Building a Strong Security Culture: A Critical Imperative for Credit Unions
Barry Lewis, Dec 29, 2026
The following is an article written by Optiri's Senior Director, Security, and Technology Consulting, Barry Lewis, CISSP. It originally appeared on CUInsight.com.
In an era where credit unions reported 892 cyber incidents between September 2023 and May 2024, with approximately 73% involving third-party services, the importance of a robust security culture has never been more critical. As cybercriminals increasingly exploit human vulnerabilities rather than technology gaps, credit unions must recognize that their greatest defense lies not just in firewalls and encryption, but in the attitudes, beliefs, and behaviors of every employee.
Security culture represents far more than annual training sessions or posted policies. The European Union Agency for Network and Information Security (ENISA) defines cybersecurity culture as "the knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values of people regarding cybersecurity and how they manifest themselves in people's behavior with information technologies."
In practical terms, security culture encompasses the shared understanding across your entire organization about the importance of protecting member data and institutional assets. It reflects whether employees view security as a shared responsibility or "someone else's job." When security culture is strong, protective behaviors become second nature—employees naturally question suspicious emails, safeguard credentials, and report potential threats without fear of blame.
Recent research confirms that security culture should not be viewed solely as a technical challenge but as a management priority requiring top leadership involvement, role modeling, and full organizational support for desired employee behaviors.
The financial stakes are substantial. According to IBM's Cost of a Data Breach 2024 report, the average breach cost for financial institutions reached $6.08 million, roughly 25% higher than the global average of $4.88 million. For credit unions operating with constrained budgets and limited IT staff, a single breach can be financially devastating.
Beyond direct financial losses, breaches erode member trust. A 2025 Harris Poll survey found that 90% of credit union members express significant concern about identity theft's impact on themselves or their families. In 2024 alone, Americans reported losing over $12 billion to fraud—an increase of more than $2 billion from 2023.
The human factor drives these losses. For five consecutive years, Verizon's Data Breach Investigations Report has identified human risk as the greatest driver of breaches globally, with nearly 60% of all breaches in 2024 involving a human element. Research published in Harvard Business Review noted that in the U.S., annual cybercrime damage increased by 33% to $16 billion in 2024, with the vast majority of breaches resulting from human failure such as system misconfiguration, information mishandling, or manipulation by attackers.
Yet this vulnerability also represents opportunity. If humans are the weakest link, they can also be the strongest defense. Research consistently shows that when organizations invest in building human-centered security cultures, they significantly reduce breach risk while stretching already-thin IT budgets.
Credit union boards and executives should recognize these hallmarks of healthy security cultures:
In strong security cultures, leadership treats cybersecurity as a strategic priority, not merely a compliance checkbox. This commitment manifests through adequate security budgets, elevating the CISO's organizational position, tying security metrics to executive performance, and consistently communicating security's importance.
Research from the Enterprise Strategy Group and ISSA found that 60% of Chief Information Security Officers (CISOs) believe improving their organization's cybersecurity program requires creating a better cybersecurity culture throughout the organization. The same research revealed a concerning gap: 40% of CISOs characterized their working relationship with the board as "fair or poor," a harmful and risky situation, since the board controls the budget and priorities that a security program depends on.
Organizations with mature security cultures distribute responsibility across all roles and levels. Every employee understands they play a vital part in protecting the institution and its members. Security isn't something only the IT department worries about—it's embedded in how everyone works.
The KnowBe4 Security Culture framework identifies seven critical dimensions: Attitudes, Behaviors, Cognition, Communication, Compliance, Norms, and Responsibilities. Organizations mature in their security culture demonstrate strength across all dimensions, not just policy compliance.
Perhaps most critically, strong security cultures encourage employees to report security concerns without fear of punishment. When an employee clicks a suspicious link, the first question shouldn't be why they failed to notice the warning signs—it should be how that email bypassed protective filters in the first place.
Organizations where employees hesitate to self-report incidents have broken security cultures. Comprehensive security requires non-punitive incident reporting systems where employees feel safe admitting mistakes, because the time between a click and its report is the time an attacker has to act unnoticed; a report that arrives within minutes lets the security team reset the credential and contain the payload before it spreads.
