Changing the Security Narrative: From IT Blockers to Trusted Partners

Here's how to change the narrative around cybersecurity to get employees engaged.

Updated
April 29, 2025
Written by
Maxime Cartier
In some companies, IT or security teams are seen as the "department of no" of the organization.

Or worse: Big Brother. People just want to get their work done.

They don't want extra hurdles, red tape, or complicated policies to slow them down.

But here’s the problem: many of those "meddling" actions are what stand between the company and a breach.

And if your employees don’t feel that security is on their side, they’ll tune you out - no matter how serious the threat.

I've seen this first-hand.

At one large retail company with over 150,000 employees, security had a branding problem. The perception was either "security is boring and not important" or "security is a blocker." Here are a few quotes I remember hearing:

  • “We’re just making t-shirts.”
  • “Security will take care of it. It’s not my job.”
  • “They say no to everything.”

This was more than a communication issue. It was a cultural issue. And if we wanted our training, communications, or technical policies to land, we had to fix it.

Step one: Make security human and positive

The first thing we had to do was shift attitudes. How people feel about security is a major driver of behavior. If they see it as irrelevant, annoying, or fear-based, they’ll ignore it.

To shift attitudes, we focused on making security feel human, positive, and empowering.

Talk about benefits, not just risks

Too often, security messaging leads with threats. But fear alone doesn’t change behavior—it often backfires.

Instead of focusing on what could go wrong, explain what’s in it for employees:

  • "By taking this training, you help protect our company, our customers, and even your family."
  • “You can use this knowledge to protect your personal life—your kids, your parents, your own accounts.”

Showing the benefits of secure behavior, both professionally and personally, helps people connect. It also makes security feel more like a shared goal than a top-down mandate.

And when people feel like their actions matter—not just in protecting the company, but in their daily lives—they’re far more likely to engage.

Promote what people can do

Most awareness content focuses on what people shouldn’t do. Don’t click this. Don’t share that. But framing messages around what employees can do makes a big difference.

When we tell people what positive action they can take, it's much easier to drive behavior change. Encouraging secure habits - rather than just forbidding insecure ones - gives people a sense of control and capability.

This sense of self-efficacy is critical for behavior change.

Research shows that when people feel capable and empowered, they are more likely to take action. According to Albert Bandura, a key driver of behavior change is the belief in one’s ability to succeed.

Teach people how to act securely, step-by-step. Make it easy. Reinforce their progress. And highlight those doing it well.

Keep it short and simple

Drop the jargon. Avoid technical acronyms and compliance-heavy language. If you want people to engage, write in plain, human language.

One trick I use: after writing an email, I re-read it and ask, would my mom understand this?

Make sure the action is clear, the reason is clear, and the tone is supportive.

Use storytelling to make risks real

In one of my early campaigns, we shared real internal incidents - told not by the security team, but by the employees who experienced them.

These stories were transparent, emotional, and concrete.

The goal wasn’t to scare people. It was to make the risk relatable, and to always include what employees could do to prevent it from happening again.

Make it feel different

Corporate communications tend to blend together. In my previous role at H&M, to stand out, we tried something bold: we launched a campaign with unicorn pugs and bright visuals.

It broke the mold, made people smile, and most importantly, made them pay attention.

That campaign became a turning point: people began to think of security as approachable.

Fun, even. The unicorn pug ended up on cakes, swag, even employee selfies.

Side note: Avoid the "gotcha" trap with phishing simulations

One mistake I often see - especially in large organizations - is using overly difficult phishing simulations right from the start. I’ve worked with companies where phishing emails were so hard that people felt tricked, not trained.

The result? A negative perception of the program, and by extension, the entire security team. People felt frustrated and even embarrassed.

In one organization I worked with, this led to widespread resentment toward the simulation program. It wasn't building resilience - it was eroding trust.

So we hit pause, rebooted the initiative, and started again with easy simulations, gradually increasing difficulty over time.

Today, 18 months later, the simulations are actually more advanced than they were before the reboot - but people enjoy them now.

They talk about the challenges. They compare experiences.

They’ve bought into the journey, because we made it feel like a path for growth, not a trap.

At Hoxhunt, our adaptive training follows this same principle:

  • Simulations are individually adapted for each person
  • They increase in complexity over time, based on performance
  • And they’re often fun—even silly—to keep engagement high

I’ve heard employees say things like:

“Ohhh, you’re the team behind those Hoxhunt emails? They’re so cool. I almost clicked one yesterday - it was really good. I’ve got the leather shield now!”

This kind of feedback doesn’t happen by accident. It happens when learning is approachable, progressive, and even enjoyable.

Step two: Embed security in the culture

Changing how people feel about security is a great first step.

But to truly shift the culture, you need leadership support, a recognizable brand, a shared mindset about empathy and psychological safety, and a network that extends beyond the core security team.

From working with many organizations, I’ve found five key cultural levers that make the biggest difference:

1. Leadership sets the tone

Security shouldn’t just be a topic in the IT team’s weekly sync. It should be part of the language used by the CEO, board, and business unit leaders.

I've worked with companies where security was mentioned in every all-hands meeting, where the board asked regularly about human risk posture, and where cybersecurity was listed as a core company value.

This sends a clear signal: security isn’t an obstacle. It’s part of how we protect what matters.

2. Find and support your allies

In larger organizations, leadership is critical—but it isn’t enough. You need relays. Allies. Champions at every level who actively promote security messages and share back what they’re hearing from the ground.

