Why Cybersecurity Is a People Problem Before It Is a Technology Problem
Neil C. HughesJuly 12, 202600:43:14

Why Cybersecurity Is a People Problem Before It Is a Technology Problem

Why do companies continue spending heavily on cybersecurity technology while human behavior, poor governance, and skills shortages leave them exposed to attacks?



In this episode of Tech Talks Daily, I speak with Phil Chapman, Cybersecurity Subject Matter Expert at Firebrand Training, about what more than two decades in the Royal Air Force, signals intelligence, counterterrorism, threat intelligence, and cybersecurity education taught him about defending companies in an increasingly complex threat environment.



Phil’s career provides a fascinating perspective on how intelligence skills developed in military and national security environments can be applied to modern cyber defense. After 23 years in the RAF, including work supporting organizations such as GCHQ and the NSA, training intelligence analysts, and working in counterterrorism, Phil moved into technology training and cybersecurity education. Today, he helps companies understand their cybersecurity training needs while supporting people building careers in an industry that continues to need new talent.



A major theme throughout our conversation is Phil’s belief that cybersecurity is fundamentally about people. Technology matters, but expensive security products cannot compensate for employees who do not recognize threats, executives who misunderstand their responsibilities, or companies that treat security awareness as an annual compliance exercise.



Phil explains threat intelligence in practical business terms, examining the relationship between threats, vulnerabilities, business assets, and risk. We discuss why insiders remain one of the biggest security concerns facing companies, including malicious employees and the far more common problem of accidental actions such as clicking phishing links, sharing sensitive information, or sending data to the wrong recipient.



The arrival of generative AI is making these problems harder to manage. Phil discusses how criminals are using AI to create more convincing phishing campaigns, deepfakes, social engineering attacks, and other forms of cybercrime. At the same time, employees are introducing new risks by using AI tools without understanding what happens to company data or whether appropriate policies and controls are in place.



But this episode is also about opportunity. Phil challenges the stereotype that cybersecurity careers are only for highly technical people sitting behind multiple screens writing code. He explains the different career paths available across cybersecurity engineering, threat intelligence, incident response, security operations, governance, risk, compliance, and analysis, and why skills from customer service, the military, data analysis, writing, communications, and other professions can transfer successfully into cyber roles.



For anyone considering a career change or trying to enter the technology industry, Phil offers practical advice on where to begin. Rather than chasing advanced certifications or trying to become an ethical hacker immediately, he recommends building a strong foundation, understanding networks and operating systems, staying current with the news, developing analytical thinking, and remaining curious about how criminals adapt world events and new technologies to create attacks.



We also discuss cybersecurity apprenticeships and why alternative routes into technology careers could help companies develop talent while giving people of different ages and professional backgrounds access to an industry they may previously have considered out of reach.



Finally, Phil explains why cybersecurity professionals cannot focus only on today’s threats. AI is already changing both attack and defense strategies, while quantum computing is forcing companies to examine cryptography, data protection, and long-term security planning. His message to business leaders and technology professionals is clear: buying more technology will not solve every security problem. Companies need informed leadership, better governance, continuous learning, practical training, and people who understand how threats evolve.



This conversation offers business leaders a clearer understanding of cyber risk, provides technology teams with practical ideas for improving security awareness, and offers anyone considering a cybersecurity career a realistic view of the opportunities, skills, and pathways available through training and apprenticeships.