{"id":15886,"date":"2026-03-02T10:05:58","date_gmt":"2026-03-02T10:05:58","guid":{"rendered":"https:\/\/newestek.com\/?p=15886"},"modified":"2026-03-02T10:05:58","modified_gmt":"2026-03-02T10:05:58","slug":"a-scorecard-for-cyber-and-risk-culture","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15886","title":{"rendered":"A scorecard for cyber and risk culture"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Have you once watched a leadership team clap for their \u201csecurity culture month\u201d like they\u2019d landed a rover? Posters everywhere. Quizzes. A prize draw. Someone baked cupcakes with padlocks iced on top. Cute.<\/p>\n<p>Two weeks later, a product manager asked an engineer to \u201cjust share the admin credentials for an hour\u201d because the vendor demo was in thirty minutes and the CEO was joining. The engineer hesitated, then shrugged and sent them. Nobody wanted to be the person who ruined the moment.<\/p>\n<p>That is culture. People in action, not process \u2014 just people trying to help each other, with good intent and possibly very bad outcomes. Not just the cupcakes\u2026<\/p>\n<p>Awareness is what people can repeat. Ownership is what they do when the calendar screams and the boss stares. Your job is to turn the first into the second. Then prove it with numbers that mean something.<\/p>\n<h2 class=\"wp-block-heading\" id=\"what-culture-is-when-you-stop-romanticizing-it\">What culture is when you stop romanticizing it<\/h2>\n<p>Cybersecurity and risk culture isn\u2019t a vibe. 
It\u2019s a set of actions, behaviors and attitudes you can point to without raising your voice.<\/p>\n<p>Culture shows up in five places:<\/p>\n<ol class=\"wp-block-list\">\n<li>When someone asks for an exception.<\/li>\n<li>When a change goes in late.<\/li>\n<li>When an alert fires at 2 a.m.<\/li>\n<li>When a junior analyst spots something odd and wonders if it\u2019s worth escalating.<\/li>\n<li>When an executive wants speed, and the team wants safety.<\/li>\n<\/ol>\n<p>Ownership means people act like the risk is partly theirs. They don\u2019t outsource judgment to \u201csecurity.\u201d They don\u2019t hide behind process. They use the process as a tool.<\/p>\n<p>You can see ownership. It looks like this:<\/p>\n<ul class=\"wp-block-list\">\n<li>A developer uses the approved deployment path instead of the clever shortcut.<\/li>\n<li>A finance lead challenges a risky vendor clause because they know who bears the breach liability.<\/li>\n<li>A team flags a near-miss and expects a response, not punishment.<\/li>\n<li>A leader says, \u201cWe\u2019ll slip the release,\u201d and doesn\u2019t make a martyr out of the person who raised the red flag.<\/li>\n<\/ul>\n<p>You can\u2019t train people into that. You have to build an environment where that behavior makes sense, an environment based on trust and performance, not one or the other.<\/p>\n<h2 class=\"wp-block-heading\" id=\"why-awareness-stalls-and-ownership-never-arrives\">Why awareness stalls and ownership never arrives<\/h2>\n<p>Most organizations don\u2019t have a people problem. They have a system that trains people to behave badly and then acts surprised when they do. There are many examples; here are a few of our favorites:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Mixed rewards. <\/strong>Leaders say, \u201cBe secure,\u201d then celebrate only speed, cost and heroics. People learn fast. If the quickest route wins promotions, it becomes policy.<\/li>\n<li><strong>Foggy decision-making. 
