Everyone's Responsibility: Building a Cybersecurity-Centric Culture

Cybersecurity leaders must go beyond checking a box and get creative to actually change behavior.


In today's digital age, fostering a savvy culture of cybersecurity is paramount to safeguarding sensitive information, protecting personal and organizational assets, and maintaining trust in online interactions. A cybersecurity-savvy culture is not just a necessity but a strategic imperative in today's interconnected and data-driven world. It requires continuous education, training, collaboration across teams, and a collective commitment to prioritize cybersecurity at all levels of an organization and within broader communities.

Employee mistakes cause about 90 percent of data breaches, making education a critical component of a security strategy. With so many people working from home and using work computers for personal tasks, the cybersecurity risk is higher than ever. Even the best company defenses can fail when a bad actor exploits your staff to gain unauthorized access. 

However, effective security training is easier said than done. The reality is attending a bland cybersecurity session or reading a standard handbook is not at the top of your employees' priority lists. Cybersecurity leaders must go beyond checking a box and get creative to actually change behavior. 

The following strategies help maximize your training's effectiveness and build an organizational culture of security. 

Personal and Relatable

Cybersecurity training should reach employees on a personal level, appealing to their desire to protect themselves. Start by preaching less about the threats to the business and more about the impact on individuals. Making cybersecurity personally relevant underscores that it's not just a workplace concern — it's a life skill. 

Design training that teaches employees how to apply cybersecurity practices in their personal lives. Topic examples include online shopping, public wifi, and QR code use. By addressing everyday scenarios, training becomes more relevant, applicable, and more likely to stick. You’re helping employees build good personal habits that will translate into improved cybersecurity practices at work. 

For example, at Model N, we publish monthly newsletters on personal cybersecurity. This approach gives employees in-depth, useful information and keeps best practices top of mind.

Each department uses technology for different purposes, so it makes sense that they face distinct risks and threats. For example, an IT person is not likely to act on an invoice phishing email, but they might fall for one about an urgent software update. Create tailored training for each department to specifically address the most pressing threats. This approach makes the material more relevant and engaging and allows people to focus on the aspects most critical to their position.

Change It Up

Only 10 percent of employees report remembering cybersecurity training. Delivering the same recorded seminar or distributing the same manual every quarter doesn’t capture attention or drive change. We all crave variety in our learning, so lean into that desire to build your program. 

In addition to our newsletter, my team delivers targeted, live presentations to increase engagement and allow for real-time discussions and questions. Holding smaller group sessions, such as department-specific meetings, facilitates better engagement. Consider lunch-and-learns, which entice participation by creating a casual environment that makes learning more enjoyable. 

Another technique is to gamify the experience, which is shown to enhance the learning experience and improve retention. You can create quizzes, games, or challenges and give away prizes. 

We held a cybersecurity session for kids at Model N. Parents who might not otherwise prioritize security training for themselves are more likely to show up and actively engage when the content is about protecting their kids. By capturing parents' attention and providing their families with practical tips, we plant the seeds of a security mindset across generations.

Monitoring engagement metrics, like how many people use a phishing reporting tool, helps gauge training effectiveness. Our team regularly conducts sophisticated phishing simulations to test our employees. By tracking clicks, we can pinpoint which departments or individuals need additional targeted training. We can also determine which scams are fooling people most often and adjust education accordingly. 

This monitoring also proves the value of your training program. You can measure the behavioral change over time by comparing the number of people who click on a phishing link to those who report it. 

Be a Partner, Not a Roadblock

Effective cybersecurity is not a hindrance to business operations. However, if employees view the security team as a bureaucratic roadblock with endless rules and restrictions, they're more likely to try to circumvent controls or tune out security advice altogether. You must position your team as a strategic partner rather than a rule enforcer. 

Focus on finding solutions instead of just saying no. When a business unit presents a new initiative or technology proposal, don't immediately shut it down because of potential security risks. Instead, work collaboratively with them to understand their goals and find a way to achieve them securely. 

This mindset requires building strong relationships across the organization. Make a point to regularly engage with different departments to understand their priorities and challenges. Security teams position themselves as valued consultants by building trust and demonstrating a genuine interest in supporting the business. Employees are more receptive to security guidance from someone they know has their best interests in mind. 

Security can't be an afterthought — it must be woven into the fabric of the organization. The most effective security leaders think beyond executing obligatory training and focus on fundamentally shifting mindsets and behaviors. By making security personal and engaging, you are more likely to drive lasting behavioral change. Through this holistic and human-centric approach, security becomes not just a priority, but a shared value. 

While security is often viewed as a protective measure, it is also a powerful business enabler that can drive innovation, build trust, and create competitive advantages. Security is not just a cost center, but a strategic investment enabling businesses to innovate, protect assets, build trust with stakeholders, comply with regulations, and thrive in a digital ecosystem.

By integrating security into business processes and culture, organizations can harness their potential as business enablers while mitigating risks effectively.

As the Global Information Security Officer & DPO at Model N, Chirag Shah’s primary objective is to ensure the company's adherence to security, compliance, and privacy obligations.        

More in Cybersecurity