Podcast

Ilona Simpson on digital resilience and the need for change management in cyber security

9 January 2025 · 3 min read

You’re never 100% safe and secure. It’s all about what we do to reduce risk and how many hurdles there are for our adversary to hop through.

As technology and the threat landscape advance at an astounding pace, embracing change and improving the digital resilience of organizations is key. But digital resilience can be a complex, abstract topic that is hard to measure, communicate to business leaders, and transmit to employees.

In the latest episode of the Human Firewall Podcast, Dr. Niklas Hellemann and Ilona Simpson discuss how organizations can improve digital resilience by focusing on the human element in cyber security. They also explain why the traditional approaches to cyber security, which enforce security policies through rigid, one-size-fits-all training programs, are not enough to drive true behavior change and resilience. Instead, they emphasize the need for context-specific, personalized education that meets people where they are.

Episode 14: Improve your organization’s cyber security posture by addressing the human component

Overview of the episode

Want to dive into the most important discussion parts? Our detailed summary with timestamps allows you to jump directly to the sections you’re interested in.

Minute                  Description
00:00:51 – 00:09:18     Introduction to Ilona Simpson and her career path from psychologist to CIO
00:09:18 – 00:12:20     The need for change management in cyber security and the importance of creating real behavior change
00:12:20 – 00:23:50     How to increase digital resilience in organizations, measure it effectively, and communicate it to business leaders
00:23:50 – 00:27:56     Ways to help people accept new technology and changes in their environment
00:27:56 – 00:34:14     Shifting from traditional security awareness training to a more personalized, targeted approach
00:34:30 – 00:38:00     How to achieve a security culture and how to quantify it
00:38:00 – 00:40:00     The importance of continuous and situation-based awareness tools
00:40:02 – 00:48:58     Increasing diversity in tech and empowering underrepresented groups to enter the security industry
00:48:58 – 00:49:43     Farewell and an invitation to preview the next episodes

Highlights & key learnings

We need to give people tools and support them with processes so they can become good digital citizens.

  • Human-centric approach: Security policies often fail because they don’t account for human behavior and its complexities. A human-centric approach is necessary to achieve real behavior change.
  • Education with motivation and context: People need more than just knowledge of rules. They also need context and motivation to change their behavior.
  • Compliance vs. resilience: Achieving compliance is necessary, but it is not enough to build resilience in an organization.
  • Layers of resilience: It is a misconception to believe that cyber risk can be reduced to 0%. No single measure achieves this. Digital resilience is multi-faceted: it requires protecting the organization and reducing risk in many different areas, so that an adversary has to clear several independent hurdles rather than one.
  • Personalized training: Traditional security awareness training can be ineffective due to its one-size-fits-all approach. Tailored training that addresses individual needs and contexts is more engaging and effective in creating awareness and understanding.
  • Role of top management: How top management views and handles security greatly influences the effectiveness of defense measures. Leaders on all levels should actively demonstrate and support security practices to promote a security culture.
  • Measuring digital resilience: Current metrics like phishing click rates are insufficient for grasping an organization’s security culture. We need to adopt a more holistic view of risk, where multiple factors are considered to measure resilience.
  • Storytelling as a tool: Communicating to business leaders about security risks requires moving away from technical language and using storytelling to deliver the message in a clear, relatable way.
  • Innovation and diversity: Diversity can drive innovation by bringing varied perspectives that enhance problem-solving and resilience.
  • Meeting people where they are: We need to train people in the moments and channels where they are more likely to learn. Thus, security awareness must be flexible, continuous, and adapted to employees’ needs.

Let’s all be that change agent we want the organization to move towards.

Deepen your knowledge: Further information

  • Pareto Principle: The observation that roughly 80% of effects come from 20% of the causes; in security terms, a small share of risks or behaviors typically accounts for most of the exposure.
  • Digital Operational Resilience Act (DORA): This EU regulation entered into force on 16 January 2023 and has applied since 17 January 2025. It harmonizes the rules for the European financial sector on ICT risk management, incident reporting, resilience testing, and third-party risk, so that institutions can withstand severe operational disruptions.
  • NCSC Board Guidelines: Resources and guidelines from the UK National Cyber Security Centre that help boards and business leaders govern cyber security risk more effectively.
  • BitSight score: A third-party security rating that summarizes externally observable indicators of an organization’s security posture and risk portfolio.
  • McKinsey report on digital trust: A 2023 research survey analyzing how much digital trust matters in the companies we buy from.
  • National Institute of Standards and Technology (NIST) framework: The NIST Cybersecurity Framework (CSF 2.0 was published in February 2024) helps organizations understand their cyber security risks, improve how they manage them, and strengthen their defenses to protect networks and data.
  • CMMI appraisal method: Maintained by ISACA (the professional IT governance association), CMMI is a formal appraisal method that assesses organizational processes and assigns maturity and capability levels reflecting how well those processes perform.
  • Forte Group: An advocacy and education non-profit organization where senior CISOs and CPOs can share resources, form connections, and work together to elevate the cyber security industry.

Learn more about digital resilience in our recent report

This podcast offers a deep dive into the importance of digital resilience, the role of leadership in security, and the necessity of fostering a proactive security culture. Ilona Simpson’s insights underline how digital citizenship, change management, and diversity are key drivers of innovation and security in the modern business landscape.

If you want to discover more expert insights on how to adopt a holistic human risk management approach to cyber security, read our Human Risk Review 2024.
