Pagoda Blog

Why Your Organization Needs a Cybersecurity Culture

June 16, 2022

Investing in company culture improves morale, productivity, collaboration, work performance, and job satisfaction. It also reduces stress and turnover. In fact, research by John Kotter, a Harvard Business School professor, found that companies with a strong workplace culture grew revenue roughly four times faster, grew profits about 750% more, and doubled customer satisfaction compared with companies that did not. Let that sink in for a minute.


So, why does investing in a strong company culture have such a powerful impact on success? 


Companies with a strong workplace culture have clearly defined values and a clear mission that employees can get behind. They make every employee feel valued, and every team member feels they play a critical role in fulfilling that mission. Employees feel proud of what they do and feel empowered to voice opinions and bring about change. A strong company culture leaves everyone feeling invested in the company’s success, and that has powerful benefits for the company as a whole.


If culture is so critical to individual job performance and overall business success, it is reasonable to expect that approaching cybersecurity at a cultural level would have similar effects. A 2020 study by Osterman Research supports this. It found that the amount of cybersecurity training employees receive is closely tied to how they see their role in mitigating threats: those who receive little or no training do not see themselves as playing any part in protecting the company, while the more training they receive, the more they view themselves as a line of defense against cyberattacks.


Investing in a culture of cybersecurity is critical, and the numbers bear this out. Verizon’s 2021 Data Breach Investigations Report found that a human element was involved in 85% of breaches. That includes falling for a phishing email, clicking a malicious link or opening an attachment that led to a malware infection, and using weak or reused passwords.


But what does it mean to create a “culture” of cybersecurity rather than just informing employees of the do’s and don'ts when it comes to cybersecurity threats? 


Cybersecurity culture vs cybersecurity policies

More companies are training their entire team in cybersecurity and have written policies or guidelines that lay out the practices every employee should follow. This is a step in the right direction, but training and guidelines alone will not produce lasting behavior change. Explaining the context behind each practice, and how it supports your company’s goals, values, and mission, helps employees understand why it matters and improves engagement, retention, and compliance.


Related reading: How to Train Your Entire Team in Cybersecurity 


The goal is to weave cybersecurity into every part of your organization. Employees should think about security in any online activity, from checking work email to connecting to Wi-Fi outside the office. They should have the awareness, knowledge, and resources to spot and report threats quickly, and feel confident avoiding them in the first place.


Let’s look more in depth at why you need to create a cybersecurity culture within your business. 


Why do you need to cultivate a cybersecurity culture? 

A cybersecurity culture shifts an employee’s mindset from passive bystander to active participant. Everyone on your team should feel personally responsible for protecting the company from cyber threats, and people who are clear about their role in that line of defense are far more effective. When you cultivate a cybersecurity culture, employees will …


1. Create stronger passwords and store them securely 

2. Embrace two-factor authentication across their accounts

3. Be more likely to follow security best practices when working remotely, from using an encrypted connection such as a VPN on untrusted networks to keeping their software updated with the latest security patches

4. Be better equipped to recognize phishing emails and other email threats

5. Be more likely to notice and report a suspected breach, allowing your IT team to react quickly and limit the damage

6. Comply with best practices and regulations to protect your customer data and privacy

7. Have an overall awareness of the cybersecurity threat landscape, better equipping them to avoid and respond to potential threats


Steps to create a strong cybersecurity culture

As we said before, creating a culture of cybersecurity is ultimately about behavior change, and that takes time. It also takes buy-in from the whole team. If people don’t see the value of the training, they won’t carry its lessons into their daily work: they won’t change how they create and store passwords, how they handle email, or how they connect to the company network.


The following progression, adapted from the 2020 Osterman Research white paper, illustrates the intended path and end goal of cybersecurity training:


Lack of awareness → Training/Increased awareness → Awareness/Understanding of value → Behavioral Change → Company culture shift 


Below are the steps required to go from lack of awareness to a company culture shift.


Step 1: Get buy-in from leadership 

To reach a company-wide culture shift, upper management has to shift its own mindset first. Companies that see employees only as part of the problem will never build a strong cybersecurity culture. With that mindset, a company has to lean almost entirely on technical controls, leaving it exposed to the many threats that stem from human error and lack of awareness.


