
Reducing cyber security risk in a global retail bank

  • Writer: Christiane Wuillamie
  • Dec 6, 2024

Updated: Jan 26



The CISO of a major international retail bank reframed cyber security as an enterprise issue, not just a technology issue.

This case study explains how PYXIS helped the bank map causal risk factors beyond technology, prioritise high-impact interventions, and engage the board with a clearer, organisation-wide view of cyber security risks.

Client challenge

Cyber risk was seen as a technology silo, not a business issue.

The bank’s Chief Information Security Officer (CISO) struggled to get support from other functions because cyber security was viewed primarily as a technology problem. Traditional cyber briefing documents were too detailed and technical for business leaders and the board, and cyber budgets were nested within the broader Technology budget. Trust and customer loyalty were at risk due to ongoing breach costs and long detection times.

Reframing cyber security

The CISO shifted the narrative to enterprise-wide responsibility.

Recognising that human and organisational factors drive most security failures, the CISO engaged PYXIS to help reframe cyber security as a shared business responsibility. This reframing set the stage for a broader culture change agenda and stronger collaboration across functions.

Mapping cyber security causal factors

A facilitated workshop uncovered hidden risks.

PYXIS guided the bank’s cyber leadership team through a three-hour workshop to identify organisational causal factors that drive employee actions on cyber security.

Beyond training and phishing exercises, the team identified factors including:

  • Complex internal IT and cyber policies

  • Cumbersome work processes

  • Supervisor demands for cost control

  • Peer pressure not to report mistakes

  • Weak third-party cyber practices

  • Poor oversight of access management

  • Lack of alignment between physical, IT and cyber security

  • Limited support from senior leadership and the board

This ecosystem view revealed risk drivers that traditional assessments often miss.

Identifying systemic cyber risks

Quantitative and qualitative data strengthened the model.

To build a rigorous, data-driven model, the team spent a week gathering internal company data, including historical cyber metrics and employee engagement surveys. A tailored cyber security culture assessment was sent to managers and supervisors, and the PYXIS algorithm generated numerical and colour-coded scores for each causal factor, as well as an overall cyber security effectiveness score.

Scenario planning and prioritisation

Modelling interventions supported evidence-led decisions.

The PYXIS platform includes a library of best practices linked to specific risk causal factors. The bank’s team used the platform’s scenario planning function to model potential cyber security improvements and calculate estimated ROI for each.

Initiatives selected for focus included:

  • Strengthening engagement with business leadership

  • Increasing oversight of third-party suppliers and contractors

  • Improving risk management practices

  • Revising cyber policies and processes for easier compliance

This prioritisation process helped the bank focus resources on changes that would have the most impact.

Linking culture to business metrics

Visibility into performance supported governance.

The platform also linked the cyber security culture map to key business metrics. This capability allowed the bank to track internal practices relative to outcomes and adjust focus as needed. By showing metrics that mattered to leaders, the bank could monitor progress and keep cyber security aligned with broader business performance goals.

Engaging the board and senior leaders

Visual maps made discussions more effective.

With the visual culture maps, the CISO was able to communicate cyber security risk in business terms, avoiding dense technical reports. Boards and senior leaders could see where vulnerabilities were emerging and prioritise strategic conversations around risk mitigation. This deeper engagement helped move cyber security from a cost centre to a business-partner function supporting enterprise goals.

Outcomes and impact

Cyber security became a shared organisational priority.

The bank achieved a shift in how cyber security was understood internally:

  • Clearer alignment between cyber priorities and business goals

  • Better prioritisation of interventions based on systemic risk drivers

  • Enhanced board oversight with metrics leaders could interpret

  • A stronger enterprise approach to risk that extended beyond technology

This case illustrates how addressing cultural drivers and causal factors can materially improve an organisation’s cyber resilience.

Key topics covered in this article

  • Reframing cyber security as an enterprise risk, not a technology issue

  • Identifying hidden causal factors behind cyber risk

  • Using scenario planning and analytics to prioritise improvements

  • Linking culture drivers to business performance metrics

  • Engaging boards with visual risk and culture maps

  • Turning cyber security into a shared organisational priority

About PYXIS Culture Technologies

PYXIS Culture Technologies helps organisations understand and improve the cultural drivers of conduct risk, safety, and cyber resilience.

By combining deep research, operational experience, and advanced culture analytics, we help organisations close the gap between strategy and everyday behaviour.

Our approach is effective:

  • We treat culture as a systemic business issue, not an HR initiative.

  • We identify key internal business practices that create cyber security risks and provide effective solutions you can immediately implement.

  • We link your cyber security culture to business financial metrics, showing a clear ROI for strengthening your cyber security culture.


Connecting the dots

For more information or to request a demo on how mapping culture drivers can improve business results, contact us here.


