The certificate is framed on the wall. The policy documents are filed. The annual security awareness training has been ticked off. And then someone clicks a phishing link, a supplier's credentials are compromised, or a member of staff shares a sensitive file through an unapproved tool they have been using for months without anyone knowing.
This is the gap between compliance and culture. And in my experience leading information security across regulated financial services environments, it is the most dangerous gap in any organisation's security posture.
ISO 27001 certification, Cyber Essentials accreditation, GDPR compliance frameworks — these are necessary. They provide structure, establish baselines, and demonstrate to regulators and clients that you take security seriously. But they are a starting point, not a destination. The organisations that genuinely protect themselves are the ones that understand this distinction.
The Five Ways Security Culture Breaks Down
Staff clicking phishing links
Annual phishing awareness training does not change behaviour. A ten-minute e-learning module completed under duress before a deadline is forgotten within days. The organisations that reduce their phishing exposure are the ones that run regular, realistic simulations, treat every click as a learning opportunity rather than a disciplinary matter, and make security feel relevant to people's actual working lives.
Run simulated phishing campaigns quarterly. When someone clicks, redirect them immediately to a short, contextual learning moment rather than a reprimand. Track trends over time. Celebrate improvement publicly. Make it a team metric, not an individual failing.
Shadow IT and unapproved tools
When people use unapproved tools, it is almost never malicious. It is because the approved tools are too slow, too cumbersome, or simply not fit for the job. Shadow IT is a symptom of a usability problem, not a security awareness problem. Banning tools without addressing the underlying need simply drives the behaviour underground.
Create a fast, accessible process for staff to request tool approvals. When unapproved tools are discovered, start with curiosity rather than enforcement. Understand what need the tool was meeting and either approve a secure alternative or find a way to meet that need through approved channels. People work around security controls when security controls work against them.
Incident response failures
Most organisations have an incident response plan. Far fewer have tested it. The plan that looks thorough in a document can fall apart completely under the pressure of a real incident, when people are stressed, systems are behaving unexpectedly, and decisions need to be made quickly without complete information.
Tabletop exercises do not need to happen frequently to be effective. For most organisations, a realistic target is every two years, or sooner if there has been significant change in leadership, systems, or business processes. What matters more than frequency is quality. Include senior leadership, not just the technical team. Vary the scenarios. And treat each exercise as a genuine stress test, not a box-ticking exercise. An incident that escalates to board level needs board-level decision-making capability in place well before it happens.
The board not taking it seriously
Security briefings that lead with technical jargon and end with a request for budget rarely land well at board level. When boards do not engage meaningfully with cyber risk, it is usually because they have not been given information in a form that connects to what they care about: reputation, regulatory liability, operational continuity, and financial exposure.
Translate security risk into business language. Replace "we had 4,000 blocked intrusion attempts this month" with "three attempts this month matched the profile of attacks that caused significant operational disruption at comparable institutions last year. Here is what we have in place and what we still need." Give the board a decision to make, not a report to receive.
Third-party and supplier risk
Your security posture is only as strong as your weakest supplier. In regulated environments particularly, third-party risk is one of the most consistently underestimated exposures. Organisations invest heavily in securing their own perimeter while granting broad access to suppliers whose security practices they have never properly assessed.
Implement a tiered supplier assessment process based on access level and data sensitivity. For your highest-risk suppliers, annual questionnaires are not sufficient. Require evidence. Conduct reviews. Yes, this adds to the workload of an already stretched team, but the cost of a supplier-originated breach, in regulatory exposure, reputational damage, and operational disruption, will dwarf the investment many times over. Include security obligations in contracts with clear consequences. And revisit supplier access rights regularly. Many organisations discover that former suppliers still have active credentials long after the relationship has ended.
What Leading a Live Incident Teaches You
No training exercise, framework document, or risk register fully prepares you for the reality of leading a live security incident. I have been in that position, and what it revealed was not primarily a technology problem. It was a people and process problem.
I have led the response to a number of security incidents over the years, but one in particular has stayed with me. A senior executive's account had been compromised through credential stuffing, most likely via a personal device that had been used to access a third-party site on which the same password as their corporate account had been reused. The attacker did not announce themselves. They spent several days in a read-only state, quietly mapping email threads, relationships, and the language patterns of someone who had been in the organisation for years.
By the time we identified the intrusion, a carefully constructed payment instruction had already been sent to a member of the finance team. It was not a generic phishing attempt. It referenced real projects, real people, and real context. It was almost convincing. The thing that stopped it was not a security tool. It was a member of staff who felt something was slightly off and picked up the phone to verify.
That call saved the business a significant sum. But what it really exposed was how much we had relied on technology controls while underinvesting in the human layer. The attacker did not break through our perimeter defences. They walked through them using a door we had left open.
The human layer of cyber defence is consistently the most overlooked and the most underinvested. The good news is that it does not have to be expensive. There are excellent education platforms and simulation tools available at modest cost. Your staff are your best cyber defence. Treat them accordingly.
A security incident does not reveal your technical vulnerabilities. It reveals your organisational ones.
Building Culture, Not Just Compliance
The shift from compliance to culture is not a single initiative. It is a sustained commitment to making security feel like a shared responsibility rather than an IT department obligation. Here is what that looks like in practice:
- Security is a standing agenda item at leadership team level, not an annual review
- Near misses are reported and discussed openly, without blame, so the organisation learns from them
- New starters receive meaningful security induction, not just a policy to sign
- Security considerations are embedded into project and procurement processes from the start, not bolted on at the end
- The security team is seen as an enabler, not an obstacle — because they have worked to earn that reputation
None of this requires a large security team or an unlimited budget. It requires leadership commitment, consistent communication, and the willingness to treat security as a business priority rather than a compliance obligation.
The organisations I have seen build genuine security cultures all share one characteristic: their leaders talk about security regularly, visibly, and in terms the whole business understands. Culture flows from the top. Security culture is no different.
Is your security posture built on culture or just compliance?
If your organisation holds the certifications but still feels exposed, the gap is rarely technical. I work with leadership teams to assess security culture, strengthen governance frameworks, and build the organisational resilience that frameworks alone cannot provide.