How the Cybersecurity Industry Is Addressing the Mounting Issue of Phishing

by / Cybersecurity / December 22, 2025

Phishing, i.e., the act of manipulating people into sharing sensitive information online, remains one of the most persistent and costly cybersecurity threats, even as cybersecurity tools and training attempt to curb its impact. 

Phishing’s success largely stems from human error, with credential theft via phishing emails often the first step of an attack. Despite the prevalence of this attack method, many organizations continue to overemphasize perimeter defenses and compliance frameworks, overlooking the risks in employee inboxes.

Some security leaders have recognized this need for a different approach, however, acknowledging that human behavior must be accounted for as much as any technological weakness, if not more so.

The Intersection of Human Psychology and Technical Defense

Olivier Adamczyk, an entrepreneur and Chief Information Security Officer (CISO) who currently leads security at a Top 50 US startup, has spent nearly a decade working at the intersection of human psychology and technical defense. Much of this experience comes from leading his cybersecurity firm, Midway Security, which develops practical tools to reduce phishing risk. 

Adamczyk’s work reflects a broader movement within the cybersecurity industry, one that seeks to address how attacks succeed in real-world environments. 

“Phishing works because it exploits normal behavior,” he explains. “People are busy, they trust familiar brands, and attackers design messages to look routine rather than suspicious. If your defenses assume perfect user behavior, they are already flawed.”

Using Anti-Phishing Technology as a Security Measure

With this view in mind, organizations have begun reassessing the effectiveness of traditional security awareness training. Many have found that standard approaches, such as annual training and simulated phishing emails, can improve awareness but do not eliminate risk outright.

Even well-trained employees can make mistakes under pressure, especially when attackers tailor messages to personal or organizational context. To address this, Olivier Adamczyk has focused on prevention at the moment of decision. His latest application of this approach is his patented anti-phishing technology, a browser-based defense layer that intercepts phishing attempts before users enter credentials.

The concept for this invention came from Adamczyk’s experience building and running security programs across multiple industries; while doing so, he observed that post-incident response often came too late to prevent damage. 

“Once credentials are stolen, the organization is already in a reactive position,” Adamczyk says. “The goal should be to stop the theft from happening in the first place, not just detect it after the fact.”

The technology was tested in operational environments, including during phishing simulations. Olivier Adamczyk notes that, in one documented case, the solution prevented roughly 18.5% of employees from entering their credentials into malicious sites during a simulated attack. While it is worth noting that no single control can eliminate phishing, results like Adamczyk’s have drawn attention within a field that now increasingly prioritizes measurable outcomes over theoretical forms of protection.

The Importance of Risk Assessments

Before founding Midway Security, Olivier Adamczyk worked as a Cybersecurity Risk Expert within Credit Suisse’s CISO organization. There, he conducted risk assessments of critical banking applications and global infrastructure changes, an experience that Adamczyk states reinforced the importance of scalable, practical security controls. This proved even more valuable given Credit Suisse’s position as one of the world’s largest financial institutions at the time, which necessitated strict regulatory scrutiny and complex threat models.

“In large enterprises, security has to function across thousands of users and systems,” Adamczyk adds. “You learn quickly that controls must be both effective and operationally realistic. If they slow the business down too much, they will be bypassed or ignored.”

This mindset of practical operational realism carried over into Adamczyk’s later work at high-growth startups, whose operational environments posed unique challenges for speed and scale. 

Protecting Personal Data

As CISO, Olivier Adamczyk has been responsible for protecting millions of personal data records while supporting rapid organizational expansion. According to him, maintaining security in these environments requires close alignment between leadership, engineering, and risk management. 

“Security cannot be an afterthought, especially in startups handling sensitive customer data,” he notes. “A single data incident can jeopardize trust and threaten the viability of the business.”

By applying this approach to his projects, Adamczyk found that, under the security programs he designed and led, his organizations experienced no data breaches. He adds that, while no environment is immune to risk, his focus on threat-informed defense and controls helped address absolute attack paths, contributing to his success in protecting employees from direct manipulation.

As phishing attacks persist, the cybersecurity industry has gradually recognized the need for new definitions of operational success, particularly amid novel techniques such as real-time credential harvesting, artificial intelligence, and increasingly convincing impersonation tactics.

“Reducing risk is not about chasing the latest buzzword,” Adamczyk argues. “It is about understanding how attackers operate and putting controls in place where they are most likely to succeed.”

Expanding Reach and Creating a Measurable Impact

To provide organizations with tools that complement existing security programs rather than replace them outright, Olivier Adamczyk aims to expand the reach of his anti-phishing technology to additional US businesses through Midway Security. He notes that he plans to support companies that lack the resources of large enterprises.

“Smaller and mid-sized businesses are often targeted precisely because they have fewer defenses,” he insists. “They need solutions that are effective without requiring massive security teams.”

Since phishing is and will likely remain a dominant threat vector, voices like Adamczyk’s will become all the more valuable as they reflect broader industry conversations about the need for practical accountability and measurement in cybersecurity. Rather than relying solely on awareness campaigns or downstream detection, the field is shifting its focus toward controls that intervene before damage occurs.

“In the end, security should enable people to do their jobs safely,” Olivier Adamczyk concludes. “If we can reduce the likelihood of human error leading to compromise, we raise the security baseline for everyone.”

The cybersecurity industry is one often defined by its complex frameworks and abstract risk models. While these tools have their place, more leaders within the industry are recognizing the need for applied defense and measurable impact. As organizations continue to grapple with the human element of security, approaches that consider both behavior and technology are likely to play an increasingly central role.

 

About The Author

Brianna Kamienski is a highly-educated marketing writer with 4 degrees from Syracuse University. With a comprehensive understanding of communication theory, she's able to craft meaningful work that conveys what clients want to say to their clients. Brianna is the proud mother of two boys, Chase and Cooper.
