The Long Game of Changing Corporate Behaviour

In the second part of our interview with Vic Djondo at the BT Group (read Part 1 here), he explores what culture change actually looks like when it takes hold – and the unglamorous, persistent work required to make it stick.

When asked about what a successful security culture looks like in practice, Vic points to something unprecedented that happened a couple of years into a culture change programme. The Chief Networks Officer in his organisation, a long-tenured C-suite member, changed his job title. Not because he was promoted or moved roles: he proactively expanded his existing title from “Chief Networks Officer” to “Chief Security Officer and Chief Networks Officer.” 

Same salary. Broader accountability. And he put “Chief Security Officer” first. 

“When people at that level are willing to grow their accountability to such an extent, you know you’re winning,” Vic says. 

You can’t mandate that kind of ownership. It comes from a genuine shift in how leaders see their responsibility, a shift that took years to achieve. One move in particular changed everything. 

Vic wrote a recommendation into his security culture strategy: every single one of the top 700 leaders in the organisation should have a security objective in their personal performance goals. Not the security team’s goals, nor aspirational company values. Their own individual targets, the ones tied to their bonuses and career progression. 

The first CEO endorsed it. When the new CEO came in, she rubber-stamped it again (…and then Vic phished her office; read What happens when you hack your CEO?, the first article in this interview series). “It’s part of what we do now,” Vic says.

The Stuff That Actually Changes Behaviour 

Senior leaders wearing their security badges used to be a problem. A few very senior people simply refused because it wasn’t convenient for them. 

“That was a few years back. None of them behave that way now because the culture has changed, whereby they feel slightly embarrassed if they are called out for not having their pass or not having it on display.” 

This is embedded culture: you’ve created a social norm where not wearing your badge makes you an outlier. The group polices itself. 

But getting there requires relentless, multi-year consistency. “You can’t just do it for a couple of weeks and move on,” Vic emphasises. In the shorter term, Vic focuses on creating outputs: platforms where people can speak up confidentially, panels that review cases on their merits, education programs, clear policies. These are the visible structures of psychological safety. 

The deeper cultural shift, however, the one where people genuinely feel safe to raise concerns and speak up, and where security is truly “the way we do things around here”, takes a generation of consistent leadership modelling the right behaviours. And that’s why Vic built a network of 250 security champions spread throughout the organisation.

Breaking Down the Silos 

In any large organisation, teams work in silos. Different divisions, different functions, different ways of operating. It’s one of the biggest barriers to building a cohesive culture. 

Security champions help solve this in two critical ways. 

First, they translate. Central security messages need to land differently for people who sit in ivory towers all day versus people who drive vans and go “up poles and down holes” versus retail staff selling phones. The champions understand their local context – the language people use, the pressures they face, the constraints they work under. They take the core message and make it resonate locally. 

But the second function is even more important: they surface problems back up. 

“They’re our eyes and ears on the ground,” Vic explains. When security policies aren’t working for a particular part of the business, the champions are the ones who see it first. They bring that intelligence back to the security team before it becomes a bigger problem. 

And crucially, those champions talk to each other. “It’s not just about them landing comms for us – it’s those natural conversations they have right across the organisation, right across that network, that starts to break down some of the barriers and silos.” 

When a champion in procurement is struggling with the same issue as a champion in finance, they can compare notes. They can share solutions. They can push back on security together if something genuinely doesn’t work. The network creates horizontal connections across an organisation that might otherwise never communicate. 

It’s culture building from the ground up, not just the top down. And it means that when leadership sets the tone, there are 250 people throughout the business ready to carry it forward in ways that actually fit how their teams work. 

What Security Culture Actually Is 

“Security culture is simply the way we do things around here,” Vic says. It’s not just about how you do the work – how you drill a hole, how you submit files, how you configure a firewall. It’s about how you treat people. How you talk to colleagues. How you lead teams. How you interact with customers. 

And when it comes to security specifically, culture directly impacts risk. There’s a measurable cause-and-effect relationship between employee engagement and security incidents. 

“If somebody is feeling bullied and not listened to at work, they are perhaps more likely to not engage as well or not pay attention as much. Therefore, they might leave workspaces or buildings insecure,” Vic explains. “And equally, even good, well-meaning honest people might be more easily swayed by somebody tempting them to do nefarious things when they’re unhappy – whether that’s financial stress from stagnant wages, or feeling undervalued.” 

The metrics bear this out. Organisations with poor cultures see higher rates of insider threats, more security incidents, more people leaving – which means constant recruitment and training costs. It becomes a vicious cycle. 

Good culture creates a virtuous one: people stay longer, they’re more engaged, they spot and report problems earlier, they’re less vulnerable to social engineering. And from a purely financial standpoint, reduced turnover alone pays for the investment in building that culture. 

The work of building security culture is never finished. It’s not something you achieve and then maintain on autopilot. It requires constant reinforcement, adaptation as the business changes, and vigilance as people move on and new leaders arrive. 

But when you can see a C-suite executive voluntarily expand their job title to put security first, when wearing a security badge becomes a social norm that the group itself upholds, when 250 champions are having conversations across silos that break down barriers – you know something fundamental has shifted. The culture isn’t just policy or posters anymore. It’s become the way people actually work. 

That’s when security stops being theoretical risk and becomes simply the way we do things around here. 

The Long Game 

Four years ago, when Vic wrote his security culture strategy, the organisation wasn’t doing this work in any structured way. His team has only been together for three years. In that time: security objectives in 700 leaders’ goals, a network of 250 champions, culture shifts that make senior leaders feel embarrassed about not wearing badges, buy-in from two CEOs, and a C-suite member voluntarily expanding his title to include security. 

But Vic knows three years is nothing in the context of real cultural change. “We need to pay very close attention to what the group corporate strategy is, and then put in place a security culture programme that fits neatly into that strategic direction,” he explains. “Then group corporate affairs are more likely to pick up your key messages, your narratives, and run with it.” 

It’s strategic, political, psychological work. The way we do things around here isn’t written in a policy document; it’s written in a thousand small moments every single day. Vic’s job is to make sure those moments add up to something that keeps people safe, keeps the business secure, and makes the organisation somewhere people actually want to work.
