Have you ever watched a leadership team clap for their “security culture month” like they’d landed a rover? Posters everywhere. Quizzes. A prize draw. Someone baked cupcakes with padlocks iced on top. Cute.

Two weeks later, a product manager asked an engineer to “just share the admin credentials for an hour” because the vendor demo was in thirty minutes and the CEO was joining. The engineer hesitated, then shrugged and sent them. Nobody wanted to be the person who ruined the moment.

That is culture: people in action, not process. People trying to help each other, with good intent and possibly very bad outcomes. Not the cupcakes.

Awareness is what people can repeat. Ownership is what they do when the calendar screams and the boss stares. Your job is to turn the first into the second. Then prove it with numbers that mean something.

What culture is when you stop romanticizing it

Cybersecurity and risk culture isn’t a vibe. It’s a set of actions, behaviors and attitudes you can point to without raising your voice.

Culture shows up in five places:

  1. When someone asks for an exception.
  2. When a change goes in late.
  3. When an alert fires at 2 a.m.
  4. When a junior analyst spots something odd and wonders if it’s worth escalating.
  5. When an executive wants speed, and the team wants safety.

Ownership means people act like the risk is partly theirs. They don’t outsource judgment to “security.” They don’t hide behind process. They use the process as a tool.

You can see ownership. It looks like this:

  • A developer uses the approved deployment path instead of the clever shortcut.
  • A finance lead challenges a risky vendor clause because they know who bears the breach liability.
  • A team flags a near-miss and expects a response, not punishment.
  • A leader says, “We’ll slip the release,” and doesn’t make a martyr out of the person who raised the red flag.

You can’t train people into that. You have to build an environment where that behavior makes sense, an environment built on both trust and performance, not one at the expense of the other.

Why awareness stalls and ownership never arrives

Most organizations don’t have a people problem. They have a system that trains people to behave badly and then acts surprised when they do. There are many examples; here are a few of our favorites:

  • Mixed rewards. Leaders say, “Be secure,” then celebrate only speed, cost and heroics. People learn fast. If the quickest route wins promotions, it becomes policy.
  • Foggy decision-making. Policies often read like a wish list. “Ensure least privilege.” “Maintain secure configurations.” Fine. But what do you do when a third party needs access today, the contract is vague and the project is already late? Real life lives in the gaps between policy sentences.
  • Friction tax. If the secure path requires three approvals and a sacrifice, people will take the unofficial path. Shadow IT isn’t rebellion. It’s survival.
  • Diffused accountability. “Security is everyone’s responsibility” sounds noble. It also means nobody is responsible. Everyone becomes an audience member. Security becomes the clean-up crew.
  • Dead feedback loops. A junior person reports something suspicious. It disappears into a ticket queue. No acknowledgement. No learning. No change. Next time, they keep quiet. Your culture just taught them to.

If you recognize yourself here, don’t panic. It’s normal. It’s also fixable. But the fix isn’t another awareness campaign. It’s a redesign.

Redesign the operating system so ownership becomes the obvious move

Ownership is a design outcome. Treat it like product design. Remove friction. Clarify choices. Make it hard to do the wrong thing by accident and easy to make the best possible decision.

Make the secure path the easiest path

People choose defaults. Give them good ones.

Create golden paths for common work. Secure templates. Approved tools. Automated guardrails. Self-service access with sane limits.

If your secure path feels like an obstacle course, you are manufacturing risk and hurting culture.

Clarify decision rights in plain language

Who can accept risk? Who must escalate? Who has the final call?

Put it on one page. Add examples.

“Any request for privileged access outside the approved workflow triggers escalation to the control owner.” That sentence beats a 10-page policy every day.

Embed security inside the workflow, not at the end

Late-stage gates create late-stage resentment.

Shift checks into the delivery rhythm. Intake. Design. Build. Deploy.

Keep each control point lightweight. One question. One evidence item. One decision.

Turn “everyone” into “someone”

Create local ownership roles where work happens. Product risk leads. Engineering champions. Business control owners.

Give them time and authority. Don’t make it a volunteer hobby for the already-busy.

Handle consequences like adults on the same team

Protect good-faith reporting. People won’t raise their hand if you slap it.

Also, address repeated bypass. Calmly. Consistently. Without drama.

Culture hates inconsistency. It feeds on it.

When you do this well, people stop fighting security. They start using it because it helps them ship with fewer landmines.

Measure culture without turning it into theatre

If you can’t measure the behavior, you can’t claim the culture. You can claim a feeling. Feelings don’t survive audits, incidents or Board scrutiny.

We’ve seen teams measure what’s easy and then call the numbers “maturity.” Training completion. Controls “done.” Zero incidents. Nice charts. Clean dashboards. Meanwhile, the real culture runs beneath the surface, making exceptions, working around friction and staying quiet when speaking up feels risky.

When interviewed at McKinsey, Richard Fain spoke about culture: “It’s not DNA. It’s not magic. It’s a daily effort, driven by leadership choices.” If that’s true, your metrics aren’t a report. They’re your steering wheel. They tell you what your leaders are really building. Not what they say they value.

One of the most dangerous culture metrics is silence dressed up as success. “Zero incidents reported” can mean you’re safe. It can also mean people don’t trust the system enough to speak up. The difference matters. The wrong interpretation is how organizations walk into breaches with a smile.

Measure culture as you would safety in a factory. You don’t celebrate that nobody pulled the emergency cord. You ask whether people would pull it if needed and whether the system would respond without disruption.

The 5 metrics that move you from awareness to ownership

These five aren’t perfect. They’re useful. They track whether people tell the truth early, whether the right owners act fast, whether you stop tolerating repeat risk and whether you learn by removing failure paths. That’s ownership in measurable form. They also align with what research shows matters most. Employee behavior. Especially the extra-role behavior people choose when nobody forces them.

1) Speak up rate

  • What it is. The number of distinct staff who raised a security concern or near miss in the last 90 days, expressed per 100 employees.
  • Why it matters. It tests psychological safety with receipts. People don’t report when they think it’s pointless, risky or embarrassing. When they do report, they’re signalling trust. Not just awareness.
  • Make it sharper by adding a quality tag. Actionable versus FYI. Actionable means it triggered a review, a mitigation or a decision. FYI means vague noise, or a handoff with no context. If your Speak up rate rises but everything is FYI, you haven’t built ownership. You’ve built a complaint channel.
  • What it replaces. “Zero incidents reported.” That metric rewards silence. It trains people to keep problems invisible.

2) Time to escalation

  • What it is. The median time from the first signal (alert, anomaly, user report) to “right owner engaged.”
  • Why it matters. This is decision velocity in a cyber suit. If escalation depends on a heroic individual noticing the right thing at the right time, your culture is brittle. A resilient culture routes signals to owners fast and reliably.
  • What it exposes. Fuzzy decision rights, weak handoffs and teams that spend hours arguing about whose problem it is. Those delays aren’t technical. They’re cultural.
  • How to measure properly. Track the median and the long tail. The tail is where breakdowns hide.

3) Repeat exception rate

  • What it is. The number of repeated policy exceptions per quarter, and the percentage with an approved end date.
  • Why it matters. Culture shows up in what you keep tolerating. One exception can be pragmatic. Repeated exceptions are a habit. Habits are culture. No end date means the exception became the real policy, just without the honesty of writing it down.
  • What it replaces. “100% control completion.” Controls can be “complete” while exceptions quietly hollow them out.
  • Use it as a lens, not a whip. Split “new” versus “repeat” exceptions. Then sort repeats by root cause: friction, vendor constraints, unclear ownership, unrealistic delivery pressure. The point isn’t blame. The point is to fix the system that keeps producing the exception.

4) Phishing reporting ratio

  • What it is. User-reported phishing versus tool-detected phishing, plus the median time to report.
  • Why it matters. This metric captures vigilance, confidence and trust in one line. If users report fast, they believe reporting matters. They believe they won’t be mocked. They believe something will happen. That’s culture. If tools catch everything and users report nothing, you might still be protected, but you’re running a passive workforce. Passive workforces don’t surface near misses. They surface breaches.
  • What it replaces. Training completion and simulation click rates used as stand-alone evidence of culture. Those can be useful inputs. They are not proof of ownership.

5) Fix-forward rate

  • What it is. The percentage of recurring control failures eliminated at the root cause within 60 days. Eliminated, not merely patched.
  • Why it matters. High-performing cultures remove failure paths. They don’t babysit them. This is organizational learning you can’t fake. It also protects you from the comforting lie of activity. You can close a thousand tickets and still keep the same failure alive. “Closed on time” can be theatre. Fix-forward asks a sharper question. Did the failure stop happening?
  • Make it ungameable. Define “root cause eliminated” up front. If the same failure happens again, it wasn’t eliminated. It was rescheduled.
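The five metrics above, computed from constructed ticket-style records. This is an added worked example, not code from the article; the record fields (ts, who, tag, signal_ts, owner_ts, end_date, root_cause, fix_ts, recurrences) are assumptions to map your own ticketing or SIEM export onto. It also reports the p90 alongside the median for time to escalation, since the long tail is where the breakdowns hide, and it treats any recurrence after a fix as “rescheduled, not eliminated.”

```python
"""Five culture metrics from constructed ticket records (added example)."""
import math
from datetime import datetime, timedelta
from statistics import median


def minutes(later, earlier):
    return (later - earlier).total_seconds() / 60


def percentile(values, p):
    """Nearest-rank percentile; p90 exposes the tail the median hides."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(p * len(ordered))) - 1]


def speak_up_rate(reports, headcount, as_of, window_days=90):
    """Distinct reporters in the window per 100 staff, plus actionable share."""
    start = as_of - timedelta(days=window_days)
    recent = [r for r in reports if start <= r["ts"] <= as_of]
    reporters = {r["who"] for r in recent}
    actionable = sum(1 for r in recent if r["tag"] == "actionable")
    return {"per_100": 100 * len(reporters) / headcount,
            "actionable_share": actionable / len(recent) if recent else 0.0}


def time_to_escalation(signals):
    """Median and p90 minutes from first signal to the right owner engaged."""
    deltas = [minutes(s["owner_ts"], s["signal_ts"]) for s in signals]
    return {"median_min": median(deltas), "p90_min": percentile(deltas, 0.9)}


def repeat_exception_rate(exceptions, q_start, q_end):
    """A repeat is the same control/system granted an exception earlier.
    Also reports the share with an approved end date and repeats by cause."""
    seen, by_cause = set(), {}
    in_quarter = repeats = with_end = 0
    for e in sorted(exceptions, key=lambda e: e["ts"]):
        key = (e["control"], e["system"])
        if q_start <= e["ts"] <= q_end:
            in_quarter += 1
            with_end += (e["end_date"] is not None)
            if key in seen:
                repeats += 1
                by_cause[e["root_cause"]] = by_cause.get(e["root_cause"], 0) + 1
        seen.add(key)
    return {"in_quarter": in_quarter, "repeats": repeats,
            "with_end_date_share": with_end / in_quarter if in_quarter else 0.0,
            "repeats_by_cause": by_cause}


def phishing_reporting_ratio(user_reports, tool_detected):
    """User-reported vs tool-detected phish, and median minutes to report."""
    delays = [minutes(r["reported_ts"], r["received_ts"]) for r in user_reports]
    return {"ratio": len(user_reports) / tool_detected if tool_detected else 0.0,
            "median_report_min": median(delays) if delays else None}


def fix_forward_rate(failures, as_of, days=60):
    """Share of recurring failures fixed at root within `days` of first sighting
    with no recurrence after the fix; a recurrence means it was rescheduled."""
    def eliminated(f):
        if f["fix_ts"] is None:
            return False
        on_time = (f["fix_ts"] - f["first_seen"]).days <= days
        recurred = any(f["fix_ts"] < t <= as_of for t in f["recurrences"])
        return on_time and not recurred
    return sum(eliminated(f) for f in failures) / len(failures)


# Constructed sample data (assumed field names, not a real export)
D = datetime
AS_OF, HEADCOUNT = D(2024, 3, 31), 400
CONCERNS = [{"ts": D(2024, 1, 15), "who": "u1", "tag": "actionable"},
            {"ts": D(2024, 2, 2), "who": "u2", "tag": "fyi"},
            {"ts": D(2024, 2, 20), "who": "u1", "tag": "actionable"},
            {"ts": D(2024, 3, 10), "who": "u3", "tag": "fyi"},
            {"ts": D(2023, 11, 1), "who": "u4", "tag": "actionable"}]  # outside window
SIGNALS = [{"signal_ts": D(2024, 3, 1, 2, 0), "owner_ts": D(2024, 3, 1, 2, m)}
           for m in (10, 25, 40, 55)]
SIGNALS.append({"signal_ts": D(2024, 3, 2, 2, 0), "owner_ts": D(2024, 3, 2, 12, 0)})
EXCEPTIONS = [
    {"ts": D(2023, 11, 5), "control": "MFA", "system": "legacy-crm", "end_date": D(2023, 12, 31), "root_cause": "vendor"},
    {"ts": D(2024, 1, 8), "control": "MFA", "system": "legacy-crm", "end_date": None, "root_cause": "vendor"},
    {"ts": D(2024, 1, 20), "control": "ssh-keys", "system": "build-box", "end_date": D(2024, 2, 15), "root_cause": "friction"},
    {"ts": D(2024, 3, 1), "control": "ssh-keys", "system": "build-box", "end_date": D(2024, 4, 1), "root_cause": "friction"},
    {"ts": D(2024, 3, 12), "control": "patching", "system": "kiosk", "end_date": None, "root_cause": "ownership"}]
PHISH_REPORTS = [{"received_ts": D(2024, 3, 5, 9, 0), "reported_ts": D(2024, 3, 5, 9, m)} for m in (5, 30)]
PHISH_REPORTS.append({"received_ts": D(2024, 3, 6, 9, 0), "reported_ts": D(2024, 3, 6, 11, 0)})
TOOL_DETECTED = 12
FAILURES = [{"first_seen": D(2024, 1, 1), "fix_ts": D(2024, 1, 20), "recurrences": []},
            {"first_seen": D(2024, 1, 5), "fix_ts": D(2024, 1, 25), "recurrences": [D(2024, 2, 15)]},
            {"first_seen": D(2023, 12, 1), "fix_ts": D(2024, 3, 15), "recurrences": []},
            {"first_seen": D(2024, 2, 1), "fix_ts": None, "recurrences": [D(2024, 3, 1)]}]


def compute_all():
    return {"speak_up": speak_up_rate(CONCERNS, HEADCOUNT, AS_OF),
            "escalation": time_to_escalation(SIGNALS),
            "exceptions": repeat_exception_rate(EXCEPTIONS, D(2024, 1, 1), AS_OF),
            "phishing": phishing_reporting_ratio(PHISH_REPORTS, TOOL_DETECTED),
            "fix_forward": fix_forward_rate(FAILURES, AS_OF)}


if __name__ == "__main__":
    for name, value in compute_all().items():
        print(name, value)
```

Two design choices matter more than the arithmetic. Speak-up counts distinct reporters, so one prolific person cannot inflate the rate, and the actionable share is reported beside it so a rising rate made of FYI noise is visible. Fix-forward refuses to count a fix as eliminated if the failure recurs after the fix date, which is exactly the condition the text says makes the metric hard to game.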

Keep the scorecard simple, and test the signal

While the ORCS standard uses 5 levels, a good starting point is to use three levels. Basic. Managed. Predictive. Tie each level to evidence, not optimism.

Then do one thing many teams skip. Validate signal quality. Ask whether improving these metrics reduces harm or speeds recovery. If the metric moves and nothing improves, kill it. Legacy metrics derail transformation because people optimize what you track. In cyber, that can turn measurement into misdirection.

If you build around these five, you stop measuring culture as intention. You start measuring it as behavior, decision speed, tolerance for repeat risk and the ability to learn fast. That’s the difference between “we care about security” and “we act like we do.”

Whatever levels you choose, tie each one to evidence, not confidence. “We think we’re better” is not a metric. It’s a hope.

Turn measurement into governance that changes decisions

Metrics without governance create cynical employees. They see numbers. They never see action. Then they stop caring. Be careful not to let compliance become “the culture”: what people do when no one is looking is what counts.

Make culture a leadership routine

Review the culture scorecard monthly. Treat it like revenue. Like reliability. Like safety.

Quarterly, go deeper on hotspots. Repeat failures. Friction points.

Assign real owners

Each metric requires someone who can change, adapt and influence the system. Not just report the number.

Security can advise and enable. The business must own the risk and the trade-offs.

Reward the right stories

Stop celebrating only heroic recoveries. Celebrate prevented incidents. Celebrate early escalation. Celebrate boring discipline.

If you want ownership, reward the behaviors that create it.

Fund friction removal

Budget is culture.

Invest in automation, secure defaults, identity hygiene and vendor controls that make the safe path easy to follow.

Defund theatre. The posters. The annual checkbox training that no one remembers by Friday.

Close the learning loop fast

After an incident, don’t ask “what happened?” forever.

Ask, “What will change by Friday?” Then track it. Publicly.

When people see changes land, they keep reporting. When they don’t, they stop.

Sustain ownership when the novelty wears off

Culture doesn’t fail in the first month. It often fails in month seven, when priorities shift and the organization becomes fatigued. HBR has described the governance pattern that keeps metrics alive: they must be embedded in routines and tied to named owners, or they decay into reporting.

Build micro-habits that survive stress

Add a two-minute risk pause to major change approvals.

Remember to use breathing to help manage stress.

Run pre-mortems before big releases. “How could this go wrong?” sounds simple. It saves you later.

Give managers escalation scripts. People freeze when they need words. Give them words with aligned meaning.

Tell better stories

Most security stories start with shame. They end with blame.

Tell stories about good judgment. About near-misses caught early. About a leader who chose safety and still shipped. Celebrate good news, not just bad.

Stories travel faster than policies. They also train identity. “This is who we are.”

Rebuild ownership during onboarding

Every hire is a culture reset.

Teach new joiners how decisions really work. Who to call. What gets escalated. What good looks like in daily work.

Role-based scenarios delivered with passion beat generic slides, every time.

Equip middle managers

Middle managers translate strategy into Tuesday. They are the oil and the glue of the system.

If they don’t model ownership, nobody will. Give them tools, not slogans. Trade-off language. Decision rules. Support when they push back on risky demands.

Stress-test the system

Run exercises that test decisions, not just technical response.

Include product, legal, comms, procurement and key vendors.

Ask one hard question. “Who can accept this risk right now?” If the room goes quiet, your culture just confessed.

The road ahead

Awareness is polite. Ownership is personal.

Awareness says, “I attended.” Ownership says, “I changed how I work.”

You build ownership by making it possible to care without getting punished.

So, pick three behaviors you want to see. Make the secure path easier than the shortcut. Assign owners. Measure the signal. Review it monthly. Fix friction fast.

Then, the next time someone asks for admin credentials “just for an hour,” you won’t need a cupcake to say no. Make cultural high performance the foundation of great security!

This article is published as part of the Foundry Expert Contributor Network.