Cybersecurity training is vital, but it’s not enough on its own if your workplace culture discourages people from speaking up. Good corporate security awareness includes empowering employees to think critically, voice concerns and admit mistakes, without fear of reprisal.
The secret is one that every parent who has persuaded a child to own up to a mistake already knows.
Psychological safety is an underrated part of organisational cyber resilience and yet it’s essential if companies want to strengthen their cyber defences from within. “Psychological safety refers to an organisational environment where employees feel confident they can slow down to question suspicious activities, report security concerns, admit mistakes, and challenge instructions without fear of blame, punishment or professional retaliation,” explains Anna Collard, senior vice-president of content strategy at KnowBe4 Africa.
Jonah Berger writes in his book, Invisible Influence: The Hidden Forces that Shape Behavior: “Parents who react negatively when their children confess to something bad they’ve done are inadvertently training them to lie. If a child tells you they broke a vase and you get angry and punish them severely, they learn a simple lesson: admitting the truth leads to a bad outcome.”
The question organisations need to ask themselves, even when they have implemented industry-leading security awareness training (SAT), is this: “What happens to employees who admit a serious cybersecurity mistake? And, just as importantly, what do they expect will happen to them?”
What happens when employees don’t feel safe to speak up?
Collard believes there are several toxic dynamics in organisations that undermine security reporting. “The most notable is the blame-first culture,” she states. “Organisations that immediately ask: ‘Who did this?’ instead of ‘How can we prevent this?’ create defensive behaviours where employees hide incidents.” Instead of reporting concerns that could lead to early detection, employees become silent because they fear consequences.
Another unhealthy dynamic in workplaces is when managers suffer from perfectionism. “When security is presented as binary (perfect compliance versus failure), employees avoid admitting any uncertainties or mistakes,” asserts Collard.
Having a silo mentality can also be a stumbling block. “When security teams are seen as separate from business operations, employees view them as outsiders rather than partners,” she comments. This is especially true if IT personnel fail to take employees’ concerns seriously or dismiss them altogether.
Another dangerous phenomenon is when employees are confused by inconsistent messaging. “Staff don’t like it when leaders preach that security is everyone’s responsibility, but then exclude non-technical staff from security discussions or break the rules themselves,” Collard says.
Overcoming barriers to psychological safety
Fortunately, there are many courses of action that organisations can take to correct these unfavourable dynamics. “It’s really helpful when companies implement blameless post-mortems after security incidents,” she shares.
A good example is GitLab’s 2017 incident, when a systems administrator accidentally deleted a production database, resulting in about six hours of lost data. The team responded transparently, live-blogging and live-streaming the recovery, publishing a public post-mortem and treating the whole episode as a learning opportunity. “A culture of openness meant the issue was addressed immediately, with no blame or cover-ups – just quick action and prevention,” comments Collard.
She recommends integrating security champions across all departments and celebrating reporting and learning over perfection. “It also helps when leaders model vulnerability and continuous learning,” she emphasises.
Creating positive feedback loops
Instead of coming down hard on employees who mess up, managers should frame these incidents as valuable insights about attack sophistication rather than user failure. “This can be reinforced by creating positive feedback loops as a core part of human risk management,” Collard says. “Establish systems where reporting suspicious emails or activities is rewarded and celebrated, making reporting feel like a contribution rather than a confession – or even just perceived compliance burdens with no purpose.”
Her final piece of advice is for leaders to adopt a zero-trust mindset, applying the same “never trust by default, always verify” principle that underpins zero-trust architectures to everyday human decisions. “Zero-trust principles require continuous verification and questioning,” she asserts. “But this only works when people feel psychologically safe to voice their concerns.”
Digital mindfulness is another essential tool for strengthening the human layer within an organisation. “Fostering a culture of pausing and seeking help rather than rushing through work is hard in a world that moves at a relentless pace,” Collard concedes. “But it’s in those high-pressure moments that we need to be most grounded and focused to avoid mistakes.”
Ultimately, she believes the most secure organisations are not those that expect perfection, but those that enable people to speak up, learn and respond quickly when something goes wrong. “Psychological safety is a critical foundation for any organisation serious about cybersecurity resilience,” Collard concludes.