Cybersecurity Awareness Month ends soon, but the mission will continue

Cybersecurity Awareness Month may be winding down, but the work of protecting organizations never stops. This week, we’ve gathered insights from cybersecurity leaders across the industry who are tackling everything from human-centered security to emerging threats like shadow artificial intelligence (AI). Their advice offers something for every managed service provider (MSP), regardless of size or portfolio.

From securing executive buy-in to treating employees like endpoints, these experts are helping us mark Cybersecurity Awareness Month by sharing practical strategies for building security programs that are both resilient and adaptable in an ever-evolving threat landscape.

Start with leadership buy-in

Ray Spangler, Senior Vice President and CTO at Barge Design Solutions, emphasizes that cybersecurity is not just an IT issue—it’s an organizational imperative.

“Cybersecurity extends beyond the IT department. The first step is securing leadership and executive buy-in. Once that’s achieved, security can be addressed as a comprehensive issue involving IT, HR, Legal, and the broader business.”

Ray recommends tapping into internal teams like HR and marketing to help drive awareness and adoption of cybersecurity policies.

“These groups specialize in employee engagement and communication. They can help determine the best methods for distributing policies and reaching employees in ways that resonate. HR understands how people learn best, and marketing knows how to deliver messages effectively.”

He also suggests involving key employees in training efforts.

“Peer-to-peer communication is still one of the best—and often most underused—methods to drive meaningful change.”

Training employees like endpoints

When it comes to managing human risk, DaVonda St. Clair, Information Security Architect, offers a fresh perspective.

“Train your people like endpoints, and your endpoints like people.”

She points out that while organizations often deploy layered controls for devices, employee training is frequently treated as a one-time checkbox.

“Human error remains the number one cause of breaches. Security awareness should be continuous, contextual, and adaptive, just like patching.”

For MSPs, DaVonda recommends integrating micro-drills, simulated phishing, and just-in-time prompts into client workflows, especially for non-technical roles. She even recommends packaging this approach as a “Human Firewall-as-a-Service” to help SMBs strengthen their security posture without adding overhead.

Don’t overlook AI risk

DaVonda also warns about the growing threat of “shadow AI,” which is the unauthorized or unmonitored use of AI tools by employees.

“Many organizations don’t know which AI tools their teams are using, what data is being fed into LLMs, or how AI is integrated into their tech stack. MSPs can’t protect what they can’t see.”

Her advice? Build an AI asset inventory and risk register now before it becomes a compliance requirement. Include approved tools, data classification policies, and guardrails for generative AI in customer-facing operations.

Building resilience in people

Jeff Foresman, VP of Cybersecurity at Resultant, believes that the strongest security programs go beyond technology.

“Attackers exploit human behavior more than firewalls. Training alone isn’t enough. You also need to measure and manage human risk just like technical risk.” That means tracking behaviors, reinforcing good decisions, and embedding security into daily operations. “True cyber resilience starts when your people know how to respond under pressure and not just how to avoid a phishing email.”

Stay focused on what matters

With the rise of AI and other emerging technologies, it’s easy to get distracted. Nick Muy, CISO at Scrut Automation, urges organizations to stay grounded.

“Don’t let shiny objects pull you away from what truly matters. Whether it’s AI agents or other innovations, you need to be clear on what you’re protecting and why.” He cautions against letting hype dictate priorities. “AI may pose real risks, or it may not. Only you know what’s critical to your business.”

From policy to practice

Policies are important, but they’re just the beginning. Anthony Scharf of E-Sharp Consulting reminds us that documentation alone doesn’t make a security program. “A policy is just paper. Auditors want to see it, but they also want evidence that it’s being followed.” His advice? Make evidence collection part of your procedures so you’re always audit-ready.

Securing the browser

Browsers have become a primary attack vector, yet many organizations still rely on outdated tools. Alon Levin, VP of Product Management at Seraphic Security, recommends integrating a Secure Enterprise Browser (SEB) into your stack. “Legacy tools leave major gaps in visibility and control. Modern SEBs offer secure remote access, data loss prevention, safe AI adoption, and identity protection—all with zero user friction.” Look for solutions that enforce real-time zero trust, work natively in the browser, and adapt to your workflows.

Don’t neglect the perimeter

Finally, Shehzad Mirza from CyberWa Inc. shares best practices for perimeter security:

“Conduct annual assessments, not just for security, but also to evaluate device placement and age. Use a third party to avoid bias.” He also recommends regular vulnerability scans and reducing firewall visibility. “Disable unnecessary services and ports like ping and telnet. The less visible your firewall is, the harder it is for attackers to find a way in.”

Building a security-first culture requires more than just tools—it demands collaboration, continuous education, and a clear understanding of what matters most. By engaging leadership, empowering employees, and staying focused on both human and technical risk, organizations can build resilience from the inside out.

Photo: BiancoBlue85 / Shutterstock

This post originally appeared on Smarter MSP.
