• Security culture is about how people feel, their attitudes and beliefs, not just what they do.
• Executive support, consistent training and personal relevance are critical to long-term behaviour change.
• You don’t need big programmes — just consistent effort and empathy.

For all the time, money and tools invested in cybersecurity, the biggest risk — and opportunity — still comes down to people. 

“Culture is about how people feel. You can put all the right tech in place, but if people are scared to speak up, or don’t see security as their responsibility, the whole thing falls over,” says Camilla Potter, Cybersecurity Consultant at Datacom. 

According to Datacom’s State of Cybersecurity Index 2025, the disconnect is clear: 

While 71% of Australian security leaders say their people are confident in their ability to detect and report cyber threats, only 50% of employees agree. In New Zealand, the gap is even wider: 79% of leaders feel confident, compared to just 51% of employees. 

The message? You can’t manage what your people don’t feel part of. 

Culture isn’t compliance — it’s comfort

On what’s behind the gap between leadership perception and employee confidence, Potter explains, “There’s still a belief that once you’ve ticked the training box, you’ve done your job. But culture isn’t compliance — it’s comfort. People need to feel safe enough to report mistakes, ask questions and know they won’t be punished if something goes wrong.” 

She explains that in many businesses, security still sits with IT — and that’s the first mindset shift that needs to happen. 

“Security is still seen as someone else’s job. But when people care about security in their home life — things like Facebook Marketplace scams or phishing emails about their kids’ school — that’s when it starts to stick. That’s when it becomes real.” 

What does good culture look like? 

Potter describes a security awareness training programme she ran that gradually moved from compliance to community: 

“We started with traditional online training. But over time, we added phishing simulations, security newsletters, chocolate fish prizes for competitions, memes — fun, simple things that got people engaged. We made it personal. We ran a webinar on keeping your home Wi-Fi secure, and over 100 people joined. That kind of stuff spreads.” 

The goal wasn’t just education. It was creating a shift in mindset and getting people to see the value for themselves. 

“You have to meet people where they are. It’s not about forcing them to be security experts — it’s about giving them something that feels relevant. That’s what gets the best response.” 

What works (and what doesn’t) 

Q: How do you know if culture change is working? 
CP: “It’s not just about surveys – it’s about how many people report suspicious things, how many join a session voluntarily, how often it’s coming up in conversation. You can measure interaction, but you also have to talk to people and ask how they feel about security. That’s what culture really is.”  

Q: What role does leadership play? 
CP: “Executive support is everything. If they’re not walking the walk, it doesn’t matter what you do. Culture has to come from the top but also be owned across the business, through steering committees, cross-team champions … whatever it takes for your employees to feel like they’re part of the journey.” 

Q: Where should businesses start? 
CP: “Start small. Culture change isn’t about launching a giant new programme. It’s about consistency. Maybe it’s a monthly article. Maybe it’s a short live session instead of an online module. Just make it relatable — and don’t stop.” 

Five ways to shift security culture without overhauling everything 

Want to move the dial? Here’s where Potter recommends starting: 

  1. Make it personal 
    Tie training and messaging back to people’s home lives — they’re more likely to listen if it impacts them directly. 
  2. Swap one-way training for two-way conversations 
    Live sessions (even short ones) build more engagement than modules people just click through. 
  3. Measure what matters 
    Go beyond completion rates and track voluntary participation, reports submitted and how often security gets raised by staff. 
  4. Involve every team 
    Get representation from across the business — different people need different messages, and that diversity drives better results. 
  5. Reward the right behaviours 
    Create a culture where people are recognised for speaking up, not punished for mistakes.

Security culture isn’t a campaign

“Culture change takes years. It’s not a tool you install. It’s a belief that’s shared and reinforced, again and again,” says Potter. 

If you want a truly security-conscious culture, stop asking people to tick a box and start showing them why it matters. 
