Cyber security culture: enterprise accountability, not technology alone

Cyber security remains costly and ineffective when it’s viewed purely as a technology problem.

This case study shows why human and organisational factors — leadership accountability, embedded risk practices and cultural drivers — are central to cyber resilience, and how a systems-oriented culture model helps leaders prioritise action and reduce risk.

The gap in traditional cyber security approaches

Technology spending hasn’t reduced cost or risk.

In 2020, global spend on cyber security technologies exceeded $132 billion while the cost of cybercrime reached nearly $6 trillion. Ransomware payments alone touched $1 trillion in the first half of 2021. These figures show that technology investment alone is not delivering the reductions in risk leaders expect.

Viewing cyber security as a business asset

Every function must become cyber-responsible.

A key theme in the PDF is that cyber security must be treated as an enterprise business issue — not just a CISO or IT concern. As one expert quoted in the study notes:

This reframing helps leaders shift from “fixing technology” to improving the conditions that shape secure behaviour.

Why culture drives risk outcomes

Organisations are mirrors of their leaders.

Culture determines how decisions get made under pressure, how policies are followed in practice, and how risks are reported and escalated. When leaders view cyber security as everyone’s responsibility, they help embed risk awareness across functions and elevate it to operational governance.

This is reflected in the report’s framework: leaders should move beyond training and controls to address causal factors that shape everyday decisions.

The PYXIS systems approach to cyber culture

Analytics reveal hidden risk drivers.

The report lays out a systems analytics approach that combines internal data, expert review and proprietary modelling to map the cultural ecosystem influencing cyber security.

This includes:

• Identification of systemic cyber risksUnderstanding where hidden drivers are amplifying exposure.

• Board commitment and oversightEnsuring that the board has a foundational understanding of cyber risk and governance expectations.

• Engaging business leadersMoving cyber from IT into the operational lexicon of business unit leaders.

• Risk management design for securityEmbedding secure practices into core processes.

• Internal communication rhythmsImproving cross-functional clarity and risk awareness.

• Secure supply chainTreating third-party risk as integral to organisational cyber posture.

• Employee care and trainingExtending responsibility from leaders to every employee, including hybrid/home working environments.

• Linking cyber security to business prioritiesEnsuring that cyber strategy maps clearly to organisational goals.

The result is a visual cyber culture map that helps leaders identify where risk is being created and where interventions will have the greatest impact.

Practical steps for leaders

Board training and accountability matter.

The PDF emphasises practical measures leaders can take to strengthen cyber culture, such as:

• Provide board members with cyber security training so they understand their oversight role.

• Engage business unit leaders in risk conversations, not just technical briefings.

• Facilitate cross-functional collaboration to break down silos and slow response times.

• Use tabletop exercises involving executives and managers to build rapid response capabilities.

• Integrate secure design practices into products and services from day one.

• Improve cyber supply chain oversight by involving security functions in partner/third-party decisions.

The emphasis is on embedding security into organisational routines and incentives.

Expert endorsement

Culture and performance are inseparable.

The PDF includes expert commentary reinforcing the approach:

This underscores how culture analytics can be a differentiator for leaders committed to improving outcomes.

What leaders should take from this

Cyber security effectiveness grows from culture drivers.

For executives and boards, the key lessons include:

• See cyber security as an enterprise responsibility, not just a technology domain.

• Use analytics to reveal causal drivers and hotspots.

• Engage leadership beyond IT and involve the board in governance.

• Track leading indicators and general risk conditions, not just incidents.

This approach aligns strategy, governance and behaviour in pursuit of resilient cyber security.

Key topics covered in this article

• Why technology spending alone has not reduced cyber risk

• Reframing cyber security as an enterprise business issue

• Systems analytics for identifying causal cyber risk drivers

• Practical leadership accountability steps for boards and executives

• Expert endorsement of culture analytics for cyber resilience

• Embedding secure practices into organisational routines

About PYXIS Culture Technologies

PYXIS Culture Technologies helps organisations understand and improve the cultural drivers of performance, safety, and cyber resilience.

By combining deep research, operational experience, and advanced culture analytics, we help organisations close the gap between cyber strategy and everyday behaviour.

Our approach is effective:

• We treat culture as a systemic business issue, not an HR initiative.

• We identify key internal business practices that create cyber security risks and provide effective solutions you can immediately implement.

• We link your cyber security culture to business financial metrics, showing a clear ROI for strengthening your cyber security culture.

Download the full case study here.

Connecting the dots

For more information or to request a demo on how mapping culture drivers can improve business results, contact us here.