Shape culture. Change behavior. Live security.
Culture Development
A strong security culture is the most effective defense against cyber threats. We help you measurably embed security awareness � from baseline assessment through culture development to continuous monitoring with KPIs and maturity models. Aligned with ISO 27001, DORA and NIS2.
- ✓Sustainable embedding of security awareness in the corporate culture
- ✓Strengthening resilience against modern cyber threats
- ✓Reduction of human error sources and security incidents
- ✓Development of a self-sustaining security community within the organization
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
- Your strategic goals and objectives
- Desired business outcomes and ROI
- Steps already taken
Or contact us directly:
Certifications, Partners and more...
Security Culture in Organizations: From Awareness to Embedded Practice
Our Strengths
- Combination of technical expertise and change management know-how
- Experience with successful cultural change projects across various industries
- Scientifically grounded methods and measurement approaches
- Comprehensive approach with integration into existing corporate culture
⚠
Expert tip
Culture development is not a one-time project, but a continuous process. The key to success lies in anchoring security in corporate values, active role modeling by leaders, and continuous reinforcement through integrated communication and measures.
ADVISORI in Numbers
11+
Years of Experience
120+
Employees
520+
Projects
Our approach to developing a sustainable security culture is comprehensive, scientifically grounded, and individually tailored to your organization.
Our Approach:
Assessment and gap analysis of the current security culture
Joint development of a vision and strategy for the target culture
Design and implementation of culture development measures
Building internal capacities and multiplier networks
Continuous measurement, evaluation, and further development
"A sustainable security culture is more than awareness — it is a strategic investment in the resilience and future viability of the organization. When security becomes part of the corporate DNA, a unique competitive advantage emerges."
Sarah Richter
Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
Our Services
We offer you tailored solutions for your digital transformation
Security Culture Assessment
Comprehensive analysis and assessment of the current security culture in your organization.
- Culture analysis using scientifically validated methods
- Identification of strengths, weaknesses, and development potential
- Benchmark comparison with best practices and industry standards
- Concrete recommendations for action and roadmap
Security Culture Transformation
Comprehensive support in the development and implementation of a sustainable security culture.
- Development of a tailored culture development strategy
- Design and implementation of culture development measures
- Building security communities and Champion networks
- Continuous measurement, evaluation, and further development
Our Competencies in Security Awareness
Choose the area that fits your requirements
Employee Training
Over 70% of all cyber attacks exploit the human factor. Our tailored security awareness training empowers your employees to recognize phishing, social engineering and ransomware � through realistic simulations, interactive modules and practical exercises that build lasting security habits.
Leadership Training
Executives bear personal responsibility for information security � under NIS2, they also face personal liability. With tailored security awareness training, we empower your board members, managing directors and C-level executives to strategically assess cyber risks, meet regulatory obligations, and champion a sustainable security culture across your organization.
Phishing Training
Phishing remains the most common attack vector against organizations. With professional phishing simulations and hands-on training, we sustainably reduce your employees click rates, strengthen security awareness, and meet regulatory requirements under DORA, ISO 27001, and NIS2.
Frequently Asked Questions about Culture Development
What makes a strong security culture and how is it developed?
🏛 ️ Characteristics of a strong security culture:
•
Shared values and beliefs that understand security as an integral part of business success.
•
Proactive rather than reactive security thinking at all levels of the organization.
•
Open communication about security topics without fear of consequences.
•
Clear responsibilities and accountability for security matters.
•
Continuous learning and adaptation to new threats and challenges.
👑 Leadership and role modeling:
•
Active demonstration of security-conscious behavior by management and leaders.
•
Consistent integration of security aspects into strategic decisions.
•
Provision of adequate resources for security initiatives.
•
Regular communication on the importance of information security.
•
Recognition and reward of security-conscious behavior within the organization.
🔄 Continuous development process:
•
Systematic analysis and assessment of the existing security culture as a starting point.
•
Development of a clear vision and strategy for the target culture.
•
Implementation of targeted measures for culture development at various levels.
•
Regular measurement and evaluation of culture development.
•
Continuous adaptation and further development based on feedback and results.
👥 Involvement of all stakeholders:
•
Active participation of all employees in the culture development process.
•
Building a network of Security Champions and multipliers.
•
Integration of security culture into onboarding, training, and development programs.
•
Consideration of different perspectives and needs within the organization.
•
Development of an inclusive security community within the organization.
💡 Expert tip:Developing a strong security culture requires a comprehensive approach that integrates leadership, processes, people, and technology. The key to success lies not in individual measures, but in a systematic cultural change that anchors security awareness in the DNA of the organization. Start with an honest stocktaking and develop a long-term culture development plan with clear milestones.
How can the effectiveness of culture development measures be measured?
📊 Culture assessments & surveys:
•
Conducting regular security culture assessments using validated instruments.
•
Using employee surveys to capture attitudes and perceptions.
•
Applying qualitative methods such as focus groups and interviews for deeper insights.
•
Comparison with industry benchmarks and best practices.
•
Tracking culture development over time through repeated measurements.
