SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Beyond the checkbox: embedding cyber security into organisational culture to improve resilience

Fri, 15th Aug 2025

Cyber security is no longer the responsibility of one person or one team; it is everyone's. Threat actors are not trying to 'hack the mainframe' directly; they look for the easy targets, and the easiest target is usually an employee. Commenting on its recent cyber-attack, M&S CEO Stuart Machin said: "I have learnt everyone is vulnerable. The hackers only need to be lucky once". Yet many organisations continue to treat cyber security training as a quick-win, box-ticking exercise, offering annual compliance modules that do little to build genuine awareness of how employees can protect themselves, and even less to change behaviour.

The challenge: compliance over culture

In many organisations, cyber security culture is driven by compliance requirements, typically the need to satisfy certifications such as ISO 27001, SOC 2 and Cyber Essentials. Short videos pushed out once a year, or a set of refreshed policies, tick the box for the standard, but they rarely stay with employees for longer than the video itself. They become just another task to complete with minimal engagement or understanding, and do little to foster the organisation-wide awareness that protecting against cyber threats actually requires.

The result? An inherently false sense of security for the organisation, and a workforce that remains largely unprepared to deal with real-world threats like phishing, social engineering, and data handling risks.

This approach also reinforces the misconception that security is someone else's job, usually that of the IT or cyber security team. When security is seen as a standalone function rather than a shared organisational value, vulnerabilities and risks multiply. Employees continue to use weak passwords, click suspicious links in emails, ignore software updates, or fail to report suspicious activity, simply because they believe it is not part of their job.

The change: from obligation to ownership

To counter this, organisations must move beyond annual compliance and adopt a culture where cyber security is seen as a shared responsibility and an organisational value. Security should be embedded in daily behaviours, decision-making processes, and employee mindsets, not just in policies and procedures.

This cultural shift requires senior leadership to take a top-down approach. Cyber-aware directors and executives should actively engage in discussions about security risks, participate in training exercises, and consistently follow the same cyber security policies as the broader workforce. This reinforces the idea that security is not an optional requirement; it is a priority.

Organisations also need to make cyber security training more engaging and more relevant to employees. It must move away from a one-size-fits-all annual course and instead reflect the real threats employees face, both inside and outside the workplace.

For example, cyber security specialists can explain the risk of receiving a QR code in a work email that prompts the recipient to reset their password or multi-factor authentication, and then show how the same technique is used outside work: threat actors place QR code stickers over car parking machines, directing drivers to fraudulent payment pages, and have scammed many out of hundreds of thousands of pounds.

Educating employees through a variety of methods makes training more impactful and memorable. Phishing simulations let employees see what happens if they follow through on a phishing email, and cyber security desktop exercises for senior leaders simulate what happens after an attack. Both provide real-time feedback, and they are just two examples of the approach.

Building a culture of shared responsibility

Creating a security-conscious culture requires continuous reinforcement, not just waiting for Cyber Security Awareness Month to roll around each year. Organisations should establish ongoing awareness campaigns, encourage open dialogue about security concerns, and recognise employees and teams that demonstrate strong security practices.

When someone reports a phishing attempt or identifies a vulnerability, they should be celebrated and the report communicated openly. Equally, employees who click on a simulated phishing link should not be berated. Instead, cyber security professionals need to educate and engage the C-suite on why employees are clicking on the simulated links, and adjust the training to minimise the risk of it happening again. Positive reinforcement normalises security-focused behaviour and encourages others to follow suit.

Additionally, security teams should strive to be approachable and collaborative. Rather than being the individuals or team that says 'no' to everything, they should work with departments across the organisation to embed security into projects from the outset. Building these partnerships can be hard in environments where the cyber security function must evolve with changing threats and demands, but it is equally rewarding when silos are broken down and teams actively consider cyber security risk as part of project planning and development.

The payoff: resilience and trust

Shifting from a box-ticking mindset to a culture of ownership is not just about reducing risk; it is about creating an environment where security is second nature. In that environment, every employee acts as a line of defence, not because they must, but because they understand why it matters.
