Checkups and Checklists: Cyber Risk Isn’t Just a Technical Problem



James McQuiggan

There are many things in our lives we must prepare for to be ready. For other things, we wing it, or we're not prepared to deal with them when they happen.

For me, I've reached that point in my life where I needed to have a medical procedure done, and it was something I've put off for several years. It may not be very comfortable to admit, but last week, I had a colonoscopy.

That's not exactly how you'd expect a cybersecurity blog to start, but hear me out on this one!

Granted, the experience was awkward and somewhat disgusting, but it contained moments that required trust, preparation, and transparency. Somewhere between the 40-hour fast, the paperwork, and my own personal modesty or vulnerability, I realized that this is close to what it feels like to manage human risk in cybersecurity.

Preparing is one key to being successful.
Honestly, the most challenging part wasn't the procedure; it was the prep or, as they called it, Suprep: twenty-four hours of a clear liquid diet and a heavy dose of laxatives consisting of a sodium sulfate, potassium sulfate, and magnesium sulfate oral solution, which requires one to stay near a bathroom.

I know this will be weird to say, but does this sound familiar?

In cybersecurity, the real work often happens before the incident. We need to prepare for hurricanes, or we could lose our house. We need to prepare for exams, or we fail the course. We need to prepare for many things, but there are things we don't prepare for, like a full-scale cyberattack. Or can we?

When we look at how many successful cyberattacks are due to unpatched systems, zero days, credential stuffing, or users who fall victim to phishing or spear phishing, it's no longer just about security awareness training but about human risk management (HRM) and building a strong cybersecurity culture program. Building a strong human risk management program means identifying behaviors, training staff, and running simulated attacks, all before the breach.

Now, back to the colonoscopy.

Blind Trust in a System You Can't See
During a colonoscopy, you're sedated. You have no clue what's going on. You trust that the staff, the tools, and the process are doing what they're supposed to and keeping you safe.

That's what we ask employees to do every day. We ask them to follow security protocols they may not fully understand. Click this. Don't click that. Use MFA, use a password manager, or report phishing emails. We ask them to trust the process.

But trust without understanding is a risk. That's where human risk management comes in. We must build a culture where people understand the why behind the what because it's not just about rules. It's about empowering the user and educating them about their responsibility.

The Risks You Don't See Can Hurt You Most
The whole point of a colonoscopy is to find problems you can't see until they get serious, require a lot of effort to correct, or potentially lead to disastrous consequences.

Ransomware, AI-powered phishing, or business email compromise – most threats don't scream their arrival. They sneak in through missed patches, reused passwords, or a user clicking a link and entering credentials in response to a well-crafted social engineering email. Organizations can spend so much time reacting to breaches that they forget what cybersecurity should be: proactive, not reactive.

It's Uncomfortable, but It's Necessary.
Let's be honest: no one looks forward to a colonoscopy. Trust me, I am one of those folks. However, after multiple operations due to cancer treatment in the '90s and 2000s, I'm not anxious about procedures or being in the hospital.

That life-changing experience was the determining factor in whether it was worth it. This mentality is like that of executives who view cybersecurity as a cost center and security awareness training as a waste of time. These events can be invasive, inconvenient, and maybe embarrassing, especially if someone clicks on a phishing link, or if you need to inform the board that your culture audit showed risky behavior at the executive level.

But avoiding uncomfortable conversations doesn't make the risk go away. It makes it worse. Real resilience comes from transparency, something healthcare, cybersecurity, and leadership all share.

The Follow-Up Is Where You Grow
After the procedure, the doctor gave me a clear plan in the post-op: what looked good, what we were watching, and what to do next. See you in 7 years!

Cybersecurity leaders need to do the same.

After every phishing test, breach simulation, or awareness campaign, ask yourselves or your team: What did we learn? Where did we fall short? What's the plan now?

It is not just about compliance or getting the most people to click a phishing assessment; it is about maturing your risk posture over time.

Final Thoughts
Cybersecurity isn't glamorous. It's often awkward. Uncomfortable. Necessary.

Like a colonoscopy.

If you've never had one, you will... one day. Like they say, it's all downhill after 50.

When you embrace the discomfort, prepare early, and focus on continuous improvement, you reduce the risk of damage to your systems and people.

And who knows? Your next uncomfortable experience might inspire your strongest security strategy yet.

Awareness, like health, only works when it's a habit, not a reaction.

Let's connect if this hits home or if you'd like to talk more about building resilient human risk programs, just maybe not in a hospital gown.

