⚠️ Why Should a Security Program Align With The Culture of an Organisation?
Whilst on paper it makes sense to create the most ‘air-tight’ and impenetrable security program for every client we work with, this is actually a fatal mistake and could even cause their pre-existing security posture to go into meltdown.
After taking on a new client and getting that hard-earned support from management, it may feel like it’s time to throw the kitchen sink and really bolster their security posture to the max.
But going all-in and implementing controls like:
- Separation of Duties
- Fully redundant network topologies like Full Mesh
- Configuring biometric authorisation controls with a high sensitivity threshold
… and so on.
These may feel like the best way to provide value to the client, but if their corporate culture doesn’t align with these controls then the security program will be about as robust as a house of cards on a windy beach.
🧑‍🍳 To illustrate this, let me cook up an example…
💳 Example: John’s Fintech Startup
John owns a Fintech startup and is trying to penetrate the market. The startup has a high risk appetite and its USP is that users can open a bank account in under 60 seconds.
John wants to obtain more market share by expanding into untapped Eastern Europe, which means his startup must be compliant with ISO 27001 and DORA. He hires a cybersecurity consultancy to implement a security program that will achieve this.
The consultancy creates a plan that appears flawless (on paper):
- Strict separation of duties
- Biometric authentication at every workstation and within the office
- Redundant full mesh network with fault tolerance
🚨 What Happened Next
John approved the plan and rolled it out across the organisation.
Within weeks problems surfaced.
Separation of Duties
Junior staff did not have sufficient privileges to complete the entire account onboarding process. They had to escalate approvals to their manager.
This resulted in new users waiting up to 20 minutes to open a bank account on the platform — a far cry from the claimed 60 seconds.
The outcome: a 20% drop in the startup’s userbase.
Biometric Authentication
At workstations, biometrics introduced constant friction. Because the system was set to a high sensitivity to minimise false accepts (unauthorised users mistakenly being authorised), it also produced a high false reject rate for authorised employees, leaving staff locked out during peak hours.
Employees responded by:
- Sharing fallback credentials to bypass workstation biometric authentication
- Propping open doors protected by biometric authentication
Unfortunately, these workarounds, adopted purely for convenience, defeated the very controls that were intended to improve security.
Full Mesh Network
As the startup expanded into Eastern Europe, network complexity grew exponentially.
- A large portion of investor funds was diverted into maintaining the network rather than improving the user experience
- Teams lacked the expertise to maintain the infrastructure as the network grew.
- As the network scaled, the misconfigurations that arose created more risk than the topology mitigated
📉 The Consequences
Eventually management disabled large portions of the security program.
John was unable to obtain more funding from investors due to:
- The declining userbase
- High expenditure on a botched security program
Instead, he was left with:
- A frustrated workforce
- A broken security posture
- Very little investor funding remaining
✅ The Lesson
The consultancy’s mistake was failing to design a security program around the organisation’s speed-driven culture and high risk appetite.
They should not have implemented restrictive enterprise-style controls.
Instead, they should have aligned the program with the company’s operational goals, tactical goals, and strategic objectives.
Alternative Controls
- Biometric Authentication for sensitive facilities only, such as Main Distribution Frames. At workstations, require 2FA with a hardware token based on asymmetric cryptography. This allows the biometric systems to be configured with a high sensitivity without introducing a level of friction that harms the organisation's operational goals.
- Threshold-Based Separation of Duties: for example, if an applicant is from a sanctioned country, junior staff must obtain approval from a manager; for all other applicants, junior staff can complete onboarding independently.
- Partial Mesh Network: provides the redundancy and security benefits of full mesh without its scalability issues.
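To make the threshold-based separation of duties concrete, here is an added example (my own illustration, not code from the post or from any real onboarding platform). It scores an application from a few risk signals, routes only high-risk applications to a manager, and enforces that the approval actually comes from a manager other than the staff member who processed the application. The sanctioned-country list, the signal weights and the threshold are constructed placeholders; a real deployment would take them from the sanctions screening provider and the firm's risk appetite statement.

```python
"""Threshold-based separation of duties for account onboarding (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

# Constructed placeholder list; NOT an authoritative sanctions list.
SANCTIONED_COUNTRIES = frozenset({"XX", "YY"})

# Constructed weights and threshold; in practice these come from the risk appetite.
MANAGER_THRESHOLD = 40
HIGH_VALUE_DEPOSIT = 10_000


class Decision(Enum):
    AUTO_APPROVE = "auto_approve"            # junior staff finish onboarding alone
    MANAGER_APPROVAL = "manager_approval"    # the SoD gate applies


@dataclass(frozen=True)
class Applicant:
    applicant_id: str
    country: str              # ISO 3166-1 alpha-2 style code (constructed values)
    id_verified: bool         # outcome of the automated identity check
    pep_match: bool = False   # politically exposed person screening hit
    initial_deposit: float = 0.0


@dataclass(frozen=True)
class Staff:
    user_id: str
    role: str                 # "junior" or "manager"


@dataclass
class Assessment:
    decision: Decision
    risk_score: int
    reasons: List[str] = field(default_factory=list)


def assess(applicant: Applicant) -> Assessment:
    """Score the application and decide whether manager approval is required."""
    score, reasons = 0, []
    if applicant.country in SANCTIONED_COUNTRIES:
        # The post's own rule: a sanctioned country always triggers the gate.
        score += MANAGER_THRESHOLD
        reasons.append("applicant from sanctioned country")
    if not applicant.id_verified:
        score += 30
        reasons.append("automated identity verification failed")
    if applicant.pep_match:
        score += 30
        reasons.append("PEP screening match")
    if applicant.initial_deposit >= HIGH_VALUE_DEPOSIT:
        score += 15
        reasons.append("high-value initial deposit")
    decision = (Decision.MANAGER_APPROVAL if score >= MANAGER_THRESHOLD
                else Decision.AUTO_APPROVE)
    return Assessment(decision, score, reasons)


def open_account(applicant: Applicant, operator: Staff,
                 approver: Optional[Staff] = None) -> str:
    """Enforce the gate. Returns 'opened' or 'pending_manager_approval'.

    Low-risk applications are opened by the operator alone, preserving the
    60-second onboarding. High-risk ones need a second person who is a manager
    and is not the operator (no self-approval).
    """
    assessment = assess(applicant)
    if assessment.decision is Decision.AUTO_APPROVE:
        return "opened"
    if approver is None:
        return "pending_manager_approval"
    if approver.role != "manager" or approver.user_id == operator.user_id:
        raise PermissionError("approval must come from a manager other than the operator")
    return "opened"


if __name__ == "__main__":
    junior, manager = Staff("j1", "junior"), Staff("m1", "manager")
    fast_path = Applicant("a1", "GB", id_verified=True)         # constructed sample
    gated = Applicant("a2", "XX", id_verified=True)             # constructed sample
    print(assess(fast_path), open_account(fast_path, junior))
    print(assess(gated), open_account(gated, junior))
    print(open_account(gated, junior, approver=manager))
```

The point of the design is that the friction is spent only where the risk is: the common case never waits for a manager, while the gate for the rare high-risk case is enforced in code rather than by asking junior staff to remember a policy.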
Hopefully that has provided some insight on the importance of a culture-driven security program.
As always, for this post please let me know any improvements I could make — whether it’s about the flow, readability, content etc. My goal is to make each post better than the last. 😊