
How Corporate Culture Shapes Cyber Security: Why Technology Alone Is Not Enough

  • Writer: John R Childress
  • Jul 17, 2021

Updated: Jan 20

“Cyber threats are often a mirror of our own weaknesses. Understanding our digital and behavioral gaps is the foundation of true cyber resilience.” Stephane Nappo

Cyber Security: Big Spending, Bigger Losses

Organizations around the world spend enormous sums on cyber security.

Global investment reached roughly $212 billion in 2025 and continues to grow at double‑digit rates. With that level of investment, senior leaders could reasonably expect cyber risks to be under control.

Unfortunately, reality tells a very different story.

At the end of 2025, the global cost of cybercrime was nearly $10 trillion. Cybercrime is not limited to global banks or technology giants. In fact:

  • 43% of cyberattacks target small and mid-sized businesses, many of which lack mature defenses.

  • Hospitals and healthcare providers are increasingly under attack, where system outages can disrupt patient care—and in extreme cases, put lives at risk.

Despite ever more sophisticated tools, cybercrime continues to grow. This raises an uncomfortable but necessary question for leaders:

If technology spending keeps increasing, why are outcomes getting worse?

The Cyber Arms Race—and Why It Fails

Most organizations respond to cyber threats by adding more technology: AI-enabled tools, tighter controls, new systems.

But cyber criminals adapt just as quickly. Every new defense triggers a more creative attack.

The result is a never‑ending cycle—a kind of cyber “whack‑a‑mole”—where organizations are always reacting, rarely getting ahead.

The uncomfortable truth is this:

Cyber security cannot be strengthened by technology alone. Your cyber security culture must be strengthened as well.

Until leaders address the human and organizational side of cyber risk, investments in technology alone will continue to expose your organization to cyber attacks.

Culture: A Proven Driver of Business Outcomes

Senior leaders already understand that culture shapes behavior—and behavior drives results.

We have seen this repeatedly across industries.

  • At Wells Fargo, a toxic sales culture contributed to employees opening more than one million fraudulent accounts to meet aggressive targets.

  • At Volkswagen, a top‑down culture of arrogance and fear played a central role in the diesel emissions scandal.

By contrast, Southwest Airlines’ “Culture of LUV” has helped the company achieve decades of profitability in one of the toughest industries in the world.

Cyber security is no different. The same cultural forces that shape ethics, safety, and performance also shape how employees behave when it comes to cyber risk.

What Is Cyber Security Culture?

Cyber security culture is the set of organizational conditions that influence how people think about, prioritize, and act on cyber security—especially when no one is watching.

It is not a single policy or training course. Instead, it is an interconnected ecosystem of factors, including:

  • Leadership behaviors and messaging

  • Policies and procedures

  • Training and onboarding

  • IT usability and support

  • Time pressure and performance targets

  • Remote and hybrid work practices

  • Third‑party and contractor management

  • Informal norms and peer pressure

These factors interact every day to either:

  • Reinforce safe cyber behaviors, or

  • Encourage shortcuts, silence, and risky workarounds


For example, in organizations where employees fear blame or punishment, people are far less likely to report suspicious emails or admit mistakes. That silence can turn a minor incident into a major breach.

Why Culture Is the Missing Link in Cyber Security

Many breaches do not occur because employees lack knowledge. They occur because the work environment (culture) makes the right behaviors difficult—or the wrong behaviors easy.

Common cultural risk patterns include:

  • Leaders who talk about cyber security only after an incident

  • Complex IT policies that slow work and encourage workarounds

  • Unrealistic deadlines that reward speed over safety

  • Limited feedback or recognition for good cyber behavior

Over time, these conditions normalize risky behavior. Employees do not intentionally put the organization at risk—they simply adapt to the system they work in.

Building a Strong Cyber Security Culture

The first step in improving cyber security culture is visibility. Leaders cannot manage what they cannot see.

A structured cyber security culture assessment allows organizations to:

  • Identify cultural strengths that already support cyber resilience

  • Reveal hidden risks that are not visible in technical audits

  • Understand how leadership behavior impacts day‑to‑day cyber decisions

  • Prioritize actions that will have the greatest impact

This approach looks at both primary drivers (such as leadership, security policies, and training) and enabling factors (such as direct supervision, IT support, hiring, onboarding, and work processes). Together, they determine how cyber security actually works in practice.

Just as importantly, culture analysis helps leaders understand trade‑offs.

For example, research consistently shows that visible leadership commitment—regularly reinforcing cyber priorities in meetings, town halls, and decision‑making—accounts for nearly 20% of your cybersecurity culture and has a disproportionate impact on employee behavior.

Yet in many organizations, cyber security is rarely mentioned outside of mandatory training or crisis response. And in Board discussions, it is often a minor agenda item, until there is an incident!

Leadership and IT: Two Critical Levers

Two factors consistently stand out as high‑impact drivers of cyber security culture:

1. Senior Leadership Behavior

Employees take their cues from what leaders say, do, and reward. When leaders visibly prioritize cyber security, employees follow. When leaders stay silent, other pressures—such as speed, cost, or convenience—fill the gap.

2. IT Management and Usability

Even the best policies fail if systems are difficult to use. Under‑resourced IT teams, budget pressure, and complex controls often push employees toward unsafe shortcuts. Cyber hygiene must be practical, supported, and realistic for daily work.

A Question for Leaders

Every organization has a cyber security culture—whether it is intentional or accidental.

The critical questions are:

  • What behaviors does your culture encourage today?

  • Where are the hidden risks no dashboard is showing you?

If you do not understand your culture, you do not fully understand your cyber risk.

Key Topics Covered in This Article

  • Cyber security culture and human risk

  • Leadership behavior and cyber resilience

  • Organizational culture and cyber risk management

  • Why cyber security technology alone fails

  • How to build a strong cyber security culture

About PYXIS Culture Technologies

PYXIS Culture Technologies helps organizations understand and improve the cultural drivers of performance, safety, and cyber resilience.

By combining deep research, operational experience, and advanced culture analytics, we help organizations close the gap between cyber strategy and everyday behavior.

Our approach is effective:

  • We treat culture as a systemic business issue, not an HR initiative.

  • We identify key internal business practices that create cyber security risks and provide effective solutions you can immediately implement.

  • We link your cybersecurity culture to business financial metrics, showing a clear ROI for strengthening your cybersecurity culture.


Connecting the dots

See how PYXIS models What-If scenarios to prioritise the fixes that move your numbers.



