Three days after passing their annual security awareness training, a project manager at a defense contractor clicked a link in a phishing email that led to a six-figure incident response. The email had sailed past the spam filter, looked like it came from their primary subcontractor, and referenced a real program by name. The manager knew about phishing. They'd scored 95% on the training quiz. They clicked anyway.

I see this pattern repeatedly: organizations check the compliance box on security awareness training, then act surprised when human error remains the leading cause of incidents. The disconnect isn't hard to understand. A cybersecurity culture isn't built through annual training modules. It's built through incentives, leadership behavior, and psychological safety that makes reporting mistakes less painful than hiding them.

Most organizations don't have a cybersecurity culture problem because their people are careless. They have it because their systems, incentives, and leadership behaviors are misaligned with the security outcomes they claim to want.

Why Annual Training Fails

Compliance-driven security awareness training fails for structural reasons, not because the content is bad or employees aren't paying attention. The model itself is broken.

First, annual training treats security knowledge like a certification that expires every twelve months. You complete the module, pass the quiz, and you're "trained" until next year. This ignores how people actually learn and retain information, especially information they rarely use. Phishing techniques evolve weekly. Threat actors adapt faster than your annual training cycle can keep up.

Second, most training programs optimize for completion rates and documentation, not behavior change. The goal becomes "get everyone through the training before the audit" rather than "reduce the number of credential compromises." When your metric is a checkbox, you get checkbox behavior.

Third, these programs typically lack context. Generic examples about "suspicious emails" don't map well to the specific threats facing your organization. A healthcare provider faces different social engineering tactics than a defense contractor. Generic training produces generic awareness, which produces inconsistent behavior when employees face actual decisions.

The compliance theater becomes obvious during incident response. I've reviewed breaches where the initial compromise came from an employee who'd completed their training just weeks earlier. The training wasn't wrong—it covered the attack vector. But knowing something in the abstract and recognizing it in the moment, under pressure, with competing priorities, are entirely different things.

The Perverse Incentive Problem

Here's what actually happens in most organizations: an employee receives a suspicious email while juggling three urgent deadlines. Opening the attachment might be risky, but missing the deadline is definitely risky. Their performance review doesn't include a line item for "didn't click suspicious links." It does include delivery metrics for their project work.

The incentive structure tells employees that security is someone else's job, usually IT's job, and that their job is to deliver results. When security and productivity conflict—which they do, regularly—productivity wins. Not because employees don't care about security, but because that's what the organization actually rewards.

What a Cybersecurity Culture Actually Looks Like

Real cybersecurity culture shows up in daily decisions, not in training completion statistics. It's visible when an executive postpones a demo because the vendor hasn't completed their security review. It's visible when a sales team pushes back on a customer request that would create an unacceptable risk. It's visible when someone reports clicking a suspicious link and your first response is "thank you for reporting this quickly" rather than looking for someone to blame.

The organizations that get this right—and they're uncommon—treat security as a shared operating assumption rather than a specialized function. Security isn't what the CISO's team does while everyone else does "real work." It's embedded in how decisions get made across the organization.

Leadership Modeling

Culture flows from the top, and security culture is no exception. When your CEO uses their personal Gmail for business because it's "easier," you don't have a security culture. When your CFO demands exceptions to access controls because "trust me, I'm an executive," you don't have a security culture. When your board treats the cybersecurity update as the boring agenda item before lunch, you definitely don't have a security culture.

Leadership modeling means executives follow the same security policies everyone else does. It means they ask security questions during business reviews. It means they allocate budget to security improvements without waiting for a breach. It means they visibly use the approved tools rather than maintaining shadow IT because the approved solutions are inconvenient.

I worked with a healthcare organization where the CEO required all vendor presentations to include a slide on how the solution aligned with their HIPAA compliance program. Not buried in the appendix—up front, in the main deck. That's leadership modeling. It signaled to everyone in the room, including the vendors, that compliance wasn't an afterthought or a procurement checkbox.

