
You can buy better tools, but that alone won’t get you to perfect cyber security – Federal News Network

Editorial Staff
Last updated: May 9, 2026 6:20 am

“I think it starts with seeing your employees as your partners in the security process rather than assets or risks to be managed,” Nicole Togno said.
The Federal Drive with Terry Gerton provides expert insights on current events in the federal community. Read more interviews to keep up with daily news and analysis that affect the federal workforce. Reach out to Terry and the Federal Drive producers with feedback and story ideas at FederalDrive@federalnewsnetwork.com.

Interview transcript
Terry Gerton Cybersecurity is a big topic for us. We talk about it a lot. Our audience is really interested in it. We talk about typically cybersecurity tools, training, rules and regulations. And at the same time, though, we’re noticing that phishing and social engineering attacks are getting more sophisticated every year. Breaches continue to happen at every level of government. From your perspective there at Fors Marsh, what explains the gap between investment in technology for cybersecurity and outcomes?
Nicole Togno So I see this as, I think to answer honestly, I think perhaps we’ve been solving for the wrong problem. So agencies invest a lot in the tools and those tools are really good at managing systems. I think perhaps what they haven’t invested as much in is understanding the people operating inside those systems, right? People are complicated. We’re all very complicated beings, right. We are busy. We act under pressure more and more, right, as our work advances and technology infuses the way in which we work. And so we are called upon to make, you know, a zillion judgment calls throughout the course of a day. And attackers understand that, right? Phishing, really prominent, works not just because someone’s careless or they lack the competence. Those things work because it’s designed to exploit how humans actually process information, especially when they’re under stress. So when I look at why these kinds of breaches still happen, and I don’t see necessarily the technology gap, right? I’m coming at it from a different angle. I see how the gap really is an understanding, is in the way in which we understand human behavior.
Terry Gerton What I hear you say is that no matter how much we invest, we’re never going to have a fail-safe technical solution to cybersecurity, that it’s a behavioral challenge. What does that mean for government leaders in a practical sense, when they’re thinking about their cyber risks?
Nicole Togno Practically speaking, it means that people are going to be people, right? It means that, you know, I want to come at this from perhaps a different question. So I think a lot of technologists, right, come into this space by asking the question of, what do people need to know? Right. You know, I think from a behavioral lens to come at it from perhaps a different set of questions, what shapes how people behave and what drives action, right, those are two very different kinds of questions. So there’s a framework I like to use. It’s really helpful. It’s very simple. COM-B, it’s very well known in behavioral science. It stands for Capability, Opportunity, Motivation and Behavior. Basic idea is just that behavior is not just a function of what we know. It’s not just knowledge. It’s very complicated. So it’s, behavior is rarely a logical endeavor, right, most of the time. So behavior is really a function of whether the environment that we’re creating makes the behavior easy or hard and whether people are genuinely motivated to do it. So when I look at a security problem, I’m not a technologist, right? I’m, I’m just asking, did the people complete the technology training, right, so that they know now what it is that they need to know. They have the knowledge. I’m asking, like, does this environment set people up to make secure choices? Do they trust the system enough to engage with it honestly? Right? Those questions don’t necessarily come naturally to technologists, and that’s by no means a criticism. It’s just a different discipline. And that’s why I think behavioral science is this like additive lens to bring to the table.
Terry Gerton That’s a really interesting perspective. And I’m sitting here thinking about the last cyber training I clicked through about recognizing a phishing email and not clicking on it and those kinds of things. Sounds to me like you’re saying that’s not enough.
Nicole Togno It’s not enough, yeah. So I think most of us have sat through those kinds of trainings where we click through, it’s a compliance exercise, right? And also you get the knowledge, okay, but knowing and doing are two very different things. And I think we’ve known this for a long time in behavioral science, right. There’s decades and gobs of research showing that information alone — gobs by the way is an empirical term — rarely changes behavior, right, security programs are still largely built on an assumption and that if you tell people what the risks are, they’re going to act logically, they’re going to behave accordingly, they are going to be responsible. But that’s just not how people work, right? If I’m rushing to meet a deadline and I get a login prompt that asks me to go through three, four, five additional steps, right, I want to find a workaround, not because I don’t care about security, but because in that moment, my brain is optimizing for getting my work done. Like we are very good doers in this society now, like the systems we all operate within have prompted us to work smarter, more efficiently and faster. And that need for efficiency or that drive to optimize, it’s not a character flaw, it’s just the way cognition works. So when training is your entire strategy, what you’re really doing, I think, is putting the burden of security on the individual and then blaming them when something goes wrong. And it feels both ineffective and a little bit unfair.
