Vivek Jassal, Author

Many organizations and leaders believe that cybersecurity is merely a matter of bits and bytes, and therefore that cyber risks can be resolved solely through tools and technology. If you believe that, I’d like to change your mind—even as artificial intelligence (AI), the greatest technological advancement since the internet, continues to grow and dominate our attention.

Throughout my career, I have dedicated myself to prioritizing and working with people. Whether in the armed forces, or through leading diverse teams across the globe, or as a consultant helping clients solve complex challenges, I have always put people first.

Why?

Because I understand that in an increasingly technology-focused world, technology and information systems are only as effective as the people who use them. The decisions and actions of individuals shape the outcomes of these systems. This isn’t going to change, and it’s why fostering collaboration and empowering individuals can ensure that technology serves to enhance human potential rather than overshadow it—especially as AI continues to grow and dominate our attention.

It was therefore encouraging to me that 80 per cent of respondents to KPMG’s most recent Canadian CEO Outlook survey agreed that building a cybersecurity-focused culture is central to successful integration of AI across the enterprise.

The fact is, people are at the core of cybersecurity. Yes, people also pose risks—phishing remains the top attack vector for cybercriminals, with 68 per cent of cyber breaches involving a “non-malicious human element” [1], meaning someone in the organization fell for the phishing attack and clicked a link they shouldn’t have. But that is also why right-sized and relevant cybersecurity training and support for individuals can be a game changer. This approach enables organizations not only to survive cyberattacks but to thrive in spite of them.

AI: Culture shock absorber

I acknowledge the dystopian concern that AI could take our cybersecurity jobs and functions. But let's flip that script. What if AI could not only help us do our jobs better, but also boost our cybersecurity culture and mitigate the risk to us and our organizations?

Maybe I’m getting ahead of myself. You might be asking, What exactly is “cybersecurity culture”? Generally speaking, it’s the values, attitudes and beliefs that drive employee behaviours to protect and defend the organization from cyberattacks [2]. In other words, it’s good old “culture” wearing a cybersecurity uniform.

Building and maintaining a strong cybersecurity culture can be challenging. From resistance to change and managing human risk factors to being geographically distributed (now the norm irrespective of organization and industry) and the complexities of interconnected systems, cultural behaviours and norms cannot simply be willed into being. They can, however, be articulated, communicated, modelled and reinforced.

As it happens, AI can support all of this in the following ways:

  • Shaping secure behaviours
  • Quantifying human risk
  • Improving visibility and efficiency
  • Enhancing threat detection and reporting
  • Facilitating change management
  • Addressing human errors
  • Supporting leadership in decision-making.

Advancements like these can not only bolster an organization's defences against cyber threats but also foster a culture of security awareness and resilience among employees.

Foretasting menu

During a security culture course in London last year, I was both surprised and encouraged by how many people in the room had titles like ‘Cybersecurity Culture Director’ or ‘Security Awareness Lead’ or ‘Human Risk Manager’—positive proof that some of the world’s leading organizations are putting people at the centre of their tools, technology and processes.

It was also a reminder of Peter Drucker’s famous dictum, that “culture eats strategy for breakfast.” The question therefore is: How do we know what our cybersecurity culture even is? And how do we assess it?

Believe it or not, there are frameworks and methodologies that can do this. The most useful ones naturally require regular “pulse checks” and don’t really work in a once-and-done fashion. They, too, can be augmented by AI.

How? Here are some practical steps:

  1. Promote transparency around AI. Clearly explain how and where we can use AI in our day-to-day tasks to make our lives easier, while also explaining AI’s limitations and why the ‘human in the loop’ is essential. This will build trust and encourage adoption.
  2. Invest in AI-driven training. Implement gamified or interactive learning platforms powered by AI to engage employees in cybersecurity education. Start small with a credible platform. Augment what you already have—don’t throw away something useful and effective just because a tool seems new and shiny.
  3. Support decision-making with AI insights. Leverage AI to provide actionable insights for leadership, helping to align cybersecurity with broader business goals. AI can use our existing datasets to help make risk-informed decisions.

KPMG’s “A new age of cybersecurity culture” offers a bit more in the way of detail on this, identifying seven considerations to transform your cybersecurity culture. To effectively leverage AI in enhancing cybersecurity culture, organizations should:

  1. Outline their aspirations
  2. Secure leadership support
  3. Explore and experiment with AI use cases
  4. Prioritize implementation
  5. Collect and measure relevant data
  6. Be mindful of new risks
  7. Prioritize the employee change journey.

That last one is especially relevant to me, whose enduring captivation with the human experience is not at any kind of risk—cyber or otherwise.

Want to talk more about it? I’m always happy to engage in conversation on anything and everything related to cybersecurity culture. Whether it’s training, awareness, risk management, you name it. Drop me a line.

1. Verizon Business. “2024 Data Breach Investigations Report.” Accessed January 20, 2025.
2. Huang, Keman and Pearlson, Keri. “For What Technology Can’t Fix: Building a Model of Organizational Cybersecurity Culture.” MIT Sloan School of Management. January, 2019. Accessed January 20, 2025.
