Your Security Strategy is Missing the Most Important Piece—People

Awareness Isn’t Strategy, and People Aren’t a Footnote

You might read the headline and roll your eyes. “Of course we think about people—we have a security awareness program.”

But here’s the question: Is that program a core part of your security strategy—or just a checkbox in your compliance calendar?

If it’s the latter, you’re not alone. And that’s a problem we'd like to highlight here.

In the race for resilience—especially in an AI-accelerated world where risks and rewards both scale faster than ever—the gap between strategy and reality is growing wider by the day.

The figures are dated but still hold: according to a 2023 SANS Institute report, most organizations allocate less than 5% of their cybersecurity budgets to training, awareness, or human-centric initiatives. Even fewer invest in deeper capabilities such as behavioral risk analysis or culture transformation. Yet studies from Gartner and IBM have shown that organizations with mature human risk management practices significantly outperform on metrics like mean time to respond (MTTR) and breach recovery time, thanks to better communication, faster reporting, and higher engagement.

Bottom line? Maturity matters—and "good enough" doesn’t cut it in a world where attackers are using AI to scale social engineering at speed.

Security Awareness Isn’t the Finish Line. It’s the Participation Trophy.

Most companies run annual training. Some throw in phishing simulations. Fewer still provide tailored, role-specific content.

And yet, in the face of AI-generated phishing, deepfakes, behavioral manipulation, insider threat amplification, and complex socio-technical attacks, this baseline approach is wildly underpowered.

We’re not saying stop training. We’re saying: don’t confuse minimal effort with maximum impact.

 
What Is a Security Strategy? And Where Do People Fit In?

A true information security strategy integrates:

  • Risk assessment and prioritization

  • Capability mapping

  • Technology and tooling

  • Incident response and recovery

  • Governance and compliance

  • Culture and communication

  • Workforce development

Sound familiar? It should. These are the pillars of modern cybersecurity.

But how much of your actual spend, roadmap, or talent plan goes toward human risk management?

 
Budget Follows Belief: And Right Now, Belief is Lagging

Global cybersecurity spending exceeds $200 billion annually. Only a tiny fraction of that goes toward understanding human behavior, improving risk culture, or building resilience beyond awareness.

 

Compare that to what your organization invests in:

  • Security awareness (basic)

  • Training (often compliance-focused)

  • Actual human capability development, culture transformation, or psychological risk insight (rare)

We judge a tree by its fruit. And the fruit of today’s human-centered security programs is still underdeveloped.

 
What Metrics Reach Your Board? And What Metrics Should?

Boards and executive teams are asking better questions about cyber. But most still hear about:

  • Phishing simulation click rates

  • Training completion stats

  • Compliance audit readiness

Useful? Yes. Strategic? Not really.

What if you could present:

  • Cultural engagement heatmaps

  • Departmental risk clusters

  • Human vulnerability indexes by role

  • Leading indicators of disengagement or exposure risk

That’s what a modern human risk management program enables.

(And if you're looking to start this conversation, check out our blog: The Weakest Link? Maybe It’s Your Security Strategy, Not Your People)

 
What Should a Human Risk Strategy Include?

A real human risk strategy is not plug-and-play. It must:

  • Fit the contours of your workforce, business model, and operating environments

  • Account for internal capabilities and external threats

  • Measure not just what people know, but how they behave, what they believe, and how they respond under pressure

  • Include a roadmap to maturity, from measurement to transformation

This isn’t soft stuff. It’s strategic, measurable, and tied directly to your organizational resilience and readiness.

Understanding risk starts with understanding people
 
Final Thought: You Can’t Defend What You Don’t Understand

AI will change everything—including how fast risks move, how humans are targeted, and how data loss prevention must adapt. But without a strong understanding of your human layer, your cybersecurity foundation is incomplete.

A modern security strategy doesn’t just protect code, infrastructure, and assets. It protects people.

We help organizations build that strategy—with tools to measure human factors, assess culture, align teams, and elevate security leadership.

Your people aren’t a checkbox. They’re the core of your defense.
