Leaders Agree that Cybersecurity is About People
Endpoint users will always be the weak link in cybersecurity. How do we mitigate the risk?

No matter how robust your cybersecurity controls are, one user incident could compromise your entire network. This dire warning — and more importantly, the solutions to it — was a running theme among cybersecurity leaders this week.
“When it comes down to protecting our systems and information,” said Federal Chief Information Security Officer Grant Schneider at the Billington Cybersecurity Summit Wednesday, “it really is about the people.”
Schneider explained that his three main priorities for his office are risk management, workforce and training, and compliance and federal regulation. Two of those, he said, require federal agencies to focus on its people from strategic planning to implementation.
The call was not for security professionals to rethink their vulnerabilities, but instead for everyone in every organization, from C-suite to contractor, to recognize their risk and train personnel on how to recognize and avoid threats.
“If you are using a phone, if you are using a computer, you are a cyber operator,” said Gregory Touhill, former federal chief information security officer who served in the role in 2016, “you are a target.”
In one breakout session, international cybersecurity experts and leads from top cybersecurity firms simulated a ransomware attack on an app developer and cosmetics company. Rather than discuss the decision-making process for the company’s incident response team, the participants played the role of the C-suite, asking the questions executive leadership ought to if found in the same situation, ranging from, “How long would it take to recover our system from backups?” to “Do we have a company bitcoin account if we decide to pay the ransom?”
As the participants chose not to pay even as the number of compromised systems and ransom demands grew, the scenario — modeled after a real attack, down to the amount of bitcoin the attacker demanded — eventually affected distributors and customers, and both law enforcement and regulatory authorities became involved.
Moreover, the incident required input from stakeholders not typically associated with cybersecurity, including the chief financial officer and marketing and public relations teams. In the end, though, even those stakeholders could not effectively mitigate the damage from a ransomware attack.
“The key takeaway is ‘protection up front,’” said Juliana Vida, chief technical advisor for Splunk who served as one of the participants. She advised that every agency needs to have a plan in place and act upon it to protect their systems ahead of ransomware, including a risk calculation put in terms that everyone in the company understands.
“If I tell you there’s a 100% chance your phone is going to be compromised,” Vida said in a subsequent interview, “that doesn’t mean something in the same way it would if I told you there was a 100% chance a tree was going to fall on your house.”
Educating everyone about security is especially important as paradigms surrounding cybersecurity shift. Traditionally, experts thought of a strong perimeter as the most important way to defend critical networks and systems.
“I think everyone has had this false sense of security about the perimeter,” said Sylvia Burns, deputy CIO for enterprise strategy at FDIC. “If you have one phishing attack, your entire network is compromised.”
Instead, cybersecurity experts have realigned their emphasis toward a zero-trust philosophy and continuous detection and monitoring to ensure that cybersecurity teams know who and what is on the network at all times. In the end, though, it comes back to the people.
“We’re trying to build systems that are more cognizant about how people operate,” said John Zangardi, chief information officer at the Department of Homeland Security. This effort has included “training days” for all staff at DHS, the first of which focused on teaching employees about cloud migration and related concepts and terms. The next training session will focus on “Cybersecurity 101,” and the final one will be just for IT and cybersecurity employees to ensure they’re up to date on the newest threats and ways to mitigate their impact as well as check to see that all staff’s credentials and certifications are up to date.
This is a carousel with manually rotating slides. Use Next and Previous buttons to navigate or jump to a slide with the slide dots
-
DOD Turns to Skills-Based Hiring to Build Next-Gen Cyber Workforce
Mark Gorak discusses DOD’s efforts to build a diverse cyber workforce, including skills-based hiring and partnerships with over 480 schools.
20m listen -
Trump Executive Order Boosts HBCUs Role in Building Federal Tech Workforce
The executive order empowers HBCUs to develop tech talent pipelines and expand access to federal workforce opportunities.
3m read -
DOD Can No Longer Assume Superiority in Digital Warfare, Officials Warn
The DOD must make concerted efforts to address cyber vulnerabilities to maintain the tactical edge, military leaders said at HammerCon 2025.
4m read -
Tracking CIOs in Trump's Second Term
Stay informed on the latest shifts in federal technology leadership as new CIOs are appointed and President Trump's second term takes shape.
6m read -
Inside Oak Ridge National Lab’s Pioneer Approach to AI
Energy Department’s Oak Ridge National Lab transforms AI vulnerabilities into strategic opportunities for national defense.
22m listen -
DOL Turns to Workforce Development to Maintain AI Superiority
DOL is bridging the AI skills gap through partnerships and upskilling to ensure future AI workforce readiness.
10m watch -
Trump’s Executive Order Spurs Federal Push for AI Literacy
Agencies are ramping up AI literacy efforts across the federal workforce and education systems after Trump's executive order on AI education.
5m read -
White House AI Czar Outlines Industry's Role in Global AI Race
White House AI Czar David Sacks detailed the Trump administration's AI priorities and industry's role in growing the nation's AI economy.
3m read -
AWS Summit: Innovation Accelerates IT Delivery at DOD
Marine Corps Community Services is tackling outdated IT processes with agile development and cutting-edge cloud security to deliver mission-critical capabilities faster.
12m watch -
CIA's Future Relies on Human-AI Collaboration, CAIO Says
From data triage to agentic AI, Lakshmi Raman details how human expertise remains paramount for national security applications.
3m read -
AWS Summit: NIST Secures High-Performance Computing Against Evolving Threats
NIST’s Yang Guo reveals the broad attack surface of high-performance computing and explains developing guidance and future-proofing security strategies.
9m watch -
Trump Overhauls Federal Cybersecurity with New Executive Order
The new directive aims to strengthen digital defenses while rolling back "burdensome" software requirements and refocusing AI security.
3m read