These could be local champions, influential team leads, or department managers who are respected by their peers. Identify them early. Equip them with toolkits, messaging templates, and regular updates. Make it easy - and rewarding - for them to be your ambassadors.

Some of the most successful programs I’ve seen are ones where security awareness isn’t just “from HQ.” It’s shared by a network of trusted internal advocates who make the message real for their teams.

3. Build a recognizable brand

Internal programs that succeed tend to have their own look and feel—a logo, a tagline, a style. But more importantly, they are consistent. Whether it’s posters, intranet articles, or phishing simulations, employees recognize it and look forward to it.

At Hoxhunt, we encourage teams to develop an internal identity for their security program. Something that’s memorable, positive, and distinctly theirs.

4. Build a foundation of usability and communication support

It's not just about how we communicate - it's about how we design.

Security tools, policies, and processes should be easy to understand and use. Too often, even well-intentioned teams roll out systems that are complicated, confusing, or out of step with how work actually gets done.

Think about the user experience of security holistically. Would someone with five open tabs and back-to-back meetings know what to do? Would it feel intuitive?

Also, remember that everyone in security wants to influence behavior - but not everyone is a communicator.

That’s why your human risk team should support all security communications. Act as a partner. Help others land their message clearly and effectively.

Security succeeds when it’s easy to do the right thing and when people feel guided rather than judged.

5. Cultivate psychological safety

People won’t report incidents if they’re afraid of blame or punishment.

That’s why security teams need to act more like coaches than enforcers.

Psychological safety means creating a climate where people feel safe expressing themselves, asking questions, and reporting mistakes - without fear of punishment or embarrassment.

This matters deeply in cybersecurity, as Dr. Jessica Barker says: “If people don’t feel safe reporting, they avoid it - or worse, hide it. That’s when things spiral.”

A just culture is the foundation here: where the incident, not the individual, is investigated. Where the first response is always to help and understand, not punish.

That doesn’t mean no consequences ever. Repeated risky behavior or negligence should be addressed. But fairness, transparency, and coaching must come first.

Psychological safety isn’t just a “soft” concept. It’s the difference between catching a breach early—or discovering it when it’s too late.

Step three: Measure what matters

Culture change is hard to measure, but not impossible.

Here’s the framework I use:

  • Awareness (Knowledge): What people know about security. Do employees know what to do? Quiz and training answers measure this.
  • Behavior: What people do when it comes to security. Are employees doing the right things? Metrics like phishing simulation reporting, password hygiene, and incident reporting tell this story.
  • Attitudes: How people feel about security. Do people believe security is a shared responsibility? Surveys and cultural signals (like peer accountability) reveal this.
  • And, optionally, Engagement: Are people participating willingly? Event attendance, voluntary actions, and similar signals show this.

It’s not enough to say "95% completed the mandatory training." You want to show how many people are actually changing behaviors, how many feel confident and supported, and how many are voluntarily engaging with your content.

A real-world example: How AES engaged 5x more employees

One of the best examples I’ve seen of this mindset in action is at AES, a Fortune 500 global energy company.

Like many organizations, AES wanted to reduce the human factor in its cyber risk.

But they didn’t take the fear-based, checkbox approach.

Instead, they focused on something much more powerful: making security feel personal, engaging, and even fun.

They rolled out a program with Hoxhunt that adapted to each employee - meeting people where they were and growing with them over time.

The idea was simple: make learning feel like progress, not punishment.

Build a journey that’s challenging but encouraging.

And use positive reinforcement instead of shame.

Here’s what happened:

  • People actually enjoyed the simulations - and kept coming back.
  • Phishing resilience went up. Way up.
  • Reporting rates increased, too - not just because they were told to, but because they understood why it mattered.
  • And maybe most importantly, employees started seeing themselves as part of the solution.

The culture shifted. Security wasn’t seen as “someone else’s job” anymore. It became a shared responsibility - something that mattered not just to the company, but to each person’s role in protecting it.

AES proved that when you focus on behavior, not just knowledge - and when you make security approachable, not punitive - you get results that last.

Figure: Hoxhunt vs. AES’s previous solution

Final thoughts

Changing a security culture - especially in a large organization - won’t happen overnight.

It’s messy. It’s layered. And it touches everything: how you train, how you communicate, how you enforce policies, and how you show up when something goes wrong.

If you're struggling to shift the culture at your organization, you're not alone.

But don’t despair! Shifting a company’s perception of security is possible.

I’ve seen IT and Security teams go from being feared or ignored to being seen as trusted advisors.

I’ve seen campaigns that employees talk about at the coffee machine.

I’ve seen policies that make sense and get followed.

The organizations that get it right don’t rely on a single campaign or a one-time initiative. They work on multiple levels:

  • They make security human and positive. They don’t rely on fear—they empower people, connect behaviors to real-life benefits, and keep the message short, clear, and empathetic.
  • They embed security in the culture. Leaders set the tone. Allies amplify the message. Communications are supported, and policies are designed with usability in mind.
  • They invest in psychological safety. People are treated fairly. Mistakes are handled with care. Reporting is encouraged—not penalized.
  • They measure what really matters. Not just completions, but engagement. Not just knowledge, but behavior change.

Ultimately, people want to do the right thing.

But we need to meet them where they are. Make the secure way the easy way. Help them understand why it matters. And make them feel like it’s their success too.

If you're in the middle of this work, or just getting started, I hope this gave you some perspective - and some ideas to try.

And if you’ve found an approach that worked in your context, I’d love to hear it.

Let’s build security cultures people actually want to be part of.
