
The human side of cybersecurity.
We know this isn’t new information; the days when the tech stack was seen as the most important aspect of a robust security system are long gone. Because breaches happen when someone clicks a link, ignores a warning sign, or makes a decision under fatigue.
So as nice as it would be if tech alone could keep us safe, the truth is that resilience depends on people.
When we asked Nikk Gilbert (CISO at RWE) about the domain that taught him the toughest lesson, he looked back to his time in the military.
“The military taught me the hardest lesson. You can have the best plan, the strongest team, and absolute clarity of mission. Yet, one small mistake – fatigue, pride, distraction – can completely alter the outcome. That truth never left me. Risk is not just technology; it is people. Strength comes from accepting human fallibility and building systems that can withstand it, not ignoring it.”
That idea – that one moment of distraction can unravel even the strongest defences – is something many security leaders know too well. Plans and technologies are necessary, of course; but they can’t erase the fact that humans are fallible.
And if we ignore that reality, we pretty much leave the door wide open for attackers.
When we spoke to Stefan Baldus (CISO at HUGO BOSS), he shared his perspective on how the security function has evolved since he joined the company in 2006.
“In the beginning it was all about getting the tools in and explaining why the company needs more than an endpoint protection and a firewall.
“Later, that shifted towards processes and getting the people's attention. Although I don't think it's possible to get buy-in from every single employee, education and awareness are key components of cybersecurity these days. If people don't click on the wrong link all the time, we as security don't have to worry about if our defence systems really work.”
For Baldus, the job evolved from mostly implementing tech, to a new focus on embedding awareness and culture across the organisation. Because when employees understand the role they play, every click becomes a security decision.
Both Gilbert and Baldus described the same thing from different angles: tech is essential, but it won’t save you on its own.
What really matters is how teams and employees behave under pressure. Do they report suspicious emails? Do they understand the processes for escalation? Do your organisation’s leaders recognise that people are the centre of every breach and every defence?
And that’s why forward-looking CISOs are building resilience around the human layer. It’s not possible to eliminate mistakes, but you can create systems that expect mistakes and withstand them.
There’s no such thing as perfection. No organisation can predict and respond to every possible threat perfectly. Cybersecurity needs realism – because when you’re realistic about both the threats that are out there, and about your organisation’s capacity to handle them, you can build readiness. You can develop systems that can take a hit, adapt, and keep going.
At Black Hat MEA 2025, you’ll hear from leaders across industries who are embedding resilience into their organisations. From retail and energy to government and finance, they’re asking hard questions about culture, awareness, and fallibility – and they’re sharing strategies to strengthen security where it matters most.
Join us this December in Riyadh to immerse yourself in our global community of security leaders, practitioners, and innovators.
It’s your chance to learn how others are building security cultures that really are prepared for the reality of human error.
Yes, breaches are inevitable. But building systems that can withstand them (by putting people and processes at the centre) is what defines the next generation of defenders.
Read our full interview with Gilbert here, and find our conversation with Baldus here.