The majority of companies handle security as an infrastructure issue. Purchase the correct tools, set up the right firewalls, recruit the right IT staff – and your organization is secure. This assumption is the reason why the explanations for almost all breaches are so similar: the systems were adequate, but somebody screwed up.
Around 74% of all data breaches involve a human component, with mistakes, privilege abuse, stolen passwords, or social engineering. This number doesn’t change by adding another piece of software. It changes when an organization changes its culture.
Why Compliance Fails When It Lives Only in IT
Too often, business compliance efforts crumble in on themselves because they’re approached as an IT deliverable rather than a company-wide commitment. The security team writes the policies. The policies get neatly put in a drawer. Employees don’t read them. An auditor comes to visit. Everyone runs around like crazy.
It’s not the policies that are the issue. It’s that absolutely no one outside of IT has any ownership of them. When security is seen as not my job, every other department in the company is an automatic vulnerability. HR doesn’t bother to double-check on an access control review because that’s a tech thing. Sales passes around the creds to get a quicker client demo. Marketing opens a phishing link because they didn’t think there would be one.
Making security part of everyone’s job description – not down in the fine print, but right there in black and white as an actual expectation – changes who cares. When the business development manager knows that part of their gig is ensuring their team is completing access control reviews, suddenly it’s not an IT problem. It’s a team problem, which is where we believe the emphasis should lie.
Building The Infrastructure of a Security-Aware Workforce
Two factors strongly influence whether employees will behave in a secure manner: whether they believe there is a safe process for reporting mistakes, and whether there is a “Security Champion” nearby who can explain security concepts in a language that makes sense for their team.
The first factor seemingly has nothing to do with firewalls or encryption, but it’s critical. In a no-blame reporting culture, employees are assured they won’t be in trouble if they make an error in judgment such as clicking a phishing link. If employees do not trust that such a culture exists, they will be hesitant to report anything when a breach is still in its early stages. This gives the incident response team less time to respond before the threat actor achieves their goal. To encourage employees to report immediately instead of perfectly, they need to be told overtly, repeatedly, and from a high level that the organization values early reporting above all else.
The second factor is Security Champions. These are non-security staff located within a business department who have some extra training and act as a bridge between their team and the security department. You don’t have enough time to teach every single HR team member about cryptographic key management, but you only need to teach one. The Security Champion within HR then offers guidance on how to handle secure offboarding, and they understand its importance. The Champion role massively amplifies the effect of your training resources by translating your training requirements into the real work that each specific team does.
Mapping Culture to International Framework Requirements
Once you see cultural indicators improve, the next step is translating them back into formal control structures. Are your access controls, incident response plans, asset register, and supplier management process good enough? This is where iso 27001 compliance becomes relevant – not just as a certification target, but as a structural framework for organizing everything the culture needs to produce. Each area will require gradual cultural adjustments to ensure that the redesigned system is both stronger and harder to bypass than the last version.
C-Suite Buy-In Isn’t Optional
All of this is meaningless unless there is clear and visible commitment from the leadership. We’re not talking about their signatures on a document. But instead real commitment, such as allocating a budget, including security in the executive briefings, and having the leadership go through training just like all the other employees do.
Because when employees see that the people who decide how to allocate resources take security seriously, they understand that the company is serious as well. And when they see how security is being pushed back every time in the name of velocity, they get that message as well. The culture comes from the behavior. The leadership team sets the lowest bar for the entire organization.
The same with improvements. All of the international standards assume that security controls are being tested, reviewed, and upgraded. That’s because they also understand how the threats are evolving. A company that is used to the idea of security being not static – and not a project that eventually ends but an ongoing initiative – it’s much easier for them to cope with standards’ requirement to renew your certificate every three years.
Perfect technology will fail at some point. Technology where the question “What else can I do with what I have?” comes before “What more do I need to make it work?” – will hold much longer.
