CYBERPLANZ
“Plans are of little importance, but planning is essential.”
― Winston Churchill

August 27 Blog

8/27/2024


Is Your Supply Chain Cybersecurity Human-Centric and Consistent Across All Partners?

Cyber threats are more sophisticated than ever, and the human element of cybersecurity is often the weakest link—but also the most critical one. As a business leader, your cybersecurity strategy likely spans beyond your internal operations to include every partner in your supply chain. But have you considered whether these efforts are truly consistent across all your partners, especially the smaller contractors?
The Human Element in Cybersecurity
Cybersecurity is not just about firewalls, encryption, and software updates; it's about people. The most advanced technical defences can be undone by a single human error—whether it’s a misplaced click on a phishing email or a weak password. This reality is magnified in a supply chain where smaller contractors may not have the same resources or training as larger organisations. Their vulnerability becomes your vulnerability, making it imperative to ensure that every individual in your supply chain is equipped to be a strong link in the cybersecurity chain.
Cybersecurity as a Shared Human Responsibility
Human-centric cybersecurity recognizes that people, not just technology, are at the core of a resilient cybersecurity posture. As a business leader, your role extends to ensuring that your partners, regardless of size, are aligned in this approach. How can you support and uplift the people within your smaller contractors to foster a culture of security that permeates the entire supply chain?
Practical Steps to Cultivate Human-Centric Cybersecurity
  1. Empower Through Education and Training: Human errors often stem from a lack of knowledge. Providing your smaller contractors with access to cybersecurity training and resources tailored to the human element—like recognizing phishing attempts, creating strong passwords, and understanding social engineering tactics—can empower their teams to act as the first line of defence.
  2. Foster Open Communication Channels: Encourage a culture where security concerns can be openly discussed across all levels of the supply chain. Create avenues for your contractors to share challenges and insights, and ensure they feel supported in reporting potential security risks without fear of repercussions.
  3. Build Trust Through Collaboration: Collaborate with your contractors on cybersecurity initiatives, treating them as partners rather than just service providers. Share threat intelligence, provide tools for secure communication, and work together to develop protocols that consider both technological and human factors.
  4. Regularly Reinforce Human-Centric Security Practices: Make cybersecurity awareness an ongoing conversation, not a one-time event. Regularly remind all partners of the importance of human-centric practices, such as careful handling of sensitive data and vigilance against social engineering.
  5. Support with User-Friendly Security Tools: Ensure that the security tools and protocols you expect your contractors to use are not only robust but also user-friendly. Complex, cumbersome tools can lead to frustration and non-compliance, whereas intuitive solutions can enhance security without adding unnecessary burden.
  6. Recognize and Reward Good Practices: Celebrate and reward contractors who demonstrate strong cybersecurity practices. Positive reinforcement can motivate others to follow suit and create a sense of shared responsibility and pride in maintaining a secure supply chain.
Building a Resilient, Human-Centric Supply Chain
By focusing on the human side of cybersecurity, you not only protect your organisation but also contribute to creating a more resilient, human-centric supply chain. This approach reduces the risk of breaches, enhances trust among partners, and builds a culture where every individual is empowered to contribute to a secure network.
Cybersecurity is fundamentally a human challenge. No matter how advanced the technology, the people who use it are the key to its success—or its failure. As a business leader, it's your responsibility to ensure that every person within your supply chain, from the largest partner to the smallest contractor, is equipped to be a strong link in the cybersecurity chain.
So, I ask you: Is your supply chain cybersecurity truly human-centric and consistent across all partners?
By taking steps to focus on the human aspect of security, you can help ensure that your entire supply chain is not only secure but also resilient, creating a safer, more reliable network for all.
Let’s continue the conversation. Share your thoughts on how to integrate human-centric cybersecurity practices across the supply chain in the comments below. If you’re interested in learning more about building a human-centric security culture, I’d love to connect and explore this topic further.

20 August Blog

8/20/2024


The Pros and Cons of Investing in Cybersecurity in a Tight Economy.

