Culture over checklists: Redefining cyber security as a core business value

Tony Christodoulou, Founder, CIO/CISO at Cyber Dexterity and Adjunct Faculty for GIBS Business School. (Image: Supplied)

---

At a time when cyber threats are evolving in sophistication, approach and frequency, many organisations have been driven to take swift action to improve their security posture. However, much of the focus has been on meeting compliance standards, ticking boxes and implementing rigid processes that look good in theory and on paper, but often miss the mark when it comes to creating a truly secure environment or is thrown to the waste side when dealing with a real breach.

While compliance is undeniably important as a priority and can improve maturity through its focus and execution, it falls far short of developing a culture that embraces security at its core and, more importantly, has the reflex to respond when it matters.

When the approach to cyber security is compliance-driven, cyber execution becomes superficial, leaving companies vulnerable to threats that exploit the very vulnerabilities not covered by compliance checklists. What's needed is a culture that goes beyond compliance – one that makes cyber security personal, engaging and integral to the way people work every day. If you get the culture right and get everyone to see cyber security as a business imperative, then being ‘compliant’ is achieved as a natural transition of doing good business.

This press release explores the importance of aligning security practices with individual digital self-security. By making security personally relevant, organisations can create an environment where protection becomes second nature and is seen as an integral part of each person's role in the ecosystem.

For many organisations, cyber security learning and development initiatives focus on compliance as an intended outcome rather than a skillset to be developed. Employees are often required to complete annual or bi-annual type training regimes that cover the basics of cyber security principles: password management, phishing awareness and data handling practices. While informative, these sessions are rarely engaging, lose relevance due to the nature of the evolving landscape and often leave attendees with little more than a fleeting sense of responsibility to pass a quiz as the measure of success. As the threat landscape evolves, they will prove less effective and fail to provide the organisation with the resilience it needs.

Companies that are solely compliance driven are missing a significant opportunity. A compliance-centric mindset tends to treat cyber security L&D efforts as a milestone to be achieved, rather than a skillset to be developed and a journey to be taken. As a result, employees may comply in the moment, but fail to internalise the lessons learned and, more importantly, apply them when it really matters, rendering the entire exercise ineffective in real-world scenarios. The learning process and experience must be fresh, relevant, personalised and strategically delivered to foster a robust safety culture.

Ask yourself what your true measure of success is. For example, is it the number of people who have completed your learning programme, or is it that your phishing resilience index (assuming you measure this and regularly simulate phishing in your ecosystem) has decreased since the last time you measured it (you should see a downward curve over time)?

When cyber security is viewed as a company requirement (even though it is), it often feels like just another box to tick. But when individuals see it as a way to protect their own digital lives, identities, finances, social circles and families, it becomes personal. This then facilitates the shift from obligation to personal interest and ownership of one's transformation journey.

This shift from 'protecting the company' to 'protecting yourself' can have a profound effect. When employees see that their organisation cares about their digital well-being, they naturally become more invested in the company's overall security posture. Then we see the narrative shift so that people don't just follow policies, they internalise them and really treat them as a business imperative. Framing cyber hygiene as a personal imperative sparks real engagement and makes safe habits stick, leading to the desired adoption.

This approach also benefits third-party stakeholders and customers, as employees who are security-conscious in their personal lives are less likely to engage in risky behaviours that could lead to breaches at work.

A security culture cannot be built on generic content. It requires an approach that resonates with the specific context of people's roles, the business processes they are involved in and the data they handle daily. By framing security in a way that speaks to their everyday activities, employees are more likely to understand their role in the larger security ecosystem.

For example, a marketing professional who regularly handles customer data should receive training that highlights the importance of data privacy, the potential threats they may encounter in their communications and best practices to ensure that customer information is protected. Similarly, a developer should be educated on secure coding practices and the risks of inadvertently introducing vulnerabilities during the software development life cycle.

By tailoring security training to an individual's experience, coupled with exposure to the real consequences of these breaches and the way in which they're initiated, companies can foster a deeper connection and understanding of why cyber security is important – both to the business and to the individual.

