
Help build a more resilient future – with insights and inspiration from the global Black Hat MEA community, in your inbox every week.
Why cybersecurity leaders need to keep their focus on human behaviour.
Because on the blog this week we dug into two new cybersecurity reports: one that shows security teams need to understand threat actor behaviour, and one that highlighted how vulnerable organisations are to vendor email compromise (VEC) attacks.
Both reports are packed with data that tells a story about what really matters in cybersecurity right now – and the moral of that story is that it’s all about people. Everyone’s a frontline player in cyber defence, from entry-level employees to trusted vendors.
And unless they’re educated, they’re vulnerable.
As Omar Khawaja (CISO at Databricks) told us,
“I used to think technical security controls were the most important part of a security program, then I realised it was important to not just have controls but for the controls to be part of some comprehensive framework (compliance!). Then I evolved my thinking to consider the business as the most important stakeholder (risk management). Along the way, I learned that in a complex organisation, people and process are immensely more important than technical controls.”
Today’s threat landscape demands that everyone experiences this shift in perspective.
According to the latest Abnormal Security report, threats are arriving thick and fast in our inboxes, and VEC attacks are proving especially dangerous:
What makes these attacks so effective? They blend perfectly into normal business communication. Fake invoices, urgent payment requests, spoofed email threads – all crafted to look entirely legitimate. Sometimes they even come from real compromised vendor accounts.
So technical controls alone aren’t enough. Education is critical. And that education can’t be limited to your IT or security teams.
Nisreen Al Khatib (Expert in IS Risk Management, Data Privacy, and Cybersecurity Management) has spent years working on this issue. She told us:
“Cybersecurity awareness and education is one of the most challenging domains in cybersecurity...awareness and education touches all people who go online – and this covers a huge population with diverse knowledge, educational backgrounds, and security understanding.”
She emphasised that communication must be tailored to different audiences – because not everyone speaks the same technical language. What works for engineers won’t work for sales teams or finance admins.
The report by Abnormal also showed that entry-level sales staff had an 86% engagement rate with VEC emails. That’s not because they’re careless – it’s because their jobs demand fast responses, high-volume communication, and coordination with external parties. So without training that takes context into account, they’re an easy target for cybercriminals.
Both Khawaja and Al Khatib pointed out that cybersecurity is, first and foremost, about people and processes. That means shifting from one-size-fits-all training to dynamic, role-specific education that evolves as threats evolve.
Al Khatib said:
“We can’t address cybersecurity education and awareness with the same old methods, or we will get the same disappointing results.”
Attackers are already using AI to customise their scams. They’re hijacking real email threads and impersonating real vendors. Meanwhile, many organisations are still rolling out static training modules and hoping for the best. The cybersecurity community needs to work together to change this.
Cybersecurity is now woven into every conversation, every contract, and every inbox. The best security leaders today are educators, communicators, and behavioural strategists, as well as technologists. They need to see the bigger picture.
Until we train everyone to recognise threats, we’ll keep seeing the same avoidable attacks succeed. It’s time to take education seriously – because everyone depends on it.