LIVE from Gartner Security & Risk Summit: The Human Element Will Define the Next Era of Cyber Defense

The times they are a-changin'.
Emily Hill
Contributing Writer

For decades, cybersecurity leaders operated under a simple but limiting mantra: “Humans are the weakest link in cybersecurity.” This mindset fueled an approach heavily centered on technical controls, compliance training, and occasional user testing.

But times, and threats, are changing.

This week at the Gartner Security & Risk Management Summit, Will Candrick, Senior Director Analyst at Gartner, presented new research that urges cybersecurity leaders to fundamentally rethink their approach to human factors in cybersecurity.

“CISOs are much more open to rethinking how they approach human factors in cybersecurity,” Candrick explains. “The era of mandatory trainings and occasional phishing simulations is starting to expand into more proactive approaches to engage, teach and nudge employees toward safer habits.”

Surprising Findings That Challenge Assumptions

One of the report’s most refreshing elements is that it does not merely rehash the risks posed by human error; it highlights an emerging opportunity.

Candrick puts it directly: “Traditionally, cybersecurity professionals have viewed users as the weakest link. While human error will always occur, our research emphasizes that users are also an opportunity to boost cyber resilience. This is a new, and surprising, approach to a perennial cybersecurity challenge.”

This insight marks a big shift in mindset.

Rather than focusing only on preventing failure, security leaders are now exploring ways to actively engage employees in detecting and responding to threats, transforming them from liabilities into resilience drivers.

And the data supports this need for a new approach: 68% of breaches now involve a nonmalicious human element, whether it’s an employee clicking on a well-crafted phishing email, misconfiguring a SaaS solution, or inadvertently exposing sensitive information.

Importantly, the report urges leaders to embrace this reality, not by punishing mistakes, but by building organizational resilience.

After all, even the best technical controls are imperfect, and humans will occasionally err.

The question is: how quickly can the organization detect, absorb, and adapt when those errors occur?

A More Effective Way Forward

One of the most actionable insights from this research is its focus on rethinking training and engagement.

Static, compliance-based training, while still the default in many enterprises, often leaves employees feeling tricked, shamed, or disengaged:

  • “Why is cybersecurity trying to trick and shame us with phishing tests?”
  • “I take the same security compliance training every year. It disrupts my work!”

Instead, the report recommends adopting dynamic nudges and experiential learning, targeted interventions that meet employees in the moment and in the tools they already use, like Slack or Microsoft Teams.

For example:

  • Developers can be guided to enterprise-approved GenAI solutions rather than unvetted public tools.
  • Sales staff can receive real-time prompts about secure ways to share sensitive data.
  • Employees who may inadvertently create risk (such as sharing proprietary files) can be prompted to review and adjust permissions.

These tactics focus less on testing and penalizing employees, and more on helping them make safer choices, an approach that builds a stronger, more resilient security culture.

The Next 12–18 Months

While Candrick is encouraged by the shifting mindset, he is realistic about the challenges ahead.

“CISOs will continue to advance their thinking around human factors in cybersecurity. While this is positive, the real challenge is getting more CISOs to act on this thinking. Fewer than ten percent of large enterprises have adopted more advanced user engagement that goes beyond traditional security awareness. CISOs have an intention to improve, but many are still evaluating their options.”

In other words, a leadership gap remains.

Intent is growing, but sustained investment and execution are lagging.

The Gartner report offers a clear action plan to help close this gap:

  • Monday morning: Adopt a resilience mindset and shift how cybersecurity teams talk about employees.
  • Next 90 days: Develop new metrics that emphasize resilience behaviors, not just failure rates.
  • Next 12 months: Transition away from static compliance training toward dynamic, behavior-driven engagement.

The Wrap

The 2025 outlook for human factors in cybersecurity, as delivered in Will Candrick’s message to CISOs this week, is compelling:

  • Employees remain a source of cyber risk but also of immense untapped potential.
  • Dynamic engagement and culture-building are key.
  • CISOs must translate intent into action and begin creating resilience-first cybersecurity cultures.

As Candrick reminds us: “Users are also an opportunity to boost cyber resilience.” It’s time for leadership teams to seize that opportunity, and to elevate human factors to the strategic priority they deserve.
