Cyber Culture: See Something – Say Something!
Cyber culture and your people’s behaviour are critical to your organisation’s cyber resilience. While organisations invest heavily in cybersecurity technologies, strengthening the behavioural security layer is equally vital. A positive cyber culture, where employees feel responsible for security and empowered to act, is a crucial defence against cyber risks.
What is Cyber Culture?
Cyber culture is the collective mindset, behaviours, and attitudes toward cybersecurity within an organisation. It determines whether employees recognise threats, adhere to security policies, and proactively report weaknesses. Studies show that organisations with a mature cyber culture experience fewer security incidents and faster response times. ENISA[1] research finds that most data breaches are the result of human action. The UK’s National Cyber Security Centre[2] emphasises that a “positive cyber security culture is essential because it’s people that make an organisation secure, not just technology and processes”. Yet many organisations struggle to shift from a compliance-driven approach to one where security is embedded into everyday actions and decisions.
What are the missing links?
A culture of psychological safety[3] is essential for strengthening cyber resilience. Employees must feel safe to admit mistakes, report security concerns, and challenge unsafe practices without fear of blame or punishment. If employees hesitate to report a phishing attempt they fell for, or a misconfigured system they noticed, because they fear repercussions, vulnerabilities remain hidden and risks escalate.
Rituals—structured, repeated behaviours—can reinforce positive cybersecurity habits. High-intensity experiences like cyber incident simulations create lasting awareness, while routine cyber hygiene checks ingrain secure behaviours into daily workflows. These methods shift cybersecurity from an abstract technology problem to a shared business responsibility.
How can your board foster a positive Cyber Culture?
Boards play a critical role in shaping cyber culture by setting the tone at the top. Here are five actionable steps directors can mandate to strengthen organisational cyber resilience:
1. Foster psychological safety by ensuring there are safe and anonymous channels for reporting security concerns, following the “See Something – Say Something” slogan, possibly using your whistleblowing process as a template. Encourage executives to model openness about their own security mistakes to build trust.
2. Embed cybersecurity into daily routines, for example by implementing cyber hygiene breaks, where teams dedicate time to updating passwords or verifying that multi-factor authentication (MFA) is enabled on their accounts.
3. Introduce a cyber tip of the week, reinforcing best practices through regular communication.
4. Make security policies employee-centric, by ensuring policies are practical and aligned with business operations rather than overly restrictive.
5. Consider leveraging security champions across departments to advocate for cyber awareness and to bridge the gap between the technology and business teams. One good practice for security champions is hosting storytelling sessions where employees share security mishaps and lessons learned, normalising learning over blame.
Boards have a powerful role in shaping a positive cyber culture by setting clear expectations, offering support, and leading by example. Directors are key in ensuring that a positive cyber culture is integrated throughout the organisation, facilitating collaboration between business and technology teams. Changing your organisation’s cyber culture will be a gradual process, achieved through small, consistent steps. Ultimately, you will be rewarded with a workforce that practices "See something – Say something" and contributes to cyber resilience with confidence.
[1] European Union Agency for Network and Information Security (ENISA), Cyber Security Culture in Organisations, 2017, https://www.enisa.europa.eu/sites/default/files/publications/WP2017%20O-3-3-1%20Cyber%20Security%20Cultures%20in%20Organizations.pdf
[2] National Cyber Security Centre, Cyber Security Toolkit for Boards: Developing a positive cyber security culture, https://www.ncsc.gov.uk/collection/board-toolkit/developing-a-positive-cyber-security-culture
[3] Amy C. Edmondson, The Fearless Organization: Creating Psychological Safety in the Workplace for Learning, Innovation, and Growth, 2018