Jan Babiak is a non-executive director with long experience and expertise in IT and cyber security, risk governance, and sustainability. She has served on the boards of Fortune 20 companies and FTSE 100 organisations.

Three strikes and you’re out. When senior executives kept clicking on phishing emails, Jan Babiak set a clear rule: the third time they do it, their names would go straight to the board. 

“Amazingly, things got much stronger once I put that rule in place,” she recalls. “Nobody wants to be reported to the board for something like this.”  

Jan Babiak is a veteran in the field. Trained as a chartered accountant, she moved early into technology and IT security, becoming a certified information systems auditor and a certified information security manager. She spent nearly three decades at a global management consulting firm, where she was a founder of their global IT/cyber security practice and later built its global climate change and sustainability practice. Over the years, she has served on boards ranging from Fortune 20 companies to FTSE 100s and a $1.5 trillion North American bank as well as private equity and privately owned companies. Her observations apply to all of them. 

Her philosophy for transforming an organisation, centres on accountability. “You can’t take it on faith,” she says. “Human nature is what it is, and people, unless they’re held accountable, rarely change.” This is because it is a fight against inertia. “If people have always done it that way, then most people resist change,” she observes. “What I find interesting is, everyone agrees things need to change…as long as it means they don’t have to change.”  She quotes John Maynard Keynes who said: “Faced with the choice between changing one’s mind and proving that there is no need to do so, almost everyone opts for the latter.”  

So sometimes leaders need to face an uncomfortable truth. “Every organisation has a culture. Let’s do an honest evaluation of the culture and decide whether that’s the culture we want. If it’s not, then let’s name what the culture is and what we want it to be and look at the steps to get there.”  

Take cyber security culture as an example. Jan says that too many companies treat cyber security as the sole responsibility of the IT and/or security team, instead of embedding it into the fabric of how the organisation operates. The problem, she argues, is one of misplaced trust. “Cultures are too trusting of the fact that cyber can deal with it, and everything will come out fine in the end.”  

She believes that “a problem defined is a problem half solved.” Leaders must name it, measure it, and make it visible. 

And it is also the leaders’ responsibility to drive that cultural shift. When it comes to selecting senior leaders, this is why Jan is “very much looking for enablers, not a police force.” They need to have the right balance of being supportive and nurturing, while holding people accountable even if it sometimes requires something harsh. As leaders, she believes they need to show ‘courage over comfort’ and they need to build a new culture into the system: set expectations, give people resources and opportunities to learn, and tie their behaviours to tangible outcomes. 

At one organisation with tens of thousands of employees, those who clicked on phishing tests had thirty days to complete remedial training. Miss that deadline, and they received a warning. Fail to comply after that, and the organisation would cut off all system access. 

“I’ve never been in a situation where we actually had to do it,” she notes, “because usually you can put enough peer pressure on and have management holding people accountable.” 

Accountability doesn’t stop at training modules. Internal audit has to look at who has administrative privileges, where controls are lax, where access is too broad. Managers who don’t attend to cyber vulnerabilities should see a penalty reflected in their performance assessment and even their pay cheque.  

Jan is also realistic about the limits of transforming people. After repeated attempts, it becomes clear some people just won’t budge. “If you can’t change the people, change the people,” she says. That is, either move them to roles better suited to their capabilities within the organisation or urge them to find employment elsewhere, perhaps where security is less important. It may sound severe, but she believes it’s a necessary course of action – considering the risks of letting things be. 

Her approach won’t appeal to everyone. But when you’ve overseen trillion-dollar banks and critical infrastructure, the stakes leave little room for softness. The adversaries aren’t gentle, and the threats aren’t theoretical. With emerging technologies, the cost of complacency only grows, and the threats are escalating with agentic AI and the reality that quantum computing will likely render current encryption protocols completely ineffective 

Sometimes, discomfort isn’t a side effect of culture change. It’s the catalyst.

In the second part of our interview with Vic Djondo (read Part 1 here) at the BT Group he explores what culture change actually looks like when it takes hold – and the unglamorous, persistent work required to make it stick. 

