1. A toxic work culture increases cybersecurity risks

Cybersecurity is fundamentally a people issue. If your company’s culture is high-stress, blame-heavy, and forces employees to operate in a constant state of burnout, your security posture is already compromised. Mistakes happen when people are exhausted. If employees feel undervalued or fear speaking up about security concerns, vulnerabilities go unreported. Over time, this erodes your entire risk management framework.

Rob Lee, Chief of Research and Head of Faculty at SANS Institute, puts it bluntly: high turnover in cybersecurity teams is a red flag. People don’t leave because they’re bad at their jobs—they leave because leadership isn’t listening. When security professionals burn out or feel ignored, they disengage. That’s when bad actors take advantage. Attackers thrive in environments where security teams are stretched thin and where risk reporting is met with skepticism or blame.

Leadership needs to fix this at the source. Security teams should operate in a culture that prioritizes collaboration, learning, and proactive risk mitigation. If employees aren’t confident they’ll be supported when raising concerns, they won’t bother—and that’s when major breaches happen.

2. Prioritizing tools over people weakens security

Security tools don’t run themselves. Yet, many companies throw money at new security technologies while ignoring the people who operate them. The assumption is that automation and AI will somehow compensate for a lack of skilled personnel. That’s a mistake. No matter how advanced a tool is, it requires experts who understand its full capabilities and limitations.

Rob Lee highlights a recurring pattern: companies invest in security products with the expectation that they’ll need fewer people. That’s a serious miscalculation. Without knowledgeable professionals in place, even the best security platforms will fail to prevent breaches. Attackers adapt quickly—so must your security teams.

The takeaway is simple. Investing in people is just as critical as investing in technology. A highly skilled team that understands security risks and knows how to respond is the best defense. If security spending focuses only on tools while neglecting workforce development, vulnerabilities will increase, not decrease.

3. A compliance-driven mindset undermines security

Checking boxes doesn’t mean you’re secure. Many organizations treat cybersecurity as a compliance requirement rather than a core function of risk management. This is a dangerous mindset. If the goal is just to meet regulatory standards instead of actually reducing risk, security measures become hollow. They look good on paper but don’t hold up against real-world threats.

Rob Lee points to the “zero-intrusions-allowed” mentality as a perfect example of this failure. Organizations that expect absolute security end up punishing their teams when breaches occur—despite the fact that breaches are inevitable. Instead of fostering resilience and rapid response, these companies create a culture of fear, where teams hesitate to report security threats because they’re afraid of being blamed.

Strong security culture is all about ensuring that when breaches do occur, the organization is prepared to detect, contain, and recover quickly. If security teams operate under a blame-based model, their effectiveness is compromised.

“Leadership needs to shift its perspective—security is a critical function that requires continuous adaptation and investment.”

4. Poor communication leads to greater security failures

If employees don’t feel safe reporting security issues, they won’t. That’s how small vulnerabilities turn into major security incidents. Often the biggest cybersecurity threats are internal communication failures. If your workforce isn’t aligned on security protocols, you’re creating unnecessary risk.

Nicole Turner, Founder and Chief Culture Officer at The Culture Pro, highlights a crucial issue: disengaged employees are more likely to ignore security protocols. When employees feel undervalued or unappreciated, their motivation to follow security best practices drops. Worse, in some cases, resentment can lead to deliberate insider threats—data leaks, sabotage, or unauthorized access.

Leadership must create a culture of transparency and accountability, where employees feel empowered to report potential threats. If the security team is seen as punitive rather than supportive, people will keep quiet about mistakes. That’s when attacks happen. Security is a company-wide responsibility. The key to effective cybersecurity is simple: clear communication, trust, and a culture that encourages reporting issues before they escalate.

5. Leadership plays a critical role in cybersecurity culture

Executives set the tone for how cybersecurity is perceived across the organization. If leadership treats security as an afterthought, employees will too. The reality is, cybersecurity is a business issue. When executives take it seriously, it becomes part of the company’s DNA. When they don’t, security policies become a formality that no one follows.

Stu Sjouwerman, Founder and CEO of KnowBe4, warns that leadership inconsistency is one of the fastest ways to weaken a security culture. If executives openly complain about security policies or fail to follow them, employees see security as something done “for show” rather than as a necessity. The message is clear: if leadership doesn’t care, why should anyone else?

Security should be framed as a business enabler. When executives communicate the financial and operational benefits of strong security—protecting brand reputation, preventing costly breaches, and ensuring business continuity—buy-in improves across the organization. Security needs to be woven into the business strategy, not treated as a separate function.

6. Cybersecurity teams are prone to burnout without proper support

Cybersecurity is a high-pressure field. The constant threat of attacks, unrealistic expectations, and the demand for perfection create a burnout cycle that weakens security. If leadership doesn’t provide the necessary resources and automation to ease the workload, burnout becomes inevitable. And when security teams are burned out, they miss things. That’s when breaches happen.

Rob Lee makes it clear: not every security event is an emergency. Treating every alert as a crisis leads to fatigue and inefficiency. Automation should be used strategically to eliminate repetitive tasks and allow security professionals to focus on real threats. A well-supported team is far more effective than an overworked one.

Executives need to recognize that cybersecurity isn’t just about having the right tools or policies; it’s also about maintaining a team that can function effectively under pressure. Investing in automation, setting realistic priorities, and ensuring security teams have the resources they need is critical. If leadership ignores burnout, security will suffer.

7. Security culture can be assessed by leadership engagement

One of the best ways to evaluate an organization’s security culture is to examine leadership engagement. If security is only discussed in compliance meetings, that’s a problem. If past security incidents were handled through blame rather than improvement, that’s another warning sign.

Rob Lee advises professionals to ask direct questions: Is security part of strategic discussions? Does leadership proactively engage with security teams? If the answer is no, security is likely treated as a low priority. That mindset increases risk.

For executives, this is a moment of reflection. How involved are you in security strategy? Do you encourage open discussions about risk, or is security just another item on a checklist? Companies that integrate security into leadership discussions are far better positioned to handle evolving threats. Strong security culture starts at the top. When leadership prioritizes security, the entire organization follows.

Final thoughts

Cybersecurity is about people, leadership, and culture. Companies that ignore this reality leave themselves wide open to risk. Burned-out employees make mistakes. Poor communication allows threats to go unnoticed. A blame-heavy culture discourages proactive security. These are security failures waiting to happen.

Strong cybersecurity starts at the top. Leadership sets the tone for how security is prioritized, funded, and integrated into the business. A culture that values security isn’t built on fear or rigid compliance—it’s built on trust, collaboration, and investment in both people and technology. When employees feel supported, heard, and empowered to report risks, the entire organization becomes more resilient.

Security is a business enabler. The companies that understand this avoid breaches, build trust, protect their reputation, and position themselves for long-term success in an increasingly digital world. The threat landscape is evolving. The question is, will your organization evolve with it?

Tim Boesen

March 14, 2025