<\/strong>Policies often read like a wish list. \u201cEnsure least privilege.\u201d \u201cMaintain secure configurations.\u201d Fine. But what do you do when a third party needs access today, the contract is vague and the project is already late? Real life lives in the gaps between policy sentences.<\/li>\n<li><strong>Friction tax. <\/strong>If the secure path requires three approvals and a sacrifice, people will take the unofficial path. Shadow IT isn\u2019t rebellion. It\u2019s survival.<\/li>\n<li><strong>Diffused accountability. <\/strong>\u201cSecurity is everyone\u2019s responsibility\u201d sounds noble. It also means nobody is responsible. Everyone becomes an audience member. Security becomes the clean-up crew.<\/li>\n<li><strong>Dead feedback loops. <\/strong>A junior person reports something suspicious. It disappears into a ticket queue. No acknowledgement. No learning. No change. Next time, they keep quiet. Your culture just taught them to.<\/li>\n<\/ul>\n<p>If you recognize yourself here, don\u2019t panic. It\u2019s normal. It\u2019s also fixable. But the fix isn\u2019t another awareness campaign. It\u2019s a redesign.<\/p>\n<h2 class=\"wp-block-heading\" id=\"redesign-the-operating-system-so-ownership-becomes-the-obvious-move\">Redesign the operating system so ownership becomes the obvious move<\/h2>\n<p>Ownership is a design outcome. Treat it like product design. Remove friction. Clarify choices. Make it hard to do the wrong thing by accident and easy to make the best possible decision.<\/p>\n<h3 class=\"wp-block-heading\" id=\"make-the-secure-path-the-easiest-path\">Make the secure path the easiest path<\/h3>\n<p>People choose defaults. Give them good ones.<\/p>\n<p>Create golden paths for common work. Secure templates. Approved tools. Automated guardrails. 
Self-service access with sane limits.<\/p>\n<p>If your secure path feels like an obstacle course, you are manufacturing risk and hurting culture.<\/p>\n<h3 class=\"wp-block-heading\" id=\"clarify-decision-rights-in-plain-language\">Clarify decision rights in plain language<\/h3>\n<p>Who can accept risk? Who must escalate? Who has the final call?<\/p>\n<p>Put it on one page. Add examples.<\/p>\n<p>\u201cAny request for privileged access outside the approved workflow triggers escalation to the control owner.\u201d That sentence beats a 10-page policy every day.<\/p>\n<h3 class=\"wp-block-heading\" id=\"embed-security-inside-the-workflow-not-at-the-end\">Embed security inside the workflow, not at the end<\/h3>\n<p>Late-stage gates create late-stage resentment.<\/p>\n<p>Shift checks into the delivery rhythm. Intake. Design. Build. Deploy.<\/p>\n<p>Keep each control point lightweight. One question. One evidence item. One decision.<\/p>\n<h3 class=\"wp-block-heading\" id=\"turn-everyone-into-someone\">Turn \u201ceveryone\u201d into \u201csomeone\u201d<\/h3>\n<p>Create local ownership roles where work happens. Product risk leads. Engineering champions. Business control owners.<\/p>\n<p>Give them time and authority. Don\u2019t make it a volunteer hobby for the already-busy.<\/p>\n<h3 class=\"wp-block-heading\" id=\"handle-consequences-like-adults-on-the-same-team\">Handle consequences like adults on the same team<\/h3>\n<p>Protect good-faith reporting. People won\u2019t raise their hand if you slap it.<\/p>\n<p>Also, address repeated bypass. Calmly. Consistently. Without drama.<\/p>\n<p>Culture hates inconsistency. It feeds on it.<\/p>\n<p>When you do this well, people stop fighting security. 
They start using it because it helps them ship with fewer landmines.<\/p>\n<h2 class=\"wp-block-heading\" id=\"measure-culture-without-turning-it-into-theatre\">Measure culture without turning it into theatre<\/h2>\n<p>If you can\u2019t measure the behavior, you can\u2019t claim the culture. You can claim a feeling. Feelings don\u2019t survive audits, incidents or Board scrutiny.<\/p>\n<p>We\u2019ve seen teams measure what\u2019s easy and then call the numbers \u201cmaturity.\u201d Training completion. Controls \u201cdone.\u201d Zero incidents. Nice charts. Clean dashboards. Meanwhile, the real culture runs beneath the surface, making exceptions, working around friction and staying quiet when speaking up feels risky.<\/p>\n<p>When interviewed at McKinsey, <a href=\"https:\/\/www.mckinsey.com\/featured-insights\/mckinsey-on-books\/author-talks-how-to-anchor-your-leadership-philosophy\">Richard Fain spoke about culture<\/a>. \u201cIt\u2019s not DNA. It\u2019s not magic. It\u2019s a daily effort, driven by leadership choices. If that\u2019s true, your metrics aren\u2019t a report. They\u2019re your steering wheel. They tell you what your leaders are really building. Not what they say they value.\u201d<\/p>\n<p>One of the most dangerous culture metrics is silence dressed up as success. \u201cZero incidents reported\u201d can mean you\u2019re safe. It can also mean people don\u2019t trust the system enough to speak up. The difference matters. The wrong interpretation is how organizations walk into breaches with a smile.<\/p>\n<p>Measure culture as you would safety in a factory. You don\u2019t celebrate that nobody pulled the emergency cord. You ask whether people would pull it if needed and whether the system would respond without disruption.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-5-metrics-that-move-you-from-awareness-to-ownership\">The 5 metrics that move you from awareness to ownership<\/h2>\n<p>These five aren\u2019t perfect. They\u2019re useful. 
