Managing people-risks: Why CISOs need to move beyond compliance?

Organizations need to look at compliance as a part and not the whole of their enterprise cybersecurity

Soma Tah

Maintaining good physical and mental health takes a lot of effort: eating right, exercising regularly, meditating, and the list goes on. An unhealthy lifestyle, on the other hand, is a lot more convenient. Unfortunately, most of us choose convenience over health in our cyber lives as well. According to IBM Security X-Force, preferences for convenience outweighed security and privacy concerns, leading to poor choices around passwords and other cybersecurity behaviors. This was leveraged, especially during the pandemic, and poor personal security habits led to costly security incidents for companies. In fact, compromised user credentials represented one of the top sources of cyberattacks in 2020, costing ~$4.37 million.


Industries such as BFSI and healthcare, among others, depend heavily on compliance and policies to determine their people-related cyber risks. For example, the compliance guidelines of the Reserve Bank of India recognize the role people play in cybersecurity. They emphasize:

- Top Management and Board having a fair degree of awareness of the fine nuances of the threats
- Proactive User / Employee / Management Awareness
- Customer Education and Awareness via various activities

While these guidelines direct enterprise cybersecurity toward securing the human aspect, is depending on compliance alone enough in an era of accelerating digital transformation? Can compliance requirements be interpreted more dynamically to better handle cyber risks stemming from employees?

Move your cybersecurity beyond compliance

Today, executives in India assume that their organization will never get attacked. At the same time, they assume that even if their organization is compromised, there is nothing they can do to stop it. Digital transformation is accelerating faster than ever, and cybercrime is not far behind. Organizations need to look at compliance as a part, and not the whole, of their enterprise cybersecurity. To meet mandated compliance requirements, organizations plan activities to improve cyber awareness, such as periodic cybersecurity sessions and phishing simulations. However, a Sophos study (2021) revealed that ~80% of Indian organizations struggle to provide adequate cybersecurity education to their leaders and employees.

These activities are point-in-time and operate in silos. For instance, assessing an individual's cyber awareness after classroom-based training might not disclose anything out of the ordinary, but correlating that data with their logging and monitoring information might reveal valuable signals for preventing an active insider threat. Unfortunately, most cybersecurity audits verify but do not correlate results from dynamic factors such as User and Entity Behavior Analytics (UEBA), logging and monitoring, incident management, network security management, and more.

What is stopping organizations from adopting an ML-based risk quantification platform that correlates the aforementioned factors and integrates siloed data into a single metric? Such a platform gives a CISO clear visibility into how likely each employee is to be breached as a result of:

1. The employee's cybersecurity awareness
2. The status of the employee in the company: whether they are due for promotion, the type of customer data they are privy to, past employment history
3. Cybersecurity services deployed: UEBA, PIM/PAM, logging and monitoring, etc.
4. Policies: data backup, password reset, biometrics, etc., and
5. The company's adherence to cybersecurity compliance requirements

The output a CISO receives from this integrated data lake is the breach likelihood of every employee, representing the real-time threat they pose to the organization. Employees are able to visualize their individual impact on the enterprise's larger goal of reducing the possibility of being breached through trusted insiders. The output also sheds light on the total dollar risk an organization carries from its employees. Each employee represents a specific dollar-value asset to the enterprise, and their cyber awareness quotient plays a key role in calculating that value. As awareness improves, an employee's individual breach likelihood reduces. This has the added advantage of showing employees their individual financial impact on the enterprise's cybersecurity strategy. As individuals come to be seen as part of the wider cybersecurity strategy, cybersecurity becomes a shared responsibility.


Take the case of an insider threat at General Electric. GE was losing several tenders to a new competitor founded by one of its former employees. Two employees were able to download gigabytes of trade secrets from GE servers, and one of them even persuaded a system administrator to grant him access to privileged data. None of this triggered any alarm bells, because every cybersecurity service was working in a silo, not integrated with employee-level cybersecurity data.

The modern business should adapt its compliance strategy to its digital-first presence. It should stop practicing people-cybersecurity in a siloed, point-in-time manner and instead shift to a dynamic assessment of each employee's breach likelihood. As Gary Cohn, then-President of IBM, said: "If you don't invest in risk management, it doesn't matter what business you're in, it's a risky business."

The article is authored by Rahul Tyagi, Co-founder, Safe Security
