Improving cyber security in a multinational consumer goods company

Cyber security was treated as a technology issue, not a business issue.

The Head of Cyber Security Strategy in a $55bn multinational consumer goods company wanted to identify the hidden cultural and organisational levers that would improve cyber security.

This case study explains how PYXIS helped reframe cyber security as an enterprise issue, map causal factors across the organisation, prioritise improvements using scenario planning, and strengthen board-level oversight.

Client snapshot

A global consumer goods company with a strong sales and cost-control culture.

The organisation operated across 18 countries and faced growing exposure to global cybercrime. Internally, cyber security was largely seen as an IT responsibility, with budget and ownership sitting inside the Technology function.

The challenge

Cyber security needed enterprise support, but functions were not engaged.

The Head of Strategy believed every function had a role to play, but efforts to engage Finance, Risk, HR, Communications and business lines gained little support. The issue was not awareness of cyber threats; it was a lack of shared accountability and a limited view of what was driving risk day to day.

Why a different approach was needed

Technology investment was not reducing losses or human-driven breaches.

The case study highlights the gap between spending and outcomes: in 2020 the world spent $132bn on cyber security technology and services, while global losses to cybercrime were nearly $6tn. It also notes that the majority of successful attacks result from human mistakes and errors.

What PYXIS did

PYXIS built a roadmap for a stronger cyber security culture across the footprint.

PYXIS helped the organisation reframe cyber security as a business and cultural issue that gained senior leadership attention, then worked with the internal cyber team to identify and prioritise the causal factors shaping cyber outcomes across the multinational footprint.

Mapping causal factors

Interviews across countries and functions revealed hidden drivers.

After conducting over 50 interviews with cyber experts and business managers across 18 countries, PYXIS and key employees identified multiple causal factors impacting cyber security. This went beyond training and phishing exercises to include drivers such as complicated policies, cumbersome processes, cost-control pressures, peer norms around speaking up, third-party practices, access management oversight, and physical security.

Modelling and measurement

The platform created a scored map and linked it to business metrics.

Using internal data, the PYXIS platform generated a visual map of causal factors with numerical and colour-coded scores, along with an overall cyber security effectiveness score. Historical and current business metrics were linked to the culture map, creating a practical foundation for prioritisation and governance.

Scenario planning and prioritisation

Best-practice libraries and modelling supported evidence-led focus.

The platform’s best-practice library was adapted to local requirements, and scenario planning was used to model which initiatives would deliver the strongest improvements and return on investment. The team selected three priorities: Greater engagement with business leadership, More oversight of third-party suppliers and contractors, And stronger oversight of access management.

Board and leadership engagement

Visual maps made cyber risk discussions clearer and more actionable.

With the visual cyber security maps, the team could communicate to the board and senior leaders that cyber security is an enterprise issue rather than a technology issue. The map made vulnerabilities easier to spot and supported more effective discussion than traditional quarterly cyber reports, helping reposition cyber security from a cost centre to a business partner.

What changed

Cyber security became more governable across the organisation.

By making causal drivers visible and prioritising change, the organisation improved its ability to align functions around cyber security, focus resources on high-impact interventions, and track progress through linked metrics. As the case study puts it:

What leaders should take from this

Strong cyber security culture is built through shared accountability and prioritised change.

This case illustrates that improving cyber resilience depends on more than controls and awareness. Leaders can strengthen outcomes by treating cyber security as a business issue, mapping drivers and root causes, prioritising interventions with evidence, and using leading indicators and metrics to sustain improvement. Learn more about cyber security culture or book a demo.

Key topics covered in this article

• Reframing cyber security as a business and cultural issue

• Mapping cyber security causal factors across a multinational footprint

• Identifying hidden drivers beyond training and phishing exercises

• Scenario planning and best-practice improvements to prioritise action

• Linking culture drivers to business metrics for governance

• Improving board engagement using visual cyber security maps

• Strengthening third-party oversight and access management

About PYXIS Culture Technologies

PYXIS Culture Technologies helps organizations understand and improve the cultural drivers of performance, safety, and cyber resilience.

By combining deep research, operational experience, and advanced culture analytics, we help organizations close the gap between cyber strategy and everyday behaviour.

Our approach is effective:

• We treat culture as a systemic business issue, not an HR initiative.

• We identify key internal business practices that create cyber security risks and provide effective solutions you can immediately implement.

• We link your cybersecurity culture to business financial metrics, showing a clear ROI for strengthening your cybersecurity culture.

Download the full case study here.

Connecting the dots

For more information or to request a demo on how mapping culture drivers can improve business results, contact us here.