
Cybersecurity: People are the focus

  • June 10, 2024


A robust cybersecurity strategy depends not only on the technology, but more importantly on the people who work with it. In my experience, the role of people is often underestimated, even though they are crucial to the success of security measures. By putting people at the heart of your cybersecurity strategy, you significantly increase the chances of success.

Humans as the first line of defense

Within organizations, employees are the first line of defense against security problems. However, these same employees can also unknowingly create security risks. How often do we see a secure network become vulnerable through a single ill-considered action, such as charging a smartphone with an outdated operating system via a computer’s USB port? Phishing links that employees accidentally click on can also cause major problems.

This highlights the importance of awareness within organizations. Employees need to be continually made aware of the dangers and threats, but this needs to be done in an educational and positive way. It is counterproductive to scare people or threaten them with dismissal for mistakes. Not only employees, but especially management needs education. They often decide on cybersecurity budgets, but sometimes have insufficient knowledge about the importance of security. Regulations such as NIS, NIS2 and DORA help management understand their responsibilities, what risks exist and what consequences poor cybersecurity can have.

NIS2: Expectations and enforcement

With the introduction of NIS2, I am curious to see how these regulations will be enforced. Which organisations will be the first to run into problems and how will European authorities respond? Will they get big fines straight away or will they get a warning first? Once enforcement starts, the willingness to invest in cybersecurity will likely increase. To date, we have seen that the realisation has not yet fully sunk in with senior management. However, they can be held personally accountable.


All sectors are a target

Cybercriminals do not distinguish between the public and private sectors; the threats are the same for both governments and commercial companies. The line between public and private is often blurred, as governments also work with private companies and subcontractors. Effective collaboration requires insight into partners’ security strategies, their patching strategies, and the training of their employees. Fundamentally, little has changed in 20 to 30 years: computers still communicate with each other, but everything has become faster and more complex, increasing the likelihood of problems.

There are differences between the public and private sectors in the area of human resources. Governments often have more difficulty retaining employees due to lower salaries. Nevertheless, working in the public sector can be attractive because of the long-term vision and unique projects that are not possible in the private sector. At Tanium, for example, we work a lot with the Dutch government, which I consider to be progressive in the area of cybersecurity. Appointing a central government Chief Information Security Officer obliges different agencies to work together better, which increases efficiency. Other countries can certainly follow this example.

Change processes: People are the focus

Getting different departments to work together can be difficult. Many IT and security organizations have grown organically, meaning each service has its own culture around cybersecurity. Some services refuse to collaborate or adopt best practices developed elsewhere. Individual departments or separate government services should not view each other as competitors, but should engage in awareness-raising and change management. Threatening sanctions doesn’t work; it’s more effective to entice people with positive incentives. For example, a colleague of mine once painted a baseball bat as a carrot to emphasize the principle of positive motivation.

Ultimately, it’s about people. They are the ones who must drive change. Organizations must continue to focus on the human aspect and continuous education. Technology solutions like Tanium’s Converged Endpoint Management solutions and our recently announced Autonomous Endpoint Management are important, but people are at the heart of it all. A successful cybersecurity strategy is not possible without the commitment and awareness of employees and management.

This is a post by Wytze Rijkmans, Regional Vice President of Tanium.

Source: IT Daily
