Why technical controls aren’t enough

By Sanny Liao, Co-Founder and Chief Product Officer, Fable Security

TL;DR

  • Even the best controls need human risk management.
  • There are three situations where this is especially true:
    • No technical controls exist.
    • Controls work but don’t land well.
    • Controls require human maintenance.
  • Human risk interventions pick up where automation leaves off.

The human risk management segment is experiencing a bit of a feeding frenzy at the moment, largely driven by AI innovations on both the threat and vendor sides. Mostly, that is: there are still some holdouts. Occasionally, we come across a security professional who tells us they’d rather implement technical controls than manage human risk.

To them I say, you do you. But hear me out: If you’re doing technical controls and are super confident, good on ya. But even if you do them perfectly and with pristine enforcement, you’d still need human risk management. Here are three situations where this is the case.

1. When no technical controls exist

Some risks simply can’t be locked down in software. Think about employees using their own devices (BYOD) that need critical security updates. Or adopting a password manager. Or uploading data to the non-corporate version of a generative AI application. In each of these cases, there may not be a clean technical enforcement. Your best option may be to reach employees directly, briefing them on why their behavior matters and how to take corrective action, and reinforcing with nudges to boost follow-through.

2. When controls work but don’t land well with employees

Even the best controls can feel opaque to employees. A SASE platform like Netskope might block an employee from uploading a file with sensitive data, and may even give them a clear error message. The control works, but from the employee’s perspective, their file didn’t get shared and they may still not be entirely sure why. This is a missed opportunity. A human risk intervention, such as a targeted briefing, can explain what happened, why it matters, and how to fix it. Done right, it not only reduces repeat violations but also builds trust in the security team as an enabler, not a blocker.

3. When controls require human maintenance

Finally, many technical controls are only as strong as the people who maintain them. Multi-factor authentication (MFA) is powerful, but it requires IT employees to enforce its adoption. The definition of “sensitive data” may evolve over time, and data owners need reminders to classify and secure it. And there are large volumes of repeated vulnerabilities, like secrets in code or exposed PII in data tools, that can’t be solved with a one-time fix. Developers and technical employees need targeted reminders to understand patterns and take corrective action. So, even when there are controls, it’s people who ensure they’re properly configured and working effectively.

The takeaway

Each of these scenarios highlights a central truth: technical controls are necessary, but not sufficient. They stop what can be automated, and human risk interventions pick up where automation leaves off: shaping habits, clarifying context, and ensuring that the controls you’ve invested in actually deliver their intended impact. If your program leans too heavily on technical enforcement, you’re leaving exposure on the table. The next step is to build a playbook of human risk interventions that complement your controls, starting with the highest-risk gaps. Done well, this doesn’t just reduce risk; it strengthens trust, turning moments of friction into moments of partnership between security and the workforce.