Making Security Part of How Work Gets Done

Security can't be bolted onto existing processes as an afterthought. It needs to be integrated into how work happens. This means security considerations in project planning, not just at the end. It means security review is part of the vendor selection process, not something that happens after Legal and Finance have already committed to a vendor. It means architecture reviews that include threat modeling, not just performance and scalability discussions.

The pattern I see in organizations with mature cybersecurity cultures: security is boring. It's just how things get done. Nobody treats it as special or unusual to include security requirements in a project plan. Nobody needs convincing that access reviews matter. The controls are normalized.

Speaking on Security Culture to Leadership Teams

Carl delivers keynotes and workshops on building security culture for boards, executive teams, and organizational leaders—practical frameworks drawn from work with healthcare systems, defense contractors, and regulated industries.

Book Carl to Speak
Inline article illustration

Psychological Safety and Incident Reporting

The fastest way to destroy any hope of a functional cybersecurity culture is to punish people for reporting security incidents. Yet organizations do this constantly, often without realizing it.

An employee clicks a suspicious link, realizes their mistake, and now faces a choice: report it and face consequences, or stay quiet and hope nothing bad happens. In most organizations, the path of least resistance is silence. Reporting means explaining yourself to IT, probably to your manager, maybe to senior leadership. It means becoming "the person who clicked the phishing link" in a culture that treats security incidents as personal failures rather than systemic information.

The irony is obvious: the organizations that most need fast incident reporting—because early detection dramatically reduces breach impact—are often the ones that make reporting most painful. The employee who clicked the link and reported it within ten minutes gives you options. The employee who clicked, stayed silent, and let you discover the breach two weeks later through your SIEM alerts gives you an incident.

Blameless Reporting Systems

Blameless reporting doesn't mean no accountability. It means treating most security incidents as learning opportunities rather than disciplinary events. The person who falls for a particularly sophisticated phishing attack probably isn't the problem—the fact that the attack got through your email filters and looked convincing enough to fool a trained employee indicates systemic gaps.

Organizations with mature cultures separate the individual incident from the pattern. One person clicking one link is an incident to contain. Twenty people clicking similar links over six months is a pattern that indicates your training, your technical controls, or your communication isn't working.

The best system I've seen: a simple Slack channel where anyone could report "I just did something that might be a security issue" and get an immediate, standardized response thanking them for reporting and asking for specific details. No judgment in the response, no public shaming, no automatic escalation to their manager. The security team would investigate, provide feedback, and look for patterns. People actually used it because the cost of reporting was low and the response was professional.

Incentivizing Good Security Behavior

What gets measured gets managed, and what gets rewarded gets repeated. If you want people to prioritize security, you need to make security part of how you evaluate and reward performance.

This doesn't mean adding "completed security training" to everyone's annual review—that's still checkbox thinking. It means evaluating how people handle security-relevant decisions in their actual work. Did the product manager include security requirements in the initial design spec, or were they an afterthought during the security review? Did the business development team qualify security requirements during the sales process, or did they commit to something that implementation can't deliver securely? Did the project manager allocate time for security testing, or was it squeezed out by deadline pressure?

These behaviors are observable and evaluable. They're also much better predictors of security outcomes than training completion rates. When you start evaluating them, and especially when you start rewarding them, you signal what the organization actually values.

Making Security Reporting Easier Than Hiding It

Psychological safety matters, but so does practical friction. If reporting a potential security incident requires filling out a five-page form, scheduling a meeting, and writing an incident summary, people won't report. If reporting means sending a quick message to a known channel and getting a fast response, they might.

The best reporting systems I've seen are simple: one communication channel, clear ownership, fast acknowledgment, and reasonable follow-up. The employee who reports something gets thanked, not interrogated. They get information about next steps and, when appropriate, a follow-up on what was learned. They don't get a disciplinary letter or a mandatory remedial training session that feels like punishment.

