{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreigmz5y75njqivw6vdhvjhggk4q5asi6nor3be2fsd3tzhzph3qvmq",
"uri": "at://did:plc:rrwxywdlrz5fkwj5g4u4jnrk/app.bsky.feed.post/3mg3dvr3umqo2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreiaiyhbhkgqi6ejuj43da3navnenbj42wyu6g5d4pqleaevcvcnzli"
},
"mimeType": "image/jpeg",
"size": 1468781
},
"path": "/article/4138709/a-scorecard-for-cyber-and-risk-culture.html",
"publishedAt": "2026-03-02T10:00:00.000Z",
"site": "https://www.csoonline.com",
"tags": [
"IT Leadership, Risk Management, Security, Security Practices",
"Richard Fain spoke about culture",
"ORCS standard",
"HBR shows the governance pattern that makes metrics live, and modern metrics must be embedded in routines and tied to ownership",
"Want to join?"
],
"textContent": "Have you ever watched a leadership team clap for their “security culture month” like they’d landed a rover? Posters everywhere. Quizzes. A prize draw. Someone baked cupcakes with padlocks iced on top. Cute.\n\nTwo weeks later, a product manager asked an engineer to “just share the admin credentials for an hour” because the vendor demo was in thirty minutes and the CEO was joining. The engineer hesitated, then shrugged and sent them. Nobody wanted to be the person who ruined the moment.\n\nThat is culture. People in action, not process — just people trying to help each other, with good intent and possibly very bad outcomes. Not just the cupcakes…\n\nAwareness is what people can repeat. Ownership is what they do when the calendar screams and the boss stares. Your job is to turn the first into the second. Then prove it with numbers that mean something.\n\n## What culture is when you stop romanticizing it\n\nCybersecurity and risk culture isn’t a vibe. It’s a set of actions, behaviors and attitudes you can point to without raising your voice.\n\nCulture shows up in five places:\n\n 1. When someone asks for an exception.\n 2. When a change goes in late.\n 3. When an alert fires at 2 a.m.\n 4. When a junior analyst spots something odd and wonders if it’s worth escalating.\n 5. When an executive wants speed, and the team wants safety.\n\n\n\nOwnership means people act like the risk is partly theirs. They don’t outsource judgment to “security.” They don’t hide behind process. They use the process as a tool.\n\nYou can see ownership. It looks like this:\n\n * A developer uses the approved deployment path instead of the clever shortcut.\n * A finance lead challenges a risky vendor clause because they know who bears the breach liability.\n * A team flags a near-miss and expects a response, not punishment.\n * A leader says, “We’ll slip the release,” and doesn’t make a martyr out of the person who raised the red flag.\n\n\n\nYou can’t train people into that. 
You have to build an environment where that behavior makes sense, an environment based on trust and performance, not one or the other.\n\n## Why awareness stalls and ownership never arrives\n\nMost organizations don’t have a people problem. They have a system that trains people to behave badly and then acts surprised when they do. There are many examples; here are a few of our favorites:\n\n * **Mixed rewards.** Leaders say, “Be secure,” then celebrate only speed, cost and heroics. People learn fast. If the quickest route wins promotions, it becomes policy.\n * **Foggy decision-making.** Policies often read like a wish list. “Ensure least privilege.” “Maintain secure configurations.” Fine. But what do you do when a third party needs access today, the contract is vague and the project is already late? Real life lives in the gaps between policy sentences.\n * **Friction tax.** If the secure path requires three approvals and a sacrifice, people will take the unofficial path. Shadow IT isn’t rebellion. It’s survival.\n * **Diffused accountability.** “Security is everyone’s responsibility” sounds noble. It also means nobody is responsible. Everyone becomes an audience member. Security becomes the clean-up crew.\n * **Dead feedback loops.** A junior person reports something suspicious. It disappears into a ticket queue. No acknowledgement. No learning. No change. Next time, they keep quiet. Your culture just taught them to.\n\n\n\nIf you recognize yourself here, don’t panic. It’s normal. It’s also fixable. But the fix isn’t another awareness campaign. It’s a redesign.\n\n## Redesign the operating system so ownership becomes the obvious move\n\nOwnership is a design outcome. Treat it like product design. Remove friction. Clarify choices. Make it hard to do the wrong thing by accident and easy to make the best possible decision.\n\n### Make the secure path the easiest path\n\nPeople choose defaults. Give them good ones.\n\nCreate golden paths for common work. 