They track whether people tell the truth early, whether the right owners act fast, whether you stop tolerating repeat risk and whether you learn by removing failure paths. That\u2019s ownership in measurable form. They also align with what research shows matters most. Employee behavior. Especially the extra-role behavior people choose when nobody forces them.<\/p>\n<h3 class=\"wp-block-heading\" id=\"1-speak-up-rate\">1) Speak up rate<\/h3>\n<ul class=\"wp-block-list\">\n<li><strong>What it is.<\/strong> The percentage of staff who raised a security concern or near miss in the last 90 days, per 100 employees.<\/li>\n<li><strong>Why it matters.<\/strong> It tests psychological safety with receipts. People don\u2019t report when they think it\u2019s pointless, risky or embarrassing. When they do report, they\u2019re signalling trust. Not just awareness.<\/li>\n<li><strong>Make it sharper<\/strong> by adding a quality tag. <em>Actionable<\/em> versus <em>FYI<\/em>. Actionable means it triggered a review, a mitigation or a decision. FYI means vague noise, or a handoff with no context. If your Speak up rate rises but everything is FYI, you haven\u2019t built ownership. You\u2019ve built a complaint channel.<\/li>\n<li><strong>What it replaces.<\/strong> \u201cZero incidents reported.\u201d That metric rewards silence. It trains people to keep problems invisible.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"2-time-to-escalation\">2) Time to escalation<\/h3>\n<ul class=\"wp-block-list\">\n<li><strong>What it is.<\/strong> The median time from the first signal (alert, anomaly, user report) to \u201cright owner engaged.\u201d<\/li>\n<li><strong>Why it matters.<\/strong> This is decision velocity in a cyber suit. If escalation depends on a heroic individual noticing the right thing at the right time, your culture is brittle. 
A resilient culture routes signals to owners fast and reliably.<\/li>\n<li><strong>What it exposes.<\/strong> Fuzzy decision rights, weak handoffs and teams that spend hours arguing about whose problem it is. Those delays aren\u2019t technical. They\u2019re cultural.<\/li>\n<li><strong>How to measure properly.<\/strong> Track the median and the long tail. The tail is where breakdowns hide.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"3-repeat-exception-rate\">3) Repeat exception rate<\/h3>\n<ul class=\"wp-block-list\">\n<li><strong>What it is.<\/strong> The number of repeated policy exceptions per quarter, and the percentage with an approved end date.<\/li>\n<li><strong>Why it matters.<\/strong> Culture shows up in what you keep tolerating. One exception can be pragmatic. Repeated exceptions are a habit. Habits are culture. No end date means the exception became the real policy, just without the honesty of writing it down.<\/li>\n<li><strong>What it replaces.<\/strong> \u201c100% control completion.\u201d Controls can be \u201ccomplete\u201d while exceptions quietly hollow them out.<\/li>\n<li><strong>Use it as a lens, not a whip.<\/strong> Split \u201cnew\u201d versus \u201crepeat\u201d exceptions. Then sort repeats by root cause: friction, vendor constraints, unclear ownership, unrealistic delivery pressure. The point isn\u2019t blame. The point is to fix the system that keeps producing the exception.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"4-phishing-reporting-ratio\">4) Phishing reporting ratio<\/h3>\n<ul class=\"wp-block-list\">\n<li><strong>What it is.<\/strong> User-reported phishing versus tool-detected phishing, plus the median time to report.<\/li>\n<li><strong>Why it matters.<\/strong> This metric captures vigilance, confidence and trust in one line. If users report fast, they believe reporting matters. They believe they won\u2019t be mocked. They believe something will happen. That\u2019s culture. 