Compare this to the pattern I see in organizations with poor security cultures: an employee reports a potential incident and disappears into a black hole. They don't hear back. They don't know if anyone is handling it. They don't know if they did the right thing. Next time they face a similar situation, they're less likely to report. Why would they? Reporting had costs—time, anxiety, uncertainty—with no visible benefit.

The feedback loop matters enormously. People need to see that reporting leads to action, that their reports are taken seriously, and that the system learns from incidents. When employees see that their phishing report led to a updated email filter rule, or that their observation about a security gap led to a control improvement, they learn that reporting has value. When they see nothing happen, they learn that reporting is theater.

Inline article illustration

Integration with Broader Risk Management

Cybersecurity culture doesn't exist in isolation from your organization's broader risk culture. If your organization handles operational risk, financial risk, and compliance risk with maturity and discipline, you have a foundation for security culture. If your organization treats all risk as something to be minimized in reports while maximized in practice, you're working uphill.

The organizations that struggle most with cybersecurity culture are often the ones that struggle with risk management generally. They make commitments without evaluating feasibility. They operate with unclear ownership and accountability. They treat problems as individual failures rather than systemic issues. These patterns show up everywhere, including security.

The organizations that excel at cybersecurity culture tend to excel at risk management broadly. They have clear decision-making processes. They evaluate trade-offs explicitly rather than optimistically assuming they can have everything. They learn from failures rather than hiding them. The security culture is an extension of these broader organizational patterns. You can read more about how cybersecurity fits into broader board-level risk discussions and what that integration looks like in practice.

Security as Business Enablement

The final piece of a mature cybersecurity culture is treating security as business enablement rather than business prevention. This sounds like marketing speak, but there's a real distinction.

Organizations with poor security cultures treat security as the team that says no. Want to use this new tool? Security says no. Want to launch this feature? Security says it's not ready. Want to close this deal? Security has concerns. This creates an adversarial dynamic where business teams learn to route around security to get things done.

Organizations with mature security cultures treat security as the team that figures out how to say yes safely. The question isn't "can we do this?"—the answer is almost always technically yes. The question is "what do we need to do this with acceptable risk?" That's a different conversation. It assumes the business objective is legitimate and looks for ways to achieve it rather than reasons to block it.

This requires security teams that understand business context and business teams that understand risk. When the sales team wants to close a deal that requires deploying in the customer's environment, the security team's job isn't to recite policy. It's to evaluate the specific situation, identify the gaps between current controls and required controls, and present options with their risk profiles. Maybe the answer is "no, this creates unacceptable risk." But often the answer is "yes, if we implement these additional controls" or "yes, for this customer tier with these limitations."

Keynotes on Building Security-Aware Organizations

Carl speaks on security culture, leadership accountability, and board-level cyber risk for conferences, executive retreats, and industry events. See all keynote speaking topics or reach out about your event.

Book Carl for Your Event

Technical Controls Still Matter

None of this means technical controls don't matter. Culture doesn't replace technical security—it amplifies it. The best phishing training in the world won't stop a zero-day exploit. Multi-factor authentication, email filtering, endpoint protection, and network segmentation remain essential. But technical controls are more effective when they're supported by culture rather than working against it.

Consider multi-factor authentication. Technically, it's straightforward. Culturally, it's a daily friction point. In an organization with poor security culture, MFA becomes something people complain about, route around when possible, and resent as an obstacle. In an organization with good security culture, MFA is just how you log in—normalized, expected, not worth commenting on.

The same pattern repeats across every control. Access reviews are bureaucratic compliance theater or they're a routine part of joiner-mover-leaver processes. Vulnerability management is a fight with development teams or it's integrated into the release process. Incident response is a crisis everyone hopes to avoid or it's a practiced capability with clear ownership.

Culture determines which version you get. The technology is the same either way.

Measuring What Matters

If you want to know whether you're building cybersecurity culture, look at behaviors and outcomes, not training metrics. Completion rates tell you whether people clicked through the modules. They don't tell you whether they'll recognize a phishing attempt or report a suspicious activity.

