Cybersecurity training is vital, but it’s not enough. Your organization’s most critical defense is often overlooked: the workplace culture. If your employees don’t feel safe speaking up, your security training is built on a shaky foundation.
True corporate cyber resilience requires empowering employees to think critically, voice concerns, and, most importantly, admit mistakes without fear of reprisal.

According to Anna Collard, SVP of Content Strategy at KnowBe4 Africa, psychological safety refers to:
An organizational environment where employees feel confident they can slow down to question suspicious activities, report security concerns, admit mistakes, and challenge instructions without fear of blame, punishment or professional retaliation.
It’s the secret every good parent knows: if you punish confession, you teach people to lie. Similarly, if employees are blamed for a security incident, they learn a simple lesson: hiding the truth leads to a better outcome than admitting it.
When employees don’t feel secure, the organization is left vulnerable. Several toxic dynamics destroy psychological safety and suppress security reporting:
- Blame-First Culture: Organizations that immediately ask, “Who did this?” instead of “How can we prevent this?” drive incidents underground. Employees will hide concerns that could lead to early detection.
- Perfectionism and Binary Security: Presenting security as strictly “perfect compliance versus failure” makes employees afraid to admit any uncertainties or small mistakes.
- The Silo Mentality: When security teams are seen as separate outsiders, rather than partners, employees are less likely to share concerns, especially if IT has a history of dismissing non-technical staff.
- Inconsistent Messaging: Leaders who preach that “security is everyone’s responsibility” but then break the rules themselves or exclude non-technical staff from discussions create confusion and resentment.
Fortunately, organizations can actively correct these dynamics and strengthen their human layer.
- Implement Blameless Post-Mortems: Adopt the practice of blameless post-mortems after security incidents. Frame these events as valuable insights into attack sophistication, not user failure.
  Example: When GitLab accidentally deleted a production database in 2017, they didn’t point fingers. Instead, they transparently live-blogged the recovery and treated it as a learning opportunity. This culture of openness allowed for quick action and prevention without cover-ups.
- Create Positive Feedback Loops: Managers should stop coming down hard on errors and start rewarding honest reporting.
  - Establish systems where reporting suspicious emails or activities is celebrated.
  - Make reporting feel like a contribution rather than a confession or a compliance burden.
- Model the Right Behavior: Security isn’t just an IT problem; it’s a leadership challenge.
  - Integrate Security Champions across all departments.
  - Celebrate learning over perfection.
  - Leaders must model vulnerability and continuous learning, showing that it’s okay to ask questions and admit mistakes.
Collard advises two final, foundational concepts:
- Digital Mindfulness: Foster a culture of pausing and seeking help rather than rushing through high-pressure tasks. These are the moments when we are most likely to make mistakes.
- Adopt Zero Trust Principles: Zero-trust requires continuous verification and questioning. However, this rigorous approach only works when employees feel psychologically safe to voice their concerns and suspicions.
The most secure organizations are not those that demand perfection. They are the ones that enable people to speak up, learn, and respond quickly when something inevitably goes wrong. Psychological safety is truly the critical foundation for lasting cybersecurity resilience.