Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecuritySecurity Leadership and ManagementLogical Security

Security culture is only as strong as the weakest link

By Matthew Rogers
laptop with password login screen

Image via Pixabay

June 20, 2023

Bad actors usually target an organization’s most vulnerable touch points to gain access to sensitive data. And too often, these weak links are the organization’s employees. 

Although security leaders recognize the importance of establishing a security culture, 45% of employees don’t know who they should report security incidents to, and nearly a third don’t think they play a role in maintaining their organization’s security. 

Clearly, something is wrong. 

Despite leaner budgets and a shortage of cybersecurity experts, improving security culture should be every CISO’s top priority. By fostering an environment in which security is a shared responsibility, CISOs can lighten the load on IT and limit the costs that accompany unforeseen security incidents.

What does a weak security culture look like?

Suppose an employee, Jerry, receives a seemingly innocuous email from a co-worker asking them to fill out a survey. Jerry clicks the link, unaware that it’s actually a phishing email, and IT has to scramble to intervene. Later, the CISO points out misspellings in the email copy and the foreign email address, and reprimands Jerry for missing these warning signs. 

Sound familiar? While this example may seem simplistic, it happens every day — and it demonstrates how an anemic security culture can contribute to increased risk for the organization.

The CISO placed sole responsibility for the problem on Jerry, ignoring the fact that the organization’s spam interrogation engine and content filtering software failed to flag the email before it got to the employee. Additionally, Jerry was unaware of the warning signs of a phishing email until after the damage was done. 

Employees like Jerry, who are berated for making a mistake, are unlikely to share security concerns in the future. This hesitation creates a vicious cycle in which CISOs criticize employees for blunders, and employees make more mistakes and leave CISOs in the dark about potentially disastrous security threats.

A weak security culture — one that works against employees, not with employees — has serious business implications: the global average cost of a data breach hit $4.35 million in 2022, and the U.S. average totaled a whopping $9.4 million. In addition to the cost of a data breach, the need to repeatedly rectify security blunders impacts productivity. Nearly three-quarters of IT decision-makers agree that attending to pressing cybersecurity needs takes time away from their team’s ability to focus on IT innovation. 

Concerns about a potential recession also bring to mind the massive increase in online fraudulent activity that took place during the 2008 recession. This elevated threat level comes as organizations are already struggling to recruit experienced cybersecurity professionals. 

Fortunately, a strong security culture — one that positions security as a shared responsibility for all employees — can help minimize these repercussions. A company-wide commitment to security reduces the likelihood of a costly data breach and allows CISOs to stretch already thin IT budgets without having to overspend on recruitment or expensive security retooling. 

Build a strong security culture from the ground up

Without widespread awareness, an organization is at risk for significant financial losses, reputational damage and legal liabilities — as well as losing the trust of customers. 

CISOs must lead the charge in making this goal a reality. Here are four steps security leaders can take to improve an organization’s security culture:

1) Ensure security tools do their jobs 

When an employee reports a phishing incident, the first question shouldn’t be why they clicked the link — it should be how the email arrived in their inbox in the first place. Think of employees as the airbag for company-wide security. A functional airbag is a last resort. It’s there to save drivers when disaster strikes. But if drivers are relying on an airbag to save them on a regular basis, it may be a sign they need to fix the mirrors, turn signal and brake lights first. 

In a security context, this could mean assessing the effectiveness of an organization's DKIM enforcement and anti-phishing filters. It might also mean ensuring the IDPS equipment is monitoring actual network traffic. Effective tools will reduce the number of opportunities employees have to make a costly mistake. 

2) Don't make security just another obligation

Many cybersecurity insurance agreements require businesses to educate their employees on cybersecurity best practices. While meeting these requirements is important, completing annual modules for compliance is hardly motivational for a non-technical employee. 

Instead, remind employees they each play a pivotal role in keeping their workplace secure and profitable, and communicate in terms non-technical employees can understand. For example, employees across all departments have customers they must satisfy. To build a strong security culture, employees must treat their organization’s security the same way they do when working with customers.

But taking security seriously doesn’t mean security education should be a joyless affair. Experiment with ways to make cybersecurity education more engaging. Incorporate security trivia games, make presentations interactive, celebrate employees who call out signs of fraudulent activity — anything security leaders can do to keep security from feeling like just another obligation is a win for the employees and the business.

3) Establish a clear reporting structure

Beyond promoting employee buy-in for security, leaders also need to establish clear reporting guidelines. A lack of clarity about who employees should reach out to with security concerns creates confusion and incentivizes team members to decide reporting concerns isn’t worth their time. 

Ultimately, employees need to understand the appropriate course of action to take if they fall victim to a scam, and it’s the CISO’s responsibility to create an accessible, judgment-free atmosphere. When mistakes happen, employees must trust that leadership won’t berate or shame them for it.


 4) Follow up on incidents and reassess

If security leaders have no reported incidents, they don’t want to make the mistake of believing their security posture is airtight. It’s more likely that the employees aren’t speaking up. When employees fail to self-report incidents, it’s a sign that the security culture is broken. 

To identify areas for improvement in a security culture, reflect on the incidents that employees reported in the last 90 days and what happened after they reported them. Did the security leaders update the anti-phishing software or rewrite a policy? Was the employee who self-reported disciplined in any way? Asking for input from the employees involved can help identify gaps in the processes. 

Security is an organization-wide mission

Comprehensive security tools and in-house security professionals are table stakes for every organization. But as the risk of cyber threats continues to rise, an organization can no longer get by without the help of the non-technical staff — especially as budgets decrease and skilled security professionals grow scarcer.

A strong security culture bridges the gap between IT and other departments, transforming security education from a tedious obligation into a company-wide mission.

KEYWORDS: CISO leadership cyber attack cyber attack response cybersecurity tools phishing phishing attack security culture

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Matthew Rogers is the global CISO at Syntax.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Leadership and Management
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Enterprise Services
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    New Security Technology
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Coding on screen

Research reveals mass scanning and exploitation campaigns

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

September 29, 2025

Global Security Exchange (GSX)

 

November 17, 2025

SECURITY 500 Conference

This event is designed to provide security executives, government officials and leaders of industry with vital information on how to elevate their programs while allowing attendees to share their strategies and solutions with other security industry executives.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Gaps in Cybersecurity Programs

    The perfect storm: How hardware security is getting weaker as the industry changes its cybersecurity models

    See More
  • row of gaming chairs at long desk

    The solution to esports’ identity problem is as simple as a selfie

    See More
  • malware-cyber-crime-freepik.jpg

    Malware-as-a-service is the growing threat every security team must confront today

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing