Digital: Disrupted: The Human Side of Cybersecurity

Rocket Software

October 27, 2023

In this week’s episode, Paul sits down with Doctor Jessica Barker to discuss the “human side” of cybersecurity and how organizations can develop a culture of cybersecurity. Jessica shares why she believes the technology and tools organizations implement for security are only as effective as the people who know how to use them.

Digital: Disrupted is a weekly podcast sponsored by Rocket Software, in which Paul Muller dives into the unique angles of digital transformation — the human side, the industry specifics, the pros and cons, and the unknown future. Paul asks tech/business experts today’s biggest questions, from “how do you go from disrupted to disruptor?” to “how does this matter to humanity?” Subscribe to gain foresight into what’s coming and insight on how to navigate it.

About This Week’s Guest:

Jessica is the Co-founder and Co-CEO of Cygenta, a cybersecurity company, and the author of Confident Cyber Security. She is a well-known keynote speaker and is currently working on her next book, Hacked: Uncovering the Strategies and Secrets Behind Cyber Attacks, set to be published in April 2024.

Listen to the full episode here or check out some highlights below.

Digital Disrupted

Paul Muller: One of the surprises I had was in the first couple of words of the first chapter [in your book], which talked about the myths, and one of the myths you described—and it's a myth I think I've perpetuated—is that cybersecurity is a people problem or a human problem. Did I get that right?

Jessica Barker: This is a big frustration of mine. It's something that is often just taken as standard when it comes to cybersecurity. People are the weakest link. It's one of the most common phrases that we hear, and for me, it's not accurate, and it's not fair, and it's also not helpful. So when I say it's not accurate, what I mean is it's not really looking at the root cause. We can easily blame people if they click a link in a phishing email, for example, without looking at it and thinking, well, the technical defenses all failed before that phishing email got through to them, but we're not saying that technology's the weakest link. We're blaming that person who is that critical layer of defense.

…I think one of the biggest problems we have in cybersecurity is our lack of understanding of people. We haven't over the years focused on the human side, so we've left people more vulnerable and then somebody working on awareness, behavior, and culture. When people are called the weakest link, when they're called the problem, that just puts them off engaging, and that's really just coming down to the fundamental psychology that has been proven true for decades. It's that self-fulfilling prophecy or the Pygmalion versus the Golem effect. Tell someone that they're stupid, and they will behave in ways that will reinforce that perception. Whereas if we build people up, if we expect more of them, if we give them the tools and the guidance that they need, then they will engage much more positively.

PM: Well, there's so much to unpack with just that one statement. I'm going to veer off a little bit. So we're going to talk about the human side of cybersecurity. Let's talk a little bit about the defenders, because I do think the other problem we face in cybersecurity, and you touched on it a little, is this notion of victim shaming and victim blaming. And when there is a breach, and there have been many in recent times, a lot of the headlines do immediately commence eviscerating the board shortly thereafter… I can imagine they must go to sleep every night dreading that they wake up to find out that something that they, through misadventure or misconfiguration, managed to be associated with a breach and thinking, well, this could be absolutely career-ending for me. I can't imagine that's a particularly psychologically safe environment, and I guess that's really why I'm raising this issue of psychological safety as well, because, at the same time, people are definitely implicated in this. They have a role to play, but particularly, I guess, I'm talking about the defenders here, the people doing that technical work: how do they go to work every day without feeling fear that something they do or don't do might result in a breach because they are so close to that technology coalface?

JB: It is a reality of cybersecurity that it's a very demanding field. We have to ensure that people are as protected as possible against burnout. I think one of the most challenging roles to be in is in incident response. So you're right, absolutely. As a defender, there is a lot of pressure, I think, on individuals and teams to make sure that the defenses are as robust as possible and that they haven't missed anything. And then if you're working in incident response, you don't know where the next incident is coming from, and you have to react very quickly, and you will be working very long days according to people I know in that role. It's a very satisfying and rewarding role because you can help the organization investigate what's happened and recover, an adrenaline-filled role but one that can also be very draining and unfortunately can be quite thankless, particularly when we reflect on your earlier point about victim blaming and victim shaming.