Bad actors usually target an organization’s most vulnerable touch points to gain access to sensitive data. And too often, these weak links are the organization’s employees. 

Although security leaders recognize the importance of establishing a security culture, 45% of employees don’t know who they should report security incidents to, and nearly a third don’t think they play a role in maintaining their organization’s security. 

Clearly, something is wrong. 

Despite leaner budgets and a shortage of cybersecurity experts, improving security culture should be every CISO’s top priority. By fostering an environment in which security is a shared responsibility, CISOs can lighten the load on IT and limit the costs that accompany unforeseen security incidents.

What does a weak security culture look like?

Suppose an employee, Jerry, receives a seemingly innocuous email from a co-worker asking them to fill out a survey. Jerry clicks the link, unaware that it’s actually a phishing email, and IT has to scramble to intervene. Later, the CISO points out misspellings in the email copy and the foreign email address, and reprimands Jerry for missing these warning signs. 

Sound familiar? While this example may seem simplistic, it happens every day — and it demonstrates how an anemic security culture can contribute to increased risk for the organization.

The CISO placed sole responsibility for the problem on Jerry, ignoring the fact that the organization’s spam interrogation engine and content filtering software failed to flag the email before it got to the employee. Additionally, Jerry was unaware of the warning signs of a phishing email until after the damage was done. 

Employees like Jerry, who are berated for making a mistake, are unlikely to share security concerns in the future. This hesitation creates a vicious cycle in which CISOs criticize employees for blunders, and employees make more mistakes and leave CISOs in the dark about potentially disastrous security threats.

A weak security culture — one that works against employees, not with employees — has serious business implications: the global average cost of a data breach hit $4.35 million in 2022, and the U.S. average totaled a whopping $9.4 million. In addition to the cost of a data breach, the need to repeatedly rectify security blunders impacts productivity. Nearly three-quarters of IT decision-makers agree that attending to pressing cybersecurity needs takes time away from their team’s ability to focus on IT innovation. 

Concerns about a potential recession also bring to mind the massive increase in online fraudulent activity that took place during the 2008 recession. This elevated threat level comes as organizations are already struggling to recruit experienced cybersecurity professionals. 

Fortunately, a strong security culture — one that positions security as a shared responsibility for all employees — can help minimize these repercussions. A company-wide commitment to security reduces the likelihood of a costly data breach and allows CISOs to stretch already thin IT budgets without having to overspend on recruitment or expensive security retooling. 

Build a strong security culture from the ground up

Without widespread awareness, an organization is at risk for significant financial losses, reputational damage and legal liabilities — as well as losing the trust of customers. 

CISOs must lead the charge in making this goal a reality. Here are four steps security leaders can take to improve an organization’s security culture:

1) Ensure security tools do their jobs 

When an employee reports a phishing incident, the first question shouldn’t be why they clicked the link — it should be how the email arrived in their inbox in the first place. Think of employees as the airbag for company-wide security. A functional airbag is a last resort. It’s there to save drivers when disaster strikes. But if drivers are relying on an airbag to save them on a regular basis, it may be a sign they need to fix the mirrors, turn signal and brake lights first. 

In a security context, this could mean assessing the effectiveness of an organization's DKIM enforcement and anti-phishing filters. It might also mean ensuring the IDPS equipment is monitoring actual network traffic. Effective tools will reduce the number of opportunities employees have to make a costly mistake. 

2) Don't make security just another obligation

Many cybersecurity insurance agreements require businesses to educate their employees on cybersecurity best practices. While meeting these requirements is important, completing annual modules for compliance is hardly motivational for a non-technical employee. 

Instead, remind employees they each play a pivotal role in keeping their workplace secure and profitable, and communicate in terms non-technical employees can understand. For example, employees across all departments have customers they must satisfy. To build a strong security culture, employees must treat their organization’s security the same way they do when working with customers.

But taking security seriously doesn’t mean security education should be a joyless affair. Experiment with ways to make cybersecurity education more engaging. Incorporate security trivia games, make presentations interactive, celebrate employees who call out signs of fraudulent activity — anything security leaders can do to keep security from feeling like just another obligation is a win for the employees and the business.

3) Establish a clear reporting structure

Beyond promoting employee buy-in for security, leaders also need to establish clear reporting guidelines. A lack of clarity about who employees should reach out to with security concerns creates confusion and incentivizes team members to decide reporting concerns isn’t worth their time. 

Ultimately, employees need to understand the appropriate course of action to take if they fall victim to a scam, and it’s the CISO’s responsibility to create an accessible, judgment-free atmosphere. When mistakes happen, employees must trust that leadership won’t berate or shame them for it.


 4) Follow up on incidents and reassess

If security leaders have no reported incidents, they don’t want to make the mistake of believing their security posture is airtight. It’s more likely that the employees aren’t speaking up. When employees fail to self-report incidents, it’s a sign that the security culture is broken. 

To identify areas for improvement in a security culture, reflect on the incidents that employees reported in the last 90 days and what happened after they reported them. Did the security leaders update the anti-phishing software or rewrite a policy? Was the employee who self-reported disciplined in any way? Asking for input from the employees involved can help identify gaps in the processes. 

Security is an organization-wide mission

Comprehensive security tools and in-house security professionals are table stakes for every organization. But as the risk of cyber threats continues to rise, an organization can no longer get by without the help of the non-technical staff — especially as budgets decrease and skilled security professionals grow scarcer.

A strong security culture bridges the gap between IT and other departments, transforming security education from a tedious obligation into a company-wide mission.