Securing the Human Element: Our Journey from Reactive to Human-Centered Cybersecurity

Episode No: 81

In a recent episode of our ScaleToZero podcast, we hosted Mauricio Duarte, a cybersecurity practitioner whose work on security awareness and incident management combines technical depth with a grounded understanding of human behavior. That combination makes him a strong voice on bridging the gap between traditional security practice and the human element.

Our conversation was about building a genuinely secure culture: moving beyond the outdated notion that "people are the weakest link" to a human-centered approach. We covered his career path, his strategy of integrating security awareness with incident response, and his perspective on fostering a resilient, proactive security posture within an organization. Here we share the lessons and actionable insights we took from that discussion.

An Unconventional Path into the Heart of Cybersecurity

Mauricio’s entry into cybersecurity was anything but conventional. Unlike many who follow a direct academic or professional pipeline, he found his calling relatively recently, about five years ago, after a foundational career in IT. The pivotal moment, he told us, was a historical event: the 2007 distributed denial-of-service (DDoS) attacks against Estonian government, banking and media websites.

Those attacks, which took government, bank and news websites offline across the country, ignited a deep interest in cybersecurity. For him it wasn't just the technical challenge; it was the impact on a nation and its citizens.

That experience led him to pursue a master's degree in cybersecurity in Estonia itself, studying digital defense in a country that had lived through such an attack and gained a real-world context for his studies. After graduating he joined Pipedrive as a Security Operations Center (SOC) analyst, a role that gave him hands-on exposure to daily threat detection and incident handling.

What set his journey apart was his subsequent move into an unusual dual role: Security Awareness Program Manager and Incident Manager. That combination, as we would soon discover, was not just a career move but a strategic advantage that shaped his whole approach to cybersecurity. His path underscores a lesson we see often: impactful security professionals come from diverse backgrounds and bring fresh perspectives to hard problems.

The Dual Role: Security Awareness Meets Incident Management

One of the most compelling aspects of our conversation with Mauricio revolved around his dual responsibilities. This integrated approach, we learned, offered a distinct and powerful advantage that is often missing in traditional cybersecurity structures.

As a Security Awareness Program Manager, Mauricio’s primary objective was to cultivate secure behaviors across the organization. This meant actively mitigating what he terms "human risks" – the vulnerabilities that arise from human actions, or inactions, within a digital environment. His work involved:

  • Content Creation: Developing relevant, engaging, and digestible content designed to educate employees on various security topics. This wasn't about dry, compliance-driven training, but about making security relatable and actionable.
  • Program Management: Strategizing and executing comprehensive awareness campaigns that resonated with diverse teams and roles within the company.
  • Behavioral Nudging: Understanding the psychology behind human decision-making to gently guide employees towards more secure practices.

Simultaneously, Mauricio operated as an Incident Manager, a role that required him to be on rotation, ready to pivot at a moment's notice. When a severe security incident occurred, his security awareness duties would be temporarily set aside, and he would plunge into the high-stakes world of incident response. This meant:

  • Rapid Response: Leading or participating in the immediate containment, eradication, and recovery efforts during critical security breaches.
  • Forensic Analysis: Investigating the root cause of incidents, understanding attack vectors, and identifying vulnerabilities exploited by adversaries.
  • Post-Incident Review: Participating in post-mortems to analyze what went wrong, what worked well, and what lessons could be learned.

The value of this dual role, as Mauricio explained, lies in the direct, real-time feedback loop it creates. Security awareness professionals often work at one remove from real attacks, relying on generic threat intelligence or industry best practice. Mauricio had firsthand insight into the incidents that actually hit his organization. This direct exposure meant that:

  • Lessons from the Trenches: He could immediately identify the specific human behaviors or lack of awareness that contributed to a breach or near-miss.
  • Actionable Insights for Awareness: These real-life scenarios weren't just abstract concepts; they were concrete examples that could be woven directly into the security awareness program. For instance, if a phishing attempt led to a compromise, he could then design targeted training modules using elements from that very incident (anonymized, of course) to educate employees on what to look out for, how to report suspicious activity, and the potential consequences of falling victim.
  • Increased Relevance and Impact: This direct integration made the awareness program far more practical, relevant, and impactful. Employees weren't just learning theoretical concepts; they were learning from their organization's own experiences, making the lessons more memorable and actionable. This continuous cycle of learning from incidents and feeding that knowledge back into awareness training is, in our view, a paradigm shift for effective human-centered security. It transforms awareness from a compliance checkbox into a dynamic, evolving defense mechanism.

Challenges and the Crucial Mindset Shift: From "Weakest Link" to "Attack Vector"

Mauricio’s journey as a security awareness program manager was not without its hurdles, and his candid insights into these challenges were particularly enlightening. He emphasized that the role is far more complex than simply delivering training; it involves navigating organizational dynamics and fostering a fundamental mindset shift.

One of the primary challenges he faced, common in many organizations, was resource constraints. Security awareness often competes with other critical security initiatives for budget, personnel, and time. This necessitates a keen ability to prioritize efforts, focusing on the most impactful areas that yield the greatest return on investment in terms of risk reduction.

Equally challenging was securing buy-in from various stakeholders. Effective security awareness isn't confined to the security department; it requires collaboration with:

  • Internal Communications: To ensure messages are clear, consistent, and delivered through appropriate channels.
  • Human Resources (HR): For policy integration, employee onboarding, and addressing behavioral issues.
  • Department Heads: To gain support for training initiatives and ensure that security messages are reinforced within specific teams.

However, perhaps the most profound challenge Mauricio discussed was the need for a fundamental mindset shift within the cybersecurity industry itself. He passionately argued for moving away from the outdated and often counterproductive mantra that "people are the weakest link." This phrase, while seemingly highlighting a vulnerability, often leads to a blame-centric culture that alienates employees and hinders genuine security adoption.

Instead, Mauricio advocated for a more empowering and accurate perspective: "People are the attack vector." This subtle but crucial rephrasing shifts the focus from blaming individuals for security failures to understanding how adversaries leverage human interactions and behaviors to achieve their objectives. It acknowledges that:

  • Humans are Targets: Phishing, social engineering, and other human-centric attacks are designed to exploit natural human tendencies, not necessarily a lack of intelligence or malicious intent.
  • Enabling, Not Blaming: The goal of a security program should be to enable people to behave securely, providing them with the tools, knowledge, and support to defend themselves and the organization. It's about building resilience, not just pointing out flaws.
  • Shared Responsibility: By framing people as an "attack vector," it becomes clear that protecting this vector is a shared responsibility, requiring collaboration between the security team and every employee.

Implementing this mindset shift can be a significant hurdle, not only for the broader organization but often within the security team itself, where traditional views may be deeply entrenched. Overcoming this requires consistent communication, empathy, and a focus on positive reinforcement rather than punitive measures. It's about building a culture of trust where employees feel empowered to report suspicious activity without fear of reprisal.

Navigating a Dynamic Landscape: The Continuous Evolution of Awareness

Maintaining a continuous and effective security awareness program in today's rapidly evolving threat landscape presents its own set of unique challenges. Mauricio highlighted that security awareness is not a one-time training event but an ongoing, dynamic process that must constantly adapt to new technologies and emerging threats.

One vivid example he shared was the sudden emergence and widespread adoption of Generative AI tools like ChatGPT. When ChatGPT burst onto the scene, his team faced an immediate and critical need to:

  • Rapidly Assess Risks: Understand the potential security implications of employees using such powerful AI tools, including data leakage, intellectual property exposure, and the introduction of malicious code.
  • Develop Timely Guidance: Quickly create and disseminate clear, concise, and actionable training on how to use these tools securely, outlining acceptable use policies and best practices.
  • Proactive Education: Ensure employees are educated before they gain widespread access to these tools, rather than reacting to incidents after they occur.

This scenario perfectly illustrates the need for flexibility and adaptability in security awareness. The program cannot be static; it must be agile enough to respond to technological disruptions and evolving threat landscapes. This requires a proactive stance, continuous monitoring of industry trends, and the ability to quickly translate complex technical concepts into understandable guidance for the entire workforce.

Another significant challenge Mauricio touched upon is the inherent nature of changing human behavior, which takes time and patience. Unlike configuring a new security alert that might show an immediate impact in terms of detected threats, the results of security awareness programs are often not instantly quantifiable. Behavioral change is a gradual process that requires:

  • Consistent Reinforcement: Regular, varied, and engaging communication to embed secure habits.
  • Long-Term Commitment: Understanding that a single training session won't fundamentally alter ingrained behaviors.
  • Patience and Persistence: The security team must be prepared for a marathon, not a sprint, in seeing the fruits of their awareness efforts.

This long-term perspective is crucial for success. It means celebrating small wins, continuously refining strategies based on feedback, and maintaining a steadfast commitment to the program, even when immediate ROI isn't apparent. The dynamic nature of threats demands a dynamic and patient approach to human security.

The Right Way to Phish: Education Over Punishment

When our conversation turned to phishing simulations, Mauricio’s perspective was particularly insightful and, again, deeply human-centered. He firmly believes that these simulations, while a powerful tool, must be approached with transparency and an educational mindset, rather than as a means to punish or shame employees.

He stressed that phishing simulations should not be a "gotcha" exercise. The traditional approach, where employees who click on a simulated phishing link are publicly shamed, subjected to punitive measures, or forced into remedial training, is, in his view, counterproductive. This approach:

  • Fosters Fear and Mistrust: Employees become fearful of reporting mistakes or suspicious emails, leading them to hide potential incidents rather than seeking help.
  • Creates a Defensive Culture: It makes employees defensive and resistant to participating in future simulations or engaging with the security team.
  • Undermines Security Goals: If employees are unwilling to engage with security initiatives, the overall security posture of the organization is weakened.

Instead, Mauricio advocated for a transparent and educational approach to phishing simulations. This means:

  • Clear Communication: Informing employees beforehand that phishing simulations are a regular part of the security program and are designed to help them, not to catch them out.
  • Focus on Learning: When an employee clicks a simulated link, the immediate follow-up should be educational. This could involve a brief, informative message explaining what happened, why it was a risk, and how to identify similar threats in the future.
  • Positive Reinforcement: Acknowledging and praising employees who correctly identify and report simulated phishing emails. This reinforces desired behaviors.
  • Building Awareness: The primary goal is to inform people that they are constant targets of such attacks and to equip them with the skills to recognize and report them. It's about building a collective defense mechanism.

By treating phishing simulations as a learning opportunity rather than a disciplinary tool, organizations can foster a culture where employees feel empowered to report suspicious activity without fear of reprisal. That open reporting channel is vital for early detection of real threats, so the metric that matters is the report rate (and how quickly reports arrive), not the click rate alone: a campaign in which several people click but one person reports within minutes still gives the security team the lead it needs to block the real thing. It transforms phishing simulations from a dreaded test into an ongoing training exercise that genuinely improves organizational resilience.

Making Security Simple and Relevant: The Human-Centered Imperative

Perhaps the most impactful segment of our discussion with Mauricio centered on his philosophy of making security simple and relevant. He argued that simply providing more information, while well-intentioned, often falls short in bridging the critical gap between knowledge and action. This is a core principle derived from behavioral science: knowing what to do doesn't automatically translate into doing it, especially if the secure action introduces friction or feels irrelevant to one's daily tasks.

Mauricio eloquently articulated the concept of "friction" in security. He cited a compelling example: the Bank of England, after a data leak, reportedly considered removing email autocomplete for certain recipients. While the logical intent was to prevent misdirected emails, Mauricio pointed out that this approach, though technically sound, introduces significant friction into a common workflow. Such measures can make the security department seem like the "department of no," hindering productivity and fostering resentment rather than cooperation.

His core message here was clear: the simpler the secure change, the easier it is for people to adopt. Security solutions should be designed with the user experience in mind, minimizing disruption to workflows while maximizing protection. This involves:

  • User-Centric Design: Building security processes and tools that are intuitive and integrate seamlessly into existing workflows.
  • Automation: Automating security tasks wherever possible to reduce the burden on individual employees.
  • Clear, Concise Guidance: Providing instructions that are easy to understand and follow, avoiding technical jargon.

Beyond simplicity, Mauricio emphasized the critical importance of making security relevant to individuals at three distinct, yet interconnected, levels:

Personal Relevance

This is about demonstrating how security practices learned at work directly benefit an individual's personal life.

  • Transferable Skills: If an employee learns to spot a sophisticated phishing email at work, they gain a valuable skill that protects their personal email, bank accounts, and online identity.
  • Real-World Impact: Understanding the risks of password reuse, public Wi-Fi, or suspicious links at work translates into safer personal online habits.
  • Empowerment: When individuals see how security knowledge empowers them to protect themselves and their families, they become more invested in learning and applying these principles. This personal connection fosters a deeper sense of ownership over security.

Team Relevance

Security is not an individual sport; it's a collective effort. Mauricio highlighted how individual secure actions contribute to the safety of the entire team.

  • Collective Defense: Reporting a suspicious email, for instance, doesn't just protect the individual; it allows the security team to analyze the threat, block it across the organization, and potentially alert other team members who might receive similar attacks.
  • Mutual Protection: When everyone on a team practices good security hygiene, the entire team's attack surface is reduced, making it harder for adversaries to gain a foothold.
  • Shared Responsibility: This level emphasizes that "we are all in this together," fostering a sense of shared responsibility and mutual support in maintaining security.
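The "collective defense" point above describes a workflow in which one employee's report protects everyone else. The script below is an added example of that workflow, not code from the podcast or from Pipedrive: it takes one reported message, extracts indicators from it (sender domain and the hosts of any URLs in the body), sweeps a mail gateway log for other deliveries that share a strong indicator, builds the blocklist to push to the gateway and proxy, and lists the other recipients who should be warned. The log format, the domain names and every message are constructed for illustration. Subject-line matches are treated as a weak signal only, so a legitimate internal reminder that happens to use the same wording is not swept up.

```python
"""Sweep a mail log for look-alikes of one reported phishing email.

Added example for this write-up; it is not code from Pipedrive or from the
podcast. The mail gateway log format, the domain names and every message
below are constructed for illustration.
"""
import email
import email.utils
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed: the raw message one employee reported to the security team.
REPORTED_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
To: alice@example.com
Subject: Action required: password expires today
Content-Type: text/plain

Your password expires in 2 hours. Sign in at
https://examp1e-corp.com/sso/login?user=alice to keep access.
"""

# Constructed: one record per message the mail gateway delivered that day.
MAIL_LOG = [
    {"id": "m1", "sender": "helpdesk@examp1e-corp.com", "recipient": "alice@example.com",
     "subject": "Action required: password expires today",
     "urls": ["https://examp1e-corp.com/sso/login?user=alice"]},
    {"id": "m2", "sender": "helpdesk@examp1e-corp.com", "recipient": "bob@example.com",
     "subject": "Action required: password expires today",
     "urls": ["https://examp1e-corp.com/sso/login?user=bob"]},
    # Same attacker domain, different lure: caught by the domain indicator.
    {"id": "m3", "sender": "notify@examp1e-corp.com", "recipient": "carol@example.com",
     "subject": "Re: invoice 4471", "urls": ["https://examp1e-corp.com/docs/4471"]},
    # Legitimate internal reminder with the same subject line: must NOT match.
    {"id": "m4", "sender": "helpdesk@example.com", "recipient": "dave@example.com",
     "subject": "Action required: password expires today",
     "urls": ["https://sso.example.com/login"]},
    {"id": "m5", "sender": "news@vendor.test", "recipient": "erin@example.com",
     "subject": "Monthly newsletter", "urls": ["https://vendor.test/news"]},
]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def hosts_of(urls) -> set:
    """Return the set of lower-cased hostnames found in a list of URLs."""
    return {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}


def extract_indicators(raw_email: str) -> dict:
    """Pull sender, sender domain, subject and URL hosts out of a reported message."""
    msg = email.message_from_string(raw_email)
    sender = email.utils.parseaddr(msg["From"])[1].lower()
    body = msg.get_payload()  # single-part text message in this example
    return {
        "sender": sender,
        "sender_domain": domain_of(sender),
        "subject": (msg["Subject"] or "").strip().lower(),
        "url_hosts": hosts_of(URL_RE.findall(body)),
    }


def sweep(mail_log, ind: dict):
    """Find delivered messages that share a strong indicator with the report.

    Sender domain and URL host are strong indicators. Subject alone is not:
    legitimate mail reuses the same wording, so it only adds confidence once
    a strong indicator has already matched.
    """
    matches = []
    for rec in mail_log:
        reasons = []
        if domain_of(rec["sender"]) == ind["sender_domain"]:
            reasons.append("sender domain")
        if hosts_of(rec["urls"]) & ind["url_hosts"]:
            reasons.append("url host")
        if not reasons:
            continue
        if rec["subject"].strip().lower() == ind["subject"]:
            reasons.append("subject")
        matches.append((rec, reasons))
    return matches


def blocklist(ind: dict) -> dict:
    """Indicators to push to the mail gateway and the web proxy."""
    return {"sender_domains": {ind["sender_domain"]}, "url_hosts": set(ind["url_hosts"])}


def recipients_to_alert(matches, reporter: str):
    """Everyone else who received a matching message, so they can be warned."""
    return sorted({rec["recipient"] for rec, _ in matches} - {reporter.lower()})


if __name__ == "__main__":
    ind = extract_indicators(REPORTED_EMAIL)
    found = sweep(MAIL_LOG, ind)
    for rec, reasons in found:
        print(f"{rec['id']}: {rec['recipient']} <- {rec['sender']} ({', '.join(reasons)})")
    print("block:", blocklist(ind))
    print("alert:", recipients_to_alert(found, "alice@example.com"))
```

Run as-is and the sweep flags m1, m2 and m3 (the invoice lure from the same look-alike domain) while leaving the genuine helpdesk reminder m4 alone, then names Bob and Carol as the colleagues to warn. In a real deployment the same indicators would also seed a retrospective search of the proxy logs for anyone who already clicked.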

Organizational Mission Relevance

This is perhaps the most powerful level of relevance, as it connects security directly to the core objectives and success of the entire organization. Mauricio shared a brilliant anecdote from his time at Pipedrive, illustrating this point perfectly.

  • Connecting Security to Business Goals: He explained how he linked security training directly to the company’s ISO 27001 certification. For many employees, ISO 27001 might seem like an abstract compliance standard. However, Mauricio helped them understand that this certification was not just a bureaucratic hurdle; it was a crucial requirement for Pipedrive to secure new customers and maintain trust with existing ones.
  • Customer Trust and Market Access: He articulated that customers, especially larger enterprises, often demand ISO 27001 certification as a prerequisite for doing business. Without it, Pipedrive would lose out on significant market opportunities.
  • Fostering Ownership: By demonstrating this direct link between security training (e.g., how to handle data, report incidents) and the company's ability to acquire and retain customers, employees realized that their secure behaviors were not just about "following rules." They were directly contributing to the company's growth, revenue, and overall mission. This connection fostered a profound sense of ownership and responsibility for security that extended far beyond the security team. It made security a tangible part of everyone's job.

By making security simple, reducing friction, and demonstrating its relevance at personal, team, and organizational levels, organizations can move beyond mere compliance. They can cultivate a deeply ingrained security culture where secure behaviors become second nature, driven by understanding, empowerment, and a shared commitment to the company's success.

Our Final Takeaway: The Human-Centered Imperative

Our extensive conversation with Mauricio Duarte was a powerful reminder that in the complex world of cybersecurity, the human element remains paramount. His journey, his dual role, and his philosophical approach all converge on a singular, critical insight: cybersecurity is fundamentally a human-centered practice.

We learned that true security resilience isn't achieved by merely implementing the latest technologies or writing the most stringent policies. It's about understanding the people within our organizations – their motivations, their workflows, their challenges, and their potential. By embracing a human-centered approach, we can:

  • Understand Our Audience: Tailoring security messages and training to resonate with diverse roles and levels of technical understanding.
  • Make Security Simple: Designing processes and tools that minimize friction and integrate seamlessly into daily tasks, transforming security from a burden into an enabler.
  • Connect Security to Life and Mission: Demonstrating how secure behaviors protect individuals personally, strengthen teams collectively, and directly contribute to the overarching success and mission of the organization.

Mauricio's insights challenge us to move beyond the reactive, blame-centric models of the past. Instead, he inspires us to build a proactive, empathetic, and empowering security culture where every individual is an active participant in defense. By doing so, we can transform our organizations from simply reacting to threats into resilient entities that are inherently secure, driven by a collective commitment to protecting our digital future. This journey, as Mauricio showed us, is not just about technology; it's about people.
