Amanda Coleman
11/14/2025
The Human Factor in Cybersecurity
BLUF: This write-up details how one would balance technological updates with staff training as a CISO.
Cybersecurity constantly faces new challenges and rapid technological change. As a Chief Information Security Officer, maintaining the confidentiality, integrity, and availability of sensitive data and operational capability requires a layered, proactive strategy. This starts with balancing security needs against the allocated funding. My strategy would include the following:
Funding Justification
CISOs can lobby for additional funding for the cybersecurity program by proving its value to the business. For instance, “$1.571 billion was lost in cyber-attacks against US critical infrastructure organizations, including commercial facilities, financial services, and IT” (FBI Internet Crime Report 2024). The most common complaints were phishing, extortion, and personal data breaches. I would present leadership with an enterprise risk management plan that states how exposure would affect operations, profits, supply chains, research, and other departments, and how adequate cybersecurity can mitigate those risks.
Key Asset Updates
To maximize the use of limited funds, the key assets and high-priority systems must first be brought up to an industry-standard protective posture. Other data-processing hardware and software will be outfitted with updated anti-virus, role-based access, and affordable continuous monitoring. Operational equipment that cannot be replaced will be restricted to internal networks to prevent outside access.
Training
After the technological updates, the remaining funds will be spent on a company-wide cybersecurity training initiative. Employee negligence caused more losses in 2024 cyberattacks than any other form. “In 2024, companies lost over $2 billion to business email compromise, compared to over $12 million in ransomware and over $364 million in data breaches” (FBI Internet Crime Report 2024). A well-trained staff is instrumental in managing risk. I would update policies to include bi-annual cybersecurity training with an emphasis on phishing, cyber-smart signage in all departments, multi-factor authentication, strong password regulations, and categorized role-based access. Users will be prompted to change their passwords every 60 days. To enforce these measures effectively, I will liaise with the HR, Operations, and IT departments.
Conclusion
A balance between technological updates and training can be achieved by prioritizing the most important assets and providing the most effective training methods in a cost-saving manner. In many cases, posters and literature about phishing and strong passwords are cheaper than computerized training modules and are easier to remember. By teaching the importance of cybersecurity at all levels, it becomes a team effort that can reduce the risks of exposure and losses to the organization.
References
Internet Crime Complaint Center (IC3). (2024). FBI Internet Crime Report 2024. US Department of Justice. IC3.gov/AnnualReport/Reports/2024_IC3Report.pdf