When asked about what a successful security culture looks like in practice, Vic points to something unprecedented that happened a couple of years into a culture change programme. The Chief Networks Officer in his organisation, a long-tenured C-suite member, changed his job title. Not because he was promoted or moved roles: he proactively expanded his existing title from “Chief Networks Officer” to “Chief Security Officer and Chief Networks Officer.” 

Same salary. Broader accountability. And he put “Chief Security Officer” first. 

“When people at that level are willing to grow their accountability to such an extent, you know you’re winning,” Vic says. 

You can’t mandate that kind of ownership. It comes from a genuine shift in how leaders see their responsibility, a shift that took years to achieve. One move in particular changed everything. 

Vic wrote a recommendation into his security culture strategy: every single one of the top 700 leaders in the organisation should have a security objective in their personal performance goals. Not the security team’s goals, nor aspirational company values. Their own individual targets, the ones tied to their bonuses and career progression. 

The first CEO endorsed it. When the new CEO came in, she rubber-stamped it again (…and then Vic phished her office, read What happens when you hack your CEO? the first article in this interview series). “It’s part of what we do now,” Vic says. 

The Stuff That Actually Changes Behaviour 

Senior leaders wearing their security badges used to be a problem. A few very senior people simply refused because it wasn’t convenient for them. 

“That was a few years back. None of them behave that way now because the culture has changed, whereby they feel slightly embarrassed if they are called out for not having their pass or not having it on display.” 

This is embedded culture: you’ve created a social norm where not wearing your badge makes you an outlier. The group polices itself. 

But getting there requires relentless, multi-year consistency. “You can’t just do it for a couple of weeks and move on,” Vic emphasises. In the shorter term, Vic focuses on creating outputs: platforms where people can speak up confidentially, panels that review cases on their merits, education programs, clear policies. These are the visible structures of psychological safety. 

The deeper cultural shift however, the one where people genuinely feel safe to raise concerns and speak up, and where security is truly “the way we do things around here”, takes a generation of consistent leadership modelling the right behaviours. And that’s why Vic built a network of 250 security champions spread throughout the organisation. 

Breaking Down the Silos 

In any large organisation, teams work in silos. Different divisions, different functions, different ways of operating. It’s one of the biggest barriers to building a cohesive culture. 

Security champions help solve this in two critical ways. 

First, they translate. Central security messages need to land differently for people who sit in ivory towers all day versus people who drive vans and go “up poles and down holes” versus retail staff selling phones. The champions understand their local context – the language people use, the pressures they face, the constraints they work under. They take the core message and make it resonate locally. 

But the second function is even more important: they surface problems back up. 

“They’re our eyes and ears on the ground,” Vic explains. When security policies aren’t working for a particular part of the business, the champions are the ones who see it first. They bring that intelligence back to the security team before it becomes a bigger problem. 

And crucially, those champions talk to each other. “It’s not just about them landing comms for us – it’s those natural conversations they have right across the organisation, right across that network, that starts to break down some of the barriers and silos.” 

When a champion in procurement is struggling with the same issue as a champion in finance, they can compare notes. They can share solutions. They can push back on security together if something genuinely doesn’t work. The network creates horizontal connections across an organisation that might otherwise never communicate. 

It’s culture building from the ground up, not just the top down. And it means that when leadership sets the tone, there are 250 people throughout the business ready to carry it forward in ways that actually fit how their teams work. 

What Security Culture Actually Is 

“Security culture is simply the way we do things around here,” Vic says. It’s not just about how you do the work – how you drill a hole, how you submit files, how you configure a firewall. It’s about how you treat people. How you talk to colleagues. How you lead teams. How you interact with customers. 

And when it comes to security specifically, culture directly impacts risk. There’s a measurable cause-and-effect relationship between employee engagement and security incidents. 

“If somebody is feeling bullied and not listened to at work, they are perhaps more likely to not engage as well or not pay attention as much. Therefore, they might leave workspaces or buildings insecure,” Vic explains. “And equally, even good, well-meaning honest people might be more easily swayed by somebody tempting them to do nefarious things when they’re unhappy – whether that’s financial stress from stagnant wages, or feeling undervalued.” 

