How Firms Can Keep Cybersecurity Top of Mind

Four interlocking ways to keep cybersecurity front of mind and deepen every employee’s involvement in this task.
Cybersecurity is no longer just ‘IT’s problem’. Every employee, from the CEO to the newest recruit, plays a role in protecting their organisation from cyber threats. While technology will block many attacks, human awareness is often the last – and, arguably, most important – line of defence.

The challenge that CISOs face is how to keep colleagues consistently engaged and motivated, so that organisations operate securely and avoid becoming complacent about cybersecurity.

One-off training or occasional campaigns aren’t enough. Companies need a structured approach to embed proactive cybersecurity and incident response into colleagues’ thinking every day.

A security-first culture

A company’s culture shapes how its people think and behave – and respond to risk. If cybersecurity is seen by colleagues as a box-ticking exercise, they won’t take it sufficiently seriously. Once security thinking is built into the company’s DNA and processes, people will start to recognise and respond to threats more readily.

Leading from the front - Leaders set the tone: if company executives talk about cybersecurity, attend training, and highlight best practice, it tells their workforce “this matters.” CISOs need leaders and line managers to collectively bring cybersecurity into everyday company conversations.

Collective responsibility - A strong cybersecurity culture is inclusive, with everyone from finance teams to facility managers understanding they have a role to play. This means CISOs and leaders making it clear that cyber security isn’t just IT’s job; it’s a shared business priority.

Security awareness shouldn’t be confined to a quarterly memo or email; executives need to bring it into team meetings, ‘town halls’, and daily discussions. Leaders can reinforce good security habits by recognising employees who have reported suspicious activity and sharing their stories of intelligent responses that averted potential incidents.

CISOs can extend the same supportive approach to cases where a mistake does lead to a breach: discussing the incident in generic terms to avoid undue distress or embarrassment, while sharing the specific lessons learned so that colleagues can raise wider security standards.

Engaging training
While training is the backbone of security awareness, employees are more likely to apply it in everyday work if the content is interactive, relevant, and up to date. Engaging cybersecurity training focuses on real-life scenarios such as phishing emails and scammers’ tricks that colleagues might see at work.

Jargon-filled talks about ‘threat actors’ won’t hit home; companies need to highlight examples of hackers’ exploits and suspicious behaviours their people might realistically encounter. The more relatable the scenario, the more likely workmates are to spot it in real life.

Maximising reach - Since people don’t all learn the same way, training needs to combine different assets, such as online modules, in-person workshops, video clips and interactive quizzes. This strategy keeps learning sessions fresh and maximises audience reach.

As security threats rapidly evolve, training needs to be regularly updated, with twice-yearly refreshers as the minimum, backed by updates on emerging threats. This approach also ensures that people don’t act on outdated advice.

Practical not theoretical - Effective training sessions leave employees with clear actions: how to spot red flags and where to report them, so that all staff are security aware and can act quickly on their suspicions. The goal isn’t simply awareness, it is confident action.

Visible cybersecurity
Even with regular learning sessions, busy people need reminders. Clear and accessible communication is essential to keeping cyber security top of mind, and empowers colleagues to act quickly when something feels wrong. CISOs can freshen up training messages using different channels like newsletters, posters, and video clips.

Day one security - Proactive cybersecurity habits start on day one at work. HR and managers need to include training in onboarding processes, so that new joiners grasp expectations immediately. Effective learning will cover basics like password hygiene, safe use of company devices, not holding the door open for a stranger with no ID badge and two cups of coffee in their hands, and how to report potential incidents.

Focus on action - When a potential breach is flagged, employees don’t want to lose time figuring out who to tell. Companies must continually promote incident reporting channels – whether via a dedicated email address, hotline, or button in the email client – to flag phishing attempts or other suspicious behaviours.

Smart managers will recognise that busy people may skim read or ignore long-winded messages about new threats. Communication needs to be concise, use plain language, and focus on what colleagues need to do.

Championing security

IT and security teams can’t be everywhere. A powerful way to expand training’s influence with your workforce is to recruit ‘cybersecurity champions’ throughout the company.

Real-world messages - People are often more receptive to advice from someone they work with. ‘Cybersecurity champions’ are departmental volunteers, promoting security in the organisation, answering basic questions from colleagues, and encouraging teams to follow best practice. These evangelists become adept at tailoring security messages to workplace reality and spotting habits that might create security risks.

It’s good practice for security teams to furnish their champions with extra training and resources to share with their teams. Smart leaders will regularly recognise these ‘coalface’ contributions, to highlight these roles’ enduring value.

Champions not only encourage good security habits but also help instil peer-to-peer accountability and shared cyber security values across the business.

Building a cybersecurity culture

While cybersecurity awareness is an ongoing task, leaders taking ownership of security culture, engaging training that promotes best practices, keeping security visible, and departmental champions encouraging wider peer-to-peer involvement will all help embed an active approach across the entire organisation.

Cyber-attacks are constantly evolving but with the right security culture, companies can keep their people, and their data, safe.


Peter Jones, Cyber Security Specialist, ITGL