Cybersecurity is Everyone’s Job

Cybersecurity is Everyone’s Job

The most effective factor in combatting cybercrime is an informed and alert employee. And that includes every employee in the company.

I learned that by talking to CISOs while conducting a research study to determine the tools and processes they use to thwart ransomware and other cyber-attacks.

On behalf of a tech company, Futurum Research conducted this study to understand:

  • How CISOs from large organizations (more than 1,000 employees) are approaching the issue of protecting their companies’ data from cyber criminals and enabling sufficient recovery after an attack
  • How the ransomware threat has changed security and data protection practices
  • What tools and processes CISOs are using now, which areas need improvement, and what they feel they are not getting from their current products
  • How budgets and security teams are growing to meet the increase in cyber threats

We surveyed 163 security executives and conducted a dozen in-depth interviews with CISOs. We promised the interview subjects anonymity to ensure they could speak freely.

The CISOs we talked to emphasized they need help – both externally and internally – to secure their organizations. That includes getting IT teams to work closely with security teams, and outsourcing processes to large providers with expertise that could not be found in-house. But it also means getting every employee in their company involved and educated on all potential threats.

“The easiest way for a hacker to get in is to exploit a human vulnerability,” said a senior information security executive at a pet supplies company. “Most attacks come through phishing. It’s the human factor that we have to worry about. Someone has to click on the phishing link [for an attack to be successful]. If you can prevent that, then most likely you’re going to prevent someone from getting inside and causing havoc in your network.”

A bank Information Security Officer said he holds security awareness training sessions with all non-security staff.

“As I train staff, I tell them ‘You are the first line of defense,’” he said. “We train users to report suspicious events. If something weird is going on, we ask them to report it. So, it’s a combination of detection, monitor controls and ongoing user awareness.”

An oil company CIO with CISO responsibilities said he makes security training an ongoing process throughout the company. He circulates weekly security videos created by an outside firm to the entire organization. He also distributes quizzes every week, and gives an award to the employee who gets the highest score.

“Employees have become a lot more aware of how to spot an issue, which is important because most attacks start with some kind of access to an account,” he said. “We brought the same rigors we have for physical security to the cybersecurity side. The KPI on the physical side is Lost Time to Injury (LTI). I created a zero Cyber Incident as a KPI. And we track how many months we have zero cyber-incident. And lots of people are now spotting these kinds of issues and sending emails [to the security team].”

A former CISO for a Fortune 500 company and current cybersecurity consultant said cybersecurity awareness should be mandatory for all employees.
“You’ve got to hold them accountable upfront where they understand that there are certain policies that they have to follow,” he said. “Otherwise, we cannot protect the company. That’s a real conversation that continues to happen.”

Budget, Staffing Can Limit Security Efforts

Our survey identified the two main obstacles for managing cyber recovery as financial-related: the high cost of solutions (37%) and limited budget (36%). The former CISO-turned-consultant said another limiting factor for security professionals is, there are too few of them.

“There may be an expectation that every company has a good security incident response team and plan, and that’s the fallacy,” he said. “I know CISOs who are the only security practitioner in the company.”

We found in interviews that it is common for large organizations to outsource security expertise, particularly through Security Operations Centers including monitoring for Security Information and Event Management (SIEM) systems, and Managed Detection Response (MDR) services. Several executives said they also use services for scanning and monitoring data and other functions instead of trying to find in-house expertise.

CISOs also see the public clouds as offering complementary services to a wide range of on-premises tools. When asked which vendors’ products/services they use to address cybersecurity needs, the three major hyperscalers ranked in the top five. Microsoft Azure (39%) and AWS (30%) were the top two, followed by IBM, Cisco, and Google. Others mentioned by at least 10% of respondents were VMware, Dell, Palo Alto Networks, and CrowdStrike. Interviews revealed that executives see the public clouds as complementary services to a wide range of on-premises tools.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.

Other insights from The Futurum Group:

NetApp BlueXP Boosts Cyber-Resiliency Capabilities

Cyber Detection and recover Drive Commvault’s Portfolio Strategy

Decentralized Storage in the Battle Against Ransomware

Author Information

Dave focuses on the rapidly evolving integrated infrastructure and cloud storage markets.

