Why Every Organization Needs a People-Centric Security Strategy

Exploring the disconnect between cyber security spending and effective protection


Ryan Kalember

Organizations like yours are investing in more security tools than ever, but attackers continue to outpace technology. Global spending on cyber security products and services will top $1 trillion by 2021, according to Cybersecurity Ventures.

But why the disconnect between cyber security spending and effective protection? Consider the typical security budget: the majority of current spend is to defend against the minority of the attacks.

The battle has changed. Defense spending has not. It’s time for a fundamental re-think.


Traditional cyber security models were built for an earlier era — when the prevailing security model was to lock down the perimeter and deal with threats after they got through. The approach barely worked then; it’s hopelessly broken now.

That’s because your people, not your infrastructure, are what attackers target — and they are now your biggest risk. This change in the threat landscape requires a fresh mindset and a new strategy, one that focuses on protecting people rather than the perimeter.


There are two simple reasons perimeter defenses aren’t working. With more of what matters moving to the cloud, there’s less and less of a perimeter to defend. Work takes place on devices organizations don’t support, on infrastructure they don’t manage, and in channels they don’t own. As Gartner puts it, the IT department “simply does not control the bounds of an organization’s information and technology in the way it used to.”

And as organizations have shifted to the cloud, so have attackers. Cloud infrastructure may be highly secure, but the people who use it are often vulnerable. That’s why today’s attacks exploit human nature rather than technical vulnerabilities.


More than 99% of today’s cyber attacks are human activated. These attacks rely on a person at the other end to open a weaponized document, click on an unsafe link, type their credentials, or even carry out the attacker’s commands directly (such as wiring money or sending sensitive files).

Credential phishing — which tricks users into entering their account credentials into a fake login form — is one of the most dangerous examples. In the cloud era, those credentials are the keys to everything: email, sensitive data, private appointments, and trusted relationships. In the third quarter of 2018, for example, corporate credential-phishing attempts quadrupled versus the year-ago quarter. And email fraud rose 77% over the same timeframe.

So how can organizations protect themselves? Start with people.


Just as people are unique, so is their value to cyber attackers and risk to employers. They have distinct digital habits and weak spots. They’re targeted by attackers in diverse ways and with varying intensity. And they have unique professional contacts and privileged access to data on the network and in the cloud. Together, these factors make up a user’s overall risk in what we call the VAP (vulnerability, attacks, and privilege) index.


To assess vulnerability, you need to think about your users’ digital behavior — how they work and what they click. Some employees may work remotely or access company email through their personal devices. They may use cloud-based file storage and install third-party add-ons to their cloud apps. Or they may be especially receptive to attackers’ email phishing tactics.


Not all cyber attacks are created equal. While each one is potentially harmful, some are more dangerous, targeted, or sophisticated than others.

Rich threat intelligence and timely insight are the keys to quantifying this aspect of user risk. The factors that should weigh most heavily in each user’s assessment include:

  • The cyber criminal’s sophistication
  • The spread and focus of attacks
  • The attack type
  • Overall attack volume


Privilege measures all the potentially valuable things people have access to, such as data, financial authority, key relationships, and more. Measuring this aspect of risk is crucial because it reflects the potential payoff for attackers — and the harm to organizations if compromised.

Users with access to critical systems or proprietary intellectual property, for instance, might need extra protection, even if they aren’t especially vulnerable or aren’t yet on attackers’ radar.

The user’s position in the org chart is naturally a factor in scoring privilege. But it’s not the only factor — and often not even the most important one. For attackers, a valuable target can be anyone who serves as a means to their end.


Protecting against all the factors that play into user risk requires a multipronged approach. In the VAP model, that means:

  • Reducing users’ vulnerability
  • Stopping the threats that target them
  • Applying adaptive controls to highly privileged or attacked users to better protect them
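As an added illustration of how the three VAP dimensions and the three responses above fit together, the following Python sketch scores constructed user profiles and maps each score to one of the three responses. The weights, thresholds and combining formula are assumptions made for this example; they are not Proofpoint’s scoring and the profiles are constructed, not real data.

```python
from dataclasses import dataclass

# Weights for the four attack factors named in the article (constructed for this example).
ATTACK_WEIGHTS = {"sophistication": 0.35, "focus": 0.30, "type": 0.20, "volume": 0.15}


@dataclass
class UserProfile:
    name: str
    uses_personal_devices: bool   # works remotely / reads company mail on own devices
    third_party_addons: int       # add-ons installed into cloud apps
    phish_click_rate: float       # share of simulated phishing mails clicked, 0..1
    attacks: dict                 # observed attack factors, each 0..1
    critical_system_access: bool
    financial_authority: bool     # can approve wires or pay invoices
    sensitive_contacts: int       # trusted relationships an attacker could abuse


def vulnerability_score(u: UserProfile) -> float:
    s = 0.5 * u.phish_click_rate
    s += 0.2 if u.uses_personal_devices else 0.0
    s += min(0.3, 0.1 * u.third_party_addons)
    return min(1.0, s)


def attack_score(u: UserProfile) -> float:
    return sum(w * u.attacks.get(k, 0.0) for k, w in ATTACK_WEIGHTS.items())


def privilege_score(u: UserProfile) -> float:
    s = 0.4 if u.critical_system_access else 0.0
    s += 0.4 if u.financial_authority else 0.0
    s += min(0.2, 0.05 * u.sensitive_contacts)
    return min(1.0, s)


def vap_index(u: UserProfile) -> float:
    # Assumed weighted sum; any of the three dimensions alone can raise the index.
    return 0.3 * vulnerability_score(u) + 0.35 * attack_score(u) + 0.35 * privilege_score(u)


def recommended_controls(u: UserProfile, threshold: float = 0.5) -> list:
    actions = []
    if vulnerability_score(u) >= threshold:
        actions.append("reduce_vulnerability")   # training, restrict risky add-ons
    if attack_score(u) >= threshold:
        actions.append("stop_threats")           # stricter filtering for this mailbox
    # Adaptive controls apply to highly privileged OR highly attacked users,
    # even when the user is not especially vulnerable.
    if privilege_score(u) >= threshold or attack_score(u) >= threshold:
        actions.append("adaptive_controls")      # step-up MFA, tighter DLP, payment checks
    return actions


# Constructed profiles: a heavily targeted clerk with payment authority, and an
# engineer holding proprietary IP who is not (yet) on attackers' radar.
FINANCE = UserProfile("finance clerk", True, 2, 0.4,
                      {"sophistication": 0.8, "focus": 1.0, "type": 0.5, "volume": 0.2},
                      False, True, 6)
ENGINEER = UserProfile("firmware engineer", False, 0, 0.0, {}, True, False, 4)
```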

To listen to an on-demand webinar session and learn more about how to use the VAP model to protect people across email, the web, cloud apps, social media, and more, click here.