Building a Cybersecurity Culture: People First, Then Technology
Year after year, global reports point to the same truth: the overwhelming majority of successful breaches begin with human error — a phishing email, a reused password, or access shared with an untrusted party. Yet many organizations still spend ninety percent of their security budget on technology and only ten percent on the human sitting behind the screen. This inverted equation is precisely why building a cybersecurity culture is a priority equal to any technical investment.
Why Traditional Awareness Campaigns Fail
The mandatory annual slideshow that employees click through to collect an attendance certificate changes no behaviour. Relying on fear alone produces denial rather than vigilance: an employee who fears punishment hides the incident instead of reporting it — and there the damage multiplies, because the first minutes after a breach are the most valuable. Campaigns that serve identical content to everyone fail too; the risks facing an accountant differ from those facing a developer or a receptionist, and each needs to rehearse their own scenarios.
A genuine security culture starts at the top. When the CEO uses multi-factor authentication without complaint and reports a suspicious email in front of the team, the message lands more powerfully than a thousand awareness posters. And when the organization rewards those who report their own mistakes instead of punishing them, errors stop being buried secrets and become accumulated institutional lessons.
From Awareness to Behaviour
Moving from employees who know to employees who act requires repeated practice in realistic context. Regular phishing simulations — run in a spirit of learning rather than entrapment — build the muscle memory of verifying before clicking. Short, in-the-moment nudges at the point of risky behaviour outperform a long lecture months later. In our specialized programs we rely on live scenario workshops: what do you do in the first ten minutes after discovering a breach? Whom do you notify? What do you shut down? Crises grant no one time to read the policy manual.
Measuring culture matters as much as building it, but beware the deceptive metric: a falling click rate on simulated phishing alone is not enough. The truer indicator is a rising reporting rate and reporting speed, because it measures initiative rather than avoidance. Add metrics such as MFA adoption, incident response time, and periodic behavioural assessment results, and you have a dashboard that honestly reflects cultural maturity.
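The dashboard sketched above, as an added example that is not part of the article: a small Python script over constructed phishing-simulation records that computes click rate, reporting rate and median time-to-report per campaign, then compares two campaigns and flags the deceptive pattern the paragraph warns about (clicks falling while reporting stays flat). Record layout, function names and all sample data are assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

@dataclass
class SimResult:
    """One recipient's outcome in a simulated phishing campaign (constructed format)."""
    user: str
    clicked: bool
    reported_after_min: Optional[float]  # minutes from delivery to report; None = never reported

def campaign_metrics(results: list[SimResult]) -> dict:
    """Click rate, reporting rate and median time-to-report for one campaign."""
    n = len(results)
    report_times = [r.reported_after_min for r in results if r.reported_after_min is not None]
    return {
        "click_rate": sum(r.clicked for r in results) / n,
        "report_rate": len(report_times) / n,
        "median_report_min": median(report_times) if report_times else None,
    }

def assess_trend(prev: dict, curr: dict) -> str:
    """Reads two consecutive campaigns the way the article suggests: a falling click
    rate with no rise in reporting rate or speed is avoidance, not initiative."""
    clicks_down = curr["click_rate"] < prev["click_rate"]
    reporting_up = curr["report_rate"] > prev["report_rate"]
    faster = (prev["median_report_min"] is not None and curr["median_report_min"] is not None
              and curr["median_report_min"] < prev["median_report_min"])
    if reporting_up or faster:
        return "improving: reporting rising"
    if clicks_down:
        return "deceptive: clicks down, reporting flat"
    return "stalled"

def make_campaign(size: int, clickers: int, report_minutes: list[float]) -> list[SimResult]:
    """Constructed campaign: the first `clickers` users click, the next
    len(report_minutes) users report after the given minutes, the rest do nothing."""
    results = []
    for i in range(size):
        idx = i - clickers
        reported = report_minutes[idx] if 0 <= idx < len(report_minutes) else None
        results.append(SimResult(f"user{i}", i < clickers, reported))
    return results

# Constructed sample data, not real campaign results.
Q1 = make_campaign(20, 6, [45.0, 90.0])              # 30% click, 10% report
Q2 = make_campaign(20, 2, [70.0, 90.0])              # 10% click, 10% report, slower
Q3 = make_campaign(20, 2, [5.0, 12.0, 20.0, 30.0, 8.0])  # 10% click, 25% report, faster

if __name__ == "__main__":
    print(assess_trend(campaign_metrics(Q1), campaign_metrics(Q2)))  # deceptive
    print(assess_trend(campaign_metrics(Q2), campaign_metrics(Q3)))  # improving
```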
The bottom line: technology is a necessary condition for cybersecurity, but not a sufficient one. The truly resilient organization is the one where every individual — from the security guard to the CEO — acts as the first line of defence, out of awareness, skill, and confidence rather than fear.
Dr. Saleh Al-Saleh
Strategy, Governance & Business Intelligence Consultant
An assistant professor of computer science at King Saud University, holding a PhD in computer science focused on big data and business intelligence from Queensland University of Technology, Australia. His leadership roles include Assistant Deputy Minister for School Affairs at the Ministry of Education and business intelligence advisor to the Saudi Customs Authority, where he oversaw data governance, business process automation, and ISO 9001 quality system implementation projects. A certified PRINCE2 project management practitioner, he delivers training programs in strategic planning, process modeling and automation, and knowledge discovery and management.