The Pragmatic CIO logo The Pragmatic CIO

2026-02-10

Digital Self-Defence: What CIOs Should Teach Their People

Modern digital risk follows people across devices, networks and AI tools — making personal digital hygiene part of modern CIO leadership.

CIOCybersecurityPrivacyAIDigital WorkplaceEnterprise ITTechnology LeadershipSecurity Awareness
Download PDFDownload EPUBMarkdown
Verification files
Markdown SHA256Markdown signaturePDF SHA256PDF signatureEPUB SHA256EPUB signaturePublic signing key
Digital Self-Defence: What CIOs Should Teach Their People
Digital self-defence starts with personal habits — and scales into organisational security.

For years, the CIO remit was clear:

secure the office, the network, the systems.

That mental model no longer holds.

Today, most digital risk doesn’t originate in the data centre or even on managed endpoints.

It follows people:

  • across personal devices
  • home networks
  • hotel Wi-Fi
  • free tools
  • browser extensions
  • generative AI services

…all of which increasingly blur the line between work and life.

If CIOs want to reduce risk meaningfully, we have to accept a simple truth:

You can’t firewall behaviour — but you can influence judgement.

Helping people protect themselves privately is now part of modern CIO leadership — not as a welfare exercise, but because good habits at home have a boomerang effect at work.

When people understand risk in their own lives, they act more deliberately, more cautiously, and more consistently in the office.

Security stops being something they comply with and starts being something they practice.

The Boundary Has Disappeared

Work and personal technology are no longer separable.

People:

  • draft emails on personal devices
  • copy/paste content between work and free AI tools
  • store “temporary” files in personal cloud drives
  • reuse passwords because it’s convenient
  • connect to public Wi-Fi while travelling, gaming, or streaming

None of this is malicious.

It is normal behaviour in a hyper-connected world.

But the risk is cumulative — and it does not respect corporate policy boundaries.

Why Policy Alone No Longer Works

Most organisations respond with:

  • longer policies
  • tighter prohibitions
  • more mandatory training

Yet breaches still happen.

Why?

Because policies do not operate at the moment of decision.

People make choices based on:

  • speed
  • habit
  • convenience

…not PDF documents.

What does scale is a simple mental model:

“Would I be comfortable explaining this decision in an audit, a breach review, or a courtroom?”

That question works just as well at home as it does in the office.

Digital Self-Defence: The Basics CIOs Should Actually Teach

This is not about paranoia.

It is about literacy.

A few examples resonate far more than abstract rules:

  • Free tools are rarely free — data is the price
  • Personal cloud storage is not private by default
  • Browsers and extensions leak more context than people realise
  • Screenshots are data exfiltration
  • Password reuse is still one of the most common failure points
  • Public Wi-Fi turns convenience into exposure

Teach people why something matters, not just that it is “not allowed”.

Leadership by Example Matters

If we expect employees to think critically about digital risk, we have to model that behaviour ourselves.

Personally, I do not separate enterprise thinking from personal digital hygiene.

The same questions apply:

  • Who can see the data?
  • Where does it live?
  • What happens if it leaks?
  • Can I control or revoke access?

After testing numerous tools over the years — professionally and privately — I settled on Proton for my own use.

Not because it is perfect — it is not — but because its design choices align with how I think about minimising unnecessary exposure.

Applying the Principles at Home

This is not a product endorsement.

It is simply how the thinking translates into practice.

Email — Proton Mail

Encryption by default, clear data boundaries, and no incentive to monetise content.

Zero-access architecture means even the provider cannot read message content.

Files — Proton Drive

Personal documents, travel paperwork and family records stored with:

  • least exposure
  • strong access control
  • no silent data mining

Passwords — Proton Pass

Unique credentials stored in an encrypted vault without tying identity to an advertising ecosystem.

This alone removes a huge amount of avoidable risk.

Connectivity — Proton VPN

Used routinely:

  • while travelling
  • on public Wi-Fi
  • while gaming
  • during streaming
  • at home

Not because we are doing anything “sensitive”, but because privacy is not about secrecy.

It is about reducing avoidable exposure when networks cannot be trusted.

The important point is not the tools themselves.

It is the thinking behind them.

Why CIOs Should Care — Even Outside the Office

Because today’s personal shortcut becomes tomorrow’s corporate incident.

Helping people protect themselves:

  • reduces shadow behaviour at work
  • builds trust instead of fear
  • reinforces judgement instead of blind compliance
  • quietly lowers organisational risk

…without adding unnecessary friction.

That is far more effective than trying to lock everything down after the fact.

A Personal Digital Hygiene Checklist CIOs Can Actually Share

This is not about locking everything down.

It is about reducing avoidable exposure — both at home and at work.

1. Pause Before Pasting

Would you paste this into a public forum?

Would you be comfortable explaining this action during an audit or incident review?

If not, do not paste it into free tools, AI services, or chat interfaces.

2. Assume Free Tools Learn from What You Give Them

If a service is free, your data may be the product.

Drafts, screenshots, uploads, and “temporary” files still count as data.

Convenience should never be mistaken for privacy.

3. Treat Personal Cloud Storage as Shared, Not Private

Personal drives sync, index, and retain by default.

Store sensitive material only where access and exposure are intentional.

“Just for now” is rarely temporary.

4. Use Unique Passwords Everywhere

One reused password becomes one breach multiplied.

Password managers remove friction.

Reuse adds risk.

This remains one of the easiest wins available.

5. Be Deliberate on Public and Unfamiliar Networks

Assume public Wi-Fi is observable.

Encrypt traffic while:

  • travelling
  • gaming
  • streaming
  • working remotely

Most exposure happens when people are relaxed, not careless.

6. Remember: Screenshots Are Data

Screenshots bypass:

  • encryption
  • access controls
  • audit trails

If it should not be forwarded, it should not be captured.

Visual leaks are still leaks.

7. Optimise for Judgement, Not Rules

Tools and policies change.

Habits and instincts persist.

Good security is not about memorising rules.

It is about making fewer bad assumptions.

The Pragmatic Takeaway

Digital self-defence is no longer optional — and it is no longer purely an IT problem.

CIOs are uniquely positioned to:

  • normalise good digital hygiene
  • translate enterprise risk thinking into human terms
  • replace fear-based security with informed judgement

If a shortcut would not be acceptable for your own family’s data, it probably should not be acceptable at work either.

That mindset scales — and it is one worth teaching.

Sharing is caring

Related reading