Secure templates. Approved tools. Automated guardrails. Self-service access with sane limits.\n\nIf your secure path feels like an obstacle course, you are manufacturing risk and hurting culture.\n\n### Clarify decision rights in plain language\n\nWho can accept risk? Who must escalate? Who has the final call?\n\nPut it on one page. Add examples.\n\n“Any request for privileged access outside the approved workflow triggers escalation to the control owner.” That sentence beats a 10-page policy every day.\n\n### Embed security inside the workflow, not at the end\n\nLate-stage gates create late-stage resentment.\n\nShift checks into the delivery rhythm. Intake. Design. Build. Deploy.\n\nKeep each control point lightweight. One question. One evidence item. One decision.\n\n### Turn “everyone” into “someone”\n\nCreate local ownership roles where work happens. Product risk leads. Engineering champions. Business control owners.\n\nGive them time and authority. Don’t make it a volunteer hobby for the already-busy.\n\n### Handle consequences like adults on the same team\n\nProtect good-faith reporting. People won’t raise their hand if you slap it.\n\nAlso, address repeated bypass. Calmly. Consistently. Without drama.\n\nCulture hates inconsistency. It feeds on it.\n\nWhen you do this well, people stop fighting security. They start using it because it helps them ship with fewer landmines.\n\n## Measure culture without turning it into theatre\n\nIf you can’t measure the behavior, you can’t claim the culture. You can claim a feeling. Feelings don’t survive audits, incidents or Board scrutiny.\n\nWe’ve seen teams measure what’s easy and then call the numbers “maturity.” Training completion. Controls “done.” Zero incidents. Nice charts. Clean dashboards. Meanwhile, the real culture runs beneath the surface, making exceptions, working around friction and staying quiet when speaking up feels risky.\n\nWhen interviewed at McKinsey, Richard Fain spoke about culture. “It’s not DNA. 
It’s not magic. It’s a daily effort, driven by leadership choices.” If that’s true, your metrics aren’t a report. They’re your steering wheel. They tell you what your leaders are really building. Not what they say they value.\n\nOne of the most dangerous culture metrics is silence dressed up as success. “Zero incidents reported” can mean you’re safe. It can also mean people don’t trust the system enough to speak up. The difference matters. The wrong interpretation is how organizations walk into breaches with a smile.\n\nMeasure culture as you would safety in a factory. You don’t celebrate that nobody pulled the emergency cord. You ask whether people would pull it if needed and whether the system would respond without disruption.\n\n## The 5 metrics that move you from awareness to ownership\n\nThese five aren’t perfect. They’re useful. They track whether people tell the truth early, whether the right owners act fast, whether you stop tolerating repeat risk and whether you learn by removing failure paths. That’s ownership in measurable form. They also align with what research shows matters most. Employee behavior. Especially the extra-role behavior people choose when nobody forces them.\n\n### 1) Speak up rate\n\n * **What it is.** The percentage of staff who raised a security concern or near miss in the last 90 days, per 100 employees.\n * **Why it matters.** It tests psychological safety with receipts. People don’t report when they think it’s pointless, risky or embarrassing. When they do report, they’re signalling trust. Not just awareness.\n * **Make it sharper** by adding a quality tag. _Actionable_ versus _FYI_. Actionable means it triggered a review, a mitigation or a decision. FYI means vague noise, or a handoff with no context. If your Speak up rate rises but everything is FYI, you haven’t built ownership. You’ve built a complaint channel.\n * **What it replaces.** “Zero incidents reported.” That metric rewards silence. 
It trains people to keep problems invisible.\n\n\n\n### 2) Time to escalation\n\n * **What it is.** The median time from the first signal (alert, anomaly, user report) to “right owner engaged.”\n * **Why it matters.** This is decision velocity in a cyber suit. If escalation depends on a heroic individual noticing the right thing at the right time, your culture is brittle. A resilient culture routes signals to owners fast and reliably.\n * **What it exposes.** Fuzzy decision rights, weak handoffs and teams that spend hours arguing about whose problem it is. Those delays aren’t technical. They’re cultural.\n * **How to measure properly.** Track the median and the long tail. The tail is where breakdowns hide.\n\n\n\n### 3) Repeat exception rate\n\n * **What it is.** The number of repeated policy exceptions per quarter, and the percentage with an approved end date.\n * **Why it matters.** Culture shows up in what you keep tolerating. One exception can be pragmatic. Repeated exceptions are a habit. Habits are culture. No end date means the exception became the real policy, just without the honesty of writing it down.\n * **What it replaces.** “100% control completion.” Controls can be “complete” while exceptions quietly hollow them out.\n * **Use it as a lens, not a whip.** Split “new” versus “repeat” exceptions. Then sort repeats by root cause: friction, vendor constraints, unclear ownership, unrealistic delivery pressure. The point isn’t blame. The point is to fix the system that keeps producing the exception.\n\n\n\n### 4) Phishing reporting ratio\n\n * **What it is.** User-reported phishing versus tool-detected phishing, plus the median time to report.\n * **Why it matters.** This metric captures vigilance, confidence and trust in one line. If users report fast, they believe reporting matters. They believe they won’t be mocked. They believe something will happen. That’s culture. 