Culture is defined by "how we do things around here". It's not about sporadic training sessions, it's about embedding security into the fabric of the organisation. For this to happen, security must be woven into daily activities and decisions, rather than seen as an add-on or afterthought.

Achieving this integration requires consistency and reinforcement. Instead of a once-a-year training session, companies should implement continuous learning programmes that offer bite-sized, role-specific modules throughout the year. These modules could include interactive simulations, real-world scenarios and micro-learning experiences that take no more than 10 minutes to complete.

In addition, regular discussions about cyber security should be incorporated into team meetings, project kickoffs and performance reviews. This ongoing engagement helps reinforce the idea that security is not just the responsibility of IT, but a shared commitment across the organisation.

One of the key principles of building a strong security culture is to empower employees to take ownership of security. This can be achieved by creating channels of open communication where employees can ask questions, report suspicious activity and share best practices. Anonymity in reporting should be guaranteed to encourage people to come forward without fear of repercussions.

Recognition is also important. Employees who demonstrate good security behaviour – whether it's identifying a phishing attempt, following best practices or contributing to security discussions – should be recognised and rewarded. This can take the form of simple 'security champion' recognition, or more tangible rewards such as gift cards or extra paid time off. Such gestures reinforce positive behaviour and motivate others to follow suit.

A true culture of security thrives on collaboration. However, many organisations operate in silos, with security treated as the domain of a select few. Breaking down these silos is critical to building a holistic security culture.

Encouraging cross-functional collaboration can be done in several ways:

Cross-departmental workshops – Conduct workshops that bring together employees from different departments to discuss security topics relevant to each function. This promotes a shared understanding of how each team’s actions can impact the organisation’s security posture.

Security ambassadors – Appoint security ambassadors in each department who act as liaisons between their teams and the security function. These ambassadors can help translate security policies into department-specific practices and provide feedback to the security team on areas that need improvement.

Joint security exercises – Organise joint tabletop exercises where members from various teams participate in simulated security incidents. This helps build a collective response capability and reinforces the concept that security is a shared responsibility.

One of the biggest challenges in creating a culture of security is the perception that security is at odds with business objectives. This perception can only be changed by demonstrating how strong security practices enable business success.

For example, robust security measures can accelerate regulatory compliance, increase customer confidence and provide a competitive advantage. Project planning and decision-making processes should include security considerations from the outset to avoid disruptions down the line. By involving security professionals in these discussions, you can ensure that security is seen as a strategic enabler rather than an obstacle.

Trust is a fundamental element of any culture, and this is especially true of a security culture. Building trust requires transparency in communication about security risks, incidents and the steps being taken to address them.

We should strive to be open about the challenges they face and the steps they are taking to protect data and systems. This includes communicating security incidents, where appropriate, without creating fear or uncertainty. By keeping employees, customers and third parties informed, organisations can build a sense of shared responsibility and collective resilience.

Leadership plays a key role in defining and promoting a safety culture. Leaders need to embody the values they want to see in the company. When leaders prioritise security, it sends a clear message that it is a core value and not just a box-ticking exercise.

Leaders should also be visible champions of security initiatives. This can be done by attending security training, communicating the importance of security at company-wide meetings and leading by example – whether it's by complying with security policies themselves or supporting investment in security technology and talent.

Compliance might keep auditors content, but it won’t mean you're effective to prevent, detect and respond to cyber attacks. If cyber security lives only in policies, annual trainings or checklists, it dies in real-world scenarios.

To build real resilience, security has to move from being a box to tick to a behaviour embedded in how people think, work and collaborate.

That means making it personal. It means giving people the tools, context and motivation to care, not just about the company’s interests, but about their own digital lives. It means leadership showing up, not signing off. And it means shifting from one-off training to continuous engagement, from silos to shared responsibility.

Organisations that treat cyber security as a cultural mindset, one that is aligned with business objectives and driven by people, don't just stay compliant. They stay ready and relevant for the digital economy. In today's threat landscape, this difference is everything.

Author: Antonios (Tony) Christodoulou

Founder, CIO/CISO at Cyber Dexterity | Adjunct Faculty GIBS Business School (Gordon Institute of Business Science) | Former CIO at a Global Fortune500 Company, American Tower Corporation.