
Cyber Resilience in 2026: Designing Security for Real-World Behaviour

By Simon Seymour-Perry, CEO of Logica Security.


One of the most persistent misconceptions in cyber security is the belief that human risk is primarily a people problem. In reality, it is a design problem, and increasingly boards, regulators, and threat actors alike recognise it as such.

Research consistently shows that the vast majority of cyber incidents involve human error. Yet most organisations continue to respond by increasing training, tightening policies, and adding layers of control. Despite decades of investment, why are incident levels still so stubbornly high?

The explanation is uncomfortable but clear: many security failures occur not because people are careless, but because the environments in which they operate are misaligned with how work actually gets done.

When security slows execution, interrupts workflow, or makes the secure path harder than the alternative, behaviour adapts predictably. Shortcuts emerge. Informal practices normalise. Controls are bypassed — sometimes unintentionally, sometimes deliberately.

Resilience rarely collapses suddenly. It erodes. And when it does, the consequences are operational as much as technical: disrupted services, financial loss, regulatory scrutiny, and damaged trust.

Forward-looking organisations are recognising a critical truth:

Security that works in theory but fails in practice is not resilience; it is exposure.

By designing controls around real workflows, decision points, and incentives, these organisations reduce risk while simultaneously improving operational performance. Well-aligned security minimises disruption, supports productivity, protects revenue, and strengthens confidence in the organisation’s ability to operate under stress. Security, in this model, becomes not just protective but economically enabling.

Security as Friction Is a Structural Risk

Across industries, a familiar pattern persists. Complex password requirements drive insecure storage and credential reuse. Authentication processes disrupt workflow continuity, encouraging shortcuts. Approval chains designed to control access instead teach employees how to route around them when urgency rises. On paper, these environments appear controlled. In reality, they are fragile.

The gap between documented control and operational behaviour creates the conditions for both unintended error and deliberate misuse.

The issue is not awareness alone. Most professionals understand what is expected of them. The deeper problem is structural: security is too often experienced as friction — competing with productivity, service continuity, and commercial outcomes.

Faced with this tension, people respond rationally. They prioritise delivery. Over time, workarounds become embedded in the operating model. Vulnerabilities accumulate quietly until they surface as incidents.

Poorly aligned security therefore creates a dual cost. Not only does it elevate cyber risk, but it also suppresses operational efficiency.

Organisations that redesign controls so that the secure path is also the easiest path achieve something strategically powerful: they reduce exposure while improving execution. Security stops being organisational drag and starts enabling performance.

Accountability Has Changed the Conversation

The shift underway is not driven solely by attackers. It is being accelerated by regulators. Supervisory expectations have moved beyond demonstrating that controls exist. Increasingly, regulators are asking a far more demanding question: Can the organisation continue to operate securely when conditions are no longer normal?

On the frontline, this includes scenarios where:

  • Operational pressure intensifies
  • Decision velocity increases
  • Systems degrade
  • Suppliers fail
  • Human error rises
  • Malicious behaviour is attempted

This question reaches far beyond cyber tooling. It interrogates how organisations behave under stress and whether important business services remain within tolerance when disruption occurs.

For boards, this marks a governance inflection point. Cyber resilience is no longer a technical matter that can be delegated downward. It is now directly tied to operational continuity, financial stability, regulatory confidence, and enterprise value.

Leading organisations understand that resilience is not merely defensive; it is commercially material and is becoming a performance characteristic. Those that design security to function in real conditions experience fewer operational disruptions, lower incident costs, faster recovery, stronger execution under pressure and, ultimately, greater stakeholder confidence.

From Behaviour Correction to Environment Design

The organisations responding most effectively are no longer attempting to “fix people.” They are redesigning the environments in which decisions occur.

Rather than relying primarily on vigilance, they embed security directly into workflows, tooling, and operational processes. This not only reduces reliance on individual effort but also strengthens guardrails against misuse. Controls are aligned to real roles, meaning security supports decisions in real time. Put into action, this ensures that operational pressures are designed for, not ignored.

This shift is particularly critical in highly regulated sectors such as financial services and critical national infrastructure, where resilience extends well beyond corporate IT estates.

Large portions of the workforce operate across branches, control rooms, operational sites, and data centres, all environments where access decisions are simultaneously physical and digital, and where hesitation carries real-world consequences for everyday citizens. When resilience is designed only through a traditional cyber lens, organisations often default to manual processes, shared access, inconsistent safeguards, or locally developed workarounds.

The result is predictable: a widening gap between policy and practice, and rising operational risk. By contrast, organisations that align security with the realities of delivery streamline execution, strengthen accountability, reduce avoidable delay, and protect revenue-generating services. Security becomes less about restriction and more about enabling reliable performance.

Critically, these organisations validate their designs, meaning assurance shifts from theoretical to observable. Through scenario testing, operational exercises, and real-world simulation, they generate evidence that controls hold under pressure.


The Emergence of Human Centric Resilience

Out of this shift has emerged a more mature operating philosophy: Human Centric Resilience.

And its premise is straightforward:

Organisations are resilient when they are designed to operate securely in the real world, not just in control frameworks.

This requires anchoring security to important business services rather than abstract control sets, understanding where human judgement materially affects outcomes, and shaping environments that guide behaviour toward secure action while constraining unsafe or malicious activity.

Just as importantly, it requires evidence, not assumptions, that services can remain within tolerance during disruption. Organisations adopting this approach recognise that resilience is both protective and economically significant.

By removing the structural conditions that drive unsafe behaviour, organisations can lower incident frequency, reduce operational drag, protect revenue, and improve execution consistency, strengthening stakeholder trust in the long term.

The most resilient organisations do not simply recover faster; they fail less often.

Through deliberate design and continuous validation, they reduce exposure before it materialises — enabling more predictable operations and supporting long-term value creation.


Why Boards Are Paying Attention

For boards, this evolution presents both a strategic challenge and a material opportunity. Organisations that embed resilience into their operating model do more than satisfy regulatory expectations; they perform with greater consistency and confidence.

By supporting secure behaviour and constraining misuse, they minimise disruption, protect critical services, and strengthen organisational trust. Those that fail to adapt face a growing gap between perceived resilience and actual performance under stress.

Controls that appear robust on paper can falter rapidly in live conditions, particularly when human behaviour intersects with poorly aligned systems.

The debate over whether human factors matter is over. The real question now is whether organisations continue attempting to correct behaviour or redesign the systems that shape it. Because in 2026, resilience is not defined by policies. It is defined by performance under pressure.

Organisations that design for reality will be better positioned to operate securely, respond decisively, and sustain enterprise value in an increasingly volatile environment.
