“We’ve invested millions in so-called bleeding-edge technologies—how are we still losing the battle?” vented one CEO as executives assembled to respond to a third high-impact breach within 12 months. These frustrations are commonplace, yet boards and executives keep focusing on the wrong problem.
While most point to misconfigured perimeter defenses and endpoint security tools, the root cause sat right there at the table: lax governance that trickled down the ranks and weakened the cybersecurity culture.
This is what I learned from closely studying the successes and failures of numerous IT and security projects over the last 15 years: most impactful cyber breaches have very little to do with technology; it is leadership that is out of sync with the culture it is supposed to guide.
The Crisis Hiding in Plain Sight
Most high-impact data breaches echo the same governance lapses. At Colonial Pipeline, attackers accessed the network through a VPN account that remained active despite no longer being required, ultimately forcing a shutdown of its entire 5,500-mile fuel pipeline. In September 2022, cyber criminals pilfered more than 10 million private records from Optus, one of Australia’s largest telecommunications companies, after exploiting a misconfigured API. The internet is awash with similarly telling case studies.
Unfortunately, organizations continue to pile up tools, falsely believing these flashy technologies will shield them from brazen and well-funded threat actors. There is a crucial missing link. Without strong leadership and a cyber-savvy culture, cyber resilience remains elusive for many organizations. Cyber resilience depends more on strong operational rigor, decisive leadership and culture than on technology. A recent Verizon study supports this, finding that 68% of breaches involve human error, such as misconfigurations or falling victim to phishing.
Think about your own organization. Every day, your employees make hundreds of micro-security decisions. Click or don't click. Report or stay quiet. Each decision flows from the culture and values leadership models, whether intentionally or not.
And here’s the hard part: revamping culture isn’t about posters or policies. It’s about confronting the real friction—conflicting priorities, fear of slowing down business, and leadership habits that say one thing but model another. Cyber resilience posture weakens when security feels like “someone else’s job,” when management rewards speed over safety, or when briefings are treated like background noise.
I've witnessed this cascade in real time: a CEO who skips nearly every security briefing, instead delegating to lower-level management. Executives who constantly bypass protocols “to get things done.” And this isn’t unusual—despite 96% of CEOs saying cybersecurity is vital to growth, only 15% hold dedicated board or C-suite discussions about it.
Security isn’t IT’s job. It’s everyone’s job. However, that only works when leadership makes it a reality—when cybersecurity becomes embedded in your culture, not bolted on as an afterthought. Here are three practical ways to fix it:
Step 1: Model What Matters
Strong cybersecurity requires visible leadership actions, not just policy signatures. Here are three ways to role model expected behaviors:
- Make your security actions visible. Report suspicious emails to the security team and own up when you make a mistake, instead of brushing risks under the carpet. Additionally, openly discuss security concerns in leadership meetings, challenge the adequacy of response measures and hold senior managers responsible for closing material gaps. When executives see their CEO treating security as business-critical, they are far more likely to uphold the same standards.
- Build security into your decision framework. Embed cyber risk into the enterprise’s DNA, ensuring that new projects, suppliers and material technology changes undergo rigorous security assessments and controls are implemented from the start, not treated as an afterthought.
- Publicly reward positive behaviors. Acknowledge employees who go above and beyond the norm to defend the organization against cyber threats, such as volunteering for the cyber ambassador program or actively identifying cyber threats. Recognition drives repetition.
Leadership is about action: role-modelling expected behaviors, embedding security deeply into business operations and creating a healthy culture that favors the carrot over the stick.
Step 2: Engage, Don’t Enforce
Create an environment where staff can own up to their mistakes without fear of negative judgment or other repercussions.
Here are three practical ways to achieve this:
- Make reporting easy and judgment-free. Establish a friction-free reporting channel—something as simple as a dedicated chat space—where employees can easily report suspicious activity. Additionally, foster a blame-free culture where employees feel psychologically safe to report incidents and near misses without fear of retribution. This encourages early disclosure, accelerates threat containment, and transforms mistakes into valuable learning opportunities.
- Use real-world examples during team meetings and leadership forums to bring cyber risks to life. Share anonymized “near-miss” stories or incident case studies during town hall sessions to normalize open dialogue, reinforce lessons learned, and embed a culture of transparency and collective responsibility.
- Celebrate internal security wins. Give a small shoutout—or even a gift card—when someone spots a risk before IT does. Make those moments as visible as when someone lands a big client.
The idea is to transform security from something employees endure into a vital part of their roles that they take pride in performing well.
Step 3: Share the Weight
Your CISO shouldn’t be the only one losing sleep over security. True cybersecurity leadership demands emotional intelligence to guide teams through complex threats, and that responsibility extends all the way to the board.
When boards take ownership and shape security culture from the top, cybersecurity stops being a single person’s problem and becomes a shared mission across the enterprise.
Here’s how forward-thinking organizations are sharing the weight:
- Tie cybersecurity directly to board accountability. Equifax achieved this by having the new CISO report to the CEO and present regularly to the board, ensuring cybersecurity was treated as a business risk, not just a technical issue.
- Establish cross-functional cyber committees. Some organizations build cyber community committees, where executives from risk, technology, HR, legal, and operations meet regularly with security teams to discuss risks, share insights, and ensure that security policies reflect real business workflows.
- Run cyber crisis simulations with executive participation. Conduct tabletop exercises where board members and senior leaders role-play breach scenarios, helping them understand decision-making under pressure and align on responsibilities before a real incident occurs.
Research demonstrates that when cybersecurity leadership succeeds at this cultural level, it directly increases the adoption of cyberattack prevention measures across the organization.
The Bottom Line
Leadership disengagement, not advanced exploits, is at the root of many cyber incidents. Technical measures have their place but cannot foster cyber resilience by themselves. The positive news is that culture can shift quickly when leaders consistently model the right behaviors, create psychological safety, and lead by deeds, not words.