How “Right-Sizing” Cybersecurity Initiatives Can Prevent Data Loss

In a recent webinar, Jon Burt, Head of Enterprise Architecture at Manchester City Council, and Rick Goud, Co-Founder and Chief Innovation Officer at Zivver, discussed what is meant by “right-sizing”, how it impacts the risks of data loss, and how to build a security-conscious culture across the entire organisation.


As any security leader will be all too aware, safeguarding data can be something of a tightrope walk. It isn’t necessarily about having the “best” or most robust cybersecurity strategy in place; it’s about striking a balance between data protection, cost-effectiveness, usability, and discovering an approach to cybersecurity that works for your business.

Overly strict security measures may frustrate users and disrupt workflows, while lax controls can lead to data leaks and regulatory breaches.

By “right-sizing” their cybersecurity initiatives, businesses can dispel the frustrations and limiting aspects of day-to-day security and turn it into a business-supporting asset that enables and empowers their workforce instead of the holding them back. 

Defining “Right-Sized” Security
Right-sized security involves creating a protective environment that respects the balance between stringent security measures and practical usability. Rick described this concept as finding the “sweet spot” where security measures are strong enough to protect sensitive information but not so rigid that they hinder productivity. He noted that overly secure systems can often be counterproductive, as users may circumvent complex or time-consuming protocols to complete their work. Instead, right-sized security encourages organisations to implement tailored protections that fit the context of each task, providing the appropriate level of security without burdening employees with unnecessary steps.

Jon echoed this view, adding that the most secure systems in the world are useless if no one wants to use them. He illustrated this with examples from the public sector, where high-stakes, complex tasks are a daily reality, and where security needs to be woven seamlessly into workflows. When security is right-sized, it becomes a natural part of the work process rather than an added layer of hassle. This approach reduces friction, makes compliance more achievable, and ensures that security isn’t sacrificed for the sake of convenience.

The Human Risk Factor
Human error remains one of the primary causes of data breaches, especially in environments where information frequently changes hands. Jon highlighted how, in sectors like local government, employees often manage sensitive data across departments and with external organisations, increasing the risk of accidental exposure. He explained that data leaks often happen due to simple mistakes, like sending an email to the wrong recipient or overlooking a security setting. In high-stakes settings, where rapid response is sometimes required, relying solely on users to make the correct security decisions can be a significant vulnerability. 

Rick agreed, emphasising that a successful security strategy should account for human error as an unavoidable factor. He suggested that organisations need security measures that don’t overly depend on employees to make constant judgement calls about data sensitivity. Instead, security should be built in, with intelligent tools guiding users and handling most of the classification and protection tasks automatically.

By reducing the opportunity for error, right-sized security helps mitigate risks without relying on employees to be cybersecurity experts in addition to their primary roles.

Making Security Usable for Everyone
One of the core principles of right-sized security is ensuring that protection measures are accessible and intuitive for all employees, not just those with technical expertise. Rick emphasised that security tools should be seamlessly integrated into the applications employees already use, reducing the need for disruptive, standalone solutions. When security is built into everyday workflows, it becomes a natural part of the work process, encouraging consistent use without adding extra steps. Rick explained that user-friendly tools make it easier for employees to follow security protocols, lowering the risk of data breaches caused by frustration or oversight.

Jon added that overly complex, IT-centric solutions often backfire by alienating the very people they’re meant to protect. He stressed the importance of designing security measures that align with employees' daily routines, allowing them to work efficiently while staying secure. In his view, involving employees in the selection and implementation of new tools can also help them feel more engaged and responsible for maintaining data protection. By focusing on usability, organisations can create a security environment where compliance feels like a natural extension of work, rather than a burdensome requirement.

Leveraging Intelligent Technology for Decision Support
Intelligent technology, particularly AI-driven decision support, is transforming how organisations manage data security without overburdening employees. Rick explained that AI can take on much of the classification and protection process, offering real-time guidance that assists employees in making secure choices. By automatically identifying sensitive information and suggesting appropriate security measures, AI reduces the pressure on employees to remember complex security protocols. This approach allows security to be proactive, with technology acting as a “safety net” that minimises errors while ensuring compliance.

