The Firewall Won't Save You
Walk into any mid-sized business in Nairobi and you will likely find a firewall, an antivirus subscription, and perhaps a VPN. The IT manager will point to these as evidence that the organisation takes security seriously. Then, three months later, someone clicks a phishing email disguised as an M-Pesa transaction alert — and the breach begins.
This is not a technology failure. The firewall worked exactly as designed. The antivirus had no signature for this particular attack. The problem was never the tools. The problem was that nobody taught the accounts assistant to pause before clicking, to question unexpected payment requests, or to report suspicious emails to IT without fear of embarrassment.
Security products create the illusion of safety. Security culture creates actual safety.
Why Products Alone Are Not Enough
The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a human element — phishing, stolen credentials, or simple error. That figure has barely changed in a decade. Meanwhile, global cybersecurity spending continues to rise. Organisations are buying more protection than ever and still suffering the same human-driven breaches.
This is not a coincidence. Most security products are designed to stop known threats. They are reactive by nature — updated after new attacks are discovered, patched after vulnerabilities are found. But human behaviour is the attack surface that no product can fully cover. An employee who shares their password, opens a malicious attachment, or clicks a fraudulent link bypasses every technical control in your stack.
No product can fix a person who does not understand why security matters.
What Security Culture Actually Looks Like
A security culture is the set of shared values, behaviours, and habits that cause people across an organisation to make security-conscious decisions automatically — not because they are forced to, but because they understand the consequences of not doing so.
In practice, it looks like this:
- A finance director who calls the supplier to verify an invoice before transferring funds, even when the email looks legitimate.
- A receptionist who challenges an unfamiliar visitor requesting access to the server room, even when they look confident.
- A developer who raises a security concern during a sprint review without fear of being dismissed as obstructive.
- An employee who reports a suspicious email to IT within minutes — because they know it is the right thing to do and that they will not be blamed for almost falling for it.
These behaviours cannot be purchased. They are grown, over time, through deliberate effort.
Building It: Four Foundations
1. Leadership Sets the Tone
Security culture starts at the top. When a CEO dismisses the mandatory security awareness training as a waste of time for the senior team, that message travels fast. When the same CEO completes the training, shares what they learned, and visibly takes security seriously, the entire organisation notices.
Leadership must model the behaviours they expect from staff — using strong passwords, following clean desk policies, questioning unusual requests. Culture flows downhill.
2. Training That Changes Behaviour, Not Just Ticks a Box
Annual e-learning modules that employees click through in ten minutes achieve very little. Effective security training is:
- Frequent — short sessions monthly rather than one long session annually.
- Relevant — scenarios based on real threats your employees actually face: M-Pesa fraud, KRA impersonation, WhatsApp phishing.
- Practical — phishing simulations, tabletop exercises, and social engineering awareness rather than slide decks.
- Blame-free — employees who fall for simulated phishing receive additional coaching, not punishment.
3. Clear Policies, Plainly Written
A 40-page information security policy written in legal language and stored in a SharePoint folder nobody visits is not a policy — it is a liability shield. Policies must be readable, accessible, and regularly communicated.
Every employee should be able to answer: What do I do if I receive a suspicious email? What do I do if I lose my laptop? Who do I call if something seems wrong? If they cannot answer these questions quickly and confidently, the policy has failed.
4. Normalise Reporting
One of the most valuable indicators of a mature security culture is how quickly and willingly employees report incidents. In low-trust environments, employees hide mistakes because they fear consequences. In high-trust environments, they report them immediately because they know that speed of response matters more than the embarrassment of admitting an error.
Build reporting mechanisms that are simple — a dedicated email address, a Teams or Slack channel, a phone number — and respond without blame when they are used. The first few times an employee reports a near-miss and receives a positive response, they tell their colleagues. The behaviour spreads.
Measuring What You Cannot See
Security culture is difficult to measure, but not impossible. Useful indicators include:
- Phishing simulation click rates over time — a declining trend is a positive sign.
- Volume and speed of incident reports from staff.
- Policy acknowledgement rates and training completion figures.
- Results from periodic security awareness surveys.
- Number of security-related helpdesk queries — employees asking before acting is a healthy signal.
These metrics will not appear on a dashboard next to firewall logs and SIEM alerts. But they are among the most meaningful signals of whether your organisation is genuinely secure — or merely defended.
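The indicators above are easy to state and easy to record badly. As an added example (not part of the original article, and not any vendor's tool), here is a small Python script that takes phishing-simulation results and the staff reports each campaign generated, and turns them into the three numbers a security-awareness lead would actually track: click rate per campaign, report rate per campaign, and median minutes from delivery to the first staff reports. It then checks the direction of travel across campaigns with a least-squares slope rather than eyeballing two data points. All campaign names and figures are constructed sample data.

```python
"""Security-awareness metrics from constructed phishing-simulation data.

Added example, not part of the original article. The campaign records
below are constructed sample data, not real results.
"""
from dataclasses import dataclass, field
from statistics import median


@dataclass
class Campaign:
    name: str                 # campaign label (constructed)
    sent: int                 # simulated phishing emails delivered
    clicked: int              # recipients who clicked the lure
    # one entry per staff report: minutes from delivery to the report
    minutes_to_report: list = field(default_factory=list)

    @property
    def reported(self) -> int:
        return len(self.minutes_to_report)


def click_rate(c: Campaign) -> float:
    """Share of recipients who clicked. Lower is better."""
    return c.clicked / c.sent


def report_rate(c: Campaign) -> float:
    """Share of recipients who reported the email to IT. Higher is better."""
    return c.reported / c.sent


def median_minutes_to_report(c: Campaign):
    """Median time from delivery to a staff report; None if nobody reported."""
    return median(c.minutes_to_report) if c.minutes_to_report else None


def slope(values: list) -> float:
    """Least-squares slope of values against campaign index (0, 1, 2, ...).

    Negative means the metric is falling over successive campaigns,
    positive means it is rising. With fewer than two points there is no trend.
    """
    n = len(values)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(values) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def summarise(campaigns: list) -> dict:
    """Per-campaign figures plus the direction of travel across campaigns."""
    clicks = [click_rate(c) for c in campaigns]
    reports = [report_rate(c) for c in campaigns]
    return {
        "click_rates": [round(v, 3) for v in clicks],
        "report_rates": [round(v, 3) for v in reports],
        "median_minutes_to_report": [median_minutes_to_report(c) for c in campaigns],
        "click_trend": "declining" if slope(clicks) < 0 else "not declining",
        "report_trend": "rising" if slope(reports) > 0 else "not rising",
    }


# Constructed sample: three monthly simulations sent to the same 50 staff,
# using the kinds of lures the article names.
CAMPAIGNS = [
    Campaign("2024-01 fake M-Pesa alert", sent=50, clicked=12,
             minutes_to_report=[15, 40, 90, 240]),
    Campaign("2024-02 fake KRA notice", sent=50, clicked=8,
             minutes_to_report=[3, 9, 14, 30, 55, 120, 300]),
    Campaign("2024-03 fake WhatsApp invite", sent=50, clicked=4,
             minutes_to_report=[1, 2, 4, 5, 7, 9, 12, 20, 25, 40, 60, 90]),
]

if __name__ == "__main__":
    for key, value in summarise(CAMPAIGNS).items():
        print(f"{key}: {value}")
```

Read the two trends together. A falling click rate on its own can simply mean the lures got easier or staff learned to spot the simulation template; a rising report rate and a shrinking time-to-report show that people are doing what the reporting section above asks of them, which is the signal that matters for a real incident.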
The Long Game
Building a security culture takes time. It requires patience, repetition, and consistency. It means communicating the same messages across different channels, in different formats, to different audiences, for months and years.
It also requires accepting that people will make mistakes. The goal is not a workforce that never clicks the wrong link — it is a workforce that knows what to do when they do, and an organisation that learns from each incident rather than repeating it.
The organisations that get this right do not necessarily have better technology than those that do not. They have better habits. And in cybersecurity, habits are everything.
Security is not a product you buy. It is a culture you build — one decision, one conversation, and one well-reported near-miss at a time.