The metrics bear this out. Organisations with poor cultures see higher rates of insider threats, more security incidents, more people leaving – which means constant recruitment and training costs. It becomes a vicious cycle. 

Good culture creates a virtuous one: people stay longer, they’re more engaged, they spot and report problems earlier, they’re less vulnerable to social engineering. And from a purely financial standpoint, reduced turnover alone pays for the investment in building that culture. 

The work of building security culture is never finished. It’s not something you achieve and then maintain on autopilot. It requires constant reinforcement, adaptation as the business changes, and vigilance as people move on and new leaders arrive. 

But when you can see a C-suite executive voluntarily expand their job title to put security first, when wearing a security badge becomes a social norm that the group itself upholds, when 250 champions are having conversations across silos that break down barriers – you know something fundamental has shifted. The culture isn’t just policy or posters anymore. It’s become the way people actually work. 

That’s when security stops being theoretical risk and becomes simply the way we do things around here. 

The Long Game 

Four years ago, when Vic wrote his security culture strategy, the organisation wasn’t doing this work in any structured way. His team has only been together for three years. In that time: security objectives in 700 leaders’ goals, a network of 250 champions, culture shifts that make senior leaders feel embarrassed about not wearing badges, buy-in from two CEOs, and a C-suite member voluntarily expanding his title to include security. 

But Vic knows three years is nothing in the context of real cultural change. “We need to pay very close attention to what the group corporate strategy is, and then put in place a security culture programme that fits neatly into that strategic direction,” he explains. “Then group corporate affairs are more likely to pick up your key messages, your narratives, and run with it.” 

It’s strategic, political, psychological work. The way we do things around here isn’t written in a policy document, it’s written in a thousand small moments every single day. Vic’s job is to make sure those moments add up to something that keeps people safe, keeps the business secure, and makes the organisation somewhere people actually want to work. 

An interview with Emma W, Head of Cyber Essentials at the UK’s National Cyber Security Centre

A senior software engineer receives yet another internal phishing simulation. He knows exactly how the test works at his company, so he has a system. Every simulated phish goes into a special folder. Time to time, he opens the folder and clicks through everything, just to make sure he comes up as the “worst liability” at his company.

And then he waits. But no one follows up with him.

“Stop with the bad phishing training!” Emma, who leads the Cyber Essentials scheme at the National Cyber Security Centre (NCSC), is exasperated with harmful phishing simulations.

Emma has worked for the government for 23 years in a variety of roles, specialising in people-centred security, security culture and security communications. She worked on the NCSC Password Guidance, People: The Strongest Link, phishing guidance, government security culture guidance and many more. (NB. Links to this best practice guidance are listed at the end of this interview.)

The software engineer is her friend, who, like many discerning employees, has figured out how to game the system. He’s even prodding the security team to do something about his “bad” behaviour. But nothing happens, and so this exercise is a waste of time.

Another way that phishing simulations can hurt is by distancing the very people you’re trying to engage. Emma says that the fastest way to ruin cyber security culture is by treating people like they’re liabilities. Cyber security has long been about catching people doing something wrong and hoping that the sting of “gotcha” will make them learn.

Well, people do learn, but often the wrong lesson. What they’re learning is:

“I can’t trust you.”

“You’re not on my side.”

“You’re not a safe team to approach if I’m unsure or – heaven forbid – if I made a mistake.”

Now they’re afraid to tell you when things really go wrong.

Welcome the calls for help

You need people to tell you when things go wrong – or better yet, about to go wrong. They are valuable “human sensors” that help you monitor the health of the organisation.

But this doesn’t mean they need to be security experts.

Emma says it’s actually great that most people don’t think about cyber security constantly: “we don’t need a whole organisation of security experts.” You want people to be great at their own jobs.

A healthy culture, Emma says, is one that asks everyone to build a broad sense of what’s OK and what’s not OK when it comes to cyber security. They need to understand when and how to raise concerns. And know that whenever they’re not sure, they can ask for help without being shamed.