Jon agreed, noting that decision support tools make security a shared responsibility without overwhelming employees with technical demands. He highlighted that, for many public sector employees, managing security settings isn’t part of their core skill set, so providing intuitive, automated assistance can be invaluable. AI-driven decision support tools ensure that employees receive contextual guidance as they work, making it easier to follow best practices. This enables organisations to implement right-sized security that empowers users, reduces risk, and reinforces a strong security culture throughout the workplace.

Building a Security-Conscious Culture 
For right-sized security to be effective, cybersecurity must be a shared responsibility that permeates the entire organisation. Jon stressed that security cannot be siloed as an IT issue; it needs to be a collective commitment that involves every department and individual. He pointed out that building a security-conscious culture starts with raising awareness and helping employees understand their role in protecting sensitive information. Regular training sessions and open discussions about security risks can keep cybersecurity top of mind, fostering a proactive attitude towards data protection.

Rick added that empowering employees to take ownership of security in their daily tasks requires more than just training; it requires a supportive environment. When employees see that leadership values data protection and invests in practical, user-friendly tools, they’re more likely to view security as integral to their work. This shift helps to eliminate the perception of security as an obstacle, instead positioning it as a vital, collaborative effort that supports everyone’s roles.

By embedding right-sized security into the organisational culture, companies can enhance their defences in a way that feels natural and sustainable for employees across all levels.


Readers can register to watch the free webinar in full here


Image: Ideogram

You Might Also Read: 

Cybersecurity Measures To Enhance Data Security In 2025:


If you like this website and use the comprehensive7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Looking Ahead Of The OMB Zero Trust Mandate In 2025
How To Streamline Compliance With NIS2 & DORA  »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CertiKit

CertiKit

CertiKit produce toolkit products that accelerate the adoption of ISO/IEC standards, including ISO 27001, helping organizations all over the world to realize the benefits as soon as possible.

Matta

Matta

Matta is a cyber security consulting company providing information security services and solutions including vulnerability assessments, penetration testing and emergency response.

Navarino

Navarino

Navarino is the maritime industry’s most advanced communications and connectivity company. We develop advanced technologies and innovative IT solutions including cyber security.

SITA

SITA

SITA is a multinational information technology company providing IT and telecommunication services to the air transport industry including vulnerability assessments and managed security services.

US-Africa Cybersecurity Group (USAFCG)

US-Africa Cybersecurity Group (USAFCG)

USAFCG provides cybersecurity consulting services and delivers training programs for capacity building in Africa.

DarkOwl

DarkOwl

DarkOwl provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data.

Wiser Market

Wiser Market

Wiser Market is a leading company in global online brand protection services, intellectual property protection, anti-Counterfeit & trademark infringements.

Axis Security

Axis Security

Axis Security technologies transform open networks and vulnerable applications into fully protected resources that the business can trust.

TwoThreeFour

TwoThreeFour

ThreeTwoFour provide tailored cyber security solutions, delivered by highly-skilled, experienced consultants who respond to the real needs of you and your business.

KirkpatrickPrice

KirkpatrickPrice

KirkpatrickPrice is dedicated to providing you with innovative security guidance and efficient audit services.

Navisite

Navisite

Navisite is a combination of eight respected IT consulting and managed service providers that were brought together under the Navisite brand.

Dope Security

Dope Security

Dope Security is a fly-direct Secure Web Gateway that eliminates the data center stopover architecture required by legacy providers, instead performing security directly on the endpoint.

ISSQUARED

ISSQUARED

ISSQUARED is a leading provider of Cyber Security, Cloud, Infrastructure, Consulting and Digital Transformation services.

Mobilicom

Mobilicom

Mobilicom is an end-to-end provider of cybersecurity and smart solutions for drones, robotics & autonomous platforms.

AFRY

AFRY

AFRY is a world leading engineering company, trusted as a supplier of services and solutions within the industry, energy, and infrastructure sectors as well as for authorities.

DataKrypto

DataKrypto

DataKrypto’s advanced data encryption solutions protect data throughout its lifecycle.