By
Published: 04 Jun 2025 18:13
Security leaders accustomed to the time-worn cliché of being the guy in IT whose job it is to say no can from today avail themselves of new National Cyber Security Centre (NCSC) guidance on creating effective cyber security cultures among those people they are tasked with protecting in the workplace.
With end-users the frontline in any cyber defence strategy through which threat actors must pass, organisations that work to foster a strong sense of security within the business have been proven to be more resilient to cyber attacks, and better able to respond to and recover from those that slip through.
Yet the culture of security is both a hard concept for technical security suppliers to sell and for security leaders to embed within their workforces, so too often the idea plays second fiddle to security products and services.
The NCSC describes cyber security culture as the “collective understanding of what is normal and valued in the workplace with respect to cyber security … [setting] sets expectations on behaviour and relationships, influencing people’s ability for collaboration, trust and learning”.
NCSC chief technology officer Ollie Whitehouse said: “Business leaders must recognise cyber security as a foundation for success, and this should start with taking decisive action to embed a strong security culture across their organisations.
“Without a culture that makes security accessible, desirable and relevant to all staff, risks may go unrecognised – leaving the door open for malicious actors to exploit an organisation’s technology and systems, with potentially devastating and long-lasting impact.
“This latest NCSC guidance details six clear principles to help overcome barriers to establishing a positive cyber security culture, leading from the top and embedding it within every organisation,” said Whitehouse.
Six core principles
The NCSC has published a list of six core principles that it believes will help security leaders create the optimal conditions where a security culture that values security behaviours and enables people to feel safe engaging with it can thrive.
It said it hoped to help build workforces that are both high-performing and cyber secure, noting of course that all businesses are unique to some degree, and no one-size-fits-all approach can possibly cover off all the bases.
In order, the cyber security culture principles are as follows:
- Cyber leaders should endeavour to frame security as something that enables a business to achieve its core goals. People should be encouraged to understand how important cyber is in keeping their day-to-day IT running and their data available, and how their own behaviours contribute to this. It is also important to try to frame security policies and processes as things that don’t block people from doing their jobs properly. Those working in the security function should be taught to be aware of how they might do this, and empowered to work to reduce possible negative impacts, for example, problems arising from blocking access to a third-party tool that core workers have embedded in their workflows, without first standing up an alternative, for example.
- Cyber leaders should work to build safety, trust and processes to encourage openness. Here, ‘good’ looks like creating a psychologically safe environment where people feel comfortable talking about cyber security, with quick and accessible routes to asking questions or reporting problems. Incident investigations, where needed, should be run from the perspective of learning and improving, not blaming, and innocent mistakes should never be punished.
- Cyber leaders should work to embrace change to manage new threats, and take advantage of opportunities to improve resilience. Resilient organisations are, at their hearts, adaptive, and this holds true for security cultures, which should be positive about change, but cautious when rushing into making changes that may prove disruptive. People on the receiving end of new security policies should feel supported in working through their impact.
- Cyber leaders should try to ensure social norms within their workplaces promote secure behaviours. Many businesses talk a good game but when push comes to shove, unwritten rules about what shortcuts are fine to take, and where the security team turns a blind eye, often render the security function essentially pointless. Simply asking people not to do something silly, like taking confidential files home with them on a USB stick, is not enough, leaders need to put in the work to get to the heart of the norm and address the underlying company values – in this example, this could be pressure to get work done out of hours or on weekends – that make them ‘acceptable’.
- Cyber leaders should encourage their organisations’ wider leadership teams to take responsibility for the impact their actions have on security cultures, agreeing and communicating shared purposes and making these central to decision-making. The C-suite must be leant on to model secure behaviours and positively influence the business’ social norms, and disincentivise problematic behaviour that they may have inadvertently deemed acceptable.
- Finally, cyber leaders should provide well-maintained security rules and guidelines that are accessible and easy-to-understand. Rules should be tested to ensure they are effective, contribute meaningfully, are usable, accessible and inclusive, and aligned with the business’ shared purposes. It is particularly important to enable people to understand the difference between rules that must be followed and mere guidelines that give advice. Feedback must be constantly sought and incorporated into policies, and changes should be widely communicated with out-of-date material expunged from onboarding packs or company intranets.
