Ignorance is not bliss: A human-centered whole-of-enterprise approach to cybersecurity preparedness

The overwhelming nature of the cybersecurity challenge—exacerbated by continuously growing attack surfaces and artificial intelligence (AI)-enabled attacks—often drives organizations into a state of learned helplessness when employees and their leaders realize that no amount of preparedness can guarantee immunity against cyberattacks. This sense of inevitability demotivates organizational leadership from prioritizing cybersecurity readiness. The top often embraces the ignorance-is-bliss mindset, encouraging employees to do the bare minimum to achieve cybersecurity regulatory compliance. However, the consequences of not facing the challenge head-on, nor going above and beyond the compliance checklist, can be severe. In this article, we shed light on a whole-of-enterprise approach that focuses on engaging and optimally utilizing the competencies of individual organizational members. This human-factors-focused approach is based on the fundamental premise that cybersecurity readiness is everybody's business, so organizations must find ways to galvanize organization-wide support and commitment. Insights gained from in-depth interviews with business leaders and subject-matter experts revealed five characteristics of a human-centered whole-of-enterprise approach to cybersecurity preparedness: (1) enlightened and engaged leadership; (2) capitalizing on best intentions and creativity; (3) looking inward before looking outward; (4) getting ownership, responsibility, and accountability right; and (5) measuring the right thing and incentivizing the right behavior.