Mature security cultures recognize that cybersecurity is an evolving challenge requiring continuous education. However, effective programs move beyond annual compliance training to engage employees with relevant, timely information presented in accessible ways. Organizations with strong cultures spend more than twice as much (43% vs. 19%) of their cybersecurity budgets on training and tools compared to organizations reporting significant cultural gaps.
In healthy cultures, security teams partner with other departments to find secure ways to accomplish business objectives rather than simply saying "no." When security is perceived as a roadblock to productivity, employees find workarounds that introduce new risks. Effective security teams ask, "How can we help you do this securely?" rather than "Why are you doing this?"
Strong security cultures embed protective practices into daily workflows rather than layering security on top as something employees must navigate around. Security becomes "how we do things here" rather than an extra burden. This integration requires designing environments that make secure behaviors the easy, default choice.
Credit union boards and executives should watch for these indicators of weak or toxic security cultures:
When security incidents occur, does leadership immediately seek someone to punish? Organizations that respond to breaches by looking for scapegoats rather than systemic improvements have toxic cultures. This approach discourages reporting and prevents learning from mistakes.
Research indicates that the "zero-intrusions-allowed" mindset damages security culture. Organizations with this perspective expect absolute perfection and blame security teams even when threats are successfully detected and mitigated. In today's threat landscape, intrusions will occur. Strong cultures reward defenders for their response and resilience rather than punishing them for uncovering problems.
Paradoxically, having zero reported security incidents may indicate a cultural problem rather than strong security. If employees never report suspicious emails, potential policy violations, or near-misses, they likely fear consequences or don't understand their reporting responsibilities.
Organizations should expect regular reporting of potential incidents from security-aware employees. Absence of reports suggests either unrealistic expectations creating fear or inadequate security awareness.
When skilled security professionals leave repeatedly, it signals burnout, unsupportive environments, or leadership that ignores security concerns. High turnover in security roles indicates deeper cultural problems that compromise the institution's protective capabilities.
Additional warning signs include treating training budgets as expendable, investing heavily in security tools while neglecting the professionals who operate them, and cutting education opportunities while claiming to support development.
Organizations treating security as mere compliance requirements rather than fundamental risk management weaken their resilience. This approach leads to bare-minimum adherence where security measures exist on paper but lack operational commitment. Threats are more likely to slip through, and employees hesitate to report risks for fear of blame.
When security teams and other departments don't communicate effectively, it creates confusion and misunderstandings about security protocols. Research shows that 40% of frontline workers conclude, from the messages they receive, that management is disconnected from their roles.
Ineffective communication manifests as unclear security directives, inconsistent policy enforcement, security being seen as hostile or unhelpful rather than supportive, and decisions made without understanding business needs.
Widespread cynicism about security initiatives or management indicates distress and a sense that people lack control over outcomes they're held accountable for. Presenteeism—doing just enough to get by—signals that the security environment has become toxic, with deteriorating follow-through and attention to detail.
Organizations without documented cybersecurity culture management plans or policies describing security objectives, education requirements, and personal responsibilities lack the foundation for building strong cultures. According to ISACA research, 42% of organizations in 2018 lacked such plans, a critical gap.
While technology is essential, organizations that invest predominantly in security appliances while neglecting the skilled professionals needed to operate them demonstrate misaligned priorities. Many companies procure tools but fail to resource the human expertise required to use them effectively.
For credit union boards and executives committed to strengthening security culture:
For credit unions serving 139 million Americans, strong security culture isn't optional; it's essential for protecting members' financial well-being and maintaining the trust that defines the credit union difference. As cyber threats grow more sophisticated and regulatory expectations intensify, institutions that invest in developing mature security cultures will be better positioned to defend against attacks, maintain member confidence, and thrive in an increasingly digital financial services landscape.
The choice is clear: credit unions can view security culture as another compliance burden, or they can recognize it as a strategic investment that protects their most valuable assets, namely member data, institutional reputation, and the trust that members place in their financial partners. Organizations that choose the latter path, supported by engaged boards and committed leadership, will build the resilience necessary to navigate tomorrow's cybersecurity challenges.