How “Right-Sizing” Cybersecurity Initiatives Can Prevent Data Loss

In a recent webinar, Jon Burt, Head of Enterprise Architecture at Manchester City Council, and Rick Goud, Co-Founder and Chief Innovation Officer at Zivver, discussed what is meant by “right-sizing”, how it impacts the risks of data loss, and how to build a security-conscious culture across the entire organisation.


As any security leader will be all too aware, safeguarding data can be something of a tightrope walk. It isn’t necessarily about having the “best” or most robust cybersecurity strategy in place; it’s about striking a balance between data protection, cost-effectiveness, usability, and discovering an approach to cybersecurity that works for your business.

Overly strict security measures may frustrate users and disrupt workflows, while lax controls can lead to data leaks and regulatory breaches.

By “right-sizing” their cybersecurity initiatives, businesses can dispel the frustrations and limiting aspects of day-to-day security and turn it into a business-supporting asset that enables and empowers their workforce instead of the holding them back. 

Defining “Right-Sized” Security
Right-sized security involves creating a protective environment that respects the balance between stringent security measures and practical usability. Rick described this concept as finding the “sweet spot” where security measures are strong enough to protect sensitive information but not so rigid that they hinder productivity. He noted that overly secure systems can often be counterproductive, as users may circumvent complex or time-consuming protocols to complete their work. Instead, right-sized security encourages organisations to implement tailored protections that fit the context of each task, providing the appropriate level of security without burdening employees with unnecessary steps.

Jon echoed this view, adding that the most secure systems in the world are useless if no one wants to use them. He illustrated this with examples from the public sector, where high-stakes, complex tasks are a daily reality, and where security needs to be woven seamlessly into workflows. When security is right-sized, it becomes a natural part of the work process rather than an added layer of hassle. This approach reduces friction, makes compliance more achievable, and ensures that security isn’t sacrificed for the sake of convenience.

The Human Risk Factor
Human error remains one of the primary causes of data breaches, especially in environments where information frequently changes hands. Jon highlighted how, in sectors like local government, employees often manage sensitive data across departments and with external organisations, increasing the risk of accidental exposure. He explained that data leaks often happen due to simple mistakes, like sending an email to the wrong recipient or overlooking a security setting. In high-stakes settings, where rapid response is sometimes required, relying solely on users to make the correct security decisions can be a significant vulnerability. 

Rick agreed, emphasising that a successful security strategy should account for human error as an unavoidable factor. He suggested that organisations need security measures that don’t overly depend on employees to make constant judgement calls about data sensitivity. Instead, security should be built in, with intelligent tools guiding users and handling most of the classification and protection tasks automatically.

By reducing the opportunity for error, right-sized security helps mitigate risks without relying on employees to be cybersecurity experts in addition to their primary roles.

Making Security Usable for Everyone
One of the core principles of right-sized security is ensuring that protection measures are accessible and intuitive for all employees, not just those with technical expertise. Rick emphasised that security tools should be seamlessly integrated into the applications employees already use, reducing the need for disruptive, standalone solutions. When security is built into everyday workflows, it becomes a natural part of the work process, encouraging consistent use without adding extra steps. Rick explained that user-friendly tools make it easier for employees to follow security protocols, lowering the risk of data breaches caused by frustration or oversight.

Jon added that overly complex, IT-centric solutions often backfire by alienating the very people they’re meant to protect. He stressed the importance of designing security measures that align with employees' daily routines, allowing them to work efficiently while staying secure. In his view, involving employees in the selection and implementation of new tools can also help them feel more engaged and responsible for maintaining data protection. By focusing on usability, organisations can create a security environment where compliance feels like a natural extension of work, rather than a burdensome requirement.

Leveraging Intelligent Technology for Decision Support
Intelligent technology, particularly AI-driven decision support, is transforming how organisations manage data security without overburdening employees. Rick explained that AI can take on much of the classification and protection process, offering real-time guidance that assists employees in making secure choices. By automatically identifying sensitive information and suggesting appropriate security measures, AI reduces the pressure on employees to remember complex security protocols. This approach allows security to be proactive, with technology acting as a “safety net” that minimises errors while ensuring compliance.

