Organizations continue to pour budget into security technology. SIEM platforms, endpoint detection and response tools, email security gateways, vulnerability scanners — the stack grows year over year. And yet, breach reports show the same patterns: a credential phished from an employee, a link clicked in a convincing email, a contractor with excessive access, a developer who committed a secret to a repository.
The tools were there. They did not prevent the breach.
This is not an indictment of security technology — tools are necessary and valuable. It is an observation about where the actual leverage is. Organizations that build genuine security culture consistently outperform those that substitute technology for behavior change.
The phishing simulation plateau
Many security teams run annual phishing simulations and declare victory when click rates drop from 30% to 18%. That number looks good in a board report. It is not meaningful security progress.
What phishing simulation data actually shows, when tracked over multiple years, is that initial campaigns produce dramatic click rate drops — people become more cautious because they know simulations are running. After 18 to 24 months, rates plateau. They rarely reach zero. The people who get phished in year three are often the same roles as year one: accounts payable processing invoices, executives whose assistants manage their inbox, new hires in their first week.
The simulation created awareness but not a change in mental model. A person who knows phishing exists but has never genuinely internalized the threat pattern will eventually click on a well-crafted lure. Repeated simulation without context, feedback, and role-specific practice treats awareness as the endpoint when it is only the starting point.
What board-level engagement actually looks like
Security culture starts at the top, but “starts at the top” is often interpreted as the CISO presenting a risk dashboard to the board annually. That is not culture. That is reporting.
Genuine board-level engagement looks different: board members who ask questions that go beyond “are we compliant?” — who want to understand the threat model, who probe the assumptions behind a risk rating, who have experienced a tabletop exercise and understand what an actual incident response looks like under pressure. This requires security teams to invest in educating the board as a stakeholder, not just reporting to them as an audience.
When board members develop genuine security literacy, the organizational effects are measurable. Approval cycles for security investments shorten. Trade-off decisions between speed and security get made more accurately. The implicit signal to the rest of the organization — that security is something leadership takes seriously enough to engage with — changes behavior at every level.
Security champions: the mechanism that actually scales
A security team of five cannot change the culture of an organization with 500 people. The math does not work. What does work is a security champions program: identifying and empowering individuals embedded in engineering, operations, finance, and HR who serve as culture carriers within their teams.
A good security champion is not a part-time auditor. They do not run compliance checks on their colleagues. They answer questions, model good behavior, translate security concepts into terms that make sense for their function, and surface emerging risks from inside a team before they reach the security team as incidents.
The investment required is modest: a few hours per month of coordination, access to information before it becomes policy, recognition, and inclusion in security decisions that affect their team’s work. The return is a distributed security awareness layer that no product can replicate.
How to measure security culture operationally
Measuring culture is harder than measuring click rates, but it is not impossible. Useful signals include:
Voluntary reporting rates. When employees believe they will be supported rather than blamed, near-miss reporting rates increase. An organization where people report “I almost clicked something” has better security culture than one where identical incidents go unreported because of fear of consequences.
Time to report. How long does it take between an employee noticing something suspicious and security being notified? Mature security cultures produce fast reporting loops. Immature ones produce multi-day delays because people are unsure whom to tell, fear embarrassment, or assume someone else has already reported it.
Security friction acceptance. When security controls add friction — MFA prompts, approval workflows, data handling restrictions — the prevalence of workaround behavior reveals culture. Organizations with strong culture see low workaround rates even when controls are inconvenient. Organizations with weak culture see widespread shadow IT, shared credentials, and unapproved tools regardless of what the policy says.
Engagement in security communications. Open rates on security bulletins, attendance at optional security briefings, and quality of questions during mandatory training all signal genuine interest versus compliance theater.
Where to start
Culture cannot be purchased. It is built through consistent action over time. A few things that have operational impact:
Make security information easy to access. If people have to navigate a SharePoint labyrinth to find the phishing reporting address, they will not report. A simple, memorable reporting path removes friction at the moment of highest motivation.
Respond visibly when people do the right thing. If an employee reports a suspicious email and hears nothing back, they will not report the next one. A brief “thank you, we investigated, here is what we found” closes the loop and reinforces the behavior.
Remove blame from security incidents. A post-incident review that focuses on what failed in the system rather than who failed as a person generates better intelligence and a higher willingness to report future incidents honestly.
Invest in role-specific context. Generic phishing training has diminishing returns after the first campaign. Finance teams face targeted invoice fraud. Developers face supply chain attacks through dependencies. Executives face business email compromise. Each of these requires different mental models and different defensive behaviors. The training that sticks is specific.
Security culture is not a sentiment survey. It is the sum of the decisions your people make every day when no one is watching. The organizations that get this right do not do it through better tooling — they do it through deliberate, sustained investment in the human side of security.
If you are working on building a security awareness program that goes beyond annual training boxes and actually changes how your organization behaves, let’s talk.