🧪 Behavioral observation & testing:
•
Conducting simulations and test scenarios such as phishing tests or social engineering.
•
Observing actual behavior in security situations.
•
Analyzing responses to security incidents and near-misses.
•
Evaluating compliance with security policies and processes.
•
Measuring participation in voluntary security initiatives and programs.
📈 Security metrics & incident analysis:
•
Tracking the number and severity of security incidents over time.
•
Analyzing causes and behavioral patterns in security incidents.
•
Measuring the time to detection and reporting of security incidents.
•
Recording the effectiveness of countermeasures and lessons learned.
•
Correlating security incidents with culture indicators.
🔄 System indicators & feedback loops:
•
Establishing continuous feedback mechanisms for security topics.
•
Measuring the number and quality of security reports and suggestions.
•
Recording participation in security communities and initiatives.
•
Tracking the use of security resources and tools.
•
Analyzing the integration of security aspects into business processes and decisions.
💡 Expert tip:Effective measurement of security culture requires a combination of quantitative and qualitative methods. Use a balanced set of indicators that capture both attitudes and perceptions as well as actual behavior and systemic aspects. What matters is not only data collection, but also continuous analysis, interpretation, and the derivation of concrete measures for culture development.
What role do Security Champions play in the culture development process?
🔗 Bridge builders & multipliers:
•
Acting as a link between the security team and the business units.
•
Translating security-relevant topics into the language and context of the respective department.
•
Multiplying security knowledge and awareness in the immediate work environment.
•
Conveying feedback and concerns from business units back to the security team.
•
Creating a low-threshold point of contact for security questions in daily work.
👁 ️ Role models & culture carriers:
•
Actively demonstrating security-conscious behavior in daily work.
•
Embodying the desired values and behaviors of the security culture.
•
Motivating colleagues through positive example and personal commitment.
•
Promoting open communication about security topics within the team.
•
Establishing security as a natural part of work routines and decision-making.
🛠 ️ Enablers & supporters:
•
Supporting colleagues in the practical implementation of security measures.
•
Providing assistance with security questions and challenges in daily work.
•
Promoting self-responsible action on security matters within the team.
•
Helping to integrate security aspects into work processes and projects.
•
Identifying and addressing practical obstacles to security-conscious behavior.
📡 Sensors & early warning system:
•
Detecting security-relevant developments and challenges at an early stage.
•
Identifying improvement potential and weaknesses in practice.
•
Collecting feedback and ideas for improving security measures.
•
Identifying resistance and acceptance issues and addressing them proactively.
•
Supporting the security team in the continuous improvement of the security culture.
💡 Expert tip:Security Champions are the key to successfully embedding a security culture in the organization. The success of a Champion network depends significantly on the right selection, empowerment, and continuous support of the Champions. Invest in a structured Champion program with clear roles, regular exchange, continuous training, and appropriate recognition of their commitment.
How can a Security Culture Assessment be conducted?
🔍 Preparation & planning:
•
Defining clear objectives and questions for the assessment.
•
Selecting appropriate methods and instruments for the culture analysis.
•
Ensuring management support and resources for implementation.
•
Developing a structured project plan with clear responsibilities.
•
Communicating the initiative to all stakeholders, emphasizing the positive objectives.
📋 Data collection & analysis:
•
Conducting employee surveys using validated instruments.
•
Organizing focus groups and interviews at various hierarchical levels.
•
Observing and analyzing security-relevant behavior in daily work.
•
Evaluating relevant documents, processes, and security incidents.
•
Comparing with industry benchmarks and best practices for context.
🧮 Evaluation & interpretation:
•
Systematic analysis of the collected quantitative and qualitative data.
•
Identification of strengths, weaknesses, and development potential of the security culture.
•
Structuring results along relevant cultural dimensions.
•
Analyzing differences between various areas of the organization.
•
Deriving concrete areas of action and priorities for culture development.
📑 Reporting & action planning:
•
Presenting results in a clear, action-oriented format.
•
Presenting and discussing findings with relevant stakeholders in the organization.
•
Jointly developing a cultural target vision and roadmap.
•
Deriving concrete measures for the identified areas of action.
•
Defining metrics and milestones for continuous success measurement.
💡 Expert tip:A successful Security Culture Assessment should not be seen as an isolated measure, but as the starting point of a continuous improvement process. Place particular emphasis on transparency, openness, and a positive attitude throughout the entire process. The goal is not to find fault, but to develop a shared understanding of the cultural baseline as a foundation for targeted development measures.
How can a sustainable security culture be integrated into the corporate culture?
🧩 Alignment with corporate values:
•
Identifying overlaps between security aspects and existing corporate values.
•
Integrating security aspects into the corporate mission statement and code of conduct.
•
Clarifying the contribution of security to overarching corporate objectives.
•
Creating congruence between security culture and general corporate culture.
•
Avoiding value conflicts between security and other corporate values.
👑 Top-down and bottom-up integration:
•
Active commitment and role modeling by senior management on security topics.
•
Embedding security aspects in leadership communication at all levels.
