From Friction to Trust: Rethinking Security Culture


Lessons from the Field

Establishing a strong and sustainable security culture remains a big challenge across industries and organisations. Despite the investment in security programmes, many initiatives fail to gain lasting traction. The issue is not usually a lack of effort, but rather a disconnect between well-meaning strategies and the day-to-day realities of the people they are intended to support.

I’ve been around the block a bit, and here I’m drawing on experience from running workshops, focus groups and cultural assessments to identify recurring pain points and to highlight practices that are helping organisations shift from friction to trust.

Common Barriers to Building a Security Culture

Consistent themes emerge when listening to staff across different business units:

  • “It’s hard to understand the policies and processes we’re expected to follow.”
  • “Security doesn’t always align with how our teams actually work.”
  • “We care about security, but doing the secure thing often feels harder.”
  • “There’s so much training, and we’re already overloaded.”
  • “If I make a mistake, I worry about the consequences of reporting it.”
  • “Phishing simulations feel more like traps than learning opportunities.”
  • “Security? That’s someone else’s job.”

These comments reflect a broader issue: people often experience security as something imposed upon them, rather than something that works for them and supports their work.

Compliance isn’t culture

In response, some organisations double down on training and awareness. However, more modules, more simulations, and more mandatory sessions do not necessarily lead to meaningful behavioural change.

The key question to ask is: are these efforts actually changing behaviour, or simply ticking compliance boxes? In fact, the phrase “behaviour change” doesn’t sit well with me. I prefer to talk about “influencing” or “shifting” a behaviour.

What Works in Practice

Organisations making genuine progress tend to focus on one critical area: reducing friction. When security controls create unnecessary obstacles or disrupt workflows, they become sources of quiet resistance and alternate ways of working – hello shadow IT and shadow security! Training alone doesn’t counteract this.

Security practices are more likely to succeed when they are designed to integrate into the flow of work. From my experience, the following priorities are proving effective:

  • Making secure behaviour intuitive and low-effort
  • Involving staff in shaping policies and controls
  • Creating safe spaces to ask questions and report mistakes
  • Offering support-orientated guidance rather than punitive messages

Trust grows when security is seen as helpful rather than obstructive. You have to do the work to adapt and modify the environment to facilitate the behaviours you want.

Where to Begin

To lay the foundations for a healthier security culture, I suggest the following actions:

  1. Identify key friction points in the current security experience
  2. Engage directly with staff across departments to understand their daily challenges
  3. Evaluate whether existing controls align with real-world working practices
  4. Collaborate to create solutions that make secure behaviour the easiest path, not the most difficult

If I Was a CISO

Building trust in security is not about more rules or more training. It is about listening, reducing friction, and designing with empathy. In my experience, a strong security culture is not imposed from the top down, but cultivated from the ground up.

Ultimately, if the goal is widespread adoption of secure habits, the user experience needs to be a central consideration. In fact, one practical shift could be to reframe traditional ‘awareness and culture’ teams as Security User Experience teams. I think it’s a subtle but powerful repositioning, signalling a move from educating users to designing with them and for them. If I was a CISO, I would take that approach – from awareness through to the ideal security user experience.

Mo Amin