A Fortune 500 Company Got Breached by a Phone Call

In September 2023, a threat actor called MGM Resorts' IT help desk, impersonated an employee whose details were publicly visible on LinkedIn, and talked a technician into resetting that employee's credentials. The result? Roughly $100 million in losses by MGM's own estimate, days of operational chaos, and a stock price hit that lingered for weeks. No zero-day exploit. No sophisticated malware. Just a phone call and a help-desk process that had no way to verify who was really on the other end of it.

This is what happens when security lives in the IT department instead of in the DNA of an organization. Building a cybersecurity culture isn't about buying another tool or running a checkbox compliance exercise. It's about fundamentally changing how every person in your organization thinks about risk, every single day.

I've spent years watching companies throw money at firewalls and endpoint detection while ignoring the human layer. The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element: someone falling for social engineering, handing over credentials, or simply making an error. That share has stayed stubbornly high year after year. Technology alone won't fix a people problem.

What "Cybersecurity Culture" Actually Means

Let me cut through the corporate jargon. A cybersecurity culture exists when your employees make secure choices without being told to — when the receptionist questions an unusual badge request, when a developer flags a suspicious API call, when an accountant double-checks a wire transfer request by phone before clicking send.

It's not a policy document. It's not an annual slideshow. It's a set of shared behaviors, norms, and reflexes that protect your organization from social engineering, ransomware, data breach incidents, and insider threats. Think of it like a safety culture in manufacturing — nobody needs to remind workers to wear hardhats after it becomes "just how we do things here."

Why Most Organizations Get This Wrong

Here's what actually happens at most companies: HR schedules a once-a-year security awareness training. Employees click through slides as fast as possible. They pass a quiz they barely read. A checkbox gets marked. Everyone goes back to reusing passwords and clicking suspicious links.

That's not building a cybersecurity culture. That's building a compliance artifact. And threat actors know exactly how to exploit the gap between compliance and actual security.

The $4.88 Million Reason to Get This Right

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. But the more useful finding is where the money is saved: the same report lists employee training among the factors that most reduce the cost of a breach, and the gap between organizations that had prepared and those that had not runs well into seven figures per incident.

That's not a rounding error. That's the difference between a survivable incident and an existential one, especially for mid-size companies. Building a cybersecurity culture is one of the highest-ROI investments your organization can make, and it costs a fraction of the tools you're already paying for.

Seven Practical Steps to Build a Cybersecurity Culture

I've helped organizations of all sizes work through this. Here's what actually moves the needle, based on what I've seen succeed in the real world.

1. Leadership Has to Go First — Visibly

If your CEO isn't talking about security in all-hands meetings, your culture initiative is dead on arrival. Employees take cues from leadership. When the CFO uses multi-factor authentication and talks about it openly, when the COO shares a phishing email they almost fell for, it normalizes security as everyone's responsibility.

I've seen organizations transform overnight when the CEO starts forwarding suspicious emails to the security team — publicly. That one action says more than any policy memo.

2. Replace Annual Training With Continuous Learning

Annual training is the bare minimum. It doesn't change behavior any more than a single gym session changes your fitness. You need consistent, short, relevant touchpoints throughout the year.

A strong cybersecurity awareness training program delivers content in bite-sized modules that employees can absorb in 5-10 minutes. Topics rotate: credential theft one month, social engineering the next, then physical security, then ransomware awareness. This keeps security top of mind without causing fatigue.

3. Run Phishing Simulations That Teach, Not Punish

Phishing simulations are one of the most effective tools for building a cybersecurity culture — but only if you do them right. I've seen companies use simulations as a "gotcha" exercise, publicly shaming employees who click. That destroys trust and drives reporting underground.

Instead, use simulations as teachable moments. When someone clicks a simulated phish, immediately redirect them to a short training module explaining what they missed. Track improvement over time. Celebrate teams that lower their click rates and, more importantly, raise their reporting rates, because a team that reports the simulation within minutes is worth more to you than one that merely avoids clicking. Two caveats a practitioner will insist on: don't bait employees with fake bonuses or layoff notices, which breeds resentment rather than vigilance, and don't compare click rates across campaigns of different difficulty as if they measured the same thing. A well-designed phishing awareness training program for organizations turns every simulation into a learning opportunity that strengthens your human firewall.

4. Make Reporting Easy and Rewarded

Your employees are your largest sensor network. But they'll only report suspicious activity if the process is dead simple and the response is positive. Every organization I've seen with a strong security culture has a one-click reporting button in their email client and a security team that responds to every single report with a thank-you.

Some organizations gamify it — leaderboards for departments that report the most suspicious emails, small incentives for catching real phishing attempts. The goal is to make reporting feel like a contribution, not a chore.

5. Embed Security Into Business Processes

Culture isn't built through training alone. It's built through process. If your accounts payable team can wire $50,000 based on a single email, you don't have a training problem; you have a process problem.

Bake security into workflows: dual approval for financial transactions over a threshold, out-of-band verification for password resets and MFA re-enrollment, mandatory MFA for any system touching customer data. Out-of-band means the help desk calls the employee back on a number already on file, or confirms with their manager, rather than trusting a number or a story the caller supplies; that single control is what the MGM help desk lacked. When secure behavior is the default path, you don't have to rely on individual judgment calls under pressure.

6. Adopt a Zero Trust Mindset Organization-Wide

Zero trust isn't just a network architecture. It's a philosophy: never trust, always verify. When you teach this mindset to non-technical employees, it clicks immediately. "Don't trust that email just because it looks like it's from the CEO. Verify." "Don't hold the door open for someone without a badge. Verify."

CISA has excellent resources on implementing zero trust principles at an organizational level. Its Zero Trust Maturity Model scores you across identity, devices, networks, applications and data, plus the governance that ties them together. It's a technical and governance yardstick rather than a culture survey, but it gives you a shared vocabulary for where you stand and what "verify" has to mean in each area.

7. Measure What Matters

You can't improve what you don't measure. Track these metrics monthly, and read them together, because no single one of them tells the whole story:

  • Phishing simulation click rate: the share of recipients who clicked; should fall over time, comparing campaigns of similar difficulty
  • Reporting rate: the share of recipients who reported the simulation; should rise as culture matures, and is the better leading indicator of the two
  • Time to report: median minutes from delivery to first report, which bounds how long a real phish would run unchecked
  • Training completion: not just attendance, but assessment and engagement scores
  • Incident volume from human error: the ultimate outcome metric, counted from confirmed incidents whose root cause was phishing, credential misuse or a mistake
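The metrics above come straight out of a simulation platform's per-recipient export. The following Python is an added example, not code from the original article or from any vendor, showing how to compute them from such an export and why reporting rate deserves top billing. The record shape (campaign, employee, department, sent/clicked/reported timestamps) and the two campaigns of data are constructed for illustration. It also surfaces one number most dashboards omit: the share of clickers who reported anyway, which is the clearest signal that people feel safe admitting a near miss.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


# Hypothetical record shape: one row per recipient per simulation campaign.
# Real platforms export something similar; these field names are assumptions,
# not any vendor's schema.
@dataclass
class SimEvent:
    campaign: str
    employee: str
    department: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None


def campaign_metrics(events, campaign):
    """Click rate, report rate, median time-to-report and self-report rate for
    one campaign. Time-to-report is measured from delivery, not from open,
    because delivery is when a real phish starts doing damage."""
    rows = [e for e in events if e.campaign == campaign]
    if not rows:
        return None
    clicked = [e for e in rows if e.clicked_at is not None]
    reported = [e for e in rows if e.reported_at is not None]
    minutes = [(e.reported_at - e.sent_at).total_seconds() / 60 for e in reported]
    # Clicked, then reported anyway: a surfaced near miss, which is exactly
    # what a blame-free reporting culture produces. Still counts as a report.
    self_reported = [e for e in clicked
                     if e.reported_at is not None and e.reported_at > e.clicked_at]
    return {
        "recipients": len(rows),
        "click_rate": len(clicked) / len(rows),
        "report_rate": len(reported) / len(rows),
        "median_minutes_to_report": median(minutes) if minutes else None,
        "self_report_rate": len(self_reported) / len(clicked) if clicked else None,
    }


def department_breakdown(events, campaign):
    """Per-department rates, so a rising org-wide report rate cannot hide one
    team that never reports."""
    acc = {}
    for e in events:
        if e.campaign != campaign:
            continue
        d = acc.setdefault(e.department, {"recipients": 0, "clicked": 0, "reported": 0})
        d["recipients"] += 1
        d["clicked"] += int(e.clicked_at is not None)
        d["reported"] += int(e.reported_at is not None)
    return {dept: {"click_rate": d["clicked"] / d["recipients"],
                   "report_rate": d["reported"] / d["recipients"]}
            for dept, d in acc.items()}


def trend(events):
    """Campaign-over-campaign deltas, in order of campaign id (YYYY-MM here)."""
    rows, prev = [], None
    for name in sorted({e.campaign for e in events}):
        m = campaign_metrics(events, name)
        rows.append({
            "campaign": name,
            "click_rate": m["click_rate"],
            "report_rate": m["report_rate"],
            "click_delta": None if prev is None else m["click_rate"] - prev["click_rate"],
            "report_delta": None if prev is None else m["report_rate"] - prev["report_rate"],
        })
        prev = m
    return rows


def sample_events():
    """Constructed data for two campaigns three months apart; not real results.
    Tuples are (employee, department, minutes-to-click, minutes-to-report)."""
    march = [("alice", "finance", 3, None), ("bob", "finance", None, 12),
             ("carol", "finance", 5, 6), ("dave", "finance", None, None),
             ("judy", "finance", None, None), ("erin", "eng", 20, None),
             ("frank", "eng", None, 4), ("grace", "eng", None, None),
             ("heidi", "eng", 1, None), ("ivan", "eng", None, None)]
    june = [("alice", "finance", None, 8), ("bob", "finance", None, 2),
            ("carol", "finance", None, 15), ("dave", "finance", None, None),
            ("judy", "finance", None, None), ("erin", "eng", 10, 11),
            ("frank", "eng", None, 3), ("grace", "eng", None, 30),
            ("heidi", "eng", None, None), ("ivan", "eng", None, 5)]
    batches = (("2024-03", datetime(2024, 3, 4, 9, 0), march),
               ("2024-06", datetime(2024, 6, 3, 9, 0), june))
    events = []
    for campaign, base, rows in batches:
        for emp, dept, click_min, report_min in rows:
            events.append(SimEvent(
                campaign, emp, dept, base,
                None if click_min is None else base + timedelta(minutes=click_min),
                None if report_min is None else base + timedelta(minutes=report_min)))
    return events


if __name__ == "__main__":
    ev = sample_events()
    for row in trend(ev):
        print(row)
    print(department_breakdown(ev, "2024-03"))
```

On the constructed data the click rate drops from 40% to 10% between campaigns while the reporting rate climbs from 30% to 70%, which is the shape you want. Note that the March numbers would look fine org-wide while engineering was reporting at only 20%; the department breakdown is what catches that. The self-report rate is worth putting on the leadership dashboard precisely because it goes up only when people stop fearing the consequences of admitting a click.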

When leadership sees these numbers on a dashboard every month, security stays a strategic priority — not a backburner afterthought.

What Is the Biggest Barrier to Building a Cybersecurity Culture?

The single biggest barrier is treating security as IT's problem instead of a business risk. When security lives exclusively in the IT department, every other department sees it as someone else's job. A cybersecurity culture only takes root when security is framed as a shared organizational responsibility: owned by leadership, supported by IT, and practiced by everyone from the front desk to the boardroom.

The NIST Cybersecurity Framework 2.0 makes the same point structurally. It added a Govern function alongside Identify, Protect, Detect, Respond and Recover, with organizational context, risk strategy, roles and policy as its categories. Security isn't a technical function bolted onto the side of your business. It's a core operating discipline.

Real-World Culture Wins I've Seen

One mid-size healthcare company I worked with had a phishing click rate of 31% when they started their program. Within 12 months of continuous training, monthly simulations, and visible leadership engagement, they brought it down to 4.2%. More importantly, their reporting rate went from near-zero to over 70% of employees actively forwarding suspicious emails.

That didn't happen because of a single training session. It happened because they committed to culture change. They made security part of onboarding. They added a security moment to the start of every team meeting — just 60 seconds on a current threat or tip. They recognized employees who caught real phishing attempts in their monthly company newsletter.

Small, consistent actions. That's what builds a cybersecurity culture.

The Role of Accountability Without Blame

This is where a lot of organizations stumble. You need accountability — people must understand that security lapses have consequences. But a blame-heavy culture drives incidents underground. Employees who are afraid of punishment will hide mistakes instead of reporting them, and unreported incidents are the ones that become catastrophic breaches.

The best approach I've seen is a "just culture" model borrowed from aviation safety. Honest mistakes reported promptly are treated as learning opportunities. Willful negligence or repeated failures after training are escalated. This distinction gives employees psychological safety to speak up while maintaining clear expectations.

Stop Thinking in Projects. Start Thinking in Habits.

Building a cybersecurity culture isn't a project with a start date and an end date. It's a permanent operating posture. The threat landscape shifts constantly — ransomware tactics evolve, social engineering gets more sophisticated with AI-generated voice clones, and credential theft techniques adapt to new defenses.

Your culture has to evolve with those threats. That means refreshing training content regularly, updating phishing simulation templates to reflect current attack trends, and keeping leadership engaged quarter after quarter.

Start with an honest assessment. Where does your organization actually stand? Not where your last audit report says you stand — where do your people actually stand when a convincing phishing email lands in their inbox at 4:47 PM on a Friday?

If you're not confident in the answer, that's your starting point. Invest in continuous security awareness training that meets employees where they are. Layer in realistic phishing simulations that build muscle memory. Get your leadership team visibly involved. Measure progress relentlessly.

The organizations that survive the next major attack won't be the ones with the biggest security budgets. They'll be the ones where every employee — from intern to executive — instinctively pauses before clicking, questions before trusting, and reports before ignoring. That's what a cybersecurity culture looks like. And it's yours to build.