In a recent webinar, Jon Burt, Head of Enterprise Architecture at Manchester City Council, and Rick Goud, Co-Founder and Chief Innovation Officer at Zivver, discussed what is meant by “right-sizing”, how it impacts the risks of data loss, and how to build a security-conscious culture across the entire organisation
As any security leader will be all too aware, safeguarding data can be something of a tightrope walk. It isn’t necessarily about having the “best” or most robust cybersecurity strategy in place; it’s about striking a balance between data protection, cost-effectiveness, usability, and discovering an approach to cybersecurity that works for your business. Overly strict security measures may frustrate users and disrupt workflows, while lax controls can lead to data leaks and regulatory breaches. By “right-sizing” their cybersecurity initiatives, businesses can dispel the frustrations and limiting aspects of day-to-day security and turn it into a business-supporting asset that enables and empowers their workforce instead of the holding them back.
Defining “Right-Sized” Security
Right-sized security involves creating a protective environment that respects the balance between stringent security measures and practical usability. Rick described this concept as finding the “sweet spot” where security measures are strong enough to protect sensitive information but not so rigid that they hinder productivity. He noted that overly secure systems can often be counterproductive, as users may circumvent complex or time-consuming protocols to complete their work. Instead, right-sized security encourages organisations to implement tailored protections that fit the context of each task, providing the appropriate level of security without burdening employees with unnecessary steps.
Jon echoed this view, adding that the most secure systems in the world are useless if no one wants to use them. He illustrated this with examples from the public sector, where high-stakes, complex tasks are a daily reality, and where security needs to be woven seamlessly into workflows. When security is right-sized, it becomes a natural part of the work process rather than an added layer of hassle. This approach reduces friction, makes compliance more achievable, and ensures that security isn’t sacrificed for the sake of convenience.
The Human Risk Factor
Human error remains one of the primary causes of data breaches, especially in environments where information frequently changes hands. Jon highlighted how, in sectors like local government, employees often manage sensitive data across departments and with external organisations, increasing the risk of accidental exposure. He explained that data leaks often happen due to simple mistakes, like sending an email to the wrong recipient or overlooking a security setting. In high-stakes settings, where rapid response is sometimes required, relying solely on users to make the correct security decisions can be a significant vulnerability.
Rick agreed, emphasising that a successful security strategy should account for human error as an unavoidable factor. He suggested that organisations need security measures that don’t overly depend on employees to make constant judgement calls about data sensitivity. Instead, security should be built in, with intelligent tools guiding users and handling most of the classification and protection tasks automatically. By reducing the opportunity for error, right-sized security helps mitigate risks without relying on employees to be cybersecurity experts in addition to their primary roles.
Making Security Usable for Everyone
One of the core principles of right-sized security is ensuring that protection measures are accessible and intuitive for all employees, not just those with technical expertise. Rick emphasised that security tools should be seamlessly integrated into the applications employees already use, reducing the need for disruptive, standalone solutions. When security is built into everyday workflows, it becomes a natural part of the work process, encouraging consistent use without adding extra steps. Rick explained that user-friendly tools make it easier for employees to follow security protocols, lowering the risk of data breaches caused by frustration or oversight.
Jon added that overly complex, IT-centric solutions often backfire by alienating the very people they’re meant to protect. He stressed the importance of designing security measures that align with employees’ daily routines, allowing them to work efficiently while staying secure. In his view, involving employees in the selection and implementation of new tools can also help them feel more engaged and responsible for maintaining data protection. By focusing on usability, organisations can create a security environment where compliance feels like a natural extension of work, rather than a burdensome requirement.
Leveraging Intelligent Technology for Decision Support
Intelligent technology, particularly AI-driven decision support, is transforming how organisations manage data security without overburdening employees. Rick explained that AI can take on much of the classification and protection process, offering real-time guidance that assists employees in making secure choices. By automatically identifying sensitive information and suggesting appropriate security measures, AI reduces the pressure on employees to remember complex security protocols. This approach allows security to be proactive, with technology acting as a “safety net” that minimises errors while ensuring compliance.
Jon agreed, noting that decision support tools make security a shared responsibility without overwhelming employees with technical demands. He highlighted that, for many public sector employees, managing security settings isn’t part of their core skill set, so providing intuitive, automated assistance can be invaluable. AI-driven decision support tools ensure that employees receive contextual guidance as they work, making it easier to follow best practices. This enables organisations to implement right-sized security that empowers users, reduces risk, and reinforces a strong security culture throughout the workplace.
Building a Security-Conscious Culture
For right-sized security to be effective, cybersecurity must be a shared responsibility that permeates the entire organisation. Jon stressed that security cannot be siloed as an IT issue; it needs to be a collective commitment that involves every department and individual. He pointed out that building a security-conscious culture starts with raising awareness and helping employees understand their role in protecting sensitive information. Regular training sessions and open discussions about security risks can keep cybersecurity top of mind, fostering a proactive attitude towards data protection.
Rick added that empowering employees to take ownership of security in their daily tasks requires more than just training; it requires a supportive environment. When employees see that leadership values data protection and invests in practical, user-friendly tools, they’re more likely to view security as integral to their work. This shift helps to eliminate the perception of security as an obstacle, instead positioning it as a vital, collaborative effort that supports everyone’s roles. By embedding right-sized security into the organisational culture, companies can enhance their defences in a way that feels natural and sustainable for employees across all levels.
Readers can watch the webinar in full here.