If tools catch everything and users report nothing, you might still be protected, but you\u2019re running a passive workforce. Passive workforces don\u2019t surface near misses. They surface breaches.<\/li>\n<li><strong>What it replaces. <\/strong>Training completion and simulation click rates used as stand-alone evidence of culture. Those can be useful inputs. They are not proof of ownership.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"5-fix-forward-rate\">5) Fix-forward rate<\/h3>\n<ul class=\"wp-block-list\">\n<li><strong>What it is.<\/strong> The percentage of recurring control failures eliminated at the root cause within 60 days. Not patched.<\/li>\n<li><strong>Why it matters.<\/strong> High-performing cultures remove failure paths. They don\u2019t babysit them. This is organizational learning you can\u2019t fake. It also protects you from the comforting lie of activity. You can close a thousand tickets and still keep the same failure alive. \u201cClosed on time\u201d can be theatre. Fix-forward asks a sharper question. Did the failure stop happening?<\/li>\n<li><strong>Make it ungameable.<\/strong> Define \u201croot cause eliminated\u201d up front. If the same failure happens again, it wasn\u2019t eliminated. It was rescheduled.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"keep-the-scorecard-simple-and-test-the-signal\">Keep the scorecard simple, and test the signal<\/h2>\n<p>While the <a href=\"https:\/\/www.csoonline.com\/article\/4112124\/how-the-organizational-risk-culture-standard-can-supercharge-your-cybersecurity-culture.html\">ORCS standard<\/a> uses 5 levels, a good starting point is to use three levels. Basic. Managed. Predictive. Tie each level to evidence, not optimism.<\/p>\n<p>Then do one thing many teams skip. Validate signal quality. Ask whether improving these metrics reduces harm or speeds recovery. If the metric moves and nothing improves, kill it. Legacy metrics derail transformation because people optimize what you track. 
In cyber, that can turn measurement into misdirection.<\/p>\n<p>If you build around these five, you stop measuring culture as intention. You start measuring it as behavior, decision speed, tolerance for repeat risk and the ability to learn fast. That\u2019s the difference between \u201cwe care about security\u201d and \u201cwe act like we do.\u201d<\/p>\n<p>Keep the scorecard simple. Basic. Managed. Predictive. Tie each level to evidence, not confidence. \u201cWe think we\u2019re better\u201d is not a metric. It\u2019s a hope.<\/p>\n<h2 class=\"wp-block-heading\" id=\"turn-measurement-into-governance-that-changes-decisions\">Turn measurement into governance that changes decisions<\/h2>\n<p>Metrics without governance create cynical employees. They see numbers. They never see action. Then they stop caring. Be careful not to make compliance \u2018the culture\u2019, because what counts is what people do when no one is looking.<\/p>\n<h3 class=\"wp-block-heading\" id=\"make-culture-a-leadership-routine\">Make culture a leadership routine<\/h3>\n<p>Review the culture scorecard monthly. Treat it like revenue. Like reliability. Like safety.<\/p>\n<p>Quarterly, go deeper on hotspots. Repeat failures. Friction points.<\/p>\n<h3 class=\"wp-block-heading\" id=\"assign-real-owners\">Assign real owners<\/h3>\n<p>Each metric requires someone who can change, adapt and influence the system. Not just report the number.<\/p>\n<p>Security can advise and enable. The business must own the risk and the trade-offs.<\/p>\n<h3 class=\"wp-block-heading\" id=\"reward-the-right-stories\">Reward the right stories<\/h3>\n<p>Stop celebrating only heroic recoveries. Celebrate prevented incidents. Celebrate early escalation. 