What you want to be hearing is:

“I don’t know how to do this. Can you remind me?”

“This email looks ropey. Can you help me sort out if it’s a bad one or not?”

Cyber Essentials: A culture starter pack?

Emma is passionate about her work with Cyber Essentials. At its core, Cyber Essentials simply sets a minimum standard for cyber security: Five technical controls designed to defend against the most common cyber security threats.

But it can also teach us a few things about building a healthy culture.

Emma says that for many small and medium organisations, cyber security is all about fear. They hear horror stories. They know they should do something. But they don’t know what. When people feel scared and helpless, they turn away. They avoid the topic, postpone decisions, and hope bad things don’t happen.

Cyber Essentials acts as an entry point. A way to turn fear into action. And starting small builds self-efficacy. Once organisations see that they’re capable of tackling their problems, they feel more in control and more willing to take the next steps. She feels that through her work with Cyber Essentials, she and her team are making tangible improvements in cyber resilience across the UK, every day. A minimum standard isn’t the landing point. It’s a springboard.

Entering an ecosystem of support

But culture doesn’t build itself from just a few technical controls. Emma says that the “secret sauce” of Cyber Essentials is that it’s also a step into a support ecosystem: NCSC-assured assessors and highly trained expert advisors that give people hands-on support. A group of people you can trust.

Emma shares a story about the first steps toward building this relationship.

Through IASME – the official Cyber Essentials Delivery Partner – the NCSC started offering small and medium organisations a free 30-minute consultation with its cyber advisors to help them towards Cyber Essentials certification. One day, a local food bank called in. When the cyber advisor on the line realised that the food bank had absolutely no money to spare, he stayed on the phone for 4 hours to help them with every step to make them secure. At the end of the call, he says,

“Anything else you need, call me.”

It’s not just your expertise that will get people to ask you for help. You need to spend time with them to show that their problems matter to you.

What is our priority? Show, don’t (just) tell

Organisations are often very good at stating their priorities and values.

But just saying that something is a priority doesn’t make it so. It may be no more than good intentions. If an organisation says “security is important to us” but doesn’t have any mandatory security training and awareness for new employees – or even an introduction to the security team – then people quickly learn that security isn’t a real priority around here.

The most reliable indicator of real priorities is where you ask people to spend their time. Any declared priority that has no resourcing attached to it, isn’t actually a priority.

Emma says, “if you want culture to be a priority, then you have to treat it in the same way. You have to put some explicit focus on it.”

A time in the diary for people to have honest conversations about culture.

“How are we working together as a team?”

“Is there anything we want to change?”

And maybe go knock on the door of that senior software engineer who’s clicking on all the phishing emails. He probably has something to say about how we do things here!

Links to the NCSC best practice outlined above:

https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

https://www.ncsc.gov.uk/collection/board-toolkit/principle-c-people/developing-a-positive-cyber-security-culture

https://www.ncsc.gov.uk/guidance/phishing

https://www.ncsc.gov.uk/guidance/phishinghttps://www.security.gov.uk/policy-and-guidance/improving-security-culture/

David Brown is an executive and non-executive director with a proven track record in leading large, multi-site and multi-discipline commercial and public sector organisations.

Culture, Change and the Boardroom

David Brown, the CEO of a large enterprise business, was sitting in his office wading through emails. His personal assistant was nearby, so David asked whether she had sent his note to the local managers.

She did, but made a few changes before she sent it. Her edits aligned with a decision the leadership team had recently made: everyone, regardless of their position, should be referred to as “colleagues.” The idea was to move away from a hierarchical culture. David agreed he had inadvertently reverted to the old ways and his original note didn’t support the new culture.

David tells this story when people ask him about building a positive culture. He spent decades in leadership roles across transportation, energy, and infrastructure, and he’s now the Chair of Renew Holdings and TripShift. He has the kind of CV that usually insulates a person from being corrected by anyone.

