Suneth Mendis


Reframing Cyber awareness as Digital Safety

Feb 26, 2026

Cybersecurity is often misunderstood as a technology problem. Firewalls, EDR, SIEM, zero trust, AI-driven detection. All important. All necessary. But at its core, cybersecurity is about managing risk.

It is no different to insuring your home or your car. You don’t buy insurance because you expect your house to burn down tomorrow. You buy it because the impact of that unlikely event would be catastrophic. You accept that risk exists, and you manage it in a structured, sensible way.

Cyber risk works the same way. We invest in controls not because we expect to be breached every day, but because the downside of getting it wrong is existential.

And yet, one of the biggest risks in any organisation does not sit in the data centre. It sits behind a keyboard.

Phishing remains the most reliable entry point for attackers. Whether the lure is a fake invoice, a credential harvest, a business email compromise attempt, or a well-crafted impersonation, the common factor is human behaviour. A single click can bypass millions of dollars’ worth of technical controls.

That is why awareness matters. Not as a compliance tick-box. Not as a once-a-year eLearning module everyone rushes through. But as a core risk treatment strategy.

For a CISO, user behaviour is not a “soft” issue. It is a material risk variable. If you can reduce click rates, improve reporting speed, and normalise healthy scepticism, you have materially reduced organisational risk. The return on that investment is often higher than yet another security tool.

But there is an important balance. Just as you would not turn your home into a bunker because you bought insurance, you cannot turn your organisation into a culture of fear. Overloading people with constant warnings, aggressive phishing simulations, and alarmist messaging can backfire. Fatigue sets in. Cynicism creeps in. Engagement drops.

This is where reframing becomes powerful.

“Cyber awareness” sounds technical. It sounds like something IT runs for other people. It feels abstract and corporate.

“Digital safety” is different. It is personal. It connects to how people bank, shop, help their kids with homework, and use social media. It recognises that the same habits protecting the company also protect the individual.

When employees see that spotting a phishing email at work is the same skill that protects their family at home, the message lands differently. It becomes practical. Relevant. Human.

Managing cyber risk is not about eliminating every threat. That is impossible. It is about building layered resilience: technology, process, and people working together.

Insurance for your home. Insurance for your car. And in the digital world, insurance through sensible controls and digitally safe behaviours.

For any CISO thinking about priorities, the question is simple: are we just buying more locks, or are we helping people understand why the doors matter?

© 2026 Suneth Mendis. All Rights Reserved.