
After two decades of building increasingly mature security architectures, organizations are confronting a hard truth: tools and technology alone are not enough to mitigate cyber risk. As the technology stack became more refined and more capable, attackers shifted their focus. They no longer concentrate solely on infrastructure vulnerabilities; increasingly, they exploit human behavior. In most modern breaches, the initial attack vector is not a zero-day exploit. It is an attack on people.
The data is well documented. For five years, Verizon's Data Breach Investigations Report has shown that human risk is the biggest factor in breaches worldwide. The latest edition of the report found that almost 60% of all breaches in 2024 involved the human element. In that context, however, it is important to address a common misconception. The phrase "people are the weakest link" implies that an employee is at fault when a breach occurs. In most cases, that is not what happened. The user has not failed at security; the security environment has failed the user. Security is often unnecessarily complicated. It is communicated in confusing, overwhelming professional jargon, and it is designed for auditors and lawyers rather than the average employee.
Put simply, effectively mitigating human risk is not a matter of technology adoption or policy enforcement. It is a matter of fostering a strong organizational security culture that simplifies and supports secure human behavior. Until security culture receives the same prioritization and investment as security technology, human risk will continue to undermine even the best-designed technology programs.
Defining security culture
Every organization already has a security culture in place. The key question is whether it is the security culture they actually want.
By definition, security culture is the shared perceptions, beliefs, and attitudes about cybersecurity across an organization. Do people believe security is important? Do they feel responsible for it? Do they consider themselves a target? When that belief structure is strong, secure behavior follows. When it is lacking, for example when security is seen as a barrier to people's work or productivity, your risk increases exponentially.
The problem is not that people do not care about protecting their organization. It is that security is not built into how their work happens; it is overlaid on top as something they are expected to navigate. If you want people to behave securely, you need to create the conditions that support those behaviors. Employees adjust their actions based on what their environment rewards, enables, and expects. Security is no exception. To improve security culture, the focus should be on designing the daily environment that shapes people's perceptions and decisions.
In practice, this means assessing the four biggest drivers of security culture: leadership signals, security team engagement, policy design, and security training.
Leadership signals: Culture starts at the top. When leaders treat security as a priority by tying it to budgets and bonuses, or by elevating the CISO on the org chart, a clear message is sent. Otherwise, no amount of lip service will change that perception.
Security team engagement: Executives are not the only ones who shape the culture. People's daily experience of security often depends on the security team itself. Is the team helpful or hostile? Clear or confusing? Enablers or blockers? All of this matters.
Policy design: Policies are the constant point of interaction. If they are overly technical, difficult to follow, or full of friction, they erode trust. If they are simple and intuitive, they reinforce the idea that security is achievable.
Security training: This is often the most visible part of the program, and also the most misunderstood. If training is boring, outdated, or irrelevant, it signals that security is not really important. When it is engaging and applicable, it builds belief and promotes secure behavior.
These four areas also provide a framework for measuring culture. Ask employees what they think and feel about leadership, the security team, policies, and training. Their answers will tell you whether your culture is working for you or against you.
Aligning the four levers of security culture
Executive support may set the tone, but security culture is defined by what employees encounter every day. If those lived experiences contradict the message from leadership, beliefs break down. People may hear that security is a priority, but if policies are unknown, training feels disconnected, or the security team seems rigid and unhelpful, trust erodes quickly.
This is why alignment across all four cultural levers is essential: leadership, security team engagement, policy, and training. When leadership makes security visible through resources and accountability, it demonstrates strategic importance. But that message must be reinforced by how security teams interact with employees. If employees feel stonewalled, or are punished for making mistakes or for seeking support, they are less likely to become active participants in the organization's security efforts.
Policy design plays an equally important role. If policies are long, technical, or unrealistic, employees default to convenience even when it introduces risk. Simpler, more intuitive guidance makes it easier to act securely without slowing down business outcomes. The same principle applies to training. If it is outdated or generic, it quickly becomes a check-the-box exercise. When it is relevant and role-specific, it helps reinforce security as part of the job.
Ready to operationalize your security culture?
Join me this fall at SANS Orlando Fall 2025, where I will be teaching the newly updated LDR521: Security Culture Leaders. This course provides a step-by-step framework for assessing your current culture, identifying the greatest opportunities for change, and building an environment where secure behavior is the norm. You will take practical tools, real-world case studies, and leadership-ready playbooks back to your team.
Register for SANS Orlando Fall 2025.
Note: This article was contributed by Lance Spitzner, Senior Instructor at SANS Institute.