•
Simultaneously promoting bottom-up initiatives and employee engagement.
•
Creating space for self-responsible action on security matters.
•
Balancing central governance and decentralized implementation of security topics.
🔄 Integration into processes and systems:
•
Anchoring security aspects in HR processes from recruiting to development.
•
Integration into performance management and incentive systems.
•
Consideration of security in decision-making processes and governance structures.
•
Establishing security as a quality criterion in development and innovation processes.
•
Creating organizational structures for continuous security culture development.
🌱 Growth and evolution:
•
Developing an evolutionary roadmap for the security culture.
•
Continuous learning and adaptation based on experience and feedback.
•
Regular review and further development of the security culture strategy.
•
Promoting innovation and new ideas in the area of security culture.
•
Using success stories and best practices as catalysts for cultural change.
💡 Expert tip:Sustainable integration of security culture is best achieved when security is understood not as a separate initiative, but as an integral part of the general corporate culture. Avoid building an isolated security subculture and instead look for natural connection points with the existing cultural landscape. The key lies in anchoring security aspects in all dimensions of corporate culture — from values and beliefs, through leadership behavior and systems, to artifacts and symbols.
Which behavioral change strategies are particularly effective in developing a security culture?
🧠 Behavioral economics & nudging:
•
Using default settings and choice architecture to promote security-conscious behavior.
•
Applying framing effects for the positive presentation of security topics.
•
Reducing friction points for security-conscious behavior in daily work.
•
Creating timely and concrete feedback loops for security behavior.
•
Using social norms and comparisons to reinforce desired behavior.
🎯 Motivation & incentive systems:
•
Promoting intrinsic motivation by emphasizing autonomy, competence, and belonging.
•
Developing extrinsic incentives for security-conscious behavior in line with corporate culture.
•
Recognition and appreciation of positive security contributions.
•
Integration of security aspects into performance management and career development.
•
Balancing individual and team-based incentives for security topics.
📋 Habit formation & routines:
•
Identifying key behaviors for the security culture.
•
Using triggers and anchor points for new security habits.
•
Integrating security routines into existing work processes and workflows.
•
Promoting micro-habits for continuous security behavior.
•
Creating positive reinforcement and feedback for newly established habits.
🔄 Learning & adaptation processes:
•
Developing a continuous learning cycle for security behavior.
•
Using various learning formats for different behavioral aspects.
•
Promoting peer learning and social support during behavioral changes.
•
Creating safe learning environments for trying out new behaviors.
•
Integrating reflection and feedback processes for collective learning.
💡 Expert tip:Successful behavioral change in security culture is based on a balanced mix of strategies that address rational, emotional, and social aspects of behavior. Avoid an overly strong focus on rules and control — instead, rely on positive empowerment through enablement, motivation, and the design of supportive conditions. Remember: sustainable behavioral change is a marathon, not a sprint — plan accordingly with a long-term perspective and patience.
How can communication about security topics be designed to promote culture?
📣 Strategic communication:
•
Developing a comprehensive communication strategy for security topics.
•
Integrating security communication into general corporate communications.
•
Using various communication channels for maximum reach and impact.
•
Coordinating the timing and frequency of communication for optimal reception.
•
Balancing continuous baseline communication and event-driven campaigns.
🎨 Effective messages & formats:
•
Focusing on positive, solution-oriented messages rather than fear and threat.
•
Using storytelling and concrete examples to create emotional connections.
•
Developing clear, action-oriented messages with direct relevance.
•
Employing visual and interactive formats for greater attention and engagement.
•
Adapting language and tone to the corporate culture and target audiences.
👥 Dialogic communication:
•
Promoting open dialogue on security topics at all levels.
•
Creating feedback channels and opportunities for exchange.
•
Actively listening and responding to concerns and ideas from employees.
•
Incorporating various perspectives into communication on security topics.
•
Using peer-to-peer communication through Security Champions and multipliers.
🎯 Target audience orientation:
•
Segmenting and analyzing relevant target groups within the organization.
•
Adapting messages and formats to specific needs and roles.
•
Considering different levels of prior knowledge and information needs.
•
Developing role-specific communication packages and materials.
•
Balancing broad mass communication and targeted audience outreach.
💡 Expert tip:Effective security communication goes far beyond conveying information — it creates meaning, motivates action, and promotes continuous dialogue. Invest in strategic, target audience-oriented communication that positions security not as a burdensome obligation, but as a shared value and collective responsibility. Particularly important is consistency between communication and actual behavior at all levels — nothing undermines a security culture faster than perceived double standards.
How can resistance to cultural change in the area of information security be overcome?
🧠 Understanding & acceptance:
•
Systematic analysis of the causes and patterns of resistance.
•
Actively listening and acknowledging legitimate concerns and perspectives.
•
Creating understanding of the necessity and benefits of the change.
•
Communicating a clear and compelling vision for the desired security culture.
•
Transparent communication about the goals, processes, and expected impacts of the change.
👥 Participation & ownership:
•
Early and continuous involvement of those affected in the change process.
