People are pivotal to resilience

by Mark Rowe

Cybersecurity is a people problem dressed up in technology, says Dan Jones, Senior Security Advisor at the cyber firm Tanium.

The conversation around cybersecurity is often dominated by technology and the ever-pressing need to keep pace with the latest threats. But having spent years working in the sector, I’m also firmly of the belief that cybersecurity is a “people problem” rather than something that can be solved simply by adding more tools.

And I’m not alone. It’s a theme that emerged in a recent report published by Tanium and Chief Disruptor, which gathered insights from 23 senior IT and security leaders across multiple sectors, including contributions from the NHS, Spotify and Virgin Media O2.

What appeared in the report – The Interconnection between People, Process and Technology – was a view that without the right people, working in the right way and with the right leadership creating the right culture, even the best technology will fail to deliver.

After all, technology alone doesn’t create resilience. People do. They set priorities, design processes, challenge assumptions and – here’s the important bit – they build the culture that enables transformation.

Take the automotive sector, for example. One contributor described how automation has helped reduce a manual task from three weeks to just three days. That kind of impact requires people who understand the process, know what to automate and are empowered to challenge the status quo.

Thumbing through this report, I was particularly taken by the interview with Stuart Seymour, Group CISO and CSO, Group Security, at Virgin Media O2. He said something that really struck a chord with me. He explained that if he had an unlimited budget, he would invest in people over process and technology every time. He said he would also prefer to prioritise training after hiring, and only then focus on processes and technology.

“Smart, well-trained individuals will write processes, analyse lessons learned, procure the right technology, run the technology, and improve and tune the technology,” he said. “The great mistake in our industry is thinking that a tool will be the silver bullet. It’s not. It’s the combination of all three.”

Compliance alone is no substitute for security

And he’s not the only one who sees it that way. Duncan Hayes, Head of Cyber Defence at Hargreaves Lansdown, is equally clear about the limits of relying on tooling alone. His team uses a threat-informed defence model that actively tests whether controls work, rather than assuming compliance equates to protection. “Compliance alone isn’t security,” he said. “Did you know that all of the top 10 ransomware attacks in the UK last year happened to companies that were ISO27001 compliant?”

His approach hinges on the idea that technology is only as effective as the people who operate it and the environment in which they work. “The best security tools mean nothing without skilled, well-supported professionals to operate them,” he said. That means making sure people have the right tools and also that they’re properly looked after to make sure they’re on top of their game.

Spotlight on culture, not just tech

“Security professionals enjoy their jobs when they’re solving interesting problems, not sifting through endless alerts,” said Duncan. “Our goal is to use AI and automation to enhance their efficiency, while keeping their roles engaging. AI can help contextualise alerts, filter out false positives and provide actionable intelligence. This allows our analysts to focus on investigations that require human intuition and lateral thinking,” he said.

This notion that tools are only as useful as the people behind them is a thread that runs throughout the entire report. At Spotify, for instance, the team faced a situation where 17 disconnected tools were slowing down delivery and creating internal silos. By consolidating these into a single platform, they enabled better collaboration, clearer metrics, and faster decision-making. It wasn’t just a tooling fix. It was a shift in how teams worked and aligned with each other. Without that cultural change, the technology wouldn’t have landed.

The importance of leadership

But when we talk about ‘cultural changes’, sometimes it can be difficult to pinpoint exactly what it means and what it might involve. Training is something that has already been identified. But there are other areas as well, such as building trust, giving people space to improve processes and embedding security and resilience into everyday practice. All these things come under the remit of leadership.

This is something I saw during my own time leading defensive cyber services and operations at the Ministry of Defence. We made progress not by chasing tools, but by building and leading diverse, high-performing teams and giving them the mandate to challenge the status quo.

That’s the real task for security leaders. Not just to patch vulnerabilities, but to reframe the problem. To stop thinking of cybersecurity as something that happens to people, and start treating it as something that happens with them. If we don’t, then tools won’t matter. That’s why it’s time we stop dressing up cybersecurity as just an IT problem and recognise that it’s a “people problem” as well.
