15 September 2025
Why “we already have that data” is bullsh*t
CybSafe’s CEO and founder Oz Alashe unpacks why your colleagues keep missing the point on behavioral risk – and what to do about it

You raise the idea of integrating behavioral data. You barely finish the sentence before someone cuts in with:

“We already capture that.”
“We already block that behavior.”

You’ve heard it before. You knew it was coming. But it still grates. No, let’s say the quiet part out loud: it hurts.

Because this isn’t really about the data, but about what that response actually reveals.

Technical… or territorial?

The objections sound technical. But they go deeper than that. Behind the words is a quiet assumption: you’re the training, education, and comms person. You don’t need telemetry. You don’t belong in the technical conversation.

You know it’s based on a misunderstanding. But it feels like a dismissal of you, your role, and everything your team brings to the table. It’s frustrating and it’s exhausting.

Human risk management often gets sidelined. It’s too soft, too fluffy, too optional – these are the subtle (or, let’s be honest, sometimes not-so-subtle) messages you’re probably picking up. But managing human cyber risk demands serious technical thinking. Just not the kind some teams are used to.

It takes discipline to understand behavior, structure and evidence to shift habits, and strategic intent to drive outcomes at scale. This is behavioral engineering grounded in psychology, systems thinking, intervention design, measurement, and automation.

They may see you as just sending messages. But I see you: you’re working your socks off to shape risk outcomes. And in a world where cybercriminals move fast and AI keeps shifting the landscape, the security function has to change with it.

You’re doing work that’s strategically vital to the organization. And you shouldn’t have to keep explaining why.

Old tools, meet new problems

SIEMs, DLPs, and endpoint tools serve a purpose. They’re excellent at flagging technical activity. 

But they weren’t designed to help you understand people.

They don’t explain motivation. They don’t distinguish between one-off mistakes and ongoing risk patterns. They don’t show intent, and they weren’t made to support behavior change.

They can tell you what happened. They just can’t tell you why.

And if you can’t understand why something happened, you can’t prevent it from happening again. That’s the gap. That’s the risk. And it’s exactly why human risk teams need tools that go beyond detection, to interpretation, context, and change.

If your data’s in silos, your risk is too

Even when the data exists, it’s fragmented. It’s scattered across dashboards, owned by different teams, and completely disconnected from the people who actually need it – human risk leads, culture specialists, governance teams, and risk owners.

They can’t use what they can’t see. And even if they could access it, the data doesn’t tell a coherent story. It’s noise. It’s out of context. It’s incomplete.

And yet, you’re expected to drive real change with half the picture missing.

And when the story’s incomplete, the solutions will be too. You can’t drive meaningful change when every team sees a different part of the picture. To manage human risk effectively, the data needs to come together, so people can come together, too.

Behavioral context changes everything

It’s not enough to collect more data. What matters is what it means and what it enables you to do.

To manage human risk, you need to connect:

  • Signals to behaviors
  • Behaviors to risks
  • Risks to interventions

That’s what Human Risk Management (HRM) technology is designed for. It turns fragmented telemetry into meaningful, usable behavioral insight.

This isn’t about repeating what the security team already collects. It’s about making that data work harder by adding the context that turns it into something you can act on. Because without that context, even the best data can’t help you change anything.

Blocking doesn’t fix behavior

Here’s another line you’ve probably heard:

“We already block that behavior.”

The assumption here is that blocking solves the problem. But blocking isn’t the end of the story.

If someone is entering sensitive data into ChatGPT, using unapproved AI tools, or misclassifying documents, blocking that action doesn’t address the reason it happened in the first place. It doesn’t change the behavior. It just conceals it.

Eventually, people will find a workaround, or controls will fail elsewhere. It might be shadow IT, unmanaged devices, or apps you didn’t even know were in use. By the time you notice, it’s too late.

And this is why behavioral security needs to be the foundation you build everything else on.

What blocking can’t tell you

  • Who’s taking risky actions or why
  • Which of your controls are working and which are wasted
  • Whether your culture is moving in the right direction
  • How to reinforce good behaviors across the business
  • What’s coming next in an evolving AI threat landscape

Blocking might stop a single action, but it won’t show you the bigger picture or help you prevent what’s next.

So next time someone says “We already have that data”, try this:

“You have the data. But we’re not using it to manage behavioral risk. HRM technology gives it meaning, context, and purpose. It turns telemetry into insight, and insight into action.”

HRM makes risk visible, measurable, and fixable

You can’t automate what you can’t see. You can’t fix what you don’t understand.

HRM technology (like CybSafe) helps surface patterns across people, systems and environments. It gives you a joined-up view of:

  • Who’s introducing risk
  • Why it’s happening
  • How to reduce it through targeted, evidence-based interventions

That’s how real resilience gets built.

It matters. Even if they don’t get it yet.

Some teams will still think this is extra. Which is cute, as long as your org’s next breach sends a calendar invite ahead of time. They’ll file it under “something to look at when Things Calm Down™️”. Or as something someone else should own. But the truth is, they don’t own the data.

That telemetry doesn’t belong to a single team. It’s organizational data, and it should be used in ways that support the whole business, not just one function’s KPIs.

This is optimization, not duplication. And let’s be honest. If reusing data were a crime, half the org would already be in handcuffs.

Now’s the time to double down

This conversation is hard. You’re asking already-stretched, brilliant security teams to rethink deeply embedded assumptions. To reconsider what technical work really means. To give time and attention to a problem they’ve been trained to deprioritize.

The friction is real. And your instincts are right.

If you want help having that conversation, or if you want to see how other human risk leaders are making the case for a behavior-first approach, CybSafe can help.

If you’re still reading, this probably hit close to home. Which makes now the perfect time to book a call to talk about making your data work for behavior change. 

(They’ll thank you later.)