
Why I Refused to Say “People Are the Weakest Link in Cyber”
Jun 26

I froze when the question came in. If you work in cyber, you’ll know this question all too well. It’s the one that continues to resurface, both in boardrooms and at industry events:
“Why are people still the weakest link?”
Yes, it was familiar. Yes, it was provocative. But as I stood on stage, reading from my notes, I paused, looked at the question… and moved on to another.
I couldn’t ask it. Not because it was technically wrong - we all know the role human mistakes play in incidents - but because it reflected a mindset that’s no longer fit for modern leadership.
Putting it bluntly, framing people as the "weakest link" misses the mark. It is a perspective rooted in blame rather than constructive leadership. And today, with a growing volume of digital challenges, from malicious acts to honest mistakes and plain malfunction, it is vital that we move beyond this narrative and focus on governance and empowerment instead.
The good news? Change is happening.
The UK Government's refreshed Cyber Governance Code of Practice sets a clear direction, backed by guidance, and holds boards accountable for human cyber risk.
In this blog, I’m going to be taking a deeper dive into this transformation and the actionable steps organizations can take to address this critical issue. I’m approaching this from my role with OutThink, the Cybersecurity Human Risk Management platform I proudly represent as an advisor and brand ambassador.
The Shift from “Blame” to “Governance”
With the UK Government’s recently refreshed Cyber Governance Code of Practice, we now have official recognition that cyber risk (particularly human cyber risk) is a board-level responsibility. Not a bolt-on. Not a technicality. But a governance issue that sits squarely with those who lead.
At the launch of the Code, Cyber Minister Feryal Clark said:
“Boards must take responsibility for cybersecurity. They are ultimately accountable for ensuring their organization is resilient.” (The Times, April 2024)
This is not just rhetoric. The Code outlines clear, actionable expectations for how boards and executives must govern human risk — an area long treated as a side note or delegated to compliance teams.
NCSC CEO, Richard Horne reinforced the point, saying:
"In today's digital world, where organisations increasingly rely on data and technology, cyber security is not just an IT concern — it is a business-critical risk, on a par with financial and legal challenges."
That statement alone should shift the tone in every boardroom in the country.
Principle C: The People’s Mandate
Among the five key principles of the Code, ‘Principle C: People’ is arguably the most transformative. It redefines human cyber risk not as an operational problem, but as a strategic leadership issue with four areas of governance responsibility outlined:
1. Create a Cyber-Resilient Culture
Boards are expected to promote and model behaviors that enable a secure culture from the top down. Top management is expected to lead by example, prioritize secure practices, and ensure that risk awareness is embedded in how decisions are made.
Too often, boardroom agendas treat cybersecurity as an item to be “noted.” This principle says: if culture eats strategy for breakfast, then cyber culture must sit at the head of the table.
2. Align Policies to Enable the Right Behaviors
Policies shouldn’t exist just to satisfy auditors. They must align with how people work and behave daily. Abstract or punitive policies disconnected from workplace realities set employees up to fail.
When staff bypass policies to do their jobs, it is typically not due to recklessness. Rather, it is operational (or control) friction, i.e. a failure of governance. Secure behavior should be the easiest choice and the path of least resistance, not the hardest one.
Boards must therefore ensure policies are practical, actionable, and integrated into workflows. More importantly, they need governance systems to actively monitor if these policies truly work in practice. Policies should empower secure behavior, not hinder it.
3. Develop Cyber Knowledge, Skills, and Literacy at All Levels
Many organizations invest in security awareness training and phishing simulations for staff, but overlook their leadership teams. Boards must invest in their own security awareness not to become technical experts, but to be effective stewards. This means asking the right questions, understanding behavioral and technical risk, and overseeing strategic interventions. That entails making security awareness training adaptive and specific to the roles performed, too.
4. Use Metrics to Monitor Cultural and Behavioral Risk
If you can’t measure it, you can’t govern it. Yet most cybersecurity reports to boards focus on threat activity and system vulnerabilities, not on human risk indicators.
If they do include any reference to people, it’s typically in terms of security awareness and phishing training. However, boards need visibility into how people actually behave, what risks they take, and how these patterns shift over time. This means going beyond checkbox compliance to true performance-based assurance.
And this is where traditional tools fall short and where OutThink is changing the game.
Why We Need a New Category: Cybersecurity Human Risk Management
For years, organizations have focused on raising security awareness through both training and simulation, and that’s not a bad thing. But cyberattacks haven’t slowed and behavioral risks remain high. That’s because awareness is not the same as behavior. And measurement that yields true, actionable, behavioral insight has been missing.
At OutThink, I'm seeing how organizations are shifting from compliance-driven awareness to data-driven risk governance. Unlike legacy security awareness and phishing training tools, the platform enables leadership teams to:
- Quantify human cyber risk at the individual, team, and business unit level
- Monitor behavioral indicators like phishing susceptibility, policy bypassing, or risk sentiment
- Track cultural maturity over time, with real metrics aligned to governance frameworks
- Provide boards with dynamic dashboards that reflect real risk, not just activity
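To make the measurement idea concrete, here is an added example of how behavioral indicators like the ones above can be turned into per-unit risk scores and a period-over-period trend. It is illustrative code written for this post, not OutThink's scoring model or anything it claims to implement; the event types, the weights and the sample events are all constructed assumptions.

```python
"""Human-risk indicators from behavioural events (added illustrative example)."""
from collections import defaultdict

# Constructed sample events; this is NOT real telemetry.
# (period, business_unit, user_id, event_type)
EVENTS = [
    ("2025Q1", "finance", "f1", "phish_clicked"),
    ("2025Q1", "finance", "f1", "policy_bypass"),
    ("2025Q1", "finance", "f2", "phish_reported"),
    ("2025Q1", "finance", "f3", "phish_ignored"),
    ("2025Q1", "eng", "e1", "phish_reported"),
    ("2025Q1", "eng", "e2", "phish_reported"),
    ("2025Q1", "ops", "o1", "phish_ignored"),
    ("2025Q1", "ops", "o2", "phish_reported"),
    ("2025Q2", "finance", "f1", "phish_clicked"),
    ("2025Q2", "finance", "f2", "phish_clicked"),
    ("2025Q2", "finance", "f2", "policy_bypass"),
    ("2025Q2", "finance", "f3", "phish_reported"),
    ("2025Q2", "eng", "e1", "phish_ignored"),
    ("2025Q2", "eng", "e2", "phish_clicked"),
    ("2025Q2", "ops", "o1", "phish_ignored"),
    ("2025Q2", "ops", "o2", "phish_reported"),
]

SIMULATION_OUTCOMES = {"phish_clicked", "phish_ignored", "phish_reported"}

# Illustrative weights (an assumption, not an industry standard): clicking a
# lure or bypassing a control adds risk, reporting a lure subtracts it.
WEIGHTS = {"phish_clicked": 3, "policy_bypass": 2,
           "phish_reported": -1, "phish_ignored": 0}


def unit_indicators(events, period):
    """Per-business-unit indicators for one reporting period."""
    acc = defaultdict(lambda: {"users": set(), "sims": 0, "clicks": 0,
                               "reports": 0, "bypasses": 0, "weighted": 0})
    for p, unit, user, kind in events:
        if p != period:
            continue
        u = acc[unit]
        u["users"].add(user)
        u["weighted"] += WEIGHTS[kind]
        u["sims"] += kind in SIMULATION_OUTCOMES
        u["clicks"] += kind == "phish_clicked"
        u["reports"] += kind == "phish_reported"
        u["bypasses"] += kind == "policy_bypass"
    out = {}
    for unit, u in acc.items():
        heads = len(u["users"])
        out[unit] = {
            "headcount": heads,
            "click_rate": round(u["clicks"] / u["sims"], 2) if u["sims"] else None,
            "report_rate": round(u["reports"] / u["sims"], 2) if u["sims"] else None,
            "bypasses_per_head": round(u["bypasses"] / heads, 2),
            # Weighted score per head, floored at zero so that strong reporting
            # by some staff cannot mask real exposure elsewhere in the unit.
            "risk_score": round(max(u["weighted"], 0) / heads, 2),
        }
    return out


def user_scores(events, period):
    """Individual-level weighted score, useful for targeted (adaptive) training."""
    scores = defaultdict(int)
    for p, _unit, user, kind in events:
        if p == period:
            scores[user] += WEIGHTS[kind]
    return dict(scores)


def trend(events, previous, current, threshold=2.0, rise=0.5):
    """Compare two periods and flag units that are high or rising."""
    prev = unit_indicators(events, previous)
    cur = unit_indicators(events, current)
    rows = []
    for unit in sorted(set(prev) | set(cur)):
        before = prev.get(unit, {}).get("risk_score", 0.0)
        after = cur.get(unit, {}).get("risk_score", 0.0)
        delta = round(after - before, 2)
        rows.append({"unit": unit, "previous": before, "current": after,
                     "delta": delta,
                     "needs_attention": after >= threshold or delta >= rise})
    return rows


if __name__ == "__main__":
    for row in trend(EVENTS, "2025Q1", "2025Q2"):
        print(row)
    print(sorted(user_scores(EVENTS, "2025Q2").items(), key=lambda kv: -kv[1]))
```

The point of the trend table is the board-facing view: "ops" is quiet and stays quiet, "finance" crosses the attention threshold, and "eng" is flagged purely because it is rising, which is the early signal a monthly report should surface before it becomes an incident.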
This is how you bring Principle C to life. This is how you move from oversight to foresight.
What “Good” Looks Like Today
Leading organizations are no longer asking only whether their people have completed security awareness training and phishing simulations. Instead, they're asking:
- Are secure behaviors embedded?
- Can we predict and reduce human error before it becomes a cyber incident?
- Do we have the data to govern human cyber risk effectively?
The best boards now receive monthly reporting on human cyber risk trends. They’re using risk scores to prioritize investment. They’re partnering with platforms like OutThink to visualize and reduce cyber risk at scale, not just raise security awareness.
This isn’t aspirational, it’s operational.
And increasingly expected by regulators, insurers, and investors.
From Blame to Leadership: A Final Word
Back to that panel.
The reason I skipped the “weakest link” question wasn’t to avoid a tough conversation but to reframe it. The question we should be asking is:
“What have we done as leaders to make secure behavior the path of least resistance?”
Too often, human mistakes are the result of poor leadership design: unclear policies, contradictory incentives, inadequate training, or toxic cultures. If a frontline employee falls for a phishing email, the issue isn’t their intelligence; it’s the fact that the system wasn’t built to support success. When people are supported, trained, and valued — when they see leadership walking the talk — they become your most powerful layer of defense.
So no, people are not the weakest link.
They are our most underutilized security control.
When equipped, supported, and led well, they are the most adaptive and resilient cyber defense we have.
For C-suites and Boards: What to Do Next
- Download the UK Cyber Governance Code Toolkit to assess your current state.
- Start asking better questions. Not “are we compliant?” but “are we reducing cyber risk?”
- See how cybersecurity human risk management platforms like OutThink can help you operationalize Principle C with the appropriate data, dashboards, and insights aligned to the boardroom.
