Cyber resilience in 2026: designing security for real-world behaviour

12 February 2026

Simon Seymour-Perry, CEO of Logica Security

One of the most persistent misconceptions in cyber security is the belief that human risk is primarily a people problem. In reality, it is a design problem and increasingly, boards, regulators, and threat actors alike recognise it as such.

Breach research consistently finds that the majority of cyber incidents involve a human element, whether a mistake, a misjudged click, or a misused credential. Yet most organisations continue to respond by increasing training, tightening policies, and adding layers of control. Despite decades of investment, why are incident levels still so stubbornly high?

The explanation is uncomfortable but clear: many security failures occur not because people are careless, but because the environments in which they operate are misaligned with how work actually gets done.

When security slows execution, interrupts workflow, or makes the secure path harder than the alternative, behaviour adapts predictably. Shortcuts emerge. Informal practices normalise. Controls are bypassed — sometimes unintentionally, sometimes deliberately.

Resilience rarely collapses suddenly. It erodes. And when it does, the consequences are operational as much as technical: disrupted services, financial loss, regulatory scrutiny, and damaged trust.

Forward-looking organisations are recognising a critical truth: security that works in theory but fails in practice is not resilience; it is exposure.

By designing controls around real workflows, decision points, and incentives, these organisations reduce risk while simultaneously improving operational performance. Well-aligned security minimises disruption, supports productivity, protects revenue, and strengthens confidence in the organisation’s ability to operate under stress. Security, in this model, becomes not just protective but economically enabling.

Security as friction is a structural risk

Across industries, a familiar pattern persists. Complex password composition rules drive written-down passwords and credential reuse. Authentication steps that interrupt workflow continuity encourage shortcuts such as shared logins and sessions left open. Approval chains designed to control access instead teach employees how to route around them when urgency rises. On paper, these environments appear controlled. In reality, they are fragile.

The gap between documented control and operational behaviour creates the conditions for both unintended error and deliberate misuse.

The issue is not awareness alone. Most professionals understand what is expected of them. The deeper problem is structural: security is too often experienced as friction — competing with productivity, service continuity, and commercial outcomes.

Faced with this tension, people respond rationally. They prioritise delivery. Over time, workarounds become embedded in the operating model. Vulnerabilities accumulate quietly until they surface as incidents.

Poorly aligned security therefore creates a dual cost. Not only does it elevate cyber risk, but it also suppresses operational efficiency.

Organisations that redesign controls so the secure path is also the easiest path achieve something strategically powerful: they reduce exposure while improving execution. Security stops being organisational drag and starts enabling performance.

Accountability has changed the conversation

The shift underway is not driven solely by attackers. It is being accelerated by regulators. Supervisory expectations have moved beyond demonstrating that controls exist. Increasingly, regulators are asking a far more demanding question: Can the organisation continue to operate securely when conditions are no longer normal?

On the frontline, this includes scenarios where:

  • Operational pressure intensifies
  • Decision velocity increases
  • Systems degrade
  • Suppliers fail
  • Human error rises
  • Malicious behaviour is attempted

This question reaches far beyond cyber tooling. It interrogates how organisations behave under stress and whether important business services remain within their impact tolerances when disruption occurs.

For boards, this marks a governance inflection point. Cyber resilience is no longer a technical matter that can be delegated downward. It is now directly tied to operational continuity, financial stability, regulatory confidence, and enterprise value.

Leading organisations understand that resilience is not merely defensive; it is commercially material and is becoming a performance characteristic. Those that design security to function in real conditions experience fewer operational disruptions, lower incident costs, faster recovery, stronger execution under pressure and, ultimately, greater stakeholder confidence.