However, the interaction above is “one of the things I always want to aim for” David explains. “I want people to voice their opinion. I want people to feel they’re involved. I want people to actually contribute in a positive way”.  This is not because he’s proud of writing the perfect email – but because it’s important to him that people in his company would feel safe enough to stop him from sending the wrong message – “where people aren’t just keeping quiet for fear of having their heads chopped off”.

Why should you care?

For David, building a strong culture is about creating an environment where people voice their opinions without fear, they can contribute in a positive way and thrive in their work. We spend approximately one third of our lives at work, and so, David says: “Why wouldn’t you want a better place to work?

But beyond having a good workplace, David believes it’s good for business. First, a good culture is essential to decision making. Those at the senior level need to communicate with their people at all levels of the company to know what is going on. “You don’t want people hiding. You don’t want people not telling you the truth. ‘Truth to power is very important.” Senior leaders are only as good as the information they get – and in most organisations, bad news gets filtered, softened, or buried completely before it reaches the top. David explains that when people aren’t afraid to speak up, he can hear what really needs fixing before systems break and catastrophes happen.

Another benefit of culture is its connection to purpose and meaning that motivates and unite employees. There is strength in numbers and the feeling of comradery gained from working together. David remembers telling his teams: “we’re affecting the quality of people’s lives”, making sure to repeatedly reinforce that connection between what they do and why it matters. That’s what keeps people from jumping ship when things are hard; a shared vision means employees are more likely to stay with their organisation.

The final and perhaps most important point is that a strong culture is a differentiator for an organisation. When things inevitably go sideways – because they always do – clients notice the difference. They notice when everyone in the organisation, from top to bottom, is trying to do the right thing. They give you the benefit of the doubt.

A Continuous Process of Improvement

Culture isn’t just a quick fix or poster on the wall. It’s not just the Friday afternoon workshop where everyone shares their feelings and then goes back to their desks.

“It needs to be embedded in everything,” David says. “In the recruitment, the language, every policy, every communication, every way you deal with people, the way you reward your managers.”

For David, culture is built through storytelling. He’s learned to look for the small moments where culture lives or dies, and to take every opportunity to embed and solidify culture in the organisation. For example, when the company wins a big contract, he doesn’t just send a congratulations email. He explains how their values and their culture allowed them to grasp that success.

He does this constantly. “You can’t just do it for a couple of weeks and move on.”

The good news? Once you’ve built the kind of place where people speak up, the culture starts to reinforce itself. Acting in accordance with the culture becomes intuitive and innate. No one is perfect, and everyone should be comfortable in looking out for when the culture isn’t being reflected accurately. An assistant having the confidence to suggest improvements to a senior’s email – that’s the culture being alive.

Culture is multidirectional

David is blunt about this: “If I went around saying I want openness and transparency but didn’t listen to people and didn’t care what they have to say – it’s just not authentic,” if there’s no trust and openness in the board, those values won’t trickle down throughout the organisation. “Any leader should be authentic.” But most leadership teams say they want honesty while operating as though they are in a performance where everyone’s playing a role, this doesn’t work, “people can smell inauthenticity from a mile away.” The board must model the behaviours they want to see. They can’t be anonymous entities, detached from the business, showing up quarterly to nod at PowerPoints before disappearing again.

At the same time, culture can’t be imposed onto everyone else. It must also grow from the ground up. David’s approach is simple: listen to what people across the organisation say about their culture, then play those words back to them. “If you’re saying things that they believe themselves, then you don’t get pushback. They feel part of it.”

When he was leading a group of subsidiary companies, he let different cultures flourish in different places – so long as they all connected back to the core. Some variation isn’t just acceptable, it’s necessary. It means that the people at those companies ‘bought into [the culture] and felt that it was important to them’. David explains that what matters is that people feel it’s real. He remembers the subsidiaries with a particular fondness: “They had this ‘can-do’ attitude – and I believed it too. When there was a crisis, they were the people I wanted with me, because they’d roll up their sleeves and get stuff done.”

The Unfinished Work

David talks about his organisations the way people talk about something they helped build with their hands. There’s pride, yes, but also care. A strong culture is something you recommit to, every day, in small and big choices.

