
Building a strong security culture that goes beyond just tools and policies | Steve Winterfeld, Akamai


Building a strong security culture is essential for organizations to defend against cyber threats. In today’s episode of CISO Insights, Steve Winterfeld, Advisory CISO at Akamai, discusses the role of security culture in mitigating risks, the importance of balancing technology, processes, and people, and how organizations can foster continuous awareness. Winterfeld emphasizes that effective security culture goes beyond annual training, requiring proactive engagement, accountability, and adaptability to evolving threats like generative AI (GenAI).

Winterfeld argues that a strong security culture is the best defense against social engineering. When employees are consistently aware of risks such as phishing emails, they become a proactive line of defense rather than the weakest link. Security should not be treated as a one-time training exercise but as an everyday mindset, reinforced through continuous learning, engagement, and ownership.

While many companies aspire to build a security-conscious culture, they often struggle with implementation. Traditional security training focuses on policies rather than on behavior. Winterfeld says, “Whenever I hear somebody talk about security training, I have a feeling they probably don’t have a security culture—because they don’t talk about the attitude [of] making people aware.”

Because of these limitations, Winterfeld advocates for interactive approaches that go beyond compliance-based training. Gamification, hackathons, and real-world exercises can help make security awareness more engaging. Offering cybersecurity training that extends to employees’ families can also create a personal investment in security, reinforcing these habits in the workplace.

To build a strong security culture, Winterfeld outlines a three-part framework: people, technology, and processes. Employees need the right mindset and training to recognize risks, and organizations must establish clear processes for reporting and responding to security threats. Technical controls such as multi-factor authentication (MFA) and access segmentation enforce security without overly restricting employees, so that a single compromised credential or phished user does not translate directly into broad access. At the same time, Winterfeld warns against excessive monitoring, which can erode trust and hinder innovation.

Another key factor in building a strong security culture is accountability. Winterfeld stresses the need for both incentives and consequences: rewarding employees who demonstrate strong security practices, while addressing those who repeatedly fail training or dismiss their security responsibilities. He underscores the need for a balanced approach, in which employees are supported in improving their security awareness rather than punished for honest mistakes, since a culture that punishes mistakes discourages the reporting that incident response depends on.

Winterfeld also addresses the growing security risks posed by generative AI, from employees inadvertently exposing sensitive company data by pasting it into external GenAI tools to the rise of AI-generated cyber threats such as more convincing phishing lures. Protecting proprietary AI models is another emerging concern. Winterfeld emphasizes that organizations must train employees on secure AI usage and continuously refine their security strategies in response to these evolving challenges.

Guest: Steve Winterfeld (LinkedIn)
Company: Akamai
Show: CISO Insights

This summary was written by Emily Nicholls. 
