Ignorance is not bliss: A human-centered whole-of-enterprise approach to cybersecurity preparedness

Abstract

The overwhelming nature of the cybersecurity challenge, further exacerbated by continuously growing attack surfaces and artificial intelligence-enabled attacks, often drives organizations into a state of learned helplessness when employees and their leaders realize that no amount of preparedness can guarantee immunity from cyber-attacks. This sense of inevitability demotivates organizational leadership from prioritizing cybersecurity readiness. Embracing the ‘ignorance is bliss’ mindset, very often, the message from the top is to do the bare minimum to achieve cybersecurity regulatory compliance. However, the consequences of not being willing to face the challenge head-on and going above and beyond the compliance checklist can be severe. In this paper, we shed light on a whole-of-enterprise approach that focuses on engaging and optimally utilizing the competencies of individual organizational members. This human factors-focused approach is based on the fundamental premise that cybersecurity readiness is everybody’s business, and organizations must find ways of galvanizing organization-wide support and commitment. Insights gained from in-depth interviews with business leaders and subject-matter experts reveal five characteristics of a human-centered whole-of-enterprise approach to cybersecurity preparedness: (1) Enlightened and engaged leadership; (2) Capitalizing on people’s best intentions and creativity; (3) Looking inwards before looking outwards; (4) Getting ownership, responsibility, and accountability right; and (5) Measuring the right thing, incentivizing the right behavior.