Better metrics include: time from incident occurrence to incident reporting, percentage of security incidents reported by employees versus detected by tools, number of security-related questions raised during project planning, participation rates in voluntary security programs, and results from realistic phishing simulations.

Track how often security is involved early in decision-making versus late. Track how often security concerns lead to changed decisions versus overridden concerns. Track how long it takes to remediate identified vulnerabilities. Track repeat incidents—not to punish, but to identify where your culture and controls aren't working.

These metrics tell you whether security is actually integrated into how your organization operates. Training completion tells you whether people opened the training module. The pattern I see in organizations with strong security cultures: their metrics focus on decision quality and response speed, not on checking boxes. When you measure behavior change, you tend to get behavior change. When you measure compliance, you get compliance theater.

The Social Engineering Reality

The threat landscape has evolved in ways that make culture more important, not less. Modern social engineering attacks are sophisticated, personalized, and difficult to distinguish from legitimate communication. Attackers use information from data breaches, social media, and public sources to craft convincing messages. They understand your organization's communication patterns, vendor relationships, and internal processes. Some attacks now include AI-powered deepfakes that can mimic voices and video.

Technical controls catch the unsophisticated attacks. Culture determines how your organization handles the sophisticated ones—the attacks that make it through your filters, that look legitimate, that target specific individuals with contextualized information. These attacks succeed or fail based on whether the target recognizes something is wrong and whether they feel empowered to slow down and verify rather than responding immediately.

This comes back to psychological safety and incentives. If your culture punishes people for slowing down to verify, or rewards responsiveness above accuracy, sophisticated social engineering will succeed. If your culture makes it acceptable to say "this seems urgent, but I'm going to verify through a separate channel before taking action," you have a fighting chance.

I've seen this play out in incidents where the initial target suspected something was wrong but felt pressure to respond anyway. Maybe the email appeared to come from a senior executive and demanded immediate action. Maybe the caller claimed to be from IT and said they needed access to resolve a critical issue. Maybe the message arrived during a high-stress period when the target was already overwhelmed. The technical security awareness was there—the person recognized warning signs. But the cultural and situational pressure overrode it. Understanding lessons from how recent breaches actually unfolded makes this dynamic clear: culture gaps, not knowledge gaps, enable most successful attacks.

Building Culture in Regulated Industries

Organizations in regulated industries face additional complexity. You're building cybersecurity culture while also managing compliance obligations, audit requirements, and regulatory expectations. The risk is that compliance becomes the goal rather than the floor.

In healthcare, HIPAA compliance is non-negotiable. But a culture that treats HIPAA as the target—"we're compliant, we're done"—misses the point. HIPAA establishes minimum requirements. A mature security culture treats those requirements as baseline assumptions and asks what additional protections make sense given your specific risks. When your primary metric is "would this pass an audit?" rather than "would this protect our patients' information?", you've optimized for the wrong outcome.

The same pattern appears in defense contracting with CMMC, in financial services with various regulatory frameworks, and in any industry with meaningful compliance obligations. Compliance provides structure and requirements, which can actually help build culture—clear expectations, documented controls, regular reviews. But compliance can also create a checkbox mentality that undermines culture if you're not careful.

The organizations that get this right treat compliance as a floor, not a ceiling. They use regulatory requirements as a foundation and build on it based on their actual risk profile. They involve security in business decisions not because regulations require it but because it produces better outcomes. They measure security effectiveness, not just compliance documentation.

Starting From Where You Are

If you're reading this and recognizing that your organization doesn't have a mature cybersecurity culture, you're not alone. Most organizations don't. Building culture is long-term work that requires sustained leadership commitment, not a quarterly initiative.

Start by examining your incentive structures. What do you actually reward? What behaviors do your performance management systems encourage? If you want people to prioritize security, that needs to show up in how you evaluate and compensate them.

Look at your incident response and reporting systems. Are they designed for learning or for blame? When someone reports a potential incident, what happens next? Is the experience positive or negative? Would someone who reported once want to report again?

