{"id":211024,"date":"2026-05-08T13:38:00","date_gmt":"2026-05-08T17:38:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/08\/you-can-buy-better-tools-but-that-alone-wont-get-you-to-perfect-cyber-security\/"},"modified":"2026-05-08T13:50:08","modified_gmt":"2026-05-08T17:50:08","slug":"you-can-buy-better-tools-but-that-alone-wont-get-you-to-perfect-cyber-security","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/08\/you-can-buy-better-tools-but-that-alone-wont-get-you-to-perfect-cyber-security\/","title":{"rendered":"You can buy better tools, but that alone won\u2019t get you to perfect cyber security"},"content":{"rendered":"<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/05\/you-can-buy-better-tools-but-that-alone-wont-get-you-to-perfect-cyber-security\/\">You can buy better tools, but that alone won\u2019t get you to perfect cyber security<\/a><\/p>\n<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/05\/you-can-buy-better-tools-but-that-alone-wont-get-you-to-perfect-cyber-security\/\">https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/05\/you-can-buy-better-tools-but-that-alone-wont-get-you-to-perfect-cyber-security\/<\/a><\/p>\n<p>Publish Date: 2026-05-08 13:38:00<\/p>\n<p>Source Domain: federalnewsnetwork.com<\/p>\n<p>Terry Gerton Cybersecurity is a big topic for us. We talk about it a lot. Our audience is really interested in it. We talk about typically cybersecurity tools, training, rules and regulations. And at the same time, though, we\u2019re noticing that phishing and social engineering attacks are getting more sophisticated every year. Breaches continue to happen at every level of government. 
From your perspective there at Fors Marsh, what explains the gap between investment in technology for cybersecurity and outcomes?<br \/>\nNicole Togno So I see this as, I think to answer honestly, I think perhaps we\u2019ve been solving for the wrong problem. So agencies invest a lot in the tools and those tools are really good at managing systems. I think perhaps what they haven\u2019t invested as much in is understanding the people operating inside those systems, right? People are complicated. We\u2019re all very complicated beings, right. We are busy. We act under pressure more and more, right, as our work advances and technology infuses the way in which we work. And so we are called upon to make, you know, a zillion judgment calls throughout the course of a day. And attackers understand that, right? Phishing, really prominent, works not just because someone\u2019s careless or they lack the competence. Those things work because it\u2019s designed to exploit how humans actually process information, especially when they\u2019re under stress. So when I look at why these kinds of breaches still happen, and I don\u2019t see necessarily the technology gap, right? I\u2019m coming at it from a different angle. I see how the gap really is an understanding, is in the way in which we understand human behavior.<\/p>\n<p>Terry Gerton What I hear you say is that no matter how much we invest, we\u2019re never going to have a fail-safe technical solution to cybersecurity, that it\u2019s a behavioral challenge. What does that mean for government leaders in a practical sense, when they\u2019re thinking about their cyber risks?<br \/>\nNicole Togno Practically speaking, it means that people are going to be people, right? It means that, you know, I want to come at this from perhaps a different question. So I think a lot of technologists, right, come into this space by asking the question of, what do people need to know? Right. 
You know, I think from a behavioral lens to come at it from perhaps different set of questions, what shapes how people behave and what drives action, right, those are two very different kinds of questions. So there\u2019s a framework I like to use. It\u2019s really helpful. It\u2019s very simple. COM-B, it\u2019s very well known in behavioral science. It stands for Capability, Opportunity, Motivation and Behavior. Basic idea is just that behavior is not just a function of what we know. It\u2019s not just knowledge. It\u2019s very complicated. So it\u2019s, behavior is rarely a logical endeavor, right, most of the time. So behavior is really a function of whether the environment that we\u2019re creating makes the behavior easy or hard and whether people are genuinely motivated to do it. So when I look at a security problem, I\u2019m not a technologist, right? I\u2019m, I\u2019m just asking, did the people complete the technology training, right, so that they know now what it is that they need to know. They have the knowledge. I\u2019m asking, like, does this environment set people up to make secure choices? Do they trust the system enough to engage with it honestly? Right? Those questions don\u2019t necessarily come naturally to technologists, and that\u2019s by no means a criticism. It\u2019s just a different discipline. And that\u2019s why I think behavioral science is this like additive lens to bring to the table.<br \/>\nTerry Gerton That\u2019s a really interesting perspective. And I\u2019m sitting here thinking about the last cyber training I clicked through about recognizing a phishing email and not clicking on it and those kinds of things. Sounds to me like you\u2019re saying that\u2019s not enough.<br \/>\nNicole Togno It\u2019s not enough, yeah. So I think most of us have sat through those kinds of trainings where we click through, it\u2019s a compliance exercise, right? 
And also you get the knowledge, okay, but knowing and doing are two very different things. And I think we\u2019ve known this for a long time in behavioral science, right. There\u2019s decades and gobs of research showing that information alone \u2014 gobs by the way is an empirical term \u2014 rarely changes behavior, right. Security programs are still largely built on an assumption that if you tell people what the risks are, they\u2019re going to act logically, they\u2019re going to behave accordingly, they are going to be responsible. But that\u2019s just not how people work, right? If I\u2019m rushing to meet a deadline and I get a login prompt that asks me to go through three, four, five additional steps, right, I want to find a workaround, not because I don\u2019t care about security, but because in that moment, my brain is optimizing for getting my work done. Like we are very good doers in this society now, like the systems we all operate within have prompted us to work smarter, more efficiently and faster. And that need for efficiency or that drive to optimize, it\u2019s not a character flaw, it\u2019s just the way cognition works. So when training is your entire strategy, what you\u2019re really doing, I think, is putting the burden of security on the individual and then blaming them when something goes wrong. And it feels both ineffective and a little bit unfair.<br \/>\nTerry Gerton I\u2019m speaking with Nicole Togno. She\u2019s senior director for civilian experience and policy research at Fors Marsh. Nicole, let\u2019s just be real for a minute. Most of our cybersecurity folks are technologists. They\u2019re not behavioral scientists. They\u2019re trained to set up the kind of environment that you\u2019re describing. What should they be thinking about as they look at their cybersecurity risk? What are some quick steps they could take?<br \/>\nNicole Togno Yeah, that\u2019s great. 
