
How Untrained Staff Become Your Biggest Cybersecurity Risk
Organizations purchase millions in security tools. Firewalls, intrusion detection systems, endpoint protection, threat intelligence platforms. The list goes on. What’s overlooked with all of that purchased value? The people who actually sit behind it every day.
It doesn’t matter if an organization has the most advanced security architecture if the people who work with it every day don’t understand the frameworks and methodologies behind it. An advanced security product is as useless to an untrained team as a formula race car handed to someone who learned to drive yesterday.
It’s not that people are inept. Most information security professionals are intelligent, driven individuals who want to do their best for the organization. Yet cybersecurity isn’t just a technical endeavor. It requires engagement with the frameworks, methodologies, and established practices that make tools protective rather than merely installed.
Where It Cracks First
Wherever training is missing, that is where things crack first. Someone misconfigures a tool because they don’t understand the security model behind it. Someone else overlooks an alert because they can’t tell what’s critical from what’s noise. And someone else makes a policy decision that undermines another part of the security program.
These aren’t hypothetical scenarios; they happen constantly in organizations that tried to purchase their way out of trouble instead of training people to use what they already had. The tools sit on the servers and run on the endpoints, but they never reach their full protective potential because no one cared enough to train the team to work them.
Worse, the threat environment keeps changing, and those changes arrive with no time set aside for proper adjustment. Newly discovered vulnerabilities emerge in systems thought secure. Threat actors adopt new tactics, techniques, and procedures. Compliance requirements shift. All of this happens before anyone has caught up with the previous round of changes.
The Problem of False Confidence
Another thing rarely discussed is that when people are untrained, they often don’t know they’re untrained. They know how to navigate the buttons in the security console. They know how to pull reports, and they have sat in on vendor demonstrations. As far as they can tell, they’re doing their job.
However, knowing how to operate a tool doesn’t mean understanding the security framework behind it. It’s the difference between someone who can turn a steering wheel and someone who knows how to drive: sure, the first person can get the car started, but they are dangerous once they’re out on the road.
Thus, organizations find themselves in perilous situations. Management feels secure because they purchased expensive security applications and hired people to run them. Security teams feel good because they’re using the tools every day. Yet vulnerabilities lie in wait, unrecognized, until it’s far too late.
This is precisely what structured MBSE training and onboarding for technical teams addresses. Effective training does not merely put tools in people’s hands; it builds knowledge of the frameworks and methodologies surrounding those tools that enable protection. It’s not about competency but capability.
What Actually Goes Wrong
What goes wrong is predictable. Misconfigurations leave doors open for opportunistic actors. Slow reaction times leave people helpless during incidents because they were never trained in the relevant response methodologies. Poor security decisions based on misguided ideas (and no decision is still a decision) create gaps where none should exist in this day and age.
Then there’s tool sprawl: organizations keep buying replacement tools after earlier purchases failed to deliver, merely because no one understood how to use them correctly from the beginning. Audit and compliance failures follow. Whether the standard comes from an external regulator or an internal policy, auditors don’t care whether your people were trained properly; they care about open vulnerabilities.
When auditors come knocking and find gaps, organizations feel the pain: fines, remediation costs, and in the worst cases reputational damage, all because the people responsible for security never received adequate foundational knowledge.
The Costs That Are Never Considered
When budgets get set, training is often treated as an add-on instead of a source of value. Security tools are required, of course. People to run them are required, absolutely. But training? That can wait; we’ll revisit it next quarter.
Yet the reality is that forgoing proper training costs far more than completing it on time ever would. One major data breach costs more than most organizations ever spend on remedial measures, before counting intangible reputational losses. When a breach happens because someone made an error that decent training would have prevented, what was that training really worth?
Time and productivity losses mount when improperly trained people are put in positions where they must troubleshoot instead of implementing solutions from day one. Projects are delayed, implementations take longer, and people spend hours unwinding problems that a trained person would have solved in seconds. That loss is real even when it never appears as a budget line item.
There’s also turnover. Good security professionals want to work at places that give them opportunities for growth; if an organization chooses not to invest in that, they will leave for greener pastures, and replacing them costs far more than training them ever would.
Why Technology Alone Never Works
The security industrial complex is often accused of selling a technology solution for everything. A new threat emerges? There’s a tool for that. A new compliance requirement? Buy this application with the flashing lights. But none of it works if the people running it aren’t grounded in the security frameworks those tools are built around.
Imagine a hospital buying advanced medical equipment: if doctors and nurses don’t know how to operate it effectively and efficiently, it’s worthless to the patients it was bought for. The same holds for security tools. No matter how advanced they become, they won’t stop anything without people who understand the established principles behind them.
Business leaders often underestimate how complicated today’s digital environments are. Cloud services, remote work, and personal devices all present potential vulnerabilities that tools alone won’t address unless trained practitioners can get the most out of what those tools offer.
What Really Needs To Happen
Organizations need to stop treating training as an afterthought. It should be part of the plan whenever a new security application or framework is introduced, scoped both to the security need and to the team’s capabilities. That doesn’t mean a one-off vendor demonstration or a 60-minute webinar; it means effective training that builds real understanding and buy-in from day one.
That means understanding what knowledge gaps already exist within a team. What do they know? What do they need? Which frameworks and methodologies best suit this organization’s needs? These questions must be answered before anyone even starts clicking around a new platform.
Furthermore, training must be ongoing, not a one-time event. Tools get updated, new versions appear, practices improve across the industry, and new team members join. The team’s knowledge has to stay cohesive, because decisions made on day one may need to change by day two.
The investment pays off on multiple fronts: fewer incidents, because people know what they’re doing; faster responses when incidents do happen; and less wasted spending, because organizations stop buying new tools to replace ones that were never used properly.
Turnover drops too, because people value employers that give them opportunities to develop instead of letting them go.
The Bottom Line
Cybersecurity is as much a human problem as it is a technical one. The best tools in the world won’t protect an organization if the people using them don’t understand security frameworks and best practices. Every untrained person with access to security systems represents a potential vulnerability that adversaries can exploit.
Organizations that recognize this reality and invest properly in training their teams end up more secure and more resilient. Those that keep throwing technology at security problems while ignoring the human element keep dealing with the same issues repeatedly, wondering why their expensive security stack isn’t working as expected.
The answer is usually straightforward. The tools are fine. The people just need proper training to use them effectively.
