IT Brief Ireland - Technology news for CIOs & IT decision-makers
Marc van Zadelhoff

'Human Risk' takes centre stage - Mimecast CEO

Wed, 25th Mar 2026

In Australia for the company's Elevate customer conference, Mimecast CEO Marc van Zadelhoff describes human risk as the critical 'eighth layer' of cybersecurity, warning that malicious insiders are now outpacing negligent ones for the first time.

Founded 24 years ago as an email-security specialist, Mimecast has evolved into one of the world's top 15 cybersecurity companies, approaching US$1 billion in annual revenue. "We started with email because that's where 80-90% of breaches still begin," van Zadelhoff points out. The company has since expanded through strategic acquisitions into a unified human-risk management platform spanning email, collaboration tools, browsers, SaaS applications and data-loss prevention (DLP).

At its core is a "measure-train-control" strategy designed to protect organisations from both accidental mistakes and deliberate data theft.

Van Zadelhoff defines human risk as the behaviour layer that sits above traditional technology stacks encapsulated in the 7-layer OSI model. "It's the human who sees an email and thinks, 'I've got to click that URL'," he says.

This eighth layer encompasses three drivers: curiosity, sophisticated social engineering by attackers, and – increasingly – malicious intent inside the organisation.

Citing Mimecast's latest State of Human Risk research, van Zadelhoff reveals that malicious insider incidents in Australia have increased by 42%, overtaking negligence-based threats (which rose by 38%) for the first time.

Managing the problem has proven difficult for the reason captured in the old saying 'you can lead a horse to water, but you can't make it drink': getting people to notice anything is an uphill struggle.

Mimecast understands that, and so within its platform negligence is handled through real-time behavioural nudges and training. When a user attempts a risky action, the platform pops up an immediate advisory message and a two-minute training module, and blocks the move. "It's not a two-hour annual compliance course," van Zadelhoff explains. "It's a learning moment right when the mistake is about to happen."

Malicious activity is addressed via the company's insider-risk and DLP tools. These detect unauthorised or risky actions (such as employees copying source code to personal GitHub accounts, emailing customer lists to personal Gmail, or exfiltrating data during layoffs) and spur action. "Once our insider product goes in, people cannot unsee the real risk they're facing," van Zadelhoff says. "Suddenly seeing everything that's leaving the building is often quite revealing."

Not, as you might imagine, in a good way.

The Mimecast platform does not replace humans; it meets them at the exact moment of risk, van Zadelhoff continues. "We pop up and say, 'This doesn't look right; are you sure?' or 'You're moving data into an unsanctioned app; here's a quick training module'," he explains. The approach combines AI-driven detection, instant education, and hard controls (URL rewriting, blocking unsanctioned apps) so employees either learn or are stopped before damage occurs.

In an extreme version of the Pareto Principle (the 80/20 rule), he says "Eight per cent of users drive 80% of the risk," with the tricky bit being identification. "You just didn't know which 8%. Until now."

The system updates continuously, flagging spikes during restructures, layoffs or geopolitical events that can turn previously safe employees into higher-risk profiles.

When asked about emerging cybersecurity trends, van Zadelhoff placed human and insider risk at the top of the list for 2026, alongside platform consolidation and the rapid rise of agentic AI. "It's self-serving to say, but human risk is the layer that actually moves the needle," he says.

Self-serving, maybe, but perennially accurate. Hackers know that people are the weakest link owing to our good nature and notorious fallibility. And sometimes our curiosity works against us, particularly if there's something salacious or titillating at play, as those who remember the 'ILOVEYOU' worm will confirm.

Van Zadelhoff is in the country for Mimecast's Elevate conference in Melbourne (with follow-on sessions in Sydney) and a customer advisory board where Australian and New Zealand customers tell the company what they are seeing, and what they need from their security vendor. He first visited Australia shortly after becoming CEO two years ago and credits some local customers with driving Mimecast's product roadmap.

Although not asked directly, van Zadelhoff's remarks point to the value of the US-style platform approach: treating human risk as a dedicated category rather than a scattered set of point solutions. By consolidating email security, insider detection, DLP and real-time training under one AI-powered platform, organisations avoid the skill gaps and coverage holes that multi-vendor environments create, a model Mimecast has refined over the years.