Cultivating Cyber Resilience
Throughout my journey in different organisations over the past two decades, one thing has stayed stubbornly consistent: the decisive factor in cybersecurity is rarely the tooling. It’s culture. You can buy world-class controls, build immaculate architectures, and hang your walls with policies and certifications… and still get flattened because the organisation behaves in a way that makes security impossible to sustain.
That’s not a dig at people, either. It’s just reality. Security is a human system running inside a business system, and the human system has moods, habits, pressure, fatigue, and deadlines. If you want resilience—the kind where the organisation bends when it gets hit and doesn’t snap—then you’re not just designing controls. You’re shaping behaviour.
Understanding the human factor
Cybersecurity isn’t merely a matter of implementing policies, getting an ISO badge, and installing firewalls around everything. It’s about nurturing an environment where everyone is aware, vigilant, and willing to act when something feels off. The most resilient organisations I’ve seen aren’t the ones with the most expensive stack. They’re the ones where security is treated as normal business hygiene, not an IT ritual performed in a back room.
The awkward question is: how do you actually build that?
The honest answer is that it’s never one magic programme. It’s a set of reinforcing behaviours that, over time, become “how we do things here”. And when it isn’t working, it’s usually because one of those reinforcements is missing.
Leadership commitment is the real starting point
It starts at the top, and it has to be visible. Leaders don’t need to become technical, but they do need to show—consistently—that security matters. That means talking about it in the same breath as operational resilience and business risk. It means asking sensible questions after incidents, not blame-heavy ones. And it means being held to the same standard as everyone else.
People notice hypocrisy instantly. If the exec team treats security controls as optional friction, the organisation will do the same. If leadership treats security as a core part of how the business protects itself, the tone shifts surprisingly fast.
Training that doesn’t feel like punishment
Education is essential, but the format matters more than most people admit. If your “awareness training” is a dreary video that staff run in the background while answering emails, it’s not training—it’s compliance theatre.
The best approach I’ve seen is to deliver onboarding training quickly—within the first few weeks, and ideally in the first week—then reinforce it regularly in small, relevant bursts. New joiner sessions run live by the security team are particularly effective because people can ask questions and you can correct misunderstandings immediately, rather than hoping an e-learning module somehow changes behaviour by osmosis.
Refreshing the content every six to twelve months keeps it from becoming wallpaper. And if you want people to actually learn, add simple checks for understanding. Not to catch people out—just to make sure it wasn’t a box-ticking exercise.
Open dialogue beats “security silence”
A culture of silence around security issues is one of the most expensive things an organisation can accidentally create. If people fear embarrassment, blame, or repercussions, they will hide mistakes. And hidden mistakes are where breaches grow legs.
The goal is simple: make it safe to speak up early.
That doesn’t mean “no accountability”. It means there’s a clear difference between a genuine mistake reported quickly and reckless behaviour repeated after coaching. If the organisation treats every incident as a witch-hunt, people will stop reporting—and you’ll only hear about problems once they’ve already gone nuclear.
Practical things help: regular forums where people can raise concerns, clear guidance on what to report and how, and—where it makes sense—an anonymous channel so people can flag issues without social risk. The biggest change, though, is how leaders react when someone says “I think I messed up”. If the reaction is calm and constructive, people report more. If it’s punitive, they go quiet.
Simulate reality, not fantasy
There’s nothing quite like hands-on experience for building resilience. Drills and simulations give people muscle memory. They also expose gaps you won’t spot in a policy document—unclear ownership, bad escalation paths, slow decision-making, or simply the absence of the right people at the right moment.
It’s rarely practical to run full-scale simulations across the whole organisation, but it is absolutely practical to drill the key players: crisis management, IT operations, comms, legal, and senior leadership. When those people can operate calmly in a high-pressure scenario, the organisation as a whole becomes more resilient by default.
Reward the right behaviour
Most organisations track failure relentlessly. Click rates. Policy breaches. Training non-completion. The dashboards are always full of “who did it wrong”.
But what about the people and teams who do it right?
Recognising proactive behaviour works. It doesn’t have to be cheesy. It can be as simple as acknowledging a team that reported a suspicious email quickly, or calling out a project group that raised a security concern early rather than dumping it on security at the last minute. If you want a culture where people speak up, reward speaking up.
Bake security into the business
The most resilient organisations don’t “add security” at the end. Security is part of onboarding, part of procurement, part of change management, part of product delivery. It’s woven into the way work happens, so it’s harder to forget and easier to sustain.
This is also where policies finally become useful. Policies that aren’t reviewed are just historical fiction. The cyber landscape changes, your systems change, your business changes—so policies need to evolve too. After every incident or near miss, one of the best questions you can ask is brutally simple: did our standards actually help here, or did they get in the way, or did they say nothing useful at all?
So where can you begin?
The question I get most often from leadership is about ransomware and data theft. Boards see the headlines, and they want reassurance that “it won’t happen to us”. When that’s the dominant conversation, it’s often a sign the organisation hasn’t yet built confidence in its fundamentals.
The most effective programmes I’ve seen start with phishing, because it’s a common entry point and it’s tangible. The key is to make it modern and engaging—interactive modules, realistic simulations, and short bursts of reinforcement rather than annual “cyber boredom week”.
Mock phishing tests can be useful if they’re handled like coaching rather than humiliation. When people fail, re-engage them, help them learn, and keep the tone constructive. Make the difference between spam and phishing clear, because a surprising number of people still treat them as the same thing, and that confusion costs you time when real threats land.
Monthly comms help too, if they’re written like humans speak and they stay relevant to what the organisation is actually seeing. And if you want reporting to increase, you need to make reporting feel worthwhile—quick feedback, visible action, and occasionally a bit of recognition for the people who are doing the right thing.
That’s how resilience grows: not through one grand initiative, but through repeated signals that security is everyone’s business, and that the organisation will back you when you do the right thing.
You may have different experiences, and some things to add—get in touch and tell me what you’d include. I’m always interested in what genuinely works in the real world.