So I think it starts with seeing your employees as your partners in the security process rather than assets or risks to be managed, right? It sounds pretty simple, but it\u2019s actually a pretty significant shift in how I think most security programs are designed, as you said, by technologists. Right? In practice, I think it means a couple of things. I think it means looking to understand the actual ways in which people are navigating day to day through these systems, where their pressure points may be, where they\u2019re trying to work around something because they don\u2019t necessarily have a better option. It means for technologists creating and leaders creating the kinds of channels where people feel safe to report mistakes without fear of punishment. You know, right now, I think a lot of agencies and just general workplaces, if someone clicks a bad link, their instinct is to hope nobody notices, right? There\u2019s a cultural problem there, really. It\u2019s a real security consequence that comes from that. But that really means that we need to build more trust. A trust with leaders, trust with our employees, trust all around. And that\u2019s not like a soft thing, squishy trust. It\u2019s really in this context, I think, an actual security asset that technologists and leaders should be building into the system.<br \/>\nTerry Gerton I feel like what you\u2019re describing, if I was a CISO, would be swimming upstream. That is not the easy path to take. The easy path is to buy cybersecurity tools or put more checklists in place. And, say that I\u2019ve built the system that is going to address my cyber risk, how do you empower the decision-makers to actually change their approach to this?<\/p>\n<p>Nicole Togno I think it\u2019s a mindset shift first and foremost, right? It\u2019s moving from seeing security as something that you impose upon people to something that you build with them, being empowered to build it with them. 
And agencies, they may often miss that the people inside the organization are one of their greatest sources of intelligence about where real vulnerabilities are. And so empowering technologists to engage with employees to know where the workarounds may be, to understand which processes might be so cumbersome that nobody\u2019s really following them, although no one\u2019s really saying that out loud. So I think, you know, a lot of security programs aren\u2019t designed to surface that knowledge, right? They\u2019re designed to push that information down. So there\u2019s an enormous amount of insight just sitting there that\u2019s untapped, waiting for technologists and leaders and CISOs to come in and gobble up, right? It\u2019s gold for them to be able to understand, not just how do we get people to comply, but really start asking, how are the people telling us, what are they telling us about how this system is actually working? Right, it\u2019s a different kind of conversation. And so it\u2019s that mindset shift to get them new data, new interesting insights that they wouldn\u2019t get just from doing an internal penetration test for their technology assets.<br \/>\nTerry Gerton If you are a federal CIO or a CISO and you\u2019re saying, that sounds like something I\u2019d really like to try, but I have no idea where to start. How can they begin to build an environment, a structure, a culture that seeks that employee feedback?<br \/>\nNicole Togno I would say the simplest thing to do is talk to people and not, it doesn\u2019t have to be formal. It doesn\u2019t need to be a town hall. It doesn\u2019t need to be a formalized survey. Just sitting down with a handful of employees across different roles and ask them two questions. Where does security get in the way of your work and what do you do when that happens? And then just listen. Don\u2019t defend the program. Don\u2019t explain the policy. Just listen. And what you might hear may be uncomfortable. 
You may find out about things people are doing that you didn\u2019t know existed, about processes that folks stopped following ages ago, moments where doing the secure thing felt hard, too hard maybe. And that information, right, that\u2019s that golden insight, right? It tells you exactly where your program is breaking down in the real world beyond that kind of pressure testing that your technology experts are doing to make sure that the system works. But in the actual daily experiences of the people that you\u2019re counting on to keep the agency secure, so that\u2019s where I\u2019d start. Simple, talk to people. Because you can\u2019t design for human behavior if you don\u2019t understand the actual humans using it.<br \/>\nTerry Gerton Once you get that kind of feedback, what\u2019s the next step?<br \/>\nNicole Togno It\u2019s a great question. So I think the next step, once you get that feedback, is you put it into the hands of your technologist team and you show them the evidence of, you\u2019ve designed this really elegant and beautiful system with which we are rock solid to this point. But to get to the next point, you need to engage the people. And so providing them the insights to make better decisions on, you didn\u2019t know this workaround was happening. Now you do, what are we going to do about it? And so taking those kind of quick steps to gather the insight and then make them actionable. And it can be one step at a time. It doesn\u2019t need to be a full overhaul. It doesn\u2019t need to be a system redesign. It\u2019s simply taking these qualitative insights from the people that you have in your organizations using your tools and systems every day and then making small adjustments and tweaks along the way.<br \/>\nCopyright \u00a9 2026 Federal News Network. All rights reserved. 
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You can buy better tools, but that alone won\u2019t get you to perfect cyber security&#8230;<\/p>\n","protected":false},"author":1,"featured_media":211025,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2025\/01\/GettyImages-1194430863-e1738183721865.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,25],"class_list":["post-211024","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-phishing"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/211024"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=211024"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/211024\/revisions"}],"predecessor-version":[{"id":211027,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/211024\/revisions\/211027"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/211025"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=211024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=211024"},{
"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=211024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}