It’s the looking out for each other. It’s the constant reinforcement of the story and values. It’s about how they came together – to celebrate and to tackle a crisis. These aren’t just milestones – they’re ongoing maintenance of something unique and precious to the company. The constant, unglamorous work of making sure that “openness and transparency” aren’t just words in a company mission statement, but the lived experience of everyone who works there.

Vic Djondo is the SRO for Security Culture and Education at the BT Group

A security leader’s risky bet and what finally moved the C-suite

Vic Djondo had five hours to prove his point to his new CEO, who had been in post for a few weeks.

Vic, who leads cyber security culture across a major telecommunications company, had a 1 PM presentation scheduled with her. At 8 AM that same morning, his team sent a simulated phishing attack to her office.

“It could have been career limiting,” he laughs now. “But I did it anyway.”

The attack worked and the CEO’s team fell for it. And when Vic walked into that afternoon presentation with the evidence of how easily her inner circle had been compromised, the CEO’s first response wasn’t defensiveness or anger. It was immediate action: “I want my entire office educated on this stuff. And I want it permeated throughout the whole organisation.”

This is a story about what it actually takes to make senior leaders invest in security – enough to change how they work, what they prioritise, and how they hold themselves accountable.

The Problem

Vic has spent over a decade building security cultures across major organisations. “Getting leaders to care – making it relevant and resonate for leaders in the first instance and then getting them to really set the tone of security to the business – that is probably the hardest piece,” he says.

Everything else in the security culture playbook is easier once you’ve secured leadership buy-in. You can have the best awareness campaigns, the most sophisticated training, a network of champions spread across the business. But if the C-suite doesn’t commit their resources, none of it sticks.

Leaders understand that security matters. The issue however is that security is one of fifty things competing for their attention, and most of those other things have clearer, more immediate consequences. Until something goes catastrophically wrong, security lives in the realm of theoretical risk. And theoretical risks are easy to deprioritise when you’re dealing with quarterly earnings, customer complaints, and the person who just quit taking half their team’s institutional knowledge with them.

Not only that, but most organisations, Vic believes, are still in their infancy when it comes to security culture. And it’s not because they don’t have the right policies or tools. It’s because culture takes time – a decade, sometimes longer. In big organisations, the C-suite can change every three to five years. “It can be very difficult to embed a culture that you want when you’re really talking about five to ten year shifts,” he says.

So how do you get leaders to invest in something that won’t fully mature during their tenure? How do you make the need for security culture real, impossible to ignore?

The League Table Strategy

Vic has a secret weapon, and he is “absolutely shameless” about using it (his words!).

“I’ll absolutely put that data front and centre,” he says. The data: phishing resilience metrics, training completion rates. All displayed in board meetings, with each C-suite member’s division ranked against their peers.

“Leaders never want to be second, and they never want to be last.”

This isn’t about shame, exactly. It’s about understanding what drives people at that level. Competitiveness is their superpower – it’s how they got to the C-suite in the first place – but it’s also a “way in” for Vic.

He says, “that embarrassment of being at the bottom of that league table is usually enough to get them moving even quicker than things like reputational or financial risk.”

Vic has seen this approach transform behaviour across functions. No leader wants to be the one dragging down the numbers while their peers excel.

But the more sophisticated part: when someone challenges the data – and they will – it opens up a conversation about why their numbers are worse. Sometimes a division performs poorly not because its staff doesn’t care, but because the security requirements don’t fit how that part of the business actually operates.

Vic gives the example of procurement teams who need to constantly open email attachments: invoices, purchase orders, contracts. If the security policy says “don’t open attachments,” procurement can’t do their jobs. “Then the way we’re trying to work securely doesn’t suit the procurement side of the business. So, we need to create a solution that does suit them.” The league tables start a conversation. Sometimes it’s about attitude and leadership. Sometimes it’s about security needing to adapt. Either way, systemic issues surface, and real change starts taking place.

In part two, we will explore with Vic what that change actually looks like when it takes hold – and the unglamorous, persistent work required to make it stick.