How “Right-Sizing” Cybersecurity Initiatives Can Prevent Data Loss

In a recent webinar, Jon Burt, Head of Enterprise Architecture at Manchester City Council, and Rick Goud, Co-Founder and Chief Innovation Officer at Zivver, discussed what is meant by “right-sizing”, how it impacts the risks of data loss, and how to build a security-conscious culture across the entire organisation.


As any security leader will be all too aware, safeguarding data can be something of a tightrope walk. It isn’t necessarily about having the “best” or most robust cybersecurity strategy in place; it’s about striking a balance between data protection, cost-effectiveness, usability, and discovering an approach to cybersecurity that works for your business.

Overly strict security measures may frustrate users and disrupt workflows, while lax controls can lead to data leaks and regulatory breaches.

By “right-sizing” their cybersecurity initiatives, businesses can dispel the frustrations and limiting aspects of day-to-day security and turn it into a business-supporting asset that enables and empowers their workforce instead of the holding them back. 

Defining “Right-Sized” Security
Right-sized security involves creating a protective environment that respects the balance between stringent security measures and practical usability. Rick described this concept as finding the “sweet spot” where security measures are strong enough to protect sensitive information but not so rigid that they hinder productivity. He noted that overly secure systems can often be counterproductive, as users may circumvent complex or time-consuming protocols to complete their work. Instead, right-sized security encourages organisations to implement tailored protections that fit the context of each task, providing the appropriate level of security without burdening employees with unnecessary steps.

Jon echoed this view, adding that the most secure systems in the world are useless if no one wants to use them. He illustrated this with examples from the public sector, where high-stakes, complex tasks are a daily reality, and where security needs to be woven seamlessly into workflows. When security is right-sized, it becomes a natural part of the work process rather than an added layer of hassle. This approach reduces friction, makes compliance more achievable, and ensures that security isn’t sacrificed for the sake of convenience.

The Human Risk Factor
Human error remains one of the primary causes of data breaches, especially in environments where information frequently changes hands. Jon highlighted how, in sectors like local government, employees often manage sensitive data across departments and with external organisations, increasing the risk of accidental exposure. He explained that data leaks often happen due to simple mistakes, like sending an email to the wrong recipient or overlooking a security setting. In high-stakes settings, where rapid response is sometimes required, relying solely on users to make the correct security decisions can be a significant vulnerability. 

Rick agreed, emphasising that a successful security strategy should account for human error as an unavoidable factor. He suggested that organisations need security measures that don’t overly depend on employees to make constant judgement calls about data sensitivity. Instead, security should be built in, with intelligent tools guiding users and handling most of the classification and protection tasks automatically.

By reducing the opportunity for error, right-sized security helps mitigate risks without relying on employees to be cybersecurity experts in addition to their primary roles.

Making Security Usable for Everyone
One of the core principles of right-sized security is ensuring that protection measures are accessible and intuitive for all employees, not just those with technical expertise. Rick emphasised that security tools should be seamlessly integrated into the applications employees already use, reducing the need for disruptive, standalone solutions. When security is built into everyday workflows, it becomes a natural part of the work process, encouraging consistent use without adding extra steps. Rick explained that user-friendly tools make it easier for employees to follow security protocols, lowering the risk of data breaches caused by frustration or oversight.

Jon added that overly complex, IT-centric solutions often backfire by alienating the very people they’re meant to protect. He stressed the importance of designing security measures that align with employees' daily routines, allowing them to work efficiently while staying secure. In his view, involving employees in the selection and implementation of new tools can also help them feel more engaged and responsible for maintaining data protection. By focusing on usability, organisations can create a security environment where compliance feels like a natural extension of work, rather than a burdensome requirement.

Leveraging Intelligent Technology for Decision Support
Intelligent technology, particularly AI-driven decision support, is transforming how organisations manage data security without overburdening employees. Rick explained that AI can take on much of the classification and protection process, offering real-time guidance that assists employees in making secure choices. By automatically identifying sensitive information and suggesting appropriate security measures, AI reduces the pressure on employees to remember complex security protocols. This approach allows security to be proactive, with technology acting as a “safety net” that minimises errors while ensuring compliance.

