🚨  NIS2 is now in effect. Security awareness is now legally required in the EU.

Check compliance
Start your free trial
Back to Resource Center

CISO guide: How to create a security awareness culture

Most security programs focus on technology and processes. For most CISOs, that’s the easy part. It’s what they were trained for.

The hard part, the part that breaks even the best-laid security strategies, is people.

People ignore password managers. People click phishing links. People leave laptops in cabs. And if you’re a CISO, you already know: no amount of tooling can patch a culture that doesn’t take security seriously.

This guide is about that harder part. It’s about building a real security awareness culture. Not one that checks a box, but one that actually changes behavior.

What is a security awareness culture?

Culture isn’t a mission statement, a policy doc or an annual training. It’s the sum of what people believe and how they behave, especially when no one’s watching.

In a company with strong security awareness culture:

  • Employees know which threats matter.
  • They understand what’s expected.
  • They act on that knowledge without needing to be told.

Why does this matter? Because nearly every breach — 95%, in fact — is tied to human error. Clicking the wrong link. Reusing the wrong password. Downloading the wrong file on the wrong Wi-Fi.

And the more distributed your workforce, the higher the stakes. You can’t enforce everything. You need people to care.

Security awareness culture turns passive risk into proactive defense. But it doesn’t happen by accident. It takes design.

Here’s how to build it.

1. Start at the top (or stop before you start)

Security culture begins where company culture begins: leadership.

If your CEO doesn’t talk about security, no one else will. If execs skip training, so will everyone else. And if your board sees security as a cost center, guess how they’ll view your initiatives?

That’s why your first job isn’t security awareness training. It’s internal buy-in.

Use a simple dashboard that shows how awareness is improving — or where it’s lacking. Report consistently on number of cyber risks reported, training participation, and which topics require the most attention. The goal is to make security culture a company-wide priority, not a side project.

Once leadership is aligned, go one level down. Department heads and team leads are your amplifiers. Give them visibility into their team’s performance. Ask for feedback. and make them co-owners of the outcomes.

Tip: If you’re managing dozens of stakeholders, use a simple tracker or stakeholder map. Don’t lose the thread.

2. Define your brand before others do

Every security program has a reputation — whether you’ve shaped it or not.

Some are seen as blockers. Others as allies. If you want your org to engage, define how you show up.

Create a security brand statement. This isn’t a slogan — it’s an internal guide that answers real questions:

  • Who do we call when something feels off?
  • How will security respond?
  • What are the behaviors we reward?

Then, instead of just broadcasting it, live it. As CISO Jadee Hanson puts it: “Don’t communicate it — celebrate it.” When someone reports a phishing attempt, say their name in Slack. When a team nails training scores, call them out in the all-hands. Social proof > policy doc.

Culture is contagious when it’s visible.

3. Train weekly (or don’t train at all)

Most companies run security training once or twice a year. Usually to check a compliance box, not because they really expect any tangible behavior change from their employees.

Real behavior change requires repetition. Research shows 90% of what people learn in a one-off session is forgotten within 24 hours, let alone in 4 weeks. You need to treat awareness like a muscle — something built over time.

The best programs are short, frequent, and focused on real-world scenarios:

  • Phishing & smishing
  • Safe remote work
  • CEO fraud
  • Software updates
  • Ransomware hygiene

Don’t rely on internal experts to deliver it manually. Teaching is its own skill — and most security teams don’t have time or experience to build engaging curricula.

Use a solution built for behavior change. For example, Guardey delivers weekly 3-minute gamified challenges, designed by security experts and educational specialists. It’s light, consistent, and measurable.

4. Over-communicate (then communicate again)

Security is only top of mind if you actively keep it there.

Just like a strong company culture requires repeating the same values over and over, a strong security culture needs ongoing, visible communication.

That means:

  • Sharing updates and wins in public channels
  • Highlighting team performance in training dashboards
  • Celebrating quick incident reporting
  • Answering questions publicly, not just in DMs

Example: “Peter spotted a suspicious email this week and reported it before anyone clicked. That kind of vigilance protects us all. 🙌”

At Royal Koopmans, they even handed out a trophy to the department that ended up on top of their security awareness platform’s leaderboard.

When people see that behavior gets recognized, they replicate it.

Also: Make your security team easy to reach. If someone’s unsure whether to report something, that hesitation could cost you.

5. Measure what matters (and what doesn’t show up in reports)

Most CISOs track participation rates, quiz scores, or phishing simulation click-throughs.

Those are useful — but they’re lagging indicators.

The more telling signals are often harder to track:

  • Are employees reporting more incidents over time?
  • Are teams flagging potential risks before they escalate?
  • Are you seeing organic conversations about security outside your department?

That’s the difference between compliance and culture. When your people start holding each other accountable — when they start asking questions before rolling out new tools — you’ve hit escape velocity.

Want to accelerate that insight? Run regular pulse surveys. Ask open-ended questions. Use what you learn to refine your training and communications.

Then close the loop. Show how employee feedback shaped your strategy.

Culture is the real firewall

Most companies still treat security culture like a side project. But the truth is: it’s your only sustainable defense.

Software evolves. Threats evolve. But if you build a culture where every employee takes responsibility, your chances of mitigating risks will be higher than average.

You can’t get there with once-a-year training. You get there with consistency, clarity, and leadership that leads by example.

Dinela Lokvancic
Dinela Lokvancic Marketing Specialist Dinela keeps Guardey's online presence up to date. She creates content that makes complex cyber security topics accessible, and helps organizations understand why security awareness training matters for their teams.
READY TO GET STARTED?

Join 500+ businesses already protecting their teams with Guardey

Start your free 14-day trial
14 days free · No credit card · Full access · Setup in 5 minutes
Or schedule a personalised demo