Jon agreed, noting that decision support tools make security a shared responsibility without overwhelming employees with technical demands. He highlighted that, for many public sector employees, managing security settings isn’t part of their core skill set, so providing intuitive, automated assistance can be invaluable. AI-driven decision support tools ensure that employees receive contextual guidance as they work, making it easier to follow best practices. This enables organisations to implement right-sized security that empowers users, reduces risk, and reinforces a strong security culture throughout the workplace.

Building a Security-Conscious Culture 
For right-sized security to be effective, cybersecurity must be a shared responsibility that permeates the entire organisation. Jon stressed that security cannot be siloed as an IT issue; it needs to be a collective commitment that involves every department and individual. He pointed out that building a security-conscious culture starts with raising awareness and helping employees understand their role in protecting sensitive information. Regular training sessions and open discussions about security risks can keep cybersecurity top of mind, fostering a proactive attitude towards data protection.

Rick added that empowering employees to take ownership of security in their daily tasks requires more than just training; it requires a supportive environment. When employees see that leadership values data protection and invests in practical, user-friendly tools, they’re more likely to view security as integral to their work. This shift helps to eliminate the perception of security as an obstacle, instead positioning it as a vital, collaborative effort that supports everyone’s roles.

By embedding right-sized security into the organisational culture, companies can enhance their defences in a way that feels natural and sustainable for employees across all levels.


Readers can register to watch the free webinar in full here


Image: Ideogram

You Might Also Read: 

Cybersecurity Measures To Enhance Data Security In 2025:


If you like this website and use the comprehensive7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Looking Ahead Of The OMB Zero Trust Mandate In 2025
How To Streamline Compliance With NIS2 & DORA  »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Keyfactor

Keyfactor

Keyfactor is a leader in cloud-first PKI as-a-Service and crypto-agility solutions. Our Crypto-Agility Platform seamlessly orchestrates every key and certificate across the enterprise.

DNV

DNV

DNV are the independent expert in assurance and risk management. We deliver world-renowned testing, certification and technical advisory services.

NSHC

NSHC

NSHC is a provider of mobile security solutions, cyber security consulting and training, and offensive research.

STM

STM

STM provides system engineering, technical support, project management, technology transfer and logistics support services for the Turkish Armed Forces.

SaltStack

SaltStack

SaltStack develops award-winning intelligent IT automation software. We help businesses more efficiently secure and manage all aspects of their digital infrastructure.

Wipe-Global

Wipe-Global

Wipe-Global is specialized in data erasure with an international established service partner network.

PQShield

PQShield

PQShield are specialists in Post-Quantum Cryptography. We provide quantum-secure cryptographic solutions for software, software/hardware co-design and data in transit.

Trapp Technology

Trapp Technology

Trapp Technology combines the very best cloud, Internet, IT managed services, and IT consulting to provide a true all-in-one IT solution for small to mid-sized businesses.

DeNexus

DeNexus

DeNexus is the leading provider of cyber risk modeling for industrial networks. Our Mission is to build the Global Standard for Industrial Cyber Risk Quantification.

DeXpose

DeXpose

DeXpose is a hybrid dark/deep web monitoring and attack surface mapping platform to help you find compromised data or exposed assets related to your organization way before threat actors.

Knowit

Knowit

Knowit support customers in the digital transformation, simplify people’s everyday lives and create secure and innovative solutions enabling a sustainable future.

COGITANDA Dataprotect

COGITANDA Dataprotect

COGITANDA are a group of companies focused on dealing with cyber risks, managing them and insuring them.

CyberCure

CyberCure

CyberCure provide specialised roles and services to manage your organisations cybersecurity requirements and professional advisory services in governance, risk and compliance.

PlanNet 21 Communications

PlanNet 21 Communications

PlanNet 21 Communications is Ireland most specialised technology solution provider.

Infrassist Technologies

Infrassist Technologies

We're Infrassist - a trusted white label Managed IT & Professional Services partner for MSP businesses.