A related issue is that users can often be reluctant to report a problem because they fear the consequences when they’ve taken an action that puts the company’s security at risk. Such delays in notification extend the time for malicious actors to cause serious damage. According to Verizon’s DBIR, it takes an average of 55 days for organizations to patch critical vulnerabilities, and that time can translate into serious losses, from costly ransomware attacks, to damage to the company’s reputation.

CISOs can address this issue by further fostering a culture where everyone recognizes the essential role they play in maintaining the security of the organization. Instead of contributing to a culture of fear by naming and shaming, CISOs can highlight people who have made smart security decisions and averted risks to serve as role models and turn events into learning experiences.

2. They prioritize convenience over security 

People are naturally inclined to find the fastest possible route at work, and that often translates into taking shortcuts that compromise security for the sake of convenience. Even tech employees are not immune when, for example, importing libraries from public repositories assuming these are safe, as they continue to be used to distribute malware and steal passwords.

To avoid these shortcuts that can threaten systems, CISOs can put automated MFA prompts in place to avoid risks due to compromised passwords and restrict access to services that could put data at risk, including generative AI or downloadable libraries of code. CISOs should provide a list of safe alternatives to free services that the company’s developers can refer to for downloadables that have been scanned and certified to be free of malware. 

3. They suffer from alert fatigue 

Humans tend to go into auto-pilot mode for repetitive tasks and tune out constant alerts, explains cybersecurity advisor Alexandre Blanc. Scammers exploit this by inserting their phishing attempts and other attacks into digital messages that match what employees see all the time. 

While it’s possible to put up alerts on those, a constant flow of notifications creates alert fatigue. Employees learn to tune out the alarms and can come to ignore warnings for a real threat.