•
Creating opportunities for co-design and active roles in the cultural change.
•
Promoting bottom-up initiatives and local adaptations of the change.
•
Building ownership and responsibility for cultural change across all areas.
•
Forming change coalitions and winning opinion leaders as supporters.
🛠 ️ Practical support:
•
Providing necessary resources, tools, and support for the change.
•
Developing specific competencies and skills for the new security culture.
•
Removing obstacles and barriers to security-conscious behavior.
•
Creating quick wins and early successes to strengthen change momentum.
•
Continuous support and coaching throughout the entire change process.
⚖ ️ Balance & integration:
•
Balanced consideration of security requirements and operational necessities.
•
Integrating security aspects into existing processes rather than creating additional requirements.
•
Developing practical, everyday solutions for security challenges.
•
Focusing on enablement and empowerment rather than control and restriction.
•
Creating a positive balance between security, usability, and efficiency.
💡 Expert tip:Resistance to cultural change is natural and can provide valuable indications of necessary adjustments. Rather than combating resistance, use it as feedback and integrate it constructively into the change process. Particularly important is a balanced approach that addresses both the rational and emotional dimensions of change and creates a clear bridge between the current and the desired culture.
How can the effectiveness of a security culture be promoted in a hybrid work environment?
🌐 Location-independent security culture:
•
Developing location-independent values and principles for information security.
•
Creating a shared understanding of security regardless of the place of work.
•
Integrating security aspects into remote and hybrid work policies.
•
Developing clear expectations and guidelines for secure working in all locations.
•
Promoting a consistent security culture across different work contexts.
🔄 Adapted processes & tools:
•
Developing hybrid security processes that function regardless of location.
•
Providing suitable tools and technologies for secure working in various locations.
•
Establishing efficient digital collaboration and communication channels for security topics.
•
Creating smooth transitions between different work environments.
•
Automating and simplifying security processes for better usability.
👥 Virtual community & cohesion:
•
Building a virtual security community across locations and work models.
•
Conducting virtual security events and activities to foster a sense of community.
•
Creating opportunities for exchange and networking on security topics.
•
Using gamification and social elements to strengthen engagement.
•
Developing an inclusive approach that equally incorporates different work arrangements.
📊 Adapted measurement & feedback:
•
Developing specific methods for measuring security culture in hybrid work models.
•
Creating continuous feedback loops for different work contexts.
•
Adapting assessments and evaluations to the challenges of hybrid work.
•
Considering context-specific factors when evaluating the security culture.
•
Using digital tools for the continuous capture of culture indicators.
💡 Expert tip:In a hybrid work environment, it is essential to create a balance between consistent security principles and context-specific flexibility. Avoid a one-size-fits-all approach and instead focus on developing an adaptive security culture based on shared values that accommodates different work arrangements. Particularly effective are community-building measures that promote connectedness and mutual support across physical distances.
What role do leaders play in the development of a security culture?
👁 ️ Role modeling & authenticity:
•
Consistently demonstrating security-conscious behavior in one's own leadership practice.
•
Demonstrating the personal importance of information security through words and actions.
•
Adhering to security policies even under pressure and in exceptional situations.
•
Openly addressing one's own questions, challenges, and learning processes in the security domain.
•
Authentic commitment to the further development of the security culture.
🧭 Strategic leadership & prioritization:
•
Integrating security aspects into strategic decisions and planning.
•
Providing necessary resources for security initiatives and measures.
•
Actively prioritizing security topics in meetings and management agendas.
•
Promoting a long-term perspective in the development of the security culture.
•
Establishing clear governance structures and responsibilities for security topics.
📢 Communication & meaning-making:
•
Regular and compelling communication on the importance of information security.
•
Establishing connections between security topics and corporate objectives and values.
•
Creating a shared vision and narrative for the security culture.
•
Using various communication formats for different target audiences.
•
Promoting open dialogue on security topics at all levels.
🤝 Empowerment & enablement:
•
Creating room for maneuver and personal responsibility for security topics.
•
Promoting bottom-up initiatives and innovations in the security domain.
•
Supporting and coaching employees in the development of security competencies.
•
Recognizing and appreciating commitment and contributions to the security culture.
•
Building Security Champions and change agents at various levels.
💡 Expert tip:The role of leaders is decisive for the success of any culture development initiative. Particularly important is the congruence between official statements and actual behavior — nothing undermines a security culture faster than perceived double standards or empty lip service. Invest in the development of security competencies at the leadership level and create mechanisms for regular feedback on the leadership role in the security culture.
How can gamification support the development of a security culture?
🎮 Gamification mechanisms & elements:
•
Using points, badges, and leaderboards to reinforce security-conscious behavior.
•
Developing missions and challenges on various security topics.
•
Creating level systems for continuous competency development.
•
Using storytelling and narrative elements to contextualize security topics.
•
Integrating feedback mechanisms and progress indicators for motivation.
🧠 Motivational psychology foundations:
•
Using intrinsic motivational factors such as autonomy, competence, and belonging.
