Why Cybersecurity for Defense Contractors Must Go Beyond Technology — To the Human Element That Opens the Door

By Chuck Gallagher — Ethics Keynote Speaker and Consultant

I was recently speaking to a defense contractor, and from an IT perspective at the senior organizational level, there was a real sense of satisfaction about their cybersecurity posture. They had invested in new tools, updated firewalls, hardened endpoints, and aligned with the latest compliance frameworks. They felt secure — until we began exploring how the bad actor gets a foothold in the network to begin with.

And the answer brought us back to something that should not have been surprising, but too often is:

It starts with people.

Bad actors don’t break in through perfect encryption or flawless code. They break in through people — through behaviors, habits, reactions under pressure, social engineering, and the everyday “breadcrumbs” employees leave behind that signal where vulnerabilities live. These are rarely dramatic overnight breaches. They are small, ordinary moments where a human becomes the gateway.

A recent article on Defense Opinion highlights a new set of cybersecurity certification requirements for defense contractors that is underway. This certification effort underscores the intensity and complexity of technical expectations. But if we focus only on systems, standards, and certifications — and we leave people out of the equation — we are not secure at all.

The technical layers are necessary — but not sufficient

There is no question that technical readiness matters. The new cybersecurity certification for defense contractors reflects an evolving, rigorous landscape of expectations: compliance with NIST SP 800-171 and its assessment under the Cybersecurity Maturity Model Certification (CMMC), stronger controls over controlled unclassified information (CUI), and validated security practices that make networks harder to penetrate.

But here’s the hard truth most organizations don’t admit:

Most breaches don’t begin because a firewall failed. They begin because a human did something normal.

I’ve seen it in companies of every size:

  • An engineer uses the same password on multiple systems because it’s “easier to remember.”
  • A program manager opens an unknown attachment at the end of a long day.
  • A newly onboarded employee stores a password in a document labeled “Passwords.”
  • A contractor answers a question about internal systems on LinkedIn because the question seems innocuous.
  • A team member connects through a personal device because the corporate laptop is inconvenient.

These aren’t hackers in hoodies scripting zero-day exploits. These are everyday people operating under everyday pressures — and the bad guys don’t need more than that.

Breadcrumbs: the human leftover that signals weakness

The threat doesn’t always arrive in a dramatic phishing email with blinking lights and sirens.

Often, it arrives in a Slack message, a shared drive, a reused password, an unpatched internal app, or a casual answer to a seemingly innocent question.

I call these breadcrumbs — little behavioral clues that tell bad actors where to look.

And here’s the critical point:

Security controls can be excellent. But if the people operating inside them are unaware, unprepared, or untrained, the controls get sidestepped rather than defeated: a user who hands over a password to a convincing caller, or approves a login prompt they didn’t initiate, has done the attacker’s work for them.

You can have the most sophisticated intrusion detection system in the world — but if an employee posts a photo on social media with a whiteboard full of internal project names in the background, you have just handed attackers the context that makes a targeted phishing pretext believable: real project names, real structure, and a clear idea of whom to approach.

The attack begins long before the code executes

When we talk about cybersecurity, we tend to talk about:

  • firewalls
  • endpoint protection
  • encryption
  • patch management
  • network segmentation

All of these are essential.

But the first vulnerability isn’t a technical one.

It’s a psychological one.

It’s a moment of fatigue.
A moment of distraction.
A moment of poor judgment under pressure.
A moment when someone believes “it won’t happen to me.”

And defense contractors are full of high-performing, talented professionals — people who would never think of themselves as careless or vulnerable. Yet these are the same people who leave subtle signals that show an attacker exactly where to focus.

In other words:

The most sophisticated defensive tools in the world can be bypassed by the simplest human oversight.

Without addressing why humans make these choices, we are trying to build an armored fortress with paper doors.

The ethical and cultural dimension of cybersecurity

This is where ethics intersects with cyber-defense in a way that is often overlooked.

If we treat cybersecurity training as a compliance checkbox — “annual module completed; certification granted” — then we miss the deeper, human-level preparation people need. NIST SP 800-171 already requires security awareness and insider-threat training (its Awareness and Training family, 3.2), so the training exists on paper in any compliant program; the question is whether it changes how people act in the moment.

Real cybersecurity readiness means:

  • teaching people to recognize social engineering attempts
  • building comfort with not clicking that link
  • rewarding honesty when someone realizes they may have exposed a vulnerability
  • removing blame when a user slows down to verify a request, a caller, or a link before acting on it
  • encouraging people to ask questions when they’re not sure
  • creating environments where admission of uncertainty is valued more than looking competent

It’s why I say:

I don’t deliver ethics training. I build ethical decision-making reflexes under pressure.

Because cybersecurity under pressure isn’t a matter of knowing the rules.

It’s a matter of deciding to follow them when shortcuts feel easier, when the deadline looms, or when the boss asked for something “quick and dirty.”

When training ignores the human element, we create security theater

Most cybersecurity programs do a great job of telling people what they shouldn’t do.

Don’t click this.
Don’t reuse that password.
Don’t store credentials in documents.
Use the VPN.
Lock your screen.
Update your software.

Those are all valuable. But people don’t fail because they didn’t hear the rules.

They fail because, at the moment of decision:

  • they prioritized convenience over discipline
  • they rationalized that “it won’t matter this one time”
  • they feared being labeled difficult
  • they didn’t know how to escalate a concern
  • they didn’t understand what the ripple effects might be

And that is exactly where ethical training matters.

When people understand their role in risk, culture changes

Cybersecurity isn’t simply an IT problem.

It’s an organizational problem.

A cultural problem.

A behavioral problem.

And a leadership problem.

The best defense in cybersecurity — especially in the era of heightened requirements and certification standards — is not only a strong network architecture but a culture where people aren’t afraid to:

  • say “I’m not sure if that’s safe”
  • take the longer but more secure path
  • ask for help when something doesn’t feel right
  • pause instead of react
  • escalate potential issues early

That requires a culture of trust — trust that the message will be heard, not punished, and that the organization genuinely values integrity over speed or ease.

The bad actor doesn’t need your firewall to fail

An attacker doesn’t need a zero-day, and doesn’t need root access on day one.

All they need is a window into a human habit: one reused password, one approved login prompt, one reply to a plausible email.

And when people aren’t aware of their own vulnerabilities — emotional, cognitive, social — we give attackers exactly what they need.

So here’s the bottom line for defense contractors:

If your cybersecurity strategy focuses on hardware, software, and certification alone…

you are building defenses around the wrong target.

The real target is the human element — the decisions, the habits, the pressures, the shortcuts under stress.

And until you train for that level of awareness — until you help people see how their actions become the path of least resistance for bad actors — your system isn’t secure.

If you’re a defense contractor leader, take a step back from firewalls and patch logs for a moment. Ask yourself:

Are your people prepared not just to comply with cyber rules, but to make the right choice under pressure when no one’s watching?

If you want to build a program that goes beyond check-the-box compliance and grooms ethical decision-making reflexes that protect your network, your culture, and your mission — I’d love to help.

As always, I welcome your comments and I’m happy to respond. Feel free to share your thoughts below — especially experiences where the human factor mattered more than the tech.

Related Articles:

Defense Contracting Is Entering a New Era—And Ethics Training Just Became a Strategic Imperative

Defense Contractor Ethics Programs Fail When Employees Don’t Speak Up: How to Build a Culture of Trust
