Rick Hutchinson is the CTO at VikingCloud. He has 17-plus years of experience as an accomplished executive and visionary leader.
The more you spend, the more secure you feel. That’s the trap.
Chief information security officers (CISOs) spend most of their time in meetings discussing what cyber tools will ensure security, from endpoint detection and AI monitoring to advanced threat intel and more. But here’s the uncomfortable truth: CISOs believe their cyber perimeter is secure with technology, yet the real threat is walking through the front door.
That’s because the weakest link isn’t in your tech stack; it’s your people.
Human error causes 95% of breaches. What’s worse? Most cyber incidents result from preventable employee mistakes, like clicking malicious links, reusing credentials, selecting weak passwords and mishandling sensitive data.
Despite all the tech, people remain your most common (and most costly) security gap. As cyberattacks grow in frequency and intensity, that gap only gets riskier. Your organization needs a culture reset. Here’s how to get started.
Not All Human Risk Is Accidental
Yes, human error is the leading cause of breaches. But there’s a quieter, more concerning risk to your organization’s security posture: intentional silence.
40% of cybersecurity professionals admit they’ve underreported incidents to avoid job-related fallout. That silence isn’t carelessness—it’s culture.
When teams are stretched thin, reporting lines blur. When the same people setting the security protocols are also responsible for reporting incidents, objectivity breaks down. Add alert fatigue and organizations are left with blind spots hidden behind dashboards. Sixty-three percent of security teams spend over 208 hours a year chasing false positives, and one in three professionals say real threats get missed because of it.
These visibility challenges create an inaccurate picture of cyber risk, and awareness of vulnerabilities grows dimmer the closer you get to the corner office. According to research from my company, VikingCloud, while 74% of C-suite cyber leaders rate their security posture as strong, only 29% of frontline managers agree. Worse, just 13% of C-level executives believe underreporting happens compared to 58% of managers who know it does.
And here’s the kicker: The next time you ask for additional budget to invest in the latest cyber tech for your fortress, you may get denied, all because the C-suite shares this false sense of security.
Culture: Your First Line Of Defense
If people don’t feel safe reporting issues—or don’t see themselves as part of the defense—your risk surface stays wide open. Cybersecurity strategy needs a culture shift alongside tech advancements.
Here are the top five requirements for a culture reset action plan.
1. Continuous Security Awareness Training
Cybersecurity training isn’t a one-time event or a box to check. Employees need regular, engaging education to stay sharp against evolving threats. Teach them to spot phishing attempts, protect credentials and understand how their actions impact the organization’s overall risk profile.
Gamified training, real-world simulations and tabletop exercises don’t just engage teams—they expose weak links before the attacker does, helping identify employees who may need extra support. Think of it as stress-testing the human firewall before the inevitable occurs.
2. Eliminating The Fear Factor
Fear creates silence, and silence breeds risk. If employees worry about punishment, they won’t report quickly—or at all. Build reporting channels that are confidential, clear and supportive.
Be sure to reward transparency and respond constructively as well. A non-punitive environment where quick reporting is encouraged and supported is key. When people feel safe to speak up, small issues stay small.
3. Making Security Everyone’s Job
Cybersecurity doesn’t belong solely to IT. It belongs to the entire organization, from interns to the CEO. Executives must lead by example, modeling secure behavior and keeping security a visible, ongoing priority.
Closing the communication gap between the front lines and the C-suite is also critical. When leaders get real-time, unfiltered feedback from the front lines, they make better decisions and deploy smarter resources.
For example, Microsoft’s Secure Future Initiative (SFI) underscores the impact of leadership in transforming security culture. By integrating security objectives into employee performance reviews and dedicating substantial resources to cybersecurity, Microsoft set a precedent for leadership-driven security enhancement.
4. Augmenting Human Awareness With Tech
Even your best-trained employees will miss something. That’s where your tech fortress comes into play. By developing a strategy for implementing AI-powered tools, you can better detect anomalies, block phishing attempts and flag risky behavior in real time. When people and technology work together, security outcomes improve dramatically.
5. Adopting A “Never Done” Mentality
Threats evolve, which means defenses should too. Revisit policies often, stress-test response plans and keep people informed about new risks and best practices. Cybersecurity isn’t static—it’s a muscle built over time.
When Culture Clicks, Security Works
Security-first cultures respond faster, report earlier, fall for fewer phishing attempts and earn more trust from stakeholders. But this isn’t a culture that can be bought; you have to build it. This starts by recognizing that cybersecurity isn’t just a tech issue—it’s a people issue.
So stop relying on tech tools alone. Empower your people, normalize reporting and make security a shared responsibility. Because the next breach likely won’t come from a sophisticated hack. It’ll come from silence. Change the culture before it costs you.
