
No security tool can prevent an employee from wiring a million dollars to a fraudulent account because an urgent email appears to come from the chief executive officer (CEO). No firewall stops someone from granting an AI agent full access to their browser, email, and password manager without a second thought. The most sophisticated technical defenses in the world are consistently outmaneuvered by the same vulnerability: people who were never given a reason to think carefully about what they were doing.

Tracy R. Reed, Director of Cybersecurity Practice at Unrisk, cybersecurity auditor, and virtual chief information security officer (vCISO), has spent his career arguing that culture is the most powerful security control an organization can build, and the one most consistently neglected. “Having a culture of security where people are educated, informed, and incentivized to care about security really addresses the issue at its root level,” Reed states. “Tools alone cannot replicate that.”

Make the Threat Feel Real, Not Theoretical

Annual security awareness training produces employees who can recite password requirements. It does not produce employees who treat security as a personal concern. The gap between compliance and commitment comes down to whether people can viscerally understand why the threat matters, not in the abstract, but in terms they can connect to their own experience.

Reed draws on a principle from behavioral psychology to explain what actually changes employee behavior. The availability heuristic holds that people assign greater importance to risks they can easily recall. Plane crashes appear in the news with dramatic visuals and emotional weight, which is why many people fear flying despite driving being statistically far more dangerous. The same mechanism works in cybersecurity. 

Organizations that share stories of competitors devastated by breaches, treat internal incidents and near misses as teachable moments, and communicate the real financial and client consequences of security failures give employees the concrete mental images that make threats feel personal and probable rather than distant and unlikely. “Exploit that availability heuristic,” Reed advises, “so that they will assign a higher risk to cybersecurity incidents and not just blow them off as ‘never going to happen.’” Monthly security emails from the director of security, covering recent incidents, near misses, and industry events relevant to the organization’s sector, sustain that awareness without relying on the annual video that nobody remembers by the following week.

When a Breach Happens, the Accountability Flows Upward

When an employee clicks a malicious link, some leadership teams react by treating it as an individual failure. Reed challenges that framing directly. Even if the immediate cause is a single employee’s error, that error always traces back to inadequate training, poor education programs, or a hiring decision, all of which fall within management’s responsibility. “You can sometimes delegate authority to someone below you in the corporate structure,” Reed notes, “but you can never delegate responsibility. All the responsibility flows to the top.” 

Punishing individual contributors for security mistakes is both unfair and strategically counterproductive. It discourages people from reporting incidents and near misses, exactly the information an organization needs to improve its security posture. Leadership accountability for security outcomes is not a philosophical position. It is the structural reality of how organizations work.

AI Agents Are Already Inside, Policy Needs to Catch Up

The most urgent emerging security challenge is one that most organizations have not addressed at all. 

Employees are independently downloading and deploying AI agents, granting them access to browsers, email accounts, and password managers without any governing policy in place. The consequences range from data leaks to complete corruption of critical systems: one concrete example Reed cites is an employee who gave an AI agent unrestricted access to a customer relationship management (CRM) system and had it entirely wrecked as a result. “If you do not have a policy regarding AI, including agentic AI, when all of your employees can download and run one, you are way behind the curve,” Reed states plainly. 

The same urgency applies to AI-powered social engineering. Voices, emails, and increasingly video appearances can be convincingly faked, making phone and digital authorization protocols unreliable for high-stakes decisions. The answer is to establish and clearly communicate, before an attack occurs, that certain sensitive actions, such as wire transfers and privilege escalations, will only be authorized face-to-face. 

A culture that instills healthy skepticism toward unusual requests, combined with clear, established procedures, is what holds the line as deception technology keeps improving. Security teams that build this culture are not the department of ‘no’. They are the function that lets the business operate at full capacity while carrying as little avoidable risk as possible.

Follow Tracy R. Reed on LinkedIn for more insights on building security cultures, cybersecurity governance, and the organizational practices that actually prevent breaches.