The idea that cybersecurity is a people problem is so often repeated that it has become a truism for the sector.

A casual search of “Cybersecurity people problem” returns 341 million results and, unsurprisingly, a wide range of answers to the question: ‘Which people are the problem?’ Bosses, cybersecurity teams, users, employees, hackers: if a party exists to whom blame could be apportioned, it’s been done.

But the ‘who’ and ‘why’ of the “people problem” is misunderstood. And even when the weak human link is correctly identified, the factors driving peoples’ vulnerability are often much more complex and nuanced than they’re made out to be.

We know this because we studied some of the key groups of people involved in cybersecurity posture and protection, to understand how they were resourced to deal with the threat landscape, and to what extent that resourcing reduced risk or resulted in more well-rounded security protections.

Hiring More Cybersecurity Professionals

The obvious way many organisations seek to boost their defences to deal with increasingly sophisticated cybersecurity threats is by increasing headcount. A third of team leaders according to Fastly’s annual global security research report felt that security issues in the last 12 months were directly attributable to the talent shortage. As a result, 48% of businesses increased their spend on new talent over the last year, and over a third (36%) of businesses we surveyed say that high-quality recruitment continues to top their investment wishlists in the coming year.

Where it gets interesting, however, is that only 36% feel their new hires possess the necessary skills to protect the business. Meanwhile, nearly half of cybersecurity professionals surveyed are worried about the ability of their existing talent pool to deal with threats arising from emerging technologies. This may come as a surprise to organisations that view their “people problem” as a resource shortfall; increasing headcount may not result in the linear improvement in internal capability they think, and the “people problem” is likely to persist in some form, despite a large team size and staff cost.

A key personnel challenge is that the skills cybersecurity teams require have to flex to match the developing threat landscape. That landscape is broad and requires specialist knowledge across a growing number of subdomains in order to remain effective. Our research shows that the most common attacks are ransomware, experienced by 29% of businesses, followed by DDoS (28%), attacks related to open source software (25%), social engineering (22%) and API/web application-related attacks (20%).

As varied as these threats are, they really only scratch the surface of a broad and ever-changing array of methods criminals can tailor to their targets. Certain sectors are more susceptible to particular types of cyber attacks, for example media and entertainment companies are more likely to be targeted for social engineering attacks. In addition, threat actors often utilise multiple tactics, techniques and procedures (TTPs) in order to execute and/or escalate an attack.

The range and specialisation of skills required by inhouse teams, and the rapidly evolving nature of those skills, means that adding headcount by itself isn’t enough. People problems may persist, even with the presence of more people.

An emerging response to this challenge is utilising Generative AI (GenAI) to augment the skills of – and counteract the strain on – security teams. Nearly half (43%) of security professionals recognise this and expect a productivity boost as the technology is more widely adopted.

One area where cybersecurity professionals expect generative AI to have a big impact is in training and development, with generative AI’s content development potential coming to the rescue of security professionals tasked with writing training programmes.

In addition, more than one-third of security professionals predict that generative AI will allow them to train their colleagues more effectively in cybersecurity basics. This development will offer them significant support when it comes to fostering security-first mindsets throughout organisations. Small wonder that 42% of security professionals believe that, deployed correctly, AI is likely to be an effective tool when it comes to protecting their businesses.

Employee Awareness

Raising awareness is often viewed as the end goal for the employee base. That might help regular workers to understand their role in preventing cyber attacks, but is insufficient to eliminate them as a key component of cybersecurity’s ‘people problem’. In addition to awareness, staff need to be trained to use any and all cybersecurity tools and controls at their disposal.

Instilling a Secure by Design mindset with all staff is also important. This mindset involves designing security into the core of any project right from the outset. Addressing and preparing for security hazards when designing a product or system shifts the need for human action further away from the stack, which means that security success does not need to rely on human perfection to succeed.

There are two ways to embrace a Secure by Design approach. The first is through solutions that eliminate hazards and the second is via solutions that reduce hazards. Eliminating hazards is all about ensuring solutions don’t rely on human behaviour to be safe.

Security teams don’t need to spend wildly to combat the growing danger from cyber attacks.  However, by adopting an enterprise security architecture, prioritising cross-organisational security and accessibility, embracing Secure by Design and using generative AI for training, companies can implement security resilience through the entire organisation.