How an Inclusive Culture Is Critical for Cyber Security – Especially When the World Is on Fire

The world feels unstable right now. Geopolitics are volatile. Supply chains are fragile. Growth is harder to find. Margins are under pressure. Anxiety is high – not just in leadership teams, but across organisations and workforces.

That context matters for many reasons, but it matters profoundly for cyber security.

Cyber risk doesn’t spike because technology suddenly stops working. It doesn’t rise because encryption fails overnight or because systems were badly designed. It rises when people are under pressure. When organisations are stressed, corners get cut. When individuals are overloaded, judgement narrows, attention slips, and mistakes happen. That’s not a criticism – it’s basic human behaviour.

Cyber criminals understand this better than most. Periods of uncertainty and disruption are their ideal operating environment. And the uncomfortable truth is that organisations don’t get to pause cyber risk until conditions improve. There is no calmer market or quieter news cycle coming. We have to operate, progress, and protect anyway.

Cyber is still too often framed as a technical problem – firewalls, tools, policies, specialists, governance. All of those matter. But in reality, cyber has three very distinct dimensions.

The first is technology. The teams building and running networks, platforms, architecture, and code. Highly skilled, critical to modern business, and carrying a growing share of organisational spend and responsibility.

The second is the security function itself – governance, monitoring, controls, incident response, deep expertise in threat vectors and attack patterns. In many organisations, this remains one of the least diverse functions, even compared to wider technology teams.

And then there is the third dimension.

Everyone else.

The workforce. The people opening emails, sharing files, juggling priorities, responding to urgent requests, and trying to do the right thing under pressure. They are the last line of defence – and they are also the largest attack surface.

Most cyber incidents don’t begin with technology failing. They begin with plausible emails, urgent supplier requests, or small shortcuts taken on busy days. People making reasonable decisions in imperfect conditions. Technical and security teams are not immune to this either – they are part of this human system too.

This is why People and HR leaders are not adjacent to cyber security. They are central to it.

My view on this is shaped by experience, not theory. I’ve spent years leading large, complex, global technology organisations operating under sustained market pressure. In those environments, cyber security is never a standalone concern. It sits alongside growth targets, margin pressure, operational continuity, transformation programmes, and constant change.

As a leader, the challenge is not just defending against external threats. It is creating the conditions where brilliant, curious, well-intentioned people inside the organisation don’t accidentally become part of the problem. That tension never disappears. Leaders have to hold it every day.

This is where conversations about diversity often get uncomfortable, so intent matters. This is not about virtue signalling, blame, or pitting groups against one another. When it comes to cyber security, diversity is fundamentally about risk management.

Homogeneous teams increase blind spots. They increase groupthink. They reduce challenge – especially under pressure. Behavioural diversity matters as much as technical skill. Skills can be learned. Behavioural diversity reduces systemic risk.

There is credible evidence suggesting that different groups exhibit different patterns of online behaviour and risk tolerance. That doesn’t make one group better than another. It highlights that organisations benefit when multiple perspectives, instincts, and checks exist within the system.

If an organisation is heavily skewed towards one demographic group, it may be unintentionally increasing its cyber risk – not just in technology teams, but across decision-making, escalation, and response. That is a risk management issue, not an ideological one.

This matters even more in complex sectors. Industries with long supply chains, operational technology, distributed partners, and just-in-time delivery models experience cyber incidents differently. When systems fail, the impact cascades. Production stops. Deliveries are delayed. Orders can’t be taken. Confidence erodes across customers, suppliers, and partners.

Cyber resilience is not about being perfect. There has never been infinite budget, and there never will be. The job is intelligent risk management.

Most organisations invest heavily in tools, controls, and policies. That’s necessary. But far fewer invest adequately in the culture that determines whether those controls work when it matters.

Cyber security is not a compliance exercise or a training slide deck. It’s about whether people feel safe questioning unusual requests, reporting mistakes early, and acting decisively without fear. It’s about understanding why controls exist, not just what they are.

In strong cyber cultures, transparency is rewarded. Near misses are surfaced early. Action is encouraged, not punished. Detection happens faster, and faster detection reduces impact.

There is a powerful analogy from manufacturing: stopping the line. In high-performing environments, anyone can stop production if they see a fault, even if it’s costly in the moment, because preventing a bigger failure matters more. Cyber-resilient organisations operate the same way. People are empowered to act immediately and escalate without fear.

Culture is the control most organisations underinvest in.

Leaders play a decisive role here. When complexity, silence, or heroics are rewarded, risk increases. When clarity, simplicity, and challenge are valued, resilience improves. Psychological safety shortens response time. Empowerment contains damage.

Cyber security is not owned by one role or function. It is not just a CIO, CTO, or CISO issue. It is a people, culture, and leadership issue.

And inclusive cultures are not a moral extra. They create better decision-making under pressure, reduce systemic risk, and strengthen operational resilience when organisations need it most.

In a world that feels increasingly on fire, inclusive culture is not optional. It is one of the most powerful controls we have.

Rebecca Fox