When the Culture’s Off, the Security Follows

There was a conversation at The-C2 this year that caught me off guard, not because the topic was unfamiliar, but because of how honest it was.

It wasn’t on the main stage, and it wasn’t part of a high-profile panel. It came during a smaller breakout where a handful of us were talking about supply chains and insider threats. Somewhere along the way, we stopped talking about attack surfaces and controls… and started talking about people. About how, in the end, culture makes or breaks your cyber resilience.

We Knew Better. We Still Got Breached.

One attendee, a senior security leader from a large UK-based firm, described how a phishing incident unfolded in their organisation. It wasn’t new. They’d done the awareness training. They had the tooling. The controls were in place. But the message still got through. It landed in the inbox of a senior executive, who clicked the link. Then forwarded it. Then… silence.

It wasn’t picked up immediately. No one wanted to be the one to cause a fuss. They weren’t sure if it was worth flagging. The culture, though it looked strong on paper, made people second-guess themselves.

“We had the tech,” he said, “but we didn’t have the trust. Not really.”

That stuck with me. How often do we confuse maturity with security? Boxes ticked. Reports filed. Dashboards green. But underneath, a workplace where people feel awkward putting their hand up.

Culture Isn’t a Campaign. It’s a Habit.

What came out, as we all swapped stories, was that most organisations still treat culture like a communications project. Something you build with slogans and intranet posts.

But a healthy security culture isn’t built in strategy decks. It’s built in corridor conversations, in how mistakes are handled, and in whether people believe they’re allowed to speak up without being punished or patronised.

It’s also reflected in what gets celebrated. If delivery speed is always praised but secure processes are quietly tolerated, then the message is clear, even if no one says it out loud.

One COO in the room put it plainly: “We don’t have a phishing problem. We have a psychological safety problem.”

When Leadership Is Quiet, People Follow

Another insight that came up was how powerful leaders' own behaviour is in shaping security outcomes.

Not their policies. Their behaviour.

An exec who privately bypasses MFA or grumbles about password managers sends a louder message than a hundred awareness videos. A leadership team that never raises security in board reviews is, in practice, saying it doesn’t matter.

Contrast that with a firm where senior leaders talk openly about their own near-misses, treat cyber as a shared responsibility, and respond to disclosures with curiosity, not criticism. That creates the kind of environment where issues are flagged early, before they become incidents.

It’s Not Just About Avoiding Mistakes. It’s About How You Handle Them.

Everyone in the room agreed: perfection isn’t the goal. People will click. They’ll forget. They’ll choose convenience when they’re under pressure. The real test is whether they feel safe to admit it when they do.

A lot of organisations get the messaging wrong. They talk about “zero tolerance” or “being the human firewall.” But humans aren’t firewalls. They’re complex, distracted, busy, and mostly trying to do their job.

The better approach, the one that builds resilience, is to make reporting normal, not exceptional. To make reflection part of daily work. To talk openly about real risks without shame.

Culture Is the Quiet Risk on Every Risk Register

By the end of the session, we'd all come to a similar conclusion: behind almost every serious breach we've seen, there's a moment where someone hesitated, stayed quiet, or assumed it wasn't their job.

That hesitation? That silence? That’s the vulnerability.

It doesn’t show up in your threat model. But it’s there. Waiting.

And no tool can fix it for you. That work – the patient, deliberate, human work of building a culture where security is normal and speaking up is easy – has to be led. Modelled. Protected.

Because when the culture’s off, the security follows.