Leading CSOs realise that blaming people for falling victim to phishing attacks, losing devices, or otherwise causing a security incident isn’t beneficial.

People who fear reprisal are less likely to come to security when there is a problem, most of which could have been avoided with better controls and training. Despite this, companies seemingly still see people as the weak link, according to a new study by CSO.

To coincide with the launch of CSO UK, IDG conducted a survey of 200 IT leaders from major UK enterprises to explore the state of cybersecurity within UK organizations, including key threats, main investment areas and what is driving the security agenda within the business. The full results are published in our new report, The State of Enterprise Security.

Despite fearing the potential damage fallible humans can cause to a business, security teams recognise that reducing that risk requires people-centric solutions as well as technology.

People present a problem and opportunity

Although moving away from blame culture and the idea that people are the problem should be a goal of today’s security teams, most organizations still see employees as a chink in company defenses. A massive 98 percent of respondents agreed with the statement that: ‘The human employee is the weakest link when it comes to cybersecurity’. Over two-thirds agreed with this idea strongly.

Social engineering, phishing, and business email compromise – all attacks which rely on people falling prey to manipulation and trickery – were listed amongst the top threats organizations are most concerned about.

This dim view of the role people play in security likely feeds into why only 13 percent of organizations would rate internal cybersecurity awareness as very good. Also, 40 percent of respondents said awareness was merely adequate, suggesting there is still much work to be done around improving education, raising awareness and reducing people-based risks as a result.

While organizations may still view humans as the problem, security teams also recognize that people-based problems require people-based solutions. 85 percent of the companies surveyed stated they were utilizing awareness training to reduce human error.

GDPR: A more positive effect on the board than scare stories

In the wake of businesses becoming more digitally-enabled and data breaches making headlines on a near-daily basis, communicating the potential risks and benefits of cybersecurity to company leadership is becoming an increasingly important part of the CSO’s role.

Yet there still seems to be a disconnect between reality and perception between CSOs and leadership. Over 60 percent of organizations surveyed agreed that a data breach is almost inevitable, yet just 10 percent said management understand the cybersecurity challenges that their organisation faces 'very well'. A third of respondents said management do not understand these risks very well, and another four percent said “not well at all”, which can put the organization and the CSO’s position in danger.

However, it seems the European Union and the General Data Protection Regulation (GDPR), despite its detractors, has been beneficial for getting security’s message across more than any scare stories about breaches. Just under 80 percent of respondents said that GDPR had been the main thing to help improve cybersecurity understanding in the board room over the last two years; more than any single security incident, including the WannaCry and NotPetya attacks, the Facebook/Cambridge Analytica scandal, or the breaches of either Equifax or the Marriott.

The introduction of GDPR was also deemed to be practically helpful; 70 percent of those surveyed agreed that the regulation’s requirements had improved their organisation’s cybersecurity maturity level.