In New Zealand's current economic climate, where every dollar is scrutinized, management must make critical decisions about where to allocate resources. Cybersecurity, while undeniably important, often presents itself as a substantial investment. However, as cyber threats continue to evolve, the need for robust protection becomes more evident. Understanding the pros and cons of investing in cybersecurity—especially within the context of a tight economy—is essential for making informed decisions that align with your organisation’s strategic goals and financial constraints.
The Pros of Investing in Cybersecurity
1. Protection of Assets and Reputation
   In a challenging economic environment, safeguarding your organisation’s valuable assets—such as sensitive data, intellectual property, and financial information—is crucial. A strong cybersecurity strategy helps prevent costly data breaches that could lead to significant financial losses, legal liabilities, and damage to your organisation’s reputation. Protecting these assets not only secures your bottom line but also maintains customer trust and upholds your brand’s integrity.
2. Compliance with International Standards
   While New Zealand’s regulatory framework around cybersecurity may not be as stringent as that of Australia or other major trading partners, compliance with international standards is increasingly necessary for doing business globally. Investing in cybersecurity ensures that your organisation meets the regulatory requirements of these markets, allowing you to maintain and expand business relationships without facing legal or operational barriers. This is particularly important in a tight economy, where accessing international markets can be a vital growth strategy.
3. Cost-Effective Operational Continuity
   Cybersecurity investments contribute to operational continuity by minimizing the risk of disruptions caused by cyberattacks. In a tight economy, where every operational hour counts, avoiding downtime is essential. A well-implemented cybersecurity strategy ensures that your organisation can continue to operate smoothly, even in the face of cyber incidents, thereby protecting revenue streams and preserving business momentum.
4. Starting with Staff Training
   Given budget constraints, investing in staff training can be a cost-effective and impactful starting point. Educating employees on cybersecurity best practices can significantly reduce the risk of human error—often the weakest link in security. This proactive measure is not only affordable but also empowers your team to become the first line of defense, potentially preventing costly breaches and reducing the need for more expensive solutions later.
The Cons of Investing in Cybersecurity
1. Upfront Costs in a Tight Budget
   One of the most significant challenges of investing in cybersecurity during an economic downturn is the upfront cost. Implementing effective security measures often requires substantial financial investment in technology, personnel, and training. For many organisations, these costs can be prohibitive. However, it's crucial to recognize that in order to maintain international business relationships—especially with countries that have more stringent cybersecurity requirements—such investments may be necessary to stay competitive.
2. Complexity and Resource Allocation
   Cybersecurity is a complex field that demands specialized knowledge and resources. Allocating the necessary financial and human resources can be particularly challenging when budgets are tight. The ongoing management and updates required to maintain strong cybersecurity further strain existing resources. However, starting with targeted, cost-effective measures like staff training can help manage this complexity and lay the groundwork for more comprehensive solutions.
3. Perceived ROI Challenges
   Unlike other investments, the return on investment (ROI) for cybersecurity is not always immediately apparent. In a tight economy, where every expenditure is closely monitored, justifying these costs can be difficult when the benefits—such as preventing incidents—are intangible. However, failing to invest in cybersecurity could jeopardize your ability to do business with international partners who require compliance with more stringent regulations.
4. Potential for Complacency
   A less frequently discussed downside is the risk of complacency. After making an initial investment in cybersecurity, there may be a false sense of security that the job is done. However, cybersecurity requires continuous monitoring, updates, and adaptation to new threats. Even in a tight economy, senior management must remain vigilant and committed to ongoing improvements, ensuring that initial investments continue to yield long-term benefits.
In today’s tight economy, management must carefully weigh the costs and benefits of every investment. While the upfront costs and complexity of cybersecurity pose real challenges, the protection of assets, compliance with international standards, operational continuity, and the cost-effective option of staff training are compelling reasons to prioritize cybersecurity.
By starting with affordable measures like staff training, organisations can build a strong foundation for cybersecurity without straining their budgets. This approach not only enhances security but also positions the organisation for future growth, both domestically and internationally. Ultimately, viewing cybersecurity as a strategic investment in the organisation’s resilience will help ensure that your business is not only protected from today’s threats but also well-prepared to thrive in a competitive global market, even amid economic challenges.

13 August Blog

8/13/2024


Navigating the Challenges of Implementing a Risk-Based Cybersecurity Strategy: The Data Dilemma

As organisations increasingly shift towards a risk-based cybersecurity strategy, they aim to prioritize their security efforts based on specific threats, ensuring resources are allocated effectively to protect their most critical assets. However, implementing this approach is not without its challenges—particularly for organisations that have yet to quantify the value of their data. Here are some potential hurdles that organisations may encounter and strategies to overcome them.
 
1. Lack of Risk Awareness and Understanding
One of the primary challenges in adopting a risk-based approach is a lack of awareness and understanding of the actual risks the organisation faces. Many organisations follow industry standards and compliance requirements that may not align with their specific risk profile, leading to a one-size-fits-all approach that overlooks unique vulnerabilities.
To overcome this hurdle, it’s essential to conduct a comprehensive risk assessment that identifies and evaluates the specific threats to your organisation. This assessment should involve input from various departments, including IT, finance, operations, and legal, to ensure a holistic understanding of the risks. Additionally, investing in cybersecurity awareness training for all employees can help build a culture of risk awareness throughout the organisation.
 
