Transforming IT
Showing results for 
Search instead for 
Did you mean: 

Cyber resilience: we need to talk about…your people


Later this month, the world converges at the RSA conference in San Francisco to discuss all things cyber security. During the weeks in advance of RSA as well as for several weeks following, we are sponsoring outreach to raise awareness on the role of Education Services and Training in your security planning. Look for our new materials, information, and partner contributions in this period. 

Our partner Axelos is providing a blog series with great insight and content to support our outreach. In this first blog, Axelos’ lead Gary Warzala explains that people – and how your prepare them – proves to be the most important factor in lowering your risk of security exposure.


Gary has been a CISO for over 15 years. His is currently the CISO at PNC Bank based in Philadelphia. He has worked as a trusted CISO adviser for a major retailer following a serious information security breach and was previously the CISO at Visa, the AON Corporation and at GE Aviation. Please enjoy Gary's article!

 Our Guest Blogger:
Gary Warzala, subject matter expert from AXELOS

When thinking about cyber resilience, just how important do you believe the people in your organization are? All your people, from top to bottom? 

You have heard the expression, ‘People, Process, and Technology’ a thousand times. But which is the most critical of the three when building a top-tier information security / risk management program? The answer is people – always. And it’s vital to acknowledge that, in the world of cyber resilience, your people represent both your greatest vulnerability but also your most effective solution.  

People are the determining factor between being prepared for a cyber attack and ending up on the news pages.. And it’s about all your people across the organization not only those working in the information security / risk management organization. 

So, what does the human factor in cyber resilience look like? 

Having tone from the top…

…in other words, having a clear and committed attitude from the Boardroom. In my view this is the single most important thing a CISO needs in order to develop an effective programme to manage cyber risks. If you don’t have this, then your executive team is just ticking the box in their ‘cyber commitment’, or they don’t understand the risks to their business, or perhaps they believe that they are immune. 

Without tone from the top, the CISO – or whoever is responsible for building a cyber resilient organization – will typically end up isolated with minimal support from their peers. Budget and resources will always take a back seat to another business initiative, and it’s just a matter of time before the inevitable happens and everyone wonders how that could have occurred. 

True tone from the top is when executives talk about security whenever they talk to employees; when executive teams ask for regular updates from the CISO, when they are curious about current cyber events and how it affects their company. It’s when the CISO meets regularly with the board of directors, or their risk committee, and is held accountable.

[Sidebar from HPE: We have Management of Change (MoC) services as part of our Education Consulting portfolio to help you acheive this type of alignment in your security projects. Contact Us to speak to an expert on what's available, tailored to your unique requirements.] 

Having a culture of accountability

Do you have people in your organization who are managing information risks? I don’t mean just identifying risks, but actively, aggressively managing them. This means having competent people, throughout the organization who identify and assess information risk, backed by robust processes, learning, and governance. That also means being willing to have the difficult conversation about enabling the business and accepting residual risks associated with a product, service, technology, or acquisition. 

Here are some very basic questions that you must be able to answer: do you have a culture of accountability in your business, because information risks reside and are owned across the business? Do you have a CISO, and do they know what they are accountable for? Is your business accountable for accepting risks and the consequences that could result if the risk were realized? If a breach were to occur, would there be a “deer in the headlights” look when determining who is in charge? 

Things are never going to end well in a culture which lacks accountability and real information risk management. 

Knowing what good cyber resilience is

This comes down to having an organization of people who are cyber aware, curious, ask the right questions and who are not just ticking the box.  

And the most effective people in an organization, from the board to the lowest levels of the organization, are also realists. They know that, despite everyone’s best efforts, your organization will never be bullet-proof; they always prepare for the worst and understand that along with identifying risks and protecting the enterprise they will be called upon to detect, respond and recover from a cyber threat in the quickest and most efficient manner possible. 

Even an organization with an enviable level of maturity in its technology and process capabilities knows it must continue to evolve at speed, to stay ahead of their business, technology, and their adversaries.  

So you see, people are not only your greatest vulnerability; they also represent the most powerful force you have in finding solutions to protect your most sensitive information and to become a cyber resilient entity. We have to engage with all our people through regular, ongoing, short and compelling learning using some of the latest techniques to get that engagement – games, simulation, animations. We need ‘champions’ and mentors across the organization to build the resilient behaviours required to protect what’s most critical and valuable.

Without all of this it is just a matter of time before you’ll be expected to respond to a successful attack or significant data breach. Where would you rather be?



AXELOS is a joint venture company co-owned by the UK Government’s Cabinet Office and Capita plc.  It is responsible for developing, enhancing and promoting a number of best practice methodologies used globally by professionals working primarily in project, programme and portfolio management, IT service management and cyber resilience.

The methodologies, including ITIL®, PRINCE2®, MSP® and the new collection of cyber resilience best practice products, RESILIA™, are adopted in more than 180 countries to improve employees’ skills, knowledge and competence in order to make both individuals and organizations work more effectively.


About the Author


25+ years in high tech in various roles that include Consulting, Channel Mgmt, Product Mgmt and Marketing. Technology areas include storage and data management, high availability, cloud and hosting, networking, and mobility/wearable technology for enterprise, SMB , and channel business. Industries include healthcare, financial services, ISVs, Service Providers and telecos.


This is a great article as it stresses the importance of establising a culture of improvement.  Not only that but it also highlights the critical aspect of socializing cyber resilience in every conversation that is had, but also it is not a "one and done" conversation, but needs to be ongoing.

Roc Paez

I agree that people are the most important of People, Process, and Ptoducts/Tools.  In order to accomplish a culture of accountability among the staff, and to create an awareness for cyber resilience among the people, THE MOST IMPORTANT PERSON is the Chief Information Security Officier (CISO) himself.  The CISO will make or break security within the organization.  The only way to get the things discussed in this article, which are all important, is to have a CISO who makes getting these a priority.