Jon agreed, noting that decision support tools make security a shared responsibility without overwhelming employees with technical demands. He highlighted that, for many public sector employees, managing security settings isn’t part of their core skill set, so providing intuitive, automated assistance can be invaluable. AI-driven decision support tools ensure that employees receive contextual guidance as they work, making it easier to follow best practices. This enables organisations to implement right-sized security that empowers users, reduces risk, and reinforces a strong security culture throughout the workplace.

Building a Security-Conscious Culture 
For right-sized security to be effective, cybersecurity must be a shared responsibility that permeates the entire organisation. Jon stressed that security cannot be siloed as an IT issue; it needs to be a collective commitment that involves every department and individual. He pointed out that building a security-conscious culture starts with raising awareness and helping employees understand their role in protecting sensitive information. Regular training sessions and open discussions about security risks can keep cybersecurity top of mind, fostering a proactive attitude towards data protection.

Rick added that empowering employees to take ownership of security in their daily tasks requires more than just training; it requires a supportive environment. When employees see that leadership values data protection and invests in practical, user-friendly tools, they’re more likely to view security as integral to their work. This shift helps to eliminate the perception of security as an obstacle, instead positioning it as a vital, collaborative effort that supports everyone’s roles.

By embedding right-sized security into the organisational culture, companies can enhance their defences in a way that feels natural and sustainable for employees across all levels.


Readers can register to watch the free webinar in full here


Image: Ideogram

You Might Also Read: 

Cybersecurity Measures To Enhance Data Security In 2025:


If you like this website and use the comprehensive7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Looking Ahead Of The OMB Zero Trust Mandate In 2025
How To Streamline Compliance With NIS2 & DORA  »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Pondurance

Pondurance

Pondurance is an IT Security and Compliance company providing services in Cyber Security, Continuity, Compliance and Threat Management.

2|SEC Consulting (2-SEC)

2|SEC Consulting (2-SEC)

At 2|SEC Consulting, we deliver an end-to-end service of cyber and information security solutions which are tailored to each client’s exact security needs.

Hack in the Box Security Conference (HitBSecConf)

Hack in the Box Security Conference (HitBSecConf)

HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events feature two days of training and a two-day multi-track conference

KoolSpan

KoolSpan

KoolSpan’s security and privacy solutions address the growing threat of loss or theft of intellectual property, information, and proprietary assets.

SAS Institute

SAS Institute

SAS is a leader in business analytics software and services providing solutions for a wide range of critical business areas including risk management, compliance and fraud prevention.

Liquid Technology

Liquid Technology

Liquid Technology provide DOD- and NIST-compliant data destruction and EPA-compliant e-waste disposal and recycling services throughout North America, Europe and Asia.

ACA Group

ACA Group

ACA Group are a leading governance, risk, and compliance (GRC) advisor in financial services.

AUREA Technology

AUREA Technology

The photon counter SPD_OEM_NIR from AUREA Technology is designed for quantum key distribution at telecom wavelengths.

Macquarie Telecom Group

Macquarie Telecom Group

Macquarie Telecom is Australia's datacentre, cloud, cyber security and telecom company for mid-large business and government customers.

GateKeeper Enterprise

GateKeeper Enterprise

The GateKeeper Enterprise software is an identity access management solution. Automated proximity-based authentication into computers and websites. Passwordless login and auto-lock PCs.

Hudson Cybertec

Hudson Cybertec

Hudson Cybertec are an internationally recognized Subject Matter Expert for cyber security in the Industrial Automation & Control Systems (IACS) domain.

DeepFactor

DeepFactor

DeepFactor is the industry’s first Continuous Observability platform enabling Engineering and AppSec teams to find and triage RUNTIME security, privacy, and compliance risks in your applications.

Plante Moran

Plante Moran

Plante Moran is a leading audit, tax, consulting, and wealth management firm. Areas of consulting expertise include cybersecurity.

IriusRisk

IriusRisk

IriusRisk is an open Threat Modeling platform that automates and supports creating threat models at design time.

Hawk AI

Hawk AI

Hawk AI’s mission is to help financial institutions detect financial crime more effectively and efficiently using AI to enhance rules and find anomalies.

Millennium Corporation

Millennium Corporation

For nearly two decades, Millennium Corporation has been operating on the leading edge of cybersecurity.