•
Balancing extrinsic incentives and intrinsic motivation.
•
Considering different player types and motivational structures.
•
Integrating flow experiences and optimal challenge.
•
Creating meaningful experiences rather than superficial gamification.
🤝 Social dimension & collaboration:
•
Promoting team spirit and cooperation through collaborative challenges.
•
Creating positive social pressure and norms for security-conscious behavior.
•
Developing community-building elements and shared goals.
•
Promoting knowledge exchange and mutual support.
•
Balancing healthy competition and cooperative elements.
🔄 Sustainable integration & evolution:
•
Embedding gamification elements into existing processes and systems.
•
Continuously developing and adapting the gamification strategy.
•
Balanced mix of short- and long-term incentives and goals.
•
Integrating reflection and learning cycles into the gamification mechanisms.
•
Creating a sustainable gamification ecosystem rather than isolated measures.
💡 Expert tip:Successful gamification goes far beyond the superficial implementation of points and badges and focuses on creating meaningful, motivating experiences. Particularly important is a balanced approach that combines entertaining elements with serious learning objectives and appeals to different motivation types. Ensure that the gamification elements support the actual security objectives and do not become an end in themselves.
How can a security culture be established in different corporate cultures and contexts?
🧩 Cultural adaptation & contextualization:
•
Analyzing and considering existing cultural patterns and values within the organization.
•
Adapting the security culture strategy to specific organizational contexts and cultures.
•
Considering industry-specific characteristics and requirements in culture development.
•
Contextualizing security messages and measures for different areas of the organization.
•
Developing a flexible framework rather than a one-size-fits-all approach.
🌍 Multicultural & international aspects:
•
Considering cultural differences in international and multicultural organizations.
•
Adapting communication and interventions to local cultural contexts.
•
Creating a cross-cultural shared understanding of security.
•
Balancing global consistency and local adaptation of security measures.
•
Using cultural diversity as a resource for effective security approaches.
🔄 Transformation & change management:
•
Considering the organization's readiness and capacity for change.
•
Adapting the pace of change to the cultural dynamics of the organization.
•
Identifying and using cultural levers and catalysts for change.
•
Developing tailored change strategies for different organizational contexts.
•
Considering the organization's history and experience with previous changes.
⚖ ️ Balance & integration:
•
Balanced relationship between security culture and other corporate objectives and values.
•
Integrating security aspects into existing cultural practices and rituals.
•
Harmonizing security culture and operational requirements in the specific context.
•
Considering conflicting objectives and their context-specific resolution.
•
Developing a security culture that fits and complements the DNA of the organization.
💡 Expert tip:The key to successfully establishing a security culture in different organizational contexts lies in understanding the cultural baseline and purposefully adapting the culture development strategy. Avoid universal blueprints and instead develop a context-sensitive approach that addresses the specific cultural conditions, challenges, and strengths of the organization. Particularly successful are approaches that position security culture not as a foreign element, but as a natural evolution and enrichment of the existing corporate culture.
How can new employees be integrated into the security culture?
🚪 Onboarding & first impression:
•
Integrating security topics as a central component of the onboarding process.
•
Conveying the importance of security from the very first day of work.
•
Creating positive first experiences with the organization's security culture.
•
Personal welcome and introduction by Security Champions or leaders.
•
Providing a structured introduction to the security aspects of one's own role.
🧭 Mentoring & accompaniment:
•
Assigning security mentors or buddies to new employees.
•
Gradually introducing new employees to the security practices of the team and organization.
•
Regular feedback and coaching on security-relevant behavior.
•
Creating a safe space for questions and uncertainties in the security domain.
•
Continuous accompaniment during the first months in the organization.
🎓 Targeted competency development:
•
Conducting specific security training as part of the onboarding program.
•
Developing role-specific learning paths for security competencies.
•
Combining various learning formats for different learning types and preferences.
•
Creating practical application opportunities for newly acquired knowledge.
•
Continuous development of security competencies beyond onboarding.
👥 Cultural integration & belonging:
•
Actively involving new employees in the security community and initiatives of the organization.
•
Promoting a sense of belonging to the security culture of the organization.
•
Creating opportunities for new employees to contribute their own ideas and perspectives.
•
Integrating into security-related activities and events of the team/department.
•
Encouraging active participation in the continuous development of the security culture.
💡 Expert tip:Integrating new employees into the security culture is a critical moment that determines long-term attitudes and behavior. Invest particularly in this phase and create positive, empowering first experiences rather than overwhelming floods of rules. Particularly effective is a balanced approach that conveys security not as an isolated topic, but as an integral part of the corporate culture and one's own role.
Which metrics and KPIs are suitable for measuring the security culture?
🧠 Perception & attitude metrics:
•
Regular measurement of security awareness and attitudes through surveys.
•
Measuring the perceived importance of security within the organization.
•
Capturing trust in security measures and processes.
•
Measuring self-efficacy and competence to act on security matters.
•
Tracking changes in attitudes and perceptions over time.
👣 Behavioral & action metrics:
•
Measuring compliance with security policies and processes.
