After two decades of developing increasingly mature security architectures, organizations are running up against a hard truth: tools and technologies alone are not enough to mitigate cyber risk. As tech stacks have grown more sophisticated and capable, attackers have shifted their focus. They are no longer focusing on infrastructure vulnerabilities alone. Instead, they are increasingly exploiting human behavior. In most modern breaches, the initial attack vector is not a zero-day technology exploit. It’s exploiting vulnerabilities in people.
The data is well-documented. For five years running, Verizon’s Data Breach Investigations Report has shown that human risk represents the greatest driver of breaches globally. The latest version of the report found that nearly 60% of all breaches in 2024 involved a human element. However, in that context, it’s important to address a common misconception. The phrase “people are the weakest link” implies that employees are at fault when breaches arise. In most cases, that isn’t the issue. Users aren’t failing at security, their security environment is failing them. Too often, security is made unnecessarily complex. Concepts are communicated in a confusing and overwhelming technical language while policies are designed for auditors and lawyers, not the average employee.
In turn, effectively mitigating human risk isn’t a matter of just more technology adoption or policy enforcement. It’s about cultivating a strong organizational security culture that simplifies and supports secure human behavior. Until security culture is treated with the same prioritization and investment as your security technology, human risk will continue to undermine even the best-designed technical programs.
Defining Security Culture
Every organization already has a security culture in place. The key question is if it’s the security culture they actually want.
Security culture, by definition, is the shared perceptions, beliefs, and attitudes about cybersecurity across the organization. Do people believe security is important? Do they feel responsible? Do they see themselves as a target? When that belief structure is strong, behavior follows. But when it’s missing, like when security is seen as someone else’s job or an obstacle to productivity, your degree of risk grows exponentially.
The problem isn’t that people don’t care about protecting their organization. It’s that security isn’t embedded into how they work, instead layered on top as something they’re expected to navigate around. If we want people to behave securely, we need to create conditions that support those behaviors. Employees adjust their behavior based on what the environment rewards, enables, and expects. Security is no different. To strengthen security culture, the focus should be on designing a day-to-day environment that shapes people’s perceptions and decisions.
In practice, this means evaluating the four biggest drivers of your security culture: leadership signals, security team engagement, policy design, and security training.
- Leadership signals: Culture starts at the top. If leaders treat security as a priority by budgeting for it, tying it to bonuses, or elevating the CISO in the org chart, it sends a clear message. If they don’t, no amount of lip service will change that perception.
- Security team engagement: It’s not just executives who shape culture. The day-to-day experience people have with security often depends on the security team itself. Is the security team helpful or hostile? Are they clear or confusing? Are they enablers or blockers? All of that matters.
- Policy design: Policies are a constant point of interaction. If they’re overly technical, hard to follow, or full of friction, they erode trust. If they’re simple and intuitive, they reinforce the idea that security is achievable.
- Security training: This is often the most visible part of a program, but also the most misunderstood. If your training is boring, outdated, or irrelevant, it signals that security doesn’t really matter. When engaging and applicable, it builds belief that drives behavior.
These four areas also provide a framework for measuring your culture. Ask your employees what they think and feel about leadership, the security team, policies, and training. Their answers will tell you whether your culture is working for you or against you.
Aligning the Four Levers of Security Culture
Executive support may set the tone, but security culture is defined by what employees encounter day to day. If those lived experiences are inconsistent with leadership’s message, belief breaks down. People may hear that security is a priority, but if policies are unclear, training feels disconnected, or security teams are rigid and unapproachable, trust erodes quickly.
This is why alignment across all four cultural levers – leadership, security team engagement, policy, and training – is essential. When leadership visibly prioritizes security, through resourcing and accountability, it signals strategic importance. But that message needs to be reinforced by how the security team interacts with the workforce. If employees feel punished for mistakes or stonewalled when they ask for support, they are less inclined to be active participants in defending the organization.
Policy design plays an equally important role. When policies are long, technical, or impractical, employees will default to convenience even if it introduces risk. Simpler, more intuitive guidance makes it easier to act securely without slowing down business outcomes. The same principle applies to training. If it’s outdated or generic, it becomes a check-the-box exercise. But when it’s relevant and role-specific, it helps reinforce that security is part of the job—not an add-on to it.
Ready to Operationalize Your Security Culture?
Join me this fall at SANS Orlando Fall 2025, where I’ll be teaching the newly updated LDR521: Security Culture for Leaders. This course offers a step-by-step framework to assess your current culture, identify the top opportunities for change, and build an environment where secure behavior is the norm. You’ll leave with practical tools, real-world case studies, and a leadership-ready playbook you can take back to your team.
Register for SANS Orlando Fall 2025 here.
Note: This article was contributed by Lance Spitzner, Senior Instructor with the SANS Institute. Learn more about his background and experience here.