Related Insights
Selling Agent Provenance to the CIO: Entire Changes Who Signs
July 14, 2026

Selling Agent Provenance to the CIO: Entire Changes Who Signs

Futurum stakes a position on Entire's distributed Git launch: agent provenance is the control point, the mirror network is the wedge, and the decision moves to the CIO. The analysis...
SAP's Flexible Support Overhaul Raises the Stakes for Enterprise Software Loyalty
July 10, 2026

SAP’s Flexible Support Overhaul Raises the Stakes for Enterprise Software Loyalty

Keith Kirkpatrick, Vice President & Research Director, Enterprise Software & Di at Futurum, SAP's flexible support model and customer-centric approach help compete for enterprise loyalty as 74% of enterprises consider...
Can Anthropic's GRAM 'Off Switch' Make Dual-Use AI Safer Without Killing Utility?
July 10, 2026

Can Anthropic’s GRAM ‘Off Switch’ Make Dual-Use AI Safer Without Killing Utility?

Anthropic and AE Studio introduced GRAM, enabling selective removal of sensitive AI capabilities without retraining, potentially addressing privacy and security concerns for organizations adopting generative AI....
Zoom's Platform-Agnostic AI Receptionist Reshapes Telephony Competition
July 10, 2026

Zoom’s Platform-Agnostic AI Receptionist Reshapes Telephony Competition

Keith Kirkpatrick, Vice President & Research Director, Enterprise Software & Di at Futurum, Zoom's Virtual Agent Receptionist disrupts legacy phone systems and accelerates enterprise adoption of GenAI-powered customer service solutions....
Exprivia Bets Big on Banking Security: Can Partnership Drive Real Innovation?
July 10, 2026

Exprivia Bets Big on Banking Security: Can Partnership Drive Real Innovation?

Exprivia announced partnership with ABI's WeSec summit as Main Partner, aligning with surging demand for cybersecurity and AI solutions across Italian banking. The move positions the company to capitalize on...
Kore.ai and Atos Bet on Sovereign Agentic AI, Will UK Enterprises Demand Proof, Not Promises?
July 8, 2026

Kore.ai and Atos Bet on Sovereign Agentic AI, Will UK Enterprises Demand Proof, Not Promises?

Kore.ai and Atos announce a strategic partnership to deliver Sovereign AI solutions to UK organizations, addressing data residency and compliance requirements in the rapidly expanding $181B AI platforms market....

Book a Demo

Welcome

The vision behind everything in Futurum’s Custom Research practice is this: research should show you what is happening, what comes next, and what to do about it. It should be personal to each audience, easy for people to grasp, and structured so LLMs can reason over it accurately. And it should be fast and turnkey; you want answers now, not another project to carry for quarters.

Whether you are defining business, channel, or go-to-market strategy; evaluating vendors or justifying ROI; or commissioning research to fill an emerging market need, we have your back, with a program that answers your questions with the objectivity and credibility to drive real decisions.

To do it, we bring unmatched data to bear: Futurum research, surveys, and market projections; validated market feeds; ETR’s 15 years of insight from 10,000 technology decision-makers; G2’s buyer and user data; and what our analysts hear every day. Add leading primary collection, from AI-moderated voice interviews to surveys and analyst-led interviews, all turnkey, and every project comes out credible, nuanced, and actionable.

And we don’t just drop the results in your lap. For internal work, we provide analyst-led sessions, interactive dashboards, and a range of formats. For market-facing work, Futurum delivers turnkey activation and amplification that actually gets seen, by people and by LLMs, through our media and share of voice. This is research that moves decisions and markets.

We will meet you wherever you are, from a fast-turn brief to a multi-year program, and shape the work to your goals, timeline, and budget. The right program for your moment.

If any of this is useful, I would love to talk.

Benjamin Brown, VP Custom Research, Futurum Research

Benjamin Brown

VP, Custom Research · The Futurum Group

Newsletter Sign-up Form

Get important insights straight to your inbox, receive first looks at eBooks, exclusive event invitations, custom content, and more. We promise not to spam you or sell your name to anyone. You can always unsubscribe at any time.

All fields are required






Thank you, we received your request, a member of our team will be in contact with you.