•
Recording proactive security contributions and initiatives.
•
Tracking the reporting rate for security incidents and observations.
•
Measuring response speed to security incidents and warnings.
•
Recording participation in voluntary security activities and training.
📊 Outcome & impact metrics:
•
Tracking the number and severity of security incidents over time.
•
Measuring the time to detection and resolution of security incidents.
•
Recording the effectiveness of security measures and controls.
•
Measuring resilience against simulated attacks and tests.
•
Tracking the costs of security incidents and their resolution.
🔄 Process & system metrics:
•
Recording the integration of security aspects into business processes.
•
Measuring the quality and efficiency of security processes.
•
Tracking the use of security tools and resources.
•
Recording the maturity and effectiveness of security management.
•
Measuring the speed and quality of security improvements.
💡 Expert tip:Effective measurement of a security culture requires a multidimensional approach that encompasses both quantitative and qualitative indicators. Avoid overemphasizing individual metrics, particularly pure incident counts, as these can provide an incomplete or distorted picture. Instead, develop a balanced dashboard with leading and lagging indicators that reflects the various aspects of the security culture and supports continuous improvement.
How can a sustainable security culture be developed in times of digital transformation?
🚀 Integration into the transformation strategy:
•
Anchoring security culture as an integral part of the digital transformation strategy.
•
Developing a Security-by-Design culture for all transformation initiatives.
•
Integrating security aspects into new ways of working and methods.
•
Considering cultural aspects when implementing new technologies.
•
Creating a balance between the pace of innovation and sustainable security awareness.
🧩 Adaptive security culture:
•
Developing an agile, adaptable security culture for dynamic environments.
•
Promoting continuous learning and experimentation in the security domain.
•
Creating mechanisms for rapid adaptation to new threats and requirements.
•
Developing resilience against unexpected changes and disruptions.
•
Balancing stability and flexibility in the security culture.
🔄 Continuous evolution:
•
Establishing continuous improvement processes for the security culture.
•
Regular review and adaptation of security practices and norms.
•
Integrating security topics into retrospectives and lessons learned of the transformation.
•
Developing an evolutionary approach rather than large, effective changes.
•
Creating a learning organization in the area of information security.
💬 Collaboration & co-creation:
•
Promoting cross-departmental and cross-functional collaboration on security topics.
•
Joint development of security solutions by IT, business, and security.
•
Integrating different perspectives and expertise into culture development.
•
Creating platforms for the exchange and co-creation of security practices.
•
Building a broadly based Security Champion network across all transformation areas.
💡 Expert tip:In times of digital transformation, an adaptive security culture integrated into the transformation is essential for sustainable success. Avoid an isolated approach that positions security as a separate initiative or even as a brake on transformation. Instead, develop a security culture that enables innovation while remaining resilient against new threats. Particularly effective are collaborative approaches that establish security as a shared responsibility of all transformation participants.
How can employees be developed into Security Ambassadors and Champions?
🔍 Identification & recruitment:
•
Systematically identifying potential Champions with interest and commitment to security topics.
•
Using various recruitment channels such as self-nomination, leadership recommendations, or targeted outreach.
•
Establishing a clear selection process with defined criteria and expectations.
•
Creating an inclusive network with diversity in terms of roles, departments, and hierarchical levels.
•
Considering both professional expertise and social influence factors in the selection.
🎓 Enablement & development:
•
Conducting specific training and workshops for Security Champions.
•
Building both technical and communicative and pedagogical competencies.
•
Creating a continuous development journey with clear learning paths.
•
Regular exchange and knowledge transfer within the Champion network.
•
Access to expert resources, current information, and best practices.
🔄 Roles & responsibilities:
•
Defining clear roles and responsibilities for Security Champions.
•
Creating structured activities and tasks within the Champion role.
•
Balancing formal tasks and freedom for own initiatives.
•
Integrating Champion activities into regular work processes and schedules.
•
Aligning expectations between Champions, leaders, and the security team.
⚡ Motivation & recognition:
•
Developing a recognition and appreciation system for the Champions' commitment.
•
Creating visibility and opportunities for impact for Champions within the organization.
•
Promoting intrinsic motivation through autonomy, competency development, and a sense of belonging.
•
Considering Champion engagement in performance reviews and career development.
•
Regular evaluation and feedback on the effectiveness and satisfaction in the Champion role.
💡 Expert tip:The success of a Security Champion program depends significantly on the continuous support and appreciation of the Champions. Invest in regular impulses, community building, and the visibility of the program within the organization. Particularly important is the official recognition of the role by leaders and the provision of necessary resources and time allocations. Continuously develop the program and create mechanisms for regular feedback and improvements.
How can security culture be promoted across organizational boundaries?
🌐 Ecosystem & supply chain:
•
Developing a security culture strategy for the entire corporate ecosystem.
•
Integrating partners, suppliers, and service providers into security culture initiatives.
•
Establishing shared security values and standards within the ecosystem.
•
Creating transparency and trust on security matters across organizational boundaries.
•
Promoting the exchange of best practices and lessons learned within the network.
