Many businesses still believe there is such a thing as 100% security, despite every cybersecurity expert affirming the opposite. Because companies push for and demand 100% security, the organization ultimately settles for a false sense of it so their people can function. Such a mindset is not only wrong but incredibly dangerous.

Business leaders must recognize that breaches are imminent, and a robust approach to cybersecurity involves detecting and responding quickly and effectively to incidents. Nevertheless, threat detection and response are like a boxer’s one-two punch — essential but not enough to win a fight or significantly enhance one’s cybersecurity posture.  

Train general employees no different than cyber teams 

The bad news for many businesses is that their cybersecurity teams lack personnel because of a shortage of available talent. This worsening cybersecurity talent shortage puts pressure on understaffed teams, resulting in higher burnout. However, the talent shortage, while significant, is not the main issue. The primary problem is that general employees don’t receive proper training.

While cybersecurity teams run through engaging simulations and life-like rehearsals, other employees watch videos and take quizzes. As such, companies should simulate role-relevant security situations for all of their employees. Just as medical trainers use techniques to help reduce anxiety and build confidence, the entire organization needs to be able to exercise sound judgment. However, remaining aware of cyber dangers isn’t enough; they need to know how to act and apply their knowledge in real situations. A company is only as secure as the least safety-conscious team member — therefore, everyone must understand their role in the organization’s overall security strategy.

Cybersecurity by design: Make things smooth and avoid complexity 

With the threat landscape constantly evolving, organizations must design security to be a smooth process. In other words, if security is too complicated — which it often is — it won’t work. For example, employees know not to click on suspicious links from strangers. But they don’t want to take the time to check if the link is safe — in fact, they might not know how to verify it beyond their gut feeling. As such, businesses must bring their cybersecurity employees and designers together to create a human-centered design process, often called a “cybersecurity-by-design” approach.

A cybersecurity-by-design approach sees security as a core business requirement, not some nice-to-have technical feature. Moreover, the human-centered design element puts the people (or, in this case, employees) at the heart of the process, meaning that the designers are empathic toward the intended targets’ attitudes, skills and capabilities. In the case of dubious links, the security team and designers should build a link-verification tool or solution that is easy to use and not time-consuming, something employees will see value in deploying.

Architect security from the start 

This year saw the rise of generative AI, a technology that benefits businesses and bad actors alike. For instance, hackers leverage AI to create hyper-realistic phishing campaigns and tailored social engineering traps, including malicious code and malware designed to slip past traditional defenses. Likewise, a survey of 1,000 cybersecurity experts revealed that over half thought AI tools made it ‘somewhat’ or ‘much easier’ for people to steal sensitive information using human-like chatbot outputs.

Today, many organizations follow the old security model of fencing off their business with software. This approach isn’t just wrong — it’s almost a farce in the age of generative AI. At the same time, businesses must account for existing vulnerabilities in the cloud and data alongside security challenges with large language models.

Amid the growing prevalence of generative AI, organizations need to architect security at the start to reduce potentially exploitable flaws rather than adding it as a final touch once a product is nearly ready to go to market. This idea of implementing security during the design phase of a product’s development lifecycle is a fundamental principle of cybersecurity-by-design.

Companies should also design their systems with security in mind to make them more defensible. Unfortunately, business leaders often rush technology adoption, forgoing a security officer until later. By not creating self-defenses during development or design, businesses can end up in security debt, which is incredibly costly despite not showing up on one’s profit and loss statement.

It all comes back to strong leadership 

While everyone shares responsibility for ensuring cybersecurity across the enterprise, leaders carry a much heavier burden. The strongest leaders understand this reality and will strive to get the entire organization to do as they do and commit to the best cybersecurity practices, beginning with thinking defensively. Businesses could have the best cybersecurity solutions and software at their disposal. However, if there is no motivation from the top, organizations shouldn’t expect any real behavioral change at the employee level.