According to Shahee Mirza, CISSP, the daily routine for many Chief Information Security Officers (CISOs) and their teams revolves around the usual suspects: patching systems, setting up firewalls and keeping an eye on threat feeds. However, he argues that some of the biggest threats aren’t malicious code or compromised hardware at all, but people, processes and subtle misalignments that live outside of technology.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
Let’s start with employee behavior. Most staff aren’t trying to sabotage anything, they are just trying to do their jobs under varying degrees of pressure. Imagine a finance team trying to hit a tight deadline; the company VPN is lagging, so they toss some sensitive files into a personal cloud drive just to get things done. Or imagine the remote employee reusing a password because juggling dozens of them is, frankly, exhausting. These aren’t acts of rebellion, but compromises made in the name of productivity.
An Unfortunate Occurrence
For example: in June 2024, Evolve Bank & Trust (a U.S. financial institution) was hit by a ransomware attack from the LockBit gang. The breach exposed data tied to fintech partners like Wise and Affirm, yet it didn’t begin with some advanced exploit. Reports point to a simple, human mistake: an employee clicked on a phishing link.
Such examples are a wake-up call for CISOs; a reminder that security must integrate with how people work. I find that tools like single sign-on and seamless authentication can reduce friction. By doing so, they actually make the secure path the easiest one to take. Our employees aren’t liabilities; they’re our frontline. We should equip them accordingly.
Then there’s compliance. Too many organizations treat frameworks like SOC 2 or GDPR as if they’re invincible shields. My view is that regulatory and standards compliance is a starting point, not a finish line: it’s built for general standards, not for our unique risks.
Take the Evolve Bank breach again. Despite all the regulations in place, attackers still got in, possibly due to gaps in oversight or employee training. Sophos’s 2024 ransomware report backs this assumption up: over 30% of attacks stem from unpatched systems or human error, areas compliance doesn’t always catch. The lesson I’ve learned? Ask the hard questions, of myself and of my employees. What’s specific to my organization? Where are my blind spots? Tailored risk assessments reveal what checklists can’t.
Let’s Talk About Incentives
My experience is that if security feels like a burden, people will push back. Maybe your IT team resists a new tool because it adds more manual work? Or maybe employees stay quiet about suspicious emails because they're afraid of getting blamed, or because it slows down their performance metrics?
In one healthcare organization I worked at, I saw nurses hesitate or neglect to report phishing attempts because that meant delays in patient care, which impacted their evaluations. On the other hand, I’ve worked in a logistics company where the CISO flipped the script and rewarded teams for reporting phishing attempts. Detection rates jumped 40% in just six months. What did I learn? To design incentives that reward secure behavior. When people see security as a win, not a hassle, they act accordingly.
These three “invisible” factors – behavior, compliance assumptions and misaligned incentives – may not grab headlines like a nation-state attack, but they can do just as much damage. The Evolve Bank incident wasn’t just a technical slip-up, but a chain reaction of missteps. IBM’s 2024 Cost of a Data Breach report found that human error plays a role in 74% of breaches. That’s a statistic CISOs can’t ignore.
Approaching the Challenge
So, what should your playbook be? I start by mapping out my business processes, not just the technology. I look for places where people take shortcuts – not because they’re lazy, but because the system they’re using is cumbersome. Then, I challenge assumptions and run tabletop exercises across departments. My guess is that you’ll quickly spot where the disconnects are, such as the manager who sees security as “IT’s job” and nothing more.
Protecting infrastructure is only one aspect of cybersecurity. It also involves understanding individuals, coordinating incentives and realizing that compliance is merely a guide, not a guarantee. Ignoring these human factors can be expensive, both in terms of money and trust, as the examples above show.
As CISOs, we need to close that gap. Having the best tools isn’t enough; we all need to adopt strategies based on how real people work. Consider my suggestions above: they may help you detect hidden risks and make secure decisions easier, as well as help you cultivate a culture in which cybersecurity isn’t just a checkbox but a way of life. In today’s environment, smart leadership is vital to survival.
Shahee Mirza has over 18 years of experience in cybersecurity, digital healthcare, e-commerce and critical infrastructure. He has held business, technical and leadership roles with responsibility for offensive security, red teaming and cyber risk management. His work spans leading advanced cyber operations, mentoring, and driving community-based cybersecurity awareness and resilience.