🤝 Collaboration & knowledge transfer:
•
Creating platforms for cross-organizational exchange on security topics.
•
Conducting joint workshops, training, and awareness measures.
•
Establishing community structures for security officers from various organizations.
•
Promoting mutual learning and continuous improvement within the network.
•
Developing collaborative approaches for shared security challenges.
⚖ ️ Governance & alignment:
•
Establishing clear governance structures for cross-organizational security collaboration.
•
Developing shared metrics and KPIs for measuring security culture across the ecosystem.
•
Aligning security policies and processes across organizational boundaries.
•
Creating mechanisms for handling security incidents within the ecosystem.
•
Balancing standardization and consideration of organization-specific characteristics.
🚀 Joint innovation:
•
Promoting joint innovations and pilot projects in the area of security culture.
•
Developing new approaches for cross-organizational and cross-industry security challenges.
•
Using different perspectives and experiences for creative solutions.
•
Joint testing and evaluation of new security culture approaches.
•
Creating an innovation ecosystem for the continuous development of security culture.
💡 Expert tip:Promoting a security culture across organizational boundaries requires a balanced relationship between shared standards and consideration of specific organizational contexts. Particularly successful are approaches based on shared values and objectives, but allowing flexibility in implementation. Invest in building trust and transparent communication as the foundation for successful collaboration in the security domain.
How do regulatory requirements influence the development of a security culture?
⚖ ️ Compliance & culture development:
•
Integrating regulatory requirements as a foundation and catalyst for culture development.
•
Transforming compliance requirements into values-based cultural practices.
•
Using regulatory requirements as a minimum, not a maximum, of the security culture.
•
Developing a positive narrative connecting compliance and culture development.
•
Balancing adherence to regulations and promotion of intrinsic motivation.
🧩 Strategic integration:
•
Developing a comprehensive strategy that connects regulatory requirements and culture development.
•
Aligning compliance measures with the overarching security culture strategy.
•
Integrating regulatory requirements into existing cultural practices and processes.
•
Using regulatory impulses for the strategic further development of the security culture.
•
Creating a consistent overall picture rather than isolated compliance initiatives.
🔄 Dynamic adaptation:
•
Developing agile approaches for adapting to changing regulatory requirements.
•
Promoting a proactive attitude toward new regulations and standards.
•
Creating processes for continuous review and adaptation.
•
Integrating regulatory change management into the culture development strategy.
•
Balancing stability and flexibility in culture development.
💬 Communication & meaning-making:
•
Conveying the significance and benefits of regulatory requirements.
•
Creating understanding of the connection between regulation and security objectives.
•
Transparent communication about regulatory changes and their impacts.
•
Using various communication formats for different target audiences.
•
Developing a positive narrative on the importance of compliance in the security culture.
💡 Expert tip:Regulatory requirements can serve as an effective catalyst for the development of a security culture when they are understood not as an isolated compliance exercise, but as an integral part of culture development. The key lies in transforming external requirements into intrinsically motivated cultural practices through meaning-making communication, strategic integration, and the emphasis on shared values and objectives.
What role do storytelling and narratives play in the development of a security culture?
📚 Cultural narratives:
•
Developing compelling narratives on the importance of information security within the organization.
•
Creating a shared language and shared meanings for security topics.
•
Integrating security aspects into the overarching corporate story.
•
Using metaphors and symbols to illustrate abstract security concepts.
•
Promoting a positive, future-oriented narrative about security culture.
👥 Personal stories:
•
Collecting and sharing authentic experiences and stories from employees.
•
Using personal narratives from leaders to demonstrate commitment.
•
Creating emotional connections to abstract security topics through personal examples.
•
Promoting peer-to-peer storytelling in teams and communities.
•
Integrating different perspectives and experiences into the security narratives.
🎬 Formats & channels:
•
Developing various storytelling formats for different contexts and target audiences.
•
Using visual storytelling methods such as videos, comics, or infographics.
•
Integrating storytelling into various communication and training formats.
•
Creating platforms and channels for continuous storytelling.
•
Balancing digital and personal storytelling formats.
🔄 Evolution & co-creation:
•
Promoting the continuous further development and enrichment of security narratives.
•
Involving various stakeholders in the joint development of cultural stories.
•
Integrating new experiences, challenges, and successes into the evolving narrative.
•
Creating feedback loops to evaluate the effectiveness of storytelling approaches.
•
Balancing consistency of core messages and evolutionary further development.
💡 Expert tip:Storytelling is one of the most effective tools for developing a sustainable security culture, as stories create emotional connections, convey meaning, and remain in memory. Particularly effective are authentic, relevant stories that are grounded in the reality of the organization and have a clear connection to the values and objectives of the organization. Invest in the systematic collection, development, and dissemination of security stories at all levels of the organization.
How can a security culture be sustainably anchored in the long term?
🏛 ️ Structural anchoring:
•
Integrating security aspects into fundamental organizational structures and processes.
•
Anchoring security culture in governance structures and decision-making processes.
•
Establishing formal roles, responsibilities, and communication channels for security culture.