Celebrate boring discipline.<\/p>\n<p>If you want ownership, reward the behaviors that create it.<\/p>\n<h3 class=\"wp-block-heading\" id=\"fund-friction-removal\">Fund friction removal<\/h3>\n<p>Budget is culture.<\/p>\n<p>Invest in automation, secure defaults, identity hygiene and vendor controls that make the safe path easy to follow.<\/p>\n<p>Defund theatre. The posters. The annual checkbox training that no one remembers by Friday.<\/p>\n<h3 class=\"wp-block-heading\" id=\"close-the-learning-loop-fast\">Close the learning loop fast<\/h3>\n<p>After an incident, don\u2019t ask \u201cwhat happened?\u201d forever.<\/p>\n<p>Ask, \u201cWhat will change by Friday?\u201d Then track it. Publicly.<\/p>\n<p>When people see changes land, they keep reporting. When they don\u2019t, they stop.<\/p>\n<h2 class=\"wp-block-heading\" id=\"sustain-ownership-when-the-novelty-wears-off\">Sustain ownership when the novelty wears off<\/h2>\n<p>Culture doesn\u2019t fail in the first month. It often fails in month seven, when priorities shift and the organization becomes fatigued. <a href=\"https:\/\/hbr.org\/2026\/02\/are-legacy-metrics-derailing-your-transformation\">HBR shows the governance pattern that makes metrics live: modern metrics must be embedded in routines and tied to ownership<\/a>.<\/p>\n<h3 class=\"wp-block-heading\" id=\"build-micro-habits-that-survive-stress\">Build micro-habits that survive stress<\/h3>\n<p>Add a two-minute risk pause to major change approvals.<\/p>\n<p>Remember to use breathing to help manage stress.<\/p>\n<p>Run pre-mortems before big releases. \u201cHow could this go wrong?\u201d sounds simple. It saves you later.<\/p>\n<p>Give managers escalation scripts. People freeze when they need words. Give them words with aligned meaning.<\/p>\n<h3 class=\"wp-block-heading\" id=\"tell-better-stories\">Tell better stories<\/h3>\n<p>Most security stories start with shame. They end with blame.<\/p>\n<p>Tell stories about good judgment. 
About near-misses caught early. About a leader who chose safety and still shipped. Celebrating good news, not just bad news, is very important.<\/p>\n<p>Stories travel faster than policies. They also train identity. \u201cThis is who we are.\u201d<\/p>\n<h3 class=\"wp-block-heading\" id=\"rebuild-ownership-during-onboarding\">Rebuild ownership during onboarding<\/h3>\n<p>Every hire is a culture reset.<\/p>\n<p>Teach new joiners how decisions really work. Who to call. What gets escalated. What good looks like in daily work.<\/p>\n<p>Role-based scenarios delivered with passion beat generic slides, every time.<\/p>\n<h3 class=\"wp-block-heading\" id=\"equip-middle-managers\">Equip middle managers<\/h3>\n<p>Middle managers translate strategy into Tuesday \u2014 they are the oil and glue of the system.<\/p>\n<p>If they don\u2019t model ownership, nobody will. Give them tools, not slogans. Trade-off language. Decision rules. Support when they push back on risky demands.<\/p>\n<h3 class=\"wp-block-heading\" id=\"stress-test-the-system\">Stress-test the system<\/h3>\n<p>Run exercises that test decisions, not just technical response.<\/p>\n<p>Include product, legal, comms, procurement and key vendors.<\/p>\n<p>Ask one hard question. \u201cWho can accept this risk right now?\u201d If the room goes quiet, your culture just confessed.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-road-ahead\">The road ahead<\/h2>\n<p>Awareness is polite. Ownership is personal.<\/p>\n<p>Awareness says, \u201cI attended.\u201d Ownership says, \u201cI changed how I work.\u201d<\/p>\n<p>You build ownership by making it possible to care without getting punished.<\/p>\n<p>So, pick three behaviors you want to see. Make the secure path easier than the shortcut. Assign owners. Measure the signal. Review it monthly. Fix friction fast.<\/p>\n<p>Then, the next time someone asks for admin credentials \u201cjust for an hour,\u201d you won\u2019t need a cupcake to say no. 
Make cultural high performance the foundation of great security!<\/p>\n<p><strong>This article is published as part of the Foundry Expert Contributor Network.<br \/><a href=\"https:\/\/www.csoonline.com\/expert-contributor-network\/\">Want to join?<\/a><\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Have you once watched a leadership team clap for their \u201csecurity culture month\u201d like they\u2019d landed a rover? Posters everywhere. Quizzes. A prize draw. Someone baked cupcakes with padlocks iced on top. Cute. Two weeks later, a product manager asked an engineer to \u201cjust share the admin credentials for an hour\u201d because the vendor demo was in thirty minutes and the CEO was joining. The&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15886\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15886","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15886","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15886"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15886\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15886"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15886"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15886"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}