Terry Gerton I’m speaking with Nicole Togno. She’s senior director for civilian experience and policy research at Fors Marsh. Nicole, let’s just be real for a minute. Most of our cybersecurity folks are technologists. They’re not behavioral scientists. They’re trained to set up the kind of environment that you’re describing. What should they be thinking about as they look at their cybersecurity risk? What are some quick steps they could take?
Nicole Togno Yeah, that’s great. So I think it starts with seeing your employees as your partners in the security process rather than assets or risks to be managed, right? It sounds pretty simple, but it’s actually a pretty significant shift in how I think most security programs are designed, as you said, by technologists. Right? In practice, I think it means a couple of things. I think it means looking to understand the actual ways in which people are navigating day to day through these systems, where their pressure points may be, where they’re trying to work around something because they don’t necessarily have a better option. It means for technologists creating and leaders creating the kinds of channels where people feel safe to report mistakes without fear of punishment. You know, right now, I think a lot of agencies and just general workplaces, if someone clicks a bad link, their instinct is to hope nobody notices, right? There’s a cultural problem there, really. It’s a real security consequence that comes from that. But that really means that we need to build more trust. A trust with leaders, trust with our employees, trust all around. And that’s not like a soft thing, squishy trust. It’s really in this context, I think, an actual security asset that technologists and leaders should be building into the system.
Terry Gerton I feel like what you’re describing, if I was a CISO, would be swimming upstream. That is not the easy path to take. The easy path is to buy cybersecurity tools or put more checklists in place. And, say that I’ve built the system that is going to address my cyber risk, how do you empower the decision-makers to actually change their approach to this?
Nicole Togno I think it’s a mindset shift first and foremost, right? It’s moving from seeing security as something that you impose upon people to something that you build with them, being empowered to build it with them. And agencies, they may often miss that the people inside the organization are one of their greatest sources of intelligence about where real vulnerabilities are. And so empowering technologists to engage with employees to know where the workarounds may be, to understand which processes might be so cumbersome that nobody’s really following them, although no one’s really saying that out loud. So I think, you know, a lot of security programs aren’t designed to surface that knowledge, right? They’re designed to push that information down. So there’s an enormous amount of insight just sitting there that’s untapped, waiting for technologists and leaders and CISOs to come in and gobble up, right? It’s gold for them to be able to understand, not just how do we get people to comply, but really start asking, how are the people telling us, what are they telling us about how this system is actually working? Right, it’s a different kind of conversation. And so it’s that mindset shift to get them new data, new interesting insights that they wouldn’t get just from doing an internal penetration test for their technology assets.
Terry Gerton If you are a federal CIO or a CISO and you’re saying, that sounds like something I’d really like to try, but I have no idea where to start. How can they begin to build an environment, a structure, a culture that seeks that employee feedback?
Nicole Togno I would say the simplest thing to do is talk to people and not, it doesn’t have to be formal. It doesn’t need to be a town hall. It doesn’t need to be a formalized survey. Just sitting down with a handful of employees across different roles and ask them two questions. Where does security get in the way of your work and what do you do when that happens? And then just listen. Don’t defend the program. Don’t explain the policy. Just listen. And what you might hear may be uncomfortable. You may find out about things people are doing that you didn’t know existed, about processes that folks stopped following ages ago, moments where doing the secure thing felt hard, too hard maybe. And that information, right, that’s that golden insight, right? It tells you exactly where your program is breaking down in the real world beyond that kind of pressure testing that your technology experts are doing to make sure that the system works. But in the actual daily experiences of the people that you’re counting on to keep the agency secure, so that’s where I’d start. Simple, talk to people. Because you can’t design for human behavior if you don’t understand the actual humans using it.
Terry Gerton Once you get that kind of feedback, what’s the next step?
Nicole Togno It’s a great question. So I think the next step, once you get that feedback, is you put it into the hands of your technologist team and you show them the evidence of, you’ve designed this really elegant and beautiful system with which we are rock solid to this point. But to get to the next point, you need to engage the people. And so providing them the insights to make better decisions on, you didn’t know this workaround was happening. Now you do, what are we going to do about it? And so taking those kind of quick steps to gather the insight and then make them actionable. And it can be one step at a time. It doesn’t need to be a full overhaul. It doesn’t need to be a system redesign. It’s simply taking these qualitative insights from the people that you have in your organizations using your tools and systems every day and then making small adjustments and tweaks along the way.
Copyright © 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Terry Gerton is host of the Federal Drive and has been working in or with the federal government for more than 40 years.