•
Creating organizational mechanisms for continuous culture development.
•
Developing institutional structures for long-term culture maintenance and development.
🧠 Cultural internalization:
•
Promoting the internalization of security values and beliefs at the individual level.
•
Transforming explicit rules into implicit beliefs and shared assumptions.
•
Developing intrinsic motivation for security-conscious behavior.
•
Creating an emotional connection to security topics beyond rational understanding.
•
Promoting ownership and personal identification with the security culture.
🔄 Continuous evolution:
•
Establishing mechanisms for the continuous review and further development of the security culture.
•
Promoting a learning organization in the area of information security.
•
Regular evaluation and adaptation of cultural practices to new challenges.
•
Balancing stability and adaptability in culture development.
•
Integrating continuous improvement processes into culture maintenance.
🌱 Long-term culture maintenance:
•
Developing a long-term strategy for maintaining and further developing the security culture.
•
Considering culture development in strategic planning and roadmaps.
•
Creating resources and capacities for continuous culture work.
•
Integrating security culture into long-term organizational development processes.
•
Establishing shared responsibility for long-term culture maintenance at all levels.
💡 Expert tip:The long-term anchoring of a security culture requires a comprehensive approach that addresses both structural and cultural dimensions. The key lies in the balance between formal institutionalization and a living, adaptive culture development. Particularly important is the continuous maintenance and renewal of the culture through regular impulses, shared rituals, and active engagement with new challenges and opportunities.
Latest Insights on Culture Development
Discover our latest articles, expert knowledge and practical guides about Culture Development
Informationssicherheit
EU AI Act Enforcement: How Brussels Will Audit and Penalize AI Providers — and What This Means for Your Company
March 17, 2026
7 min
On March 12, 2026, the EU Commission published a draft implementing regulation that describes for the first time in concrete detail how GPAI model providers will be audited and penalized. What this means for companies using ChatGPT, Gemini, or other AI models.
Informationssicherheit
NIS2 and DORA Are Now in Force: What SOC Teams Must Change Immediately
March 17, 2026
10 min
NIS2 and DORA apply without grace period. 3 SOC areas that must change immediately: Architecture, Workflows, Metrics. 5-point checklist for SOC teams.
Informationssicherheit
Control Shadow AI Instead of Banning It: How an AI Governance Framework Really Protects
March 17, 2026
8 min
Shadow AI is the biggest blind spot in IT governance in 2026. This article explains why bans don't work, which three risks are really dangerous, and how an AI Governance Framework actually protects you — without disempowering your employees.
Informationssicherheit
EU AI Act in the Financial Sector: Anchoring AI in the Existing ICS – Instead of Building a Parallel World
March 17, 2026
5 min
The EU AI Act is less of a radical break for banks than an AI-specific extension of the existing internal control system (ICS). Instead of building new parallel structures, the focus is on cleanly integrating high-risk AI applications into governance, risk management, controls, and documentation.
Informationssicherheit
The AI-supported vCISO: How companies close governance gaps in a structured manner
March 13, 2026
6 min
NIS-2 obliges companies to provide verifiable information security. The AI-supported vCISO offers a structured path: A 10-module framework covers all relevant governance areas - from asset management to awareness.
Informationssicherheit
DORA Information Register 2026: BaFin reporting deadline is running - What financial companies have to do now
March 10, 2026
12 min
The BaFin reporting period for the DORA information register runs from 9th to 30th. March 2026. 600+ ICT incidents in 12 months show: The supervisory authority is serious. What to do now.
Success Stories
Discover how we support companies in their digital transformation
Digitalization in Steel Trading
Klöckner & Co
Digital Transformation in Steel Trading
Case Study
Results
Over 2 billion euros in annual revenue through digital channels
Goal to achieve 60% of revenue online by 2022
Improved customer satisfaction through automated processes
AI-Powered Manufacturing Optimization
Siemens
Smart Manufacturing Solutions for Maximum Value Creation
Case Study
Results
Significant increase in production performance
Reduction of downtime and production costs
Improved sustainability through more efficient resource utilization
AI Automation in Production
Festo
Intelligent Networking for Future-Proof Production Systems
Case Study
Results
Improved production speed and flexibility
Reduced manufacturing costs through more efficient resource utilization
Increased customer satisfaction through personalized products
Generative AI in Manufacturing
Bosch
AI Process Optimization for Improved Production Efficiency
Case Study
Results
Reduction of AI application implementation time to just a few weeks
Improvement in product quality through early defect detection
Increased manufacturing efficiency through reduced downtime
Let's
Work Together!
Is your organization ready for the next step into the digital future? Contact us for a personal consultation.
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
Ready for the next step?
Schedule a strategic consultation with our experts now
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
Your strategic goals and challenges
Desired business outcomes and ROI expectations
Current compliance and risk situation
Stakeholders and decision-makers in the project
Prefer direct contact?
Direct hotline for decision-makers
Strategic inquiries via email
Detailed Project Inquiry
For complex inquiries or if you want to provide specific information in advance