How to build a cybersecurity culture in your organisation

Written by
RMI Team (P)

Of the many business risks that every leader should plan for, cybersecurity risk is a major threat skyrocketing to the top of agendas.

A study by Accenture found that 68% of business leaders feel their cybersecurity risks are increasing, with information theft being the costliest consequence of cybercrime.

Cybersecurity risks are rising in large part because of recent accelerations in digital transformation and the shift toward hybrid work, but also because attacks are becoming more sophisticated, with phishing remaining one of the most common techniques.

It may come as a surprise to many, then, that one of the strongest defences against cyber threats isn’t better or newer technology. It’s having a strong cybersecurity culture.

What is cybersecurity culture and why does it matter?

According to the World Economic Forum, 95% of cybersecurity breaches can be traced to human error. Whether through accident, negligence or malicious intent, people remain the weakest link in the cybersecurity chain.

When it comes to managing cybersecurity, most organisations are comfortable dealing with the technology side of things. Buying new security software, installing a more advanced firewall or investing in machine learning to improve threat detection are relatively straightforward decisions.

Dealing with human beings, on the other hand, is more complicated. Building a strong cybersecurity culture, one that embeds safe behaviour and digital vigilance in the company's values, beliefs and attitudes, is a powerful way to ensure cybersecurity readiness, responsibility and responsiveness.

The big question is: how can leaders implement the right mechanisms to change their people’s attitudes, beliefs and values regarding cybersecurity, at every organisational level?

3 tips for building a strong cybersecurity culture in your organisation

Ensure the C-suite are fully committed

Leaders have a tremendous impact on strengthening an organisation's risk culture. While the chief information officer or chief information security officer may be at the helm of strategy, non-cyber executives, including members of the board of directors, have equally important roles to play.

An effective way to get the rest of the C-suite on board with committing to a cybersecurity culture – and taking responsibility for strengthening it within their own departments – is to make it relevant to them in business terms.

The chief marketing officer, for example, needs to understand the impact of a cyber breach on customer trust and loyalty, and have clear oversight over how customer data is collected, stored and shared within the organisation.

Similarly, chief financial officers need to understand the importance of proactively reporting cyber breaches and security risks to investors and stakeholders, and the costs, both seen and unseen, that such breaches have on the company's financial statements.

Make security training more human-centric

One of the key barriers to strengthening cybersecurity awareness within organisations is that security is perceived as being “boring”, “troublesome” or “complicated”.

According to Jinan Budge, principal analyst at Forrester Research, that's why it's important to design security awareness initiatives that create an emotional connection between employees and cybersecurity.

“Unless people feel positive about the topic of security, the capabilities of your team and you as a leader, you will struggle to get them to truly buy into the need for security,” she explains.

Leaders can start by making cybersecurity training more human-centric. Give actionable advice that's relatable, and influence change by nudging employees at high-risk behaviour points, such as when they are about to open an attachment from an unknown sender or approve an unexpected payment request.

Use language that resonates, and make awareness initiatives fun and rewarding, such as through the use of micro- and nano-learning platforms or gamification to improve retention. It’s possible to use fun and humour to engage employees while conveying a serious message.

Evaluate employees, but avoid a culture of shame

Some organisations have started making cybersecurity an official component of their employee evaluations. The principle is that with formal evaluation, employees understand the importance and gravity of secure behaviour and know what's expected of them. Coupled with rewards and consequences, this provides a powerful driving force for behavioural change.

For example, employees can submit testimonials of colleagues who went above and beyond to promote a cybersecurity culture, with official recognitions awarded every quarter.

On the other hand, those who fail a "spot the phishing email" exercise could be given a refresher course, while those who consistently score poorly on evaluations can be offered additional awareness support or training.

At the same time, it’s important to ensure that these evaluations and their results are handled responsibly. Cybersecurity evaluations should never be used to promote shame or blame, otherwise they will backfire.

Without psychological safety in the workplace, and an environment where people feel comfortable asking for help, making mistakes and learning from them, cybersecurity threats will become even harder to detect. An employee who clicks a phishing link but is afraid to report it delays detection and response, which is exactly when the damage spreads.

A strong, healthy and positive cybersecurity culture means employees are more knowledgeable about cyber threats, are personally committed to behaving safely, and feel motivated to change their habits in order to protect themselves, their colleagues and the organisation.

But making cybersecurity a part of your organisation’s fabric is not a one-and-done deal. As with all things related to organisational culture, consistency, leadership and follow-through are key.

With people as your first and final line of defence against cyberattacks, your organisation will be significantly better prepared to manage one of today’s biggest security risks.