Evaluate how leadership models security behavior. Do executives follow the same policies they expect employees to follow? Do they ask security questions in business reviews? Do they allocate resources to security improvements proactively or only in response to incidents?

Assess where security fits in your business processes. Is it integrated early or bolted on late? Does the security team have the context and access they need to enable business outcomes, or are they disconnected from business operations until there's a problem?

None of this is quick. Cultural change takes years, not quarters. But it compounds. Each improved process, each positive interaction, each visible example of leadership prioritizing security makes the next change easier. You're building organizational muscle memory around how security decisions get made.

The CISO's Role in Culture Building

As a CISO or senior security leader, you can't build cybersecurity culture alone. But you can't build it without security leadership either. Your role is part technical expert, part change agent, part teacher.

The technical expert part is table stakes—you need to understand threats, controls, and risk. But the change agent part is where culture gets built or broken. You're helping the organization change how it thinks about and handles security decisions. This requires understanding the business context, building relationships with leaders outside the security function, and communicating in terms that resonate with business priorities.

The teaching part means helping people understand not just what the rules are but why they exist. Security policies that seem arbitrary produce resentment and workarounds. Security policies that people understand and agree with produce compliance and often improvement suggestions.

This is also where external perspective can help, whether through a vCISO engagement, advisory work, or board-level consulting. Sometimes the patterns are easier to see from outside the organization, and sometimes the message lands differently when it comes from someone without organizational baggage.

The most effective security leaders I know spend less time on technical architecture than you might expect and more time on organizational dynamics. They understand that a mediocre technical solution that people actually use beats a perfect technical solution that people route around. They focus on making security the path of least resistance rather than an obstacle course.

Culture and Technology Evolution

The technology landscape keeps changing—cloud adoption, remote work, AI integration, mobile devices, IoT, whatever comes next. Each new technology creates new security challenges. But the cultural foundation remains consistent.

Organizations with mature cybersecurity cultures adapt to technology changes more effectively because they have processes for evaluating risk, integrating security into adoption decisions, and learning from problems. They don't need to rebuild their entire security program every time technology shifts. They extend existing patterns to new contexts.

Organizations with weak security cultures struggle with each new technology wave. They adopt first and ask security questions later. They underestimate risks. They skip security reviews because they're too slow. They treat each technology shift as a special case rather than a pattern.

As AI tools proliferate, this dynamic becomes particularly visible. Organizations with strong security cultures are asking questions about data handling, model training, access controls, and compliance implications before they deploy AI tools at scale. Organizations with weak security cultures are discovering those questions during the audit. The technology is new, but the pattern is familiar.

Why This Matters for Leadership

Cybersecurity risk is business risk. The incidents that become board-level problems—data breaches, ransomware, business disruption, regulatory action—rarely happen because your organization lacked the technical capability to prevent them. They happen because someone made a decision that prioritized something else over security, or because the organization's culture and incentives didn't support secure behavior.

Building cybersecurity culture is a leadership responsibility, not a technical function's responsibility. The CISO can't create culture without leadership support, aligned incentives, and sustained attention. This means cybersecurity needs to be part of how leadership teams think about business operations, not a specialized topic that gets isolated in IT.

When boards ask about cybersecurity posture, the conversation needs to go beyond "are we compliant?" and "what tools do we have?" to "how do security decisions get made?" and "what behaviors do we reward?" Those cultural questions are better predictors of whether you'll have a significant incident than your technical architecture is.

The organizations that handle cybersecurity well have leadership teams that understand this distinction. They invest in technical controls, absolutely. But they invest equally in the organizational systems, incentives, and behaviors that make those controls effective. They treat security culture as a strategic asset, not a compliance obligation. And when they face sophisticated attacks—which everyone does eventually—their culture gives them resilience that technical controls alone can't provide.

📖
Related Reading
AI-Powered Cyber Threats: Deepfakes and the New Social Engineering → Cybersecurity Lessons from Recent Breaches →