Why 82% of Breaches Involve Human Risk Factors (And What That Means for Security Culture)
It’s Not Just Tech—It’s Human.
Team CM
Apr 5, 2025 4:00:00 AM
We Need to Build Bridges, Not Walls
In cybersecurity circles, you often hear: "Leadership doesn’t take security seriously."
But maybe the better question is: Have we made it easy for them to?
Digital risk has evolved beyond technical systems and compliance checklists. It now shapes every part of how we deliver value, manage trust, and protect our future.
And yet, many CISOs and security teams are still struggling to bring leadership on the journey. We may have the data. We may have the technical credibility. But if we can’t communicate the connection between cyber risk and business risk in the language of leadership, we’re leaving influence on the table.
Why the Disconnect? Some Data to Consider
Research from ISACA and PwC continues to show that CISOs often have strong technical capabilities but struggle with perceived business acumen. A 2022 PwC report noted that fewer than 30% of executives believe their cybersecurity leaders deeply understand the business.
That matters. Because if the business doesn’t understand the risk, and security doesn’t understand the business, you have a broken conversation about risk tolerance, strategy, and investment.
And that means: shared culture doesn’t exist.
If We Want the Business to Own the Risk, We Need to Translate It
Security teams often talk about attack surfaces, threat actors, controls, and compliance. Boards talk about growth, market differentiation, and shareholder value.
You’re not speaking two different languages. You’re having two different conversations.
To move forward:
Frame digital risk in terms of business continuity, regulatory exposure, customer trust, and innovation velocity
Align human risk narratives to operational KPIs and culture
Understand your company’s business model, strategy, and risk tolerance—and reflect that in your reporting
Digital risk is business risk. But it’s your job to make that unmistakably clear.
The Real Barrier: Time, Not Will
Many human risk managers, awareness leaders, and program owners want to do this strategic work. But they’re buried in the tactical trenches. Their weeks are packed with creating or chasing content, tweaking phishing templates, writing internal comms, designing yet another newsletter, juggling stakeholder approvals, configuring simulations, sorting out segmentation, cleaning up data, formatting reports, and trying to make sense of half-baked dashboards from five different systems. Add in the ad hoc requests from compliance or IT, the last-minute "just one more course" requests, and the emotional labor of trying to keep people engaged with content that’s often inherited, outdated, or misaligned—and you’ve got a recipe for burnout, not breakthrough.
This operational gravity pulls you further and further from the strategic table. You're the program owner, yet you’re left managing a patchwork of tools instead of building the business case for transformation. And it’s not your fault. The system isn’t set up to give you the time, resources, or backing to do the big-picture work. But without carving out space for it—without reclaiming your time and reframing your role—you’ll always be seen as a deliverer, not a driver. You can’t expect leadership to prioritize your program if you’re never able to show up as a strategic partner.
Rethink Your Role. Rebuild Your Strategy.
The evolving role of a Human Risk Management (HRM) leader is no longer limited to awareness campaigns and compliance reminders—it’s strategic, consultative, and deeply embedded in the business. You are uniquely positioned within the organization to understand both the human element of digital risk and the operational realities your business faces. Only you can bridge that gap—working with stakeholders to align on strategy, building trusted relationships, and helping shape a shared understanding of what risk really means in your organization. This is where real influence lives. This is where trust is built.
But here’s the challenge: the strategic part of your job—relationship-building, translating insights, communicating vision—is also the part most HRM professionals feel least equipped or empowered to focus on. Why? Because they’re buried in the tactical. To lead at the highest level, you have to rethink your delivery model, reclaim your time, and elevate your voice. That kind of shift doesn’t happen overnight. But it starts with one choice: to lead like your role matters—because it does.
Managed Services Can Help You Shift the Model
We work with organizations every day to shift the human risk function from reactive to strategic. That means:
Running assessments and delivering insights that resonate with leaders
Managing content, training, campaigns, and reporting from top to bottom
Providing a platform that enables automation, measurement, and clarity
This frees your internal team to do what only you can do: build relationships, influence decision-makers, and turn risk conversations into culture-shaping moments.
Final Thought: Leadership Doesn’t Ignore Risk. They Just Haven’t Heard It in Their Language Yet.
It’s our job to bring the message in a way leadership understands—to paint the picture, tell the right story, and frame the data so it aligns with the business priorities they’re tasked to manage. Digital risk, AI risk, and cyber risk are no longer technical challenges alone—they’re strategic issues that shape growth, resilience, and trust. If we want a seat at the strategy table, we need to show up speaking the language of strategy.
Rather than blaming leadership for not prioritizing what they don’t yet fully grasp, we need to reframe our role: as translators, advocates, and facilitators. It’s on us to communicate risk in ways that resonate, to build shared understanding, and to drive action that’s informed and aligned. Let’s stop saying leadership doesn’t get it—and help them get it instead. That’s our job. And we’re here to help you do it.