles to clear rather than one.
- Personalized training: Traditional security awareness training can be ineffective due to its one-size-fits-all approach. Tailored training that addresses individual needs and contexts is more engaging and effective in creating awareness and understanding.
- Role of top management: How top management views and handles security greatly influences the effectiveness of defense measures. Leaders at all levels should actively demonstrate and support security practices to promote a security culture.
- Measuring digital resilience: Current metrics such as phishing click rates are insufficient on their own for grasping an organization’s security culture. We need to adopt a more holistic view of risk, in which multiple factors are considered together to measure resilience.
- Storytelling as a tool: Communicating to business leaders about security risks requires moving away from technical language and using storytelling to deliver the message in a clear, relatable way.
- Innovation and diversity: Diversity can drive innovation by bringing varied perspectives that enhance problem-solving and resilience.
- Meeting people where they are: We need to train people in the moments and channels where they are more likely to learn. Thus, security awareness must be flexible, continuous, and adapted to employees’ needs.
Let’s all be that change agent we want the organization to move towards.
Deepen your knowledge: Further information
- Pareto Principle: The observation that, in many systems, roughly 80% of the effects come from 20% of the causes; in security, a small share of risks or behaviors often accounts for most of the exposure.
- Digital Operational Resilience Act (DORA): This EU regulation entered into force on January 16, 2023, and applies from January 17, 2025. It aims to harmonize the rules for the European financial sector to strengthen its IT resilience, including in cases of severe disruptions.
- NCSC Board Guidelines: Resources and guidelines from the UK National Cyber Security Centre (NCSC) that help boards and businesses handle cyber security risks more effectively.
- BitSight score: A measurement of an organization’s security rating and risk portfolio.
- McKinsey report on digital trust: A 2023 research survey analyzing the importance of having digital trust in the companies we buy from.
- National Institute of Standards and Technology (NIST) framework: The NIST Cybersecurity Framework helps businesses better understand their cyber security risks, enhance their management strategies, and strengthen their defenses to protect networks and data.
- CMMI appraisal method: Maintained by ISACA (a professional IT governance association), CMMI is a formal appraisal method that assesses organizational processes and assigns ratings reflecting their capability and performance levels.
- Forte Group: An advocacy and education non-profit organization where senior CISOs and CPOs can share resources, form connections, and work together to elevate the cyber security industry.
Learn more about digital resilience in our recent report
This podcast offers a deep dive into the importance of digital resilience, the role of leadership in security, and the necessity of fostering a proactive security culture. Ilona Simpson’s insights underline how digital citizenship, change management, and diversity are key drivers of innovation and security in the modern business landscape.
If you want to discover more expert insights on how to adopt a holistic human risk management approach to cyber security, read our Human Risk Review 2024.