The Human Factor: The Greatest Challenge in Organizational Cybersecurity

By Dan Ricci

Despite significant investments in technical controls, frameworks, and compliance efforts such as NIST SP 800-171 Rev 3, NIST SP 800-53 Rev 5, and NERC CIP standards, many organizations still struggle with implementing effective cybersecurity programs. The root of this challenge is not just technology or documentation — it's human behavior.  

This article outlines why the human element remains the most significant challenge for Chief Information Security Officers (CISOs) and Senior Information Security Officers (SISOs). It provides strategic guidance for overcoming internal resistance, particularly at the leadership level.

Beyond the Checklist 

Cybersecurity programs are often perceived as a combination of systems, software, and policies. However, organizations that reduce cybersecurity to technical compliance miss the broader challenge: people. As someone who has led the cybersecurity program of a medium-sized defense manufacturer, from drafting security plans to achieving facility clearance, I found that resistance from within, not threats from outside, posed the most consistent risk to our security posture. 

 

Case Study: Resistance from Within 

While leading the effort to align our systems with NIST SP 800-171, and later managing our Facility Security accreditation, we encountered friction not from a lack of clarity in the controls but from personnel unaccustomed to structured compliance.  

 

Even with training programs and documented procedures, employees, including executive leadership, resisted new requirements. Questions like "Why do we have to do this now?" or "Where exactly is this required in black and white?", or “Is there an easier way to comply with the requirement” became common. 

 

This resistance underscores the truth that every CISO eventually learns that change management is a cybersecurity function. 

 

Why the Human Factor is the Greatest Risk 

  1. Convenience Over Compliance 

    • People naturally avoid extra steps, even if they reduce risk. 

  2. Perception of Inconvenience 

    • Security is often viewed as a hindrance to productivity. 

  3. Executive Exemptions 

    • When leadership resists controls, it signals to the organization that cybersecurity is optional. 

  4. Cultural Misalignment 

    • A lack of a security-first mindset weakens even the strongest technical defenses and gradually creates inconsistent security processes and procedures. 

 

Strategic Guidance for CISOs and SISOs 

1. Start at the Top: Executive Buy-In is Non-Negotiable 

  • Incorporate cybersecurity into strategic planning by establishing a Security Committee that includes Executive Leadership, Directors, and Senior Managers. 

  • Present risks in business terms: reputational damage, contractual breaches, and financial loss. 

2. Tie Policies to Authoritative Standards 

  • Use language directly from NIST SP 800-171 Rev 3, 800-53 Rev 5, and NERC CIP requirements. 

  • Provide a referenceable Policy Justification Template (see next section). 

3. Normalize Accountability 

  • No one should be above policy — including leadership. 

  • Include cybersecurity responsibilities in performance reviews. 

4. Foster a Participatory Security Culture 

  • Solicit feedback from departments to co-develop usable controls. 

  • Host awareness campaigns that are engaging, not punitive. 

5. Measure and Report Behavior 

  • Use KPIs such as training completion rates, policy adherence, and incident reduction. 

  • Share dashboards with executives regularly.

 

Policy Justification Template 

Policy Requirement Control Source Justification
Multi-Factor Authentication (MFA) for privileged access NIST SP 800-171 Rev 3 (3.5.3);
SP 800-53 Rev 5 (IA-2);
NERC CIP-007-6 R5		 Protects against credential theft and unauthorized access. Required for compliance with DFARS 252.204-7012 and NERC.
Logging and Audit Controls NIST SP 800-171 Rev 3 (3.3.1 - 3.3.8);
SP 800-53 Rev 5 (AU family);
NERC CIP-007-6 R4		 Enables detection of suspicious activity and forensic analysis.
Role-Based Access Control (RBAC) NIST SP 800-171 Rev 3 (3.1.2);
SP 800-53 Rev 5 (AC-2, AC-3);
NERC CIP-003-8 R5		 Limits data exposure and enforces least privilege.
Annual Security Awareness Training NIST SP 800-171 Rev 3 (3.2.1);
SP 800-53 Rev 5 (AT-2);
NERC CIP-004-6 R2		 Ensures all personnel understand their security responsibilities.
System Security Plan (SSP) Maintenance NIST SP 800-171 Rev 3 (3.12.4);
SP 800-53 Rev 5 (PL-2);
NERC CIP-003-8 R1		 Documents the implementation status of all controls; required for audits and assessments.
 

Changing the Narrative 

To truly advance cybersecurity maturity, organizations must recognize that policy adoption is not just a technical or administrative challenge — it's a cultural transformation. CISOs and SISOs must act as both defenders and diplomats, striking a balance between regulatory enforcement and organizational empathy. By aligning security policies with clear standards, reinforcing accountability at all levels, and integrating security into the operational culture, cybersecurity can transition from resistance to resilience. 

Featured Posts

Featured
The Human Factor: The Greatest Challenge in Organizational Cybersecurity
The Human Factor: The Greatest Challenge in Organizational Cybersecurity

Despite significant investments in technical controls, frameworks, and compliance efforts such as NIST SP 800-171 Rev 3, NIST SP 800-53 Rev 5, and NERC CIP standards, many organizations still struggle with implementing effective cybersecurity programs. The root of this challenge is not just technology or documentation — it's human behavior.

Read More →
The Pillars of an Effective Incident Response Plan
The Pillars of an Effective Incident Response Plan

A strong Incident Response Plan (IRP) is more than just a document—it’s a foundation built on key elements like asset inventory, network diagrams, logging, communication strategies, backups, and clear roles. In this blog, Dan Ricci, Senior Cybersecurity Consultant at Ampyx Cyber, breaks down the critical components every IRP needs to be resilient and effective in the face of cyber incidents.

Read More →
Testimony Before the U.S.-China Economic and Security Review Commission: Protecting U.S. Energy Infrastructure from Strategic Risks
Testimony Before the U.S.-China Economic and Security Review Commission: Protecting U.S. Energy Infrastructure from Strategic Risks

On April 24, 2025, Patrick Miller testified before the U.S.-China Economic and Security Review Commission on the growing cybersecurity and supply chain risks facing U.S. energy infrastructure. My testimony focused on how Chinese state-aligned actors are embedding themselves within critical systems and why securing our grid is essential to preserving America's economic leadership, technological advancement, and national security.

Read More →
Chinese-made technology in U.S. critical infrastructure: an interview with Patrick Miller
Chinese-made technology in U.S. critical infrastructure: an interview with Patrick Miller

Patrick C. Miller of Ampyx Cyber testifies in front of the Senate U.S. - China Economic and Security Review Commission on Thursday, April 24 about the threat of Chinese-made technologies in U.S. critical infrastructure, including power systems and telecom. Here is a short interview with Patrick Miller about his testimony.

Read More →
Four Years In: What NERC’s Cyber Security Incident Reporting Data Tells Us (and What It Doesn’t)
Four Years In: What NERC’s Cyber Security Incident Reporting Data Tells Us (and What It Doesn’t)

In the world of Bulk Electric System (BES) cybersecurity, signals of risk don’t always arrive with alarms blaring or malware lighting up dashboards. Sometimes, the signs are quieter—brute force login failures, odd port scans, or a sudden spike in account lockouts. The annual CIP-008-6 report, filed March 21, 2025 by NERC, shines a small but telling light on just such signals.

Read More →
Patrick Miller