The Psychological Perimeter: Human Risk, AI, and Cyber Resilience
Perimeters used to be simple.
In the latest episode of The Professional CISO Show, host David Malicoat sits down with Kathryn Brett Goldman, CEO & Founder of Cybermaniacs, for a candid, high-energy conversation that challenges one of cybersecurity’s most stubborn myths: that “humans are the weakest link.”
Instead, Kate makes the case that the future of cyber resilience depends on understanding the Human Operating System — and building security programs that treat people as adaptable, upgradable assets, not liabilities.
“If you think your people are your weakest link, you’ll design everything around control and blame. If you see them as your strongest defense, you design for empowerment, culture, and resilience.”
Early in the episode (02:10 – Meet Kate Goldman and Cybermaniacs), Kate introduces Cybermaniacs’ core mission: helping organizations move beyond checkbox awareness into true human risk management.
At 03:45 – The misunderstanding of human risk, she breaks down how many security programs still treat people as one-dimensional risks to be controlled. This mindset, she argues, is fundamentally outdated in a world where:
Digital behavior is deeply tied to culture, incentives, and norms
“Non-compliance” is often a signal of broken processes, not “bad users”
Resilience requires continuous learning, not once-a-year mandatory training
Human risk, in this framing, isn’t a side project. It’s a core operational discipline that belongs at the center of modern cybersecurity strategy.
For more reading and thought leadership on Human Risk and Human Resilience, check out our blog posts The Human Risk Management Blueprint: Turning Strategy into Action and What We’ve Learned: Human Risk Management in Action.
At 05:20 – Defining the Human Operating System, Kate introduces the idea of a Human Operating System (HumanOS™) — the blend of psychology, behavior, emotions, habits, norms, and culture that drives how people actually behave in digital environments.
Key ideas from this segment include:
Understanding the “stack” of human behavior
Roles, stress, incentives, social dynamics, and cognitive load all influence whether a person clicks, reports, ignores, or bypasses security controls.
“Patching” human vulnerabilities
At 10:00 – Assessments and baseline human risk, Kate explores why organizations must first measure human risk before they can meaningfully change it — via baselines, diagnostics, and continuous feedback loops.
Designing interventions, not just courses
Instead of one-off modules, Kate advocates for nudges, micro-learning, reflection points, and cultural levers that align everyday work with safer choices.
For more reading and insight, check out What is Human OS and Why Humans Are the New Endpoints, and Patch the Human OS: A Roadmap for Programmatic Behavior Change. To see how we patch the HumanOS through our Cyber Learning Experience, you can request a demo.
One of the most powerful moments comes at 13:00 – Humans aren’t the weakest link.
Kate argues that the “weakest link” framing:
Devalues employees, eroding trust and engagement
Encourages fear-based and punitive approaches to training
Ignores the reality that humans are also the last line of defense when technical controls fail
She proposes a different lens:
Humans are adaptive, creative, and contextual. With the right support, culture, and design, they become your most powerful security asset.
This shift in language isn’t just cosmetic. It changes how CISOs design controls, communicate risk, and partner with business leaders.
See: The Weakest Link? Maybe It’s Your Security Strategy, Not Your People.
At 16:00 – CISOs and culture as a security lever and 20:00 – Learning organizational culture, Kate and David dive into the messy, real-world side of culture:
Why some teams quietly bypass controls just to get work done
How local norms and leadership behavior often override policy
Why culture work is not “soft stuff” — it’s a hard performance and risk driver
For CISOs, this means:
Treating culture as a strategic control surface
Partnering with HR, leadership, and operations to shape norms and expectations
Measuring not just who “completed training,” but how attitudes, behaviors, and trust are shifting over time
What is Security Culture? Why It’s the Most Overlooked Asset in Cybersecurity
Security Culture Is a System, Not a Vibe
Culture Has a Topology. Are You Mapping It?
From 21:30 – AI’s impact on human risk and workforce roles onward, the conversation shifts to one of the most urgent topics in security today: AI and the human-technology relationship.
Kate and David explore:
21:30 – AI’s impact on human risk and workforce roles
How AI reshapes roles, decision-making, and cognitive load — and why this increases the need for digital literacy and ethical awareness.
26:00 – Velocity of AI and top-down pressure
Leaders are under intense pressure to “adopt AI fast,” often without fully understanding the risk surface this creates at the human level.
30:00 – The future of workforce resilience
Resilient organizations don’t just deploy tools — they equip people to adapt, question, escalate, and learn inside rapidly changing digital environments.
33:00 – Learning to learn in the age of AI
Kate closes this theme by emphasizing meta-learning: helping people become better at learning itself so they can keep pace with AI-driven change.
In short: the next generation of security isn’t just about resilient systems — it’s about resilient people.
Mapping Culture for Resilience: How to Spot Hidden Signals Before They Break
Securing the Loop: How to Train Oversight Humans for AI-Era Security
Here’s a quick guide if you want to jump to specific parts of the episode:
00:00 – Show Intro & U.S. Tour Update
02:10 – Meet Kate Goldman and Cybermaniacs
03:45 – The misunderstanding of human risk
05:20 – Defining the Human Operating System
10:00 – Assessments and baseline human risk
12:00 – Sponsor: MagicMirror Security Ad Spot
13:00 – Humans aren’t the weakest link
16:00 – CISOs and culture as a security lever
20:00 – Learning organizational culture
21:30 – AI’s impact on human risk and workforce roles
26:00 – Velocity of AI and top-down pressure
30:00 – The future of workforce resilience
33:00 – Learning to learn in the age of AI
38:00 – Closing thoughts & 10 Questions with Kate Goldman
This episode is a must-watch for:
CISOs & security leaders rethinking their human risk strategy
Risk, compliance, and HR leaders who want culture and security to work together
Executives and board members looking for a clearer way to talk about human risk, AI, and resilience
Kate’s message is clear:
The organizations that will thrive in the next decade are those that treat human risk not as a side problem to “train away,” but as a strategic discipline that blends psychology, culture, technology, and AI-aware leadership.
If you’re ready to move beyond checkbox awareness and build human-centered, culture-aligned resilience, we’d love to talk.
👉 Get in touch with Cybermaniacs to explore how we help organizations:
Baseline and measure human risk
Design culture-forward learning and engagement
Build resilient people in an AI-accelerated world