Technical controls are necessary but not sufficient. The organisations with the strongest security outcomes are those where security is embedded in how people actually work — not just what systems are deployed.
Every major cyber incident analysis arrives at the same conclusion: the technical controls were either bypassed, misconfigured, or simply absent in the one place that mattered. Behind almost every meaningful breach is a human decision — a click, a configuration, a shortcut, a gap between policy and practice.
This isn't an argument against technical controls. Patching, MFA, application hardening, and network segmentation are non-negotiable. But organisations that treat cyber security as primarily a technology problem consistently underinvest in the thing that most reliably determines outcomes: security culture.
What security culture actually is
Security culture is not security awareness training. It's not the annual phishing simulation or the compliance module that staff click through to satisfy a checkbox. Those activities can contribute to culture — but they are not the thing itself.
Security culture is the sum of the shared values, behaviours, and norms that shape how an organisation's people actually respond to security in their day-to-day work. It's visible in whether staff report suspicious emails or delete them quietly; whether they work around multi-factor authentication because it's inconvenient, or accept it as a reasonable expectation; and whether the executives who set the tone treat security policies as applying to everyone — including themselves.
Culture is the difference between an organisation that talks about security and one that practises it.
Why it's hard to measure
The challenge with security culture is that it's genuinely difficult to assess with confidence. Unlike a technical control, you can't run a scan and get a result. You can observe indicators — reported incidents, phishing simulation response rates, policy compliance data, security-related help desk volumes — but these metrics are proxies, not measures.
What actually works is a combination of structured staff surveys, behavioural observation, and contextual interviews that surface the gap between stated policy and actual practice. This kind of assessment requires genuine independence — staff won't tell you the real story if they think the answer will be used against them.
The three behaviours that matter most
In our cultural assessment work across councils, medical practices, and education providers, we consistently find that three behaviours explain the majority of human-driven risk:
**Reporting behaviour.** Whether staff report suspicious activity, near misses, and mistakes — or suppress them out of fear of consequences. Organisations with strong reporting cultures identify threats faster and contain incidents more effectively.
**Authority response.** How staff respond to urgent, authoritative requests — particularly those that bypass normal process. Business email compromise, invoice fraud, and social engineering attacks all exploit the tendency to comply with apparent authority under time pressure.
**Shadow IT tolerance.** Whether staff use unsanctioned tools, cloud storage, or applications to work around controls that feel burdensome. Shadow IT is both a security risk and a signal — it tells you where your legitimate technology environment is failing to meet actual working needs.
Where to start
The most productive starting point is honest diagnostic work — not training, not a simulated phishing campaign, but a structured assessment of where behavioural risk is actually coming from and why. That means understanding context: what pressures staff are under, what tools they're using instead of approved systems, and what the real barriers to security-conscious behaviour are.
From there, targeted intervention — whether role-based training, process redesign, or leadership behaviour modelling — can address the specific drivers of risk rather than applying blanket programmes that staff disengage from quickly.
Security culture isn't built through campaigns. It's built through consistent leadership behaviour, systems that make the right thing easy, and an environment where reporting is rewarded rather than penalised. That takes longer than deploying a control — but it lasts longer too.