2. Quantifying the Value of Data
For many organisations, the challenge lies in quantifying the value of their data. Without a clear understanding of what their data is worth, it becomes difficult to prioritize security efforts and justify investments in cybersecurity. This lack of clarity can lead to either underestimating the importance of protecting critical data or overspending on unnecessary security measures.
To overcome this, begin by categorizing and valuing your data assets. Consider the potential financial loss, reputational damage, and operational impact that could result from a data breach. Engage with stakeholders across the organisation to assess the importance of different data types and to establish a data valuation framework. This process not only helps in prioritizing cybersecurity efforts but also in making informed decisions about where to allocate resources.
 
3. Resistance to Change
Introducing a risk-based cybersecurity strategy often requires significant changes to existing processes and mindsets. Employees and leadership may resist these changes, especially if they perceive them as adding complexity or disrupting established workflows.
To address resistance to change, it’s crucial to communicate the benefits of a risk-based approach clearly and consistently. Explain how this strategy aligns with the organisation’s overall goals and can lead to more efficient use of resources. Engaging key stakeholders early in the process and involving them in decision-making can also help build buy-in and reduce resistance.
 
4. Inadequate Resources and Budget Constraints
Implementing a risk-based cybersecurity strategy requires adequate resources, including skilled personnel, tools, and technologies. However, many organisations face budget constraints, making it challenging to allocate the necessary resources to support a risk-based approach.
To navigate resource limitations, prioritize cybersecurity initiatives based on the level of risk they address. Focus on protecting the most critical assets and implementing cost-effective measures that offer the greatest impact. Additionally, consider leveraging automation and AI-driven tools to enhance efficiency and reduce the burden on your cybersecurity team.
 
5. Complexity in Risk Assessment and Management
Risk-based cybersecurity strategies require organisations to continuously assess and manage a wide range of risks, from external threats to internal vulnerabilities. This can be a complex and time-consuming process, particularly for organisations with limited experience in risk management.
Investing in risk management frameworks and tools can help simplify the process of identifying, assessing, and prioritizing risks. Consider adopting established frameworks such as NIST’s Cybersecurity Framework or ISO 27001, which provide structured approaches to risk management. Additionally, partnering with cybersecurity experts or consultants can provide valuable guidance and support in navigating complex risk assessments.
 
6. Difficulty in Measuring and Communicating Risk
One of the challenges of a risk-based cybersecurity strategy is the difficulty in quantifying and communicating risk to stakeholders, especially those without a technical background. It can be challenging to convey the importance of addressing certain risks and justifying the associated costs.
To overcome this hurdle, use risk metrics and key performance indicators (KPIs) to quantify and communicate risk in a way that resonates with stakeholders. Visual aids such as risk heat maps and dashboards can help illustrate the potential impact of different risks and the effectiveness of mitigation strategies. Additionally, framing discussions around risk in terms of business outcomes—such as potential financial loss or reputational damage—can help bridge the gap between technical and non-technical audiences.
 
7. Balancing Risk with Business Objectives
A key challenge in risk-based cybersecurity is finding the right balance between managing risk and supporting business objectives. Overemphasizing security can stifle innovation and hinder business growth, while underestimating risk can leave the organisation vulnerable to attacks.
Effective risk-based cybersecurity strategies should be aligned with the organisation’s overall business objectives. Engage in regular discussions with business leaders to ensure that cybersecurity initiatives support and enable business goals. Consider adopting a flexible approach that allows for risk tolerance in areas where innovation is critical, while ensuring robust protection for the organisation’s most valuable assets.
 
Introducing a risk-based cybersecurity strategy offers numerous benefits, including more effective resource allocation and a stronger alignment between cybersecurity efforts and business objectives. However, it also presents challenges that organisations must be prepared to address. For those still grappling with the task of quantifying the value of their data, this process becomes even more critical.
 
By fostering risk awareness, accurately valuing data, managing resistance to change, prioritizing resources, simplifying risk management, effectively communicating risk, and balancing security with business goals, organisations can successfully navigate these hurdles and build a resilient cybersecurity posture. In today’s rapidly evolving threat landscape, a risk-based approach is not just a strategic advantage—it’s a necessity.

6 August Blog

8/7/2024


As a Business Leader in an Economic Downturn, How Can I Help My CISO Prioritize Our Cybersecurity Offering?

In times of economic downturn, business leaders face the challenge of maintaining robust cybersecurity measures while operating under tightened budgets. Cyber threats continue to evolve and become more sophisticated, making it crucial for leaders to support their Chief Information Security Officers (CISOs) in prioritizing cybersecurity effectively. Here are some strategies to help navigate this challenging landscape.
 
Assess and Prioritize Risks Together 
The first step in prioritizing cybersecurity efforts is to conduct a thorough risk assessment. Work with your CISO to identify and evaluate the most significant threats to your organisation. Focus on areas that present the highest risk and have the potential to cause the most damage if compromised. This might include:
  • Critical Business Assets: Protect the data and systems essential to your operations.
  • Customer Data: Ensure the protection of sensitive customer information to maintain trust and comply with regulations.
  • Intellectual Property: Safeguard proprietary information that gives your organisation a competitive edge.
 