Changing behaviors, attitudes, and beliefs across the company takes creativity and regular check-ins. It may make sense for the CEO to roll out training at the leadership level first and to appoint someone in each department to own the cybersecurity culture for that group.


Leadership can also run cybersecurity awareness campaigns to engage team members: a series of emails with inclusive, branded messaging and engaging visuals, or a series of virtual meetings where employees can raise questions and concerns. The responses help you decide which training format and content will work best for each department.


Once leadership sees employees as part of the solution, it’s time to roll out a training program across every department.


Step 2: Launch your cybersecurity training program 

Building a cybersecurity training program from scratch is daunting and requires teaching expertise as well as IT expertise. The better approach is to use an established program that has already been tested across industries. An effective program offers several formats (PDFs, webinars, and interactive demos and quizzes) and can be tailored to your business. Much of cybersecurity training applies to every company, but to keep employees engaged, what they learn needs to map directly to their day-to-day work.


Step 3: Offer training on a regular basis

Employees need regular, ongoing training to become skilled at spotting threats and taking the right action to protect company data. More hours of training generally means more effective training, up to a point. As with any new skill, practice is key: a single hour-long webinar or even a half-day workshop once a year is not enough to build security into daily habits.


Consider the following data points from the Osterman Research white paper:


Users who spend more than 15 minutes per month in security awareness training are nearly twice as likely to use a unique password for every device and application as those who spend five minutes or less per month.


74% of employees who spend more than 15 minutes per month on cybersecurity training rate their role in the company’s security as very important, compared with just 25% of those who spend five minutes or less.


Make cybersecurity training a top priority for your organization, and explain why. When employees understand why you’re asking them to take time away from other responsibilities, they will be more receptive to the training and more motivated to learn.


Step 4: Get feedback 

As you roll out training, ask employees for feedback so you can learn which formats work best and how to improve. Questions to ask include:


  • What format do you prefer? 
  • What length do you prefer? 
  • Do you prefer attending training as a group or individually, on your own time?
  • What area of cybersecurity would you like to learn more about? 
  • Where do you feel you are most proficient in cybersecurity? 
  • What are you most concerned about in terms of cybersecurity? 
  • Which platforms do you use most often for work? (Email, CRM system, social media, Slack/Discord, GSuite/Outlook, other)
  • How would you rate the training you’ve received? (1-10)


Step 5: Keep it positive 

Employees respond better to a call for behavior change when they associate it with positive outcomes. Consider offering incentives when an employee completes a set number of training sessions or does well in a simulated phishing exercise. Reward reporting the simulated phish, not merely avoiding the click: a rising report rate is the behavior you actually want, and it turns every employee into an early-warning sensor for your IT team. Use simulations to teach rather than to shame. If an employee still refuses to follow company guidelines after training, handle it through your normal performance process.


Overall, however, employees respond best to cultural shifts when they don’t feel forced or coerced. The shift should be a positive change for everyone. Done well, it improves morale and job performance, because employees go from feeling intimidated by or ignorant of the cybersecurity landscape to feeling empowered to navigate it safely.


Step 6: Don’t lose momentum 

Lastly, once you’ve rolled out training, collected feedback, and rewarded employees for changing their behavior, don’t get complacent. A cybersecurity culture has to be continually nurtured to keep pace with the threat landscape and with your changing team. This is where the department-level owners you appointed matter: they keep existing employees engaged and bring new hires into the culture you’ve worked hard to build.


Training, awareness campaigns, and check-ins should repeat at regular intervals for all employees. What worked in Q1 may no longer work in Q4. Be ready to act on employee feedback and try new approaches as needed.


An investment in your company’s future

Building a cybersecurity culture may seem daunting, but the return on investment is clear. With a human element involved in the great majority of breaches, it’s imperative to keep employees informed and equipped to handle threats. A breach can have devastating consequences for an organization of any size, and a cybersecurity culture greatly reduces the risk.



Related reading: 

How to Measure the ROI of Your Cybersecurity Strategy 

Why the Most Successful Businesses Have a Cyber Resiliency Mindset

5 Cybersecurity Threats to Your Business and How to Prevent Them




