In 2025, cyber threats will accelerate in complexity as organizations scramble to stay ahead of more sophisticated phishing attempts, advanced ransomware techniques and AI-driven threats like deepfakes. Public sector organizations and government systems remain a high-value target for both nation-state actors and criminal enterprises.
A safe and resilient cyber culture begins internally. In fact, in a recent review of implementation efforts for the Executive Order on Improving the Nation’s Cybersecurity, the Government Accountability Office emphasized that federal agencies must create “a culture that prioritizes cybersecurity as an essential mission component.”
Such a cultural approach, which includes people’s mindsets, behaviors and practices, is a leading indicator of an effective cybersecurity strategy, according to the Cybersecurity and Infrastructure Security Agency, and is “a crucial aspect of building long-term resilience against cyber threats.”
Here are three keys to building a resilient cyber culture:
Demonstrate leadership commitment
The fundamental driver of a strong enterprise-wide cybersecurity culture is leadership commitment. Leaders need to be on top of the latest challenges, such as where the new threat vectors are, the risks that AI poses, and the opportunities that deploying a zero trust architecture creates.
But more than just talking the talk, leaders need to walk the walk. When they do so, they credibly create a culture that emphasizes total ownership — one that includes all employees, from the top level of the organization to apprentices and everyone in between. To that end, make cybersecurity an evaluated factor in each employee’s annual performance. Setting appropriate security performance goals fosters accountability and shared responsibility.
Rewards and recognition also play a role. Incentivize and reward employees who demonstrate strong cybersecurity practices and who willingly take the time to be vigilant and report potential threats to the enterprise.
Set clear expectations
A strong cyber culture requires setting clear expectations from the outset, including during the onboarding of new employees and subcontractors. And it doesn’t stop there.
Ongoing employee awareness training should foster a real understanding of the risks and equip employees with specific steps they should take when they encounter a potential threat to the organization. Training comes in a variety of forms. There are computer-based learning modules, as well as practical exercises to help employees recognize the social engineering attempts that are a common driver of cyber risk.
Training and awareness should be part of a robust communication plan for enterprise policies that clearly establish what’s considered right and wrong. The plan should include easily accessible procedures regarding how to report concerns and incidents immediately without fear of reprimand.
Communication around security expectations needs to be relevant to the entire internal audience. One of the biggest mistakes organizations make is using industry buzzwords and jargon that don’t resonate with all people. Make sure messaging is understandable, relatable and applicable to every level of the organization.
Continually improve
In a cyber-resilient culture, continuous improvement depends on constant evaluation. With regular updates and ongoing feedback from across the organization, leaders can ensure that security efforts stay current with emerging threats. To drive continuous improvement, organizations should measure key performance indicators such as:
- Dwell time of a successful attack before it is identified.
- Number of cyber breaches per year.
- Total cost of cyber incidents per year.
- Phishing test success rates.
- Security-training completion rates.
- Device and software compliance.
To continually improve, you should also have a solid understanding of what good cyber hygiene looks like in your organization and how to be prepared for the next generation of cyber threats.
Staying flexible
While constantly prioritizing security, leaders also need to recognize where flexibility may be required. If the culture is so rigid that policies prohibit the adoption of new technologies, people tend to resort to workarounds, which can open new areas of vulnerability. With generative AI, for example, there’s a likelihood that a small percentage of employees will access these tools with or without permission.
Cyber leaders need to have their pulse on how to implement such new technologies securely and responsibly, with easy-to-follow usage guidelines. At the same time, policies must be flexible enough to ensure employees can still perform their roles with excellence, equipped with the latest innovative tools and technologies.
Cybersecurity’s weak link will remain people and the way they behave. By creating a culture that emphasizes leadership commitment, clear expectations, continuous improvement and flexibility where needed, organizations empower every individual within them to take an ownership role in mitigating risks during this era of rapid technological evolution.
Amanda Satterwhite is Accenture Federal Services’ managing director for cyber mission and enablement for its defense and intelligence portfolio.
© 2025 Federal News Network. All rights reserved.