By understanding where your greatest vulnerabilities lie, you can allocate resources more effectively and ensure that critical areas are well-protected.
 
Optimize Existing Resources 
In an economic downturn, maximizing the value of your existing cybersecurity investments is essential. Encourage your CISO to review current tools and technologies to ensure they are being used to their full potential. Look for opportunities to consolidate overlapping solutions and streamline your cybersecurity infrastructure. This can help reduce costs while maintaining or even enhancing your security posture.
 
Additionally, consider leveraging open-source tools and community-driven projects. Many open-source solutions offer robust security features without the high price tag of commercial products. However, be sure to evaluate these tools thoroughly to ensure they meet your organisation’s security requirements.
 
Emphasize Cybersecurity Awareness and Training 
Human error remains one of the leading causes of cybersecurity incidents. Investing in cybersecurity awareness and training programs can significantly reduce the risk of breaches caused by employee mistakes. During economic downturns, focus on cost-effective training methods such as online courses, webinars, and internal workshops.
 
Encourage a culture of cybersecurity awareness by regularly communicating the importance of security best practices and keeping employees informed about the latest threats. This not only helps protect your organisation but also empowers your staff to become the first line of defence against cyber threats.
 
Leverage Automation and AI 
Automation and artificial intelligence (AI) can play a crucial role in enhancing your cybersecurity efforts while operating under budget constraints. Automated tools can help streamline repetitive tasks, such as monitoring and incident response, allowing your security team to focus on more strategic activities.
 
AI-driven solutions can provide advanced threat detection and response capabilities, identifying and mitigating threats in real-time. While these technologies may require an initial investment, they can deliver significant long-term cost savings by reducing the time and effort required to manage security incidents.
 
Collaborate Across Departments 
Cybersecurity is not just the responsibility of the IT department; it requires a collaborative effort across the entire organisation. As a business leader, work closely with your CISO and other departments, such as finance, human resources, and legal, to ensure that cybersecurity priorities align with overall business objectives.
 
By fostering a collaborative approach, you can gain a better understanding of the organisation’s risk tolerance and allocate resources more effectively. Additionally, involving other departments in cybersecurity initiatives can help secure buy-in from senior leadership, making it easier to justify necessary investments.
 
Focus on Compliance and Regulatory Requirements 
In times of economic downturn, maintaining compliance with regulatory requirements is critical. Non-compliance can result in hefty fines and reputational damage, which can be particularly damaging when budgets are tight. Prioritize cybersecurity measures that ensure compliance with relevant regulations, such as GDPR, HIPAA, and PCI DSS.
 
Conduct regular audits to identify any gaps in your compliance posture and take corrective actions promptly. By staying compliant, you not only avoid penalties but also demonstrate your commitment to protecting sensitive data, which can enhance customer trust and loyalty.
 
Adopt a Risk-Based Approach 
A risk-based approach to cybersecurity helps you focus on the most critical areas first. By understanding and quantifying the risks your organisation faces, you can prioritize your efforts and resources more effectively. This approach involves:
  • Risk Assessment: Continuously evaluate and update your risk assessment to reflect the current threat landscape.
  • Risk Mitigation: Implement measures to mitigate the most significant risks first, ensuring that your resources are used where they can have the greatest impact.
  • Risk Acceptance: Acknowledge and accept certain risks that are deemed low priority, allowing you to focus on more pressing threats.
 
As a business leader in an economic downturn, supporting your CISO in prioritizing your cybersecurity offering requires a strategic approach that balances risk management, resource optimization, and cost-effective solutions. By assessing and prioritizing risks together, optimizing existing resources, emphasizing cybersecurity awareness, leveraging automation and AI, collaborating across departments, focusing on compliance, and adopting a risk-based approach, you can maintain a robust cybersecurity posture even in challenging economic times.
 
Remember, the goal is to protect your organisation’s critical assets and ensure business continuity, all while operating within budget constraints. With careful planning and a focus on strategic priorities, you can navigate the economic downturn and emerge stronger and more resilient.

    Author

    Patrick – Founder of Cyberplanz | Business Strategist | Cyber Governance Advocate

    Patrick combines deep business experience, including an MBA, with up-to-date cybersecurity expertise, including certification as a PECB ISO/IEC 27001 Lead Implementer. He helps businesses grow while staying secure—bridging the gap between cybersecurity and real-world operations with clear, human-centric solutions. Passionate about culture, clarity, and resilience, Patrick champions the belief that cybersecurity is everyone’s business—not just IT’s.


Human-Centric Cyber Governance & AI Security for NZ Organisations

A Corna Consulting Company