Vic Djondo is the SRO for Security Culture and Education at the BT Group
A security leader’s risky bet and what finally moved the C-suite
Vic Djondo had five hours to prove his point to his new CEO, who had been in post for a few weeks.
Vic, who leads cyber security culture across a major telecommunications company, had a 1 PM presentation scheduled with her. At 8 AM that same morning, his team sent a simulated phishing attack to her office.
“It could have been career limiting,” he laughs now. “But I did it anyway.”
The attack worked, and the CEO’s team fell for it. When Vic walked into that afternoon presentation with the evidence of how easily her inner circle had been compromised, the CEO’s first response wasn’t defensiveness or anger. It was immediate action: “I want my entire office educated on this stuff. And I want it permeated throughout the whole organisation.”
This is a story about what it actually takes to make senior leaders invest in security – enough to change how they work, what they prioritise, and how they hold themselves accountable.
The Problem
Vic has spent over a decade building security cultures across major organisations. “Getting leaders to care – making it relevant and resonate for leaders in the first instance and then getting them to really set the tone of security to the business – that is probably the hardest piece,” he says.
Everything else in the security culture playbook is easier once you’ve secured leadership buy-in. You can have the best awareness campaigns, the most sophisticated training, a network of champions spread across the business. But if the C-suite doesn’t commit their resources, none of it sticks.
Leaders understand that security matters. The issue, however, is that security is one of fifty things competing for their attention, and most of those other things have clearer, more immediate consequences. Until something goes catastrophically wrong, security lives in the realm of theoretical risk. And theoretical risks are easy to deprioritise when you’re dealing with quarterly earnings, customer complaints, and the person who just quit, taking half their team’s institutional knowledge with them.
Not only that, but most organisations, Vic believes, are still in their infancy when it comes to security culture. And it’s not because they don’t have the right policies or tools. It’s because culture takes time – a decade, sometimes longer. In big organisations, the C-suite can change every three to five years. “It can be very difficult to embed a culture that you want when you’re really talking about five to ten year shifts,” he says.
So how do you get leaders to invest in something that won’t fully mature during their tenure? How do you make the need for security culture real, impossible to ignore?
The League Table Strategy
Vic has a secret weapon, and he is “absolutely shameless” about using it (his words!).
“I’ll absolutely put that data front and centre,” he says. The data in question: phishing resilience metrics and training completion rates, displayed in board meetings with each C-suite member’s division ranked against their peers.
“Leaders never want to be second, and they never want to be last.”
This isn’t about shame, exactly. It’s about understanding what drives people at that level. Competitiveness is their superpower – it’s how they got to the C-suite in the first place – but it’s also a “way in” for Vic.
He says, “That embarrassment of being at the bottom of that league table is usually enough to get them moving even quicker than things like reputational or financial risk.”
Vic has seen this approach transform behaviour across functions. No leader wants to be the one dragging down the numbers while their peers excel.
But there is a more sophisticated part: when someone challenges the data – and they will – it opens up a conversation about why their numbers are worse. Sometimes a division performs poorly not because its staff don’t care, but because the security requirements don’t fit how that part of the business actually operates.
Vic gives the example of procurement teams who need to constantly open email attachments: invoices, purchase orders, contracts. If the security policy says “don’t open attachments,” procurement can’t do their jobs. “Then the way we’re trying to work securely doesn’t suit the procurement side of the business. So, we need to create a solution that does suit them.” The league tables start a conversation. Sometimes it’s about attitude and leadership. Sometimes it’s about security needing to adapt. Either way, systemic issues surface, and real change starts taking place.
In part two, we will explore with Vic what that change actually looks like when it takes hold – and the unglamorous, persistent work required to make it stick.
