Cybersecurity Culture Transformation: Microsoft’s Digital Defense Report

The annual release of Microsoft’s Digital Defense Report is always a milestone moment for the cybersecurity industry. For us, as an organization deeply invested in reshaping how companies address human risk, it serves as a benchmark of how we are all working to build effective cyber defenses. This year’s report, packed with insights on evolving threats, stands out to us for one key reason: it places a spotlight on the role of culture and human factors in building effective cyber defenses.

As Tom Burt, Microsoft’s Corporate VP, aptly puts it:

“We all can, and must, do better, hardening our digital domains to protect our networks, data, and people at all levels.”

This message resonates deeply with our work. While much of the industry focuses on tools and technology, the human layer—your organization’s culture and people—remains both the most significant vulnerability and the greatest untapped asset.

 


Highlights from Microsoft’s 2024 Digital Defense Report

Unsurprisingly, the report paints a sobering picture of today’s cybersecurity landscape, with insights that are both familiar and deeply concerning:

  • AI-enabled threats are on the rise, with attackers leveraging generative AI to scale phishing and identity attacks.

  • Human-operated ransomware incidents surged by 2.75x year over year.

  • A staggering 600 million identity attacks are blocked daily by Microsoft’s systems.

Yet, amidst this flood of technological challenges, Microsoft highlights something profoundly human: culture matters. The report calls for greater focus on governance, accountability, and embedding cybersecurity as a shared responsibility across all levels of an organization. As it notes,

“The foundation of cyber resilience lies not just in technology, but in the culture of the organization.”

 


Human Risk and Cyber Culture: Microsoft’s Observations

What stood out most was Microsoft’s emphasis on Risk-Aware Organizational Culture and the impact of human behaviors on resilience. Here are a few takeaways:

1. Avoiding Pointing Fingers

Radical accountability often feels like a leap of faith that many aren’t ready to take fully within an organization. To address critical issues effectively, we must foster a safe environment for problem-solving. Except in cases of clear malicious intent, unprofessional conduct, or gross negligence, the focus should remain on building a culture of accountability. Blame only drives defensiveness and disengagement, often deepening existing frictions and widening divides—a pattern many of us have witnessed firsthand.

2. Listen & Learn 

What will start out as noise can turn into a signal if you know how to tune the dials of your people. Security insights often emerge from unexpected sources, critical thinking, and fresh perspectives. Organizations must establish mechanisms to capture and act on feedback and discoveries, wherever they originate.

3. Normalizing Shared Responsibility

Cybersecurity must be integrated into everyone’s role, from employees to board members. We call this developing a “risk mindset”—fostering an aware culture and promoting actions rooted in accountability and resilience. However, the gap between awareness and implementation is often far wider than organizations realize. Many hesitate even to measure it. Closing this gap requires not only cultivating basic cybersecurity literacy but also instilling personal responsibility and clearly defining individual roles within the broader security strategy.

4. Promoting Effective Information Flows

Breaking habits is challenging, and effective communication often comes with what we call 'collaborative overhead' — perceived inefficiencies that show up in balance sheets and progress reports. However, this effort is essential for getting the wheels turning. Like assembling an engine, success doesn’t come from a single new process or tool; it requires consistent effort and integration over time. Organizations should invest in ongoing training and reinforcement to help teams break old patterns and collaborate seamlessly.  

These insights reflect a growing industry consensus: cybersecurity isn’t just about securing endpoints or deploying the latest tools. It’s about creating a culture where employees understand, engage with, and proactively contribute to security.

 
Bridging the Gap: Our Human Risk Framework
[Image: enterprise risk with human cyber risk inside of it]

While Microsoft has done an excellent job calling out the cultural layer of cybersecurity, this report is, after all, a yearly highlight of all of cyber defense, and that is plenty of ground to cover!

However, when asking, “How do I get to a Risk-Aware Organizational Culture from where I am now?” many CISOs and Risk Executives struggle with finding actionable mechanisms for change. Where does the rubber actually hit the road? That’s where our approach to Human Resilience stands out.

We’ve developed a comprehensive framework grounded in organizational anthropology, psychology, and behavioral science. Here’s how our model compares:

  • Culture Warning Signs: We help organizations identify subtle yet critical indicators of cultural risks, such as disengagement, compliance fatigue, or misplaced priorities.

  • Human Resilience as a System: Instead of treating culture as abstract, we operationalize it—creating programs that embed resilience, accountability, and adaptability into daily workflows.

  • Measurable Impact: While many industry players stop at the “what,” we tackle the “how,” offering tools and strategies to track and improve cyber culture over time.

For example, our Risk Culture Model connects cultural insights to measurable behaviors, enabling leaders to see real progress toward their cybersecurity goals.


Moving from Insights to Action

Here’s the challenge we often hear from leaders: “I know culture matters, but where do I start?”

Too often, advice on culture boils down to vague platitudes like “create a positive environment” or “empower your teams.” While these sound good in theory, they don’t help you answer the practical questions:

  • What should a Risk-Aware Organizational Culture look like for us?

  • How do we tailor our strategy to our organization’s unique dynamics?

  • Should we aim for a big bang cultural shift, or weave changes in over 12–24 months?

This is where expertise matters. We’ve worked with companies taking vastly different approaches—some prefer bold transformations, others thrive on calm, incremental shifts. The key is knowing what the right first step is for your organization and how to sustain progress.


The Road Ahead

It’s encouraging to see industry giants like Microsoft recognizing the importance of Human Factored Risk and Cybersecurity Culture Transformation. But knowing what to aim for isn’t enough. To truly address human risk, organizations need tailored, actionable strategies grounded in science and experience.

If your team is staring at a blank page wondering how to begin, let us help. With our expertise in anthropology, behavioral science, and risk culture, we can turn abstract cultural goals into measurable, impactful outcomes.

The question isn’t whether risk culture matters—it does. The question is how to make it work for your organization.