If tools catch everything and users report nothing, you might still be protected, but you’re running a passive workforce. Passive workforces don’t surface near misses. They surface breaches.\n * **What it replaces.** Training completion and simulation click rates used as stand-alone evidence of culture. Those can be useful inputs. They are not proof of ownership.\n\n\n\n### 5) Fix-forward rate\n\n * **What it is.** The percentage of recurring control failures eliminated at the root cause within 60 days. Not patched.\n * **Why it matters.** High-performing cultures remove failure paths. They don’t babysit them. This is organizational learning you can’t fake. It also protects you from the comforting lie of activity. You can close a thousand tickets and still keep the same failure alive. “Closed on time” can be theatre. Fix-forward asks a sharper question. Did the failure stop happening?\n * **Make it ungameable.** Define “root cause eliminated” up front. If the same failure happens again, it wasn’t eliminated. It was rescheduled.\n\n\n\n## Keep the scorecard simple, and test the signal\n\nWhile the ORCS standard uses 5 levels, a good starting point is to use three levels. Basic. Managed. Predictive. Tie each level to evidence, not optimism.\n\nThen do one thing many teams skip. Validate signal quality. Ask whether improving these metrics reduces harm or speeds recovery. If the metric moves and nothing improves, kill it. Legacy metrics derail transformation because people optimize what you track. In cyber, that can turn measurement into misdirection.\n\nIf you build around these five, you stop measuring culture as intention. You start measuring it as behavior, decision speed, tolerance for repeat risk and the ability to learn fast. That’s the difference between “we care about security” and “we act like we do.”\n\nKeep the scorecard simple. Basic. Managed. Predictive. Tie each level to evidence, not confidence. “We think we’re better” is not a metric. 
It’s a hope.\n\n## Turn measurement into governance that changes decisions\n\nMetrics without governance create cynical employees. They see numbers. They never see action. Then they stop caring. Be careful not to make compliance ‘the culture’, as it’s what people do when no one is looking that counts.\n\n### Make culture a leadership routine\n\nReview the culture scorecard monthly. Treat it like revenue. Like reliability. Like safety.\n\nQuarterly, go deeper on hotspots. Repeat failures. Friction points.\n\n### Assign real owners\n\nEach metric requires someone who can change, adapt and influence the system. Not just report the number.\n\nSecurity can advise and enable. The business must own the risk and the trade-offs.\n\n### Reward the right stories\n\nStop celebrating only heroic recoveries. Celebrate prevented incidents. Celebrate early escalation. Celebrate boring discipline.\n\nIf you want ownership, reward the behaviors that create it.\n\n### Fund friction removal\n\nBudget is culture.\n\nInvest in automation, secure defaults, identity hygiene and vendor controls that make the safe path easy to follow.\n\nDefund theatre. The posters. The annual checkbox training that no one remembers by Friday.\n\n### Close the learning loop fast\n\nAfter an incident, don’t ask “what happened?” forever.\n\nAsk, “What will change by Friday?” Then track it. Publicly.\n\nWhen people see changes land, they keep reporting. When they don’t, they stop.\n\n## Sustain ownership when the novelty wears off\n\nCulture doesn’t fail in the first month. It often fails in month seven, when priorities shift and the organization becomes fatigued. HBR shows the governance pattern that makes metrics live, and modern metrics must be embedded in routines and tied to ownership.\n\n### Build micro-habits that survive stress\n\nAdd a two-minute risk pause to major change approvals.\n\nRemember to use breathing to help manage stress.\n\nRun pre-mortems before big releases. 
“How could this go wrong?” sounds simple. It saves you later.\n\nGive managers escalation scripts. People freeze when they need words. Give them words with aligned meaning.\n\n### Tell better stories\n\nMost security stories start with shame. They end with blame.\n\nTell stories about good judgment. About near-misses caught early. About a leader who chose safety and still shipped. Celebrating good news, not just bad news, is very important.\n\nStories travel faster than policies. They also train identity. “This is who we are.”\n\n### Rebuild ownership during onboarding\n\nEvery hire is a culture reset.\n\nTeach new joiners how decisions really work. Who to call. What gets escalated. What good looks like in daily work.\n\nRole-based scenarios delivered with passion beat generic slides, every time.\n\n### Equip middle managers\n\nMiddle managers translate strategy into Tuesday — they are the oil and glue of the system.\n\nIf they don’t model ownership, nobody will. Give them tools, not slogans. Trade-off language. Decision rules. Support when they push back on risky demands.\n\n### Stress-test the system\n\nRun exercises that test decisions, not just technical response.\n\nInclude product, legal, comms, procurement and key vendors.\n\nAsk one hard question. “Who can accept this risk right now?” If the room goes quiet, your culture just confessed.\n\n## The road ahead\n\nAwareness is polite. Ownership is personal.\n\nAwareness says, “I attended.” Ownership says, “I changed how I work.”\n\nYou build ownership by making it possible to care without getting punished.\n\nSo, pick three behaviors you want to see. Make the secure path easier than the shortcut. Assign owners. Measure the signal. Review it monthly. Fix friction fast.\n\nThen, the next time someone asks for admin credentials “just for an hour,” you won’t need a cupcake to say no. 
Make cultural high performance the foundation of great security!\n\n**This article is published as part of the Foundry Expert Contributor Network.**",
"title": "A scorecard for cyber and risk culture"
}