How to Build a 12-Month NCSC Cyber Security Culture Roadmap

Ok. Here's where we are. You’ve read the NCSC cyber security culture guidance. You’ve nodded along with the six principles. You might even have a few initial cyber culture improvement projects underway.

But when someone asks:

“Okay, so what’s the actual plan for the next year?”

…things get fuzzy fast. (and not the good kind of fuzzy, like our puppets.) 

Do you start with training? Policies? Leadership? AI? Metrics?
Do you try to tackle all six principles at once?
How do you sequence the work so it’s realistic, not fantasy?

Good news. We're here to help. This article walks you through a 12-month NCSC-aligned culture roadmap you can adapt to your organization:

• Quarter by quarter

• Principle by principle

• With clear milestones for CISOs, awareness leads, and HR / People teams

We’ll also show where our HumanOS™, culture model, and organizational dynamics model slot in, so the plan isn’t one-size-fits-all. This is your culture, it's unique, and your Human Risk Management Program must always be both aligned and in concordance. 

Why You Need a 12-Month Roadmap (Not Just “More Culture Stuff”)

What we've found from working with both global enterprises and midsized organizations in their Human Risk Management maturity journey is that without a roadmap, culture efforts tend to:

• Get stuck in one-off campaigns (“Cyber Awareness Month! Again!”)

• Over-index on training and phishing, under-invest in leadership and process

• Drift from NCSC’s principles into a random grab-bag of activities

• Struggle to show progress to the board or auditors (this is a big one, read more here) 

A simple 12-month roadmap helps you:

• Prioritize what matters most

• Sequence work so people aren’t overwhelmed

• Make NCSC’s culture principles visible and actionable

• Turn “we’re working on culture” into “here’s what happens in Q1, Q2, Q3, Q4”

You’re not locking yourself into a rigid plan; you’re giving yourself a default path you can adapt as you learn.

The Big Picture: Four Phases in 12 Months

Think of the year as four phases (if you say four seasons it sounds like Vivaldi, so for clarity, we'll say phases) :

1. Q1 – Discover & Align

   • Baseline where you are.

   • Pick your focus principles.

   • Stand up governance.

2. Q2 – Quick Wins & System Fixes

   • Deliver visible wins.

   • Start fixing high-friction processes.

   • Begin leadership and norms work.

3. Q3 – Deep Integration

   • Embed culture work into projects, HR, and operations.

   • Mature your measurement.

   • Expand into more principles.

4. Q4 – Prove, Learn & Plan the Next Cycle

   • Show impact with data and stories.

   • Course-correct.

   • Set up an even stronger year two.

We’ll go phase by phase. Use this as a template and tweak based on your risk, sector, and internal politics. 

Q1 – Discover & Align (Months 1–3)

 Goal: Get an honest picture of where you are and align key players on what you’re doing and why.

1. Baseline your cyber culture and human risk

You don’t need a 60-question survey and a year-long ethnography. You do need some structured insight into:

• • How people think and feel about security

  • What they actually do day to day

  • How your systems and leadership support (or sabotage) them

Mix methods where you can:

• • A short NCSC-aligned culture pulse (10–20 questions)

  • A handful of interviews or focus groups in key teams

  • A quick review of existing data: training completion, phishing results, incident / reporting patterns, pain-point processes (access, approvals, etc.)

This is where we often plug in and run a baseline using:

• HumanOS™ – habits, attention, emotions, thinking patterns

• Cyber Safety & Digital Risk culture model – how you “do” security in real workflows

• Organizational dynamics model – who you are structurally and culturally

You end Q1 with a simple, honest diagnostic, not a 200-page report.

2. Choose 1–2 NCSC principles as your first focus

Trying to “fix all six” in 12 months is a recipe for burnout. Instead, look at your baseline and ask:

• • Where are our biggest risks?

  • Where are our clearest signals of pain?

  • Where is there energy and sponsorship?

Typical first-wave picks:

• • Principle 2 – Trust, Safety & Openness
    if you see fear, silence, late reporting, and cover-ups.

  • Principle 5 – Leadership Ownership
    if leaders say the right words but don’t model the behaviors.

  • Principle 6 – Usable Rules & Guidance
    if workarounds and “I have no idea what I’m supposed to do” are everywhere.

Circle 1–2 principles for year one, and be explicit:

“This year, our priority is to improve [Principle X and Y] across the organization, while maintaining the basics on the others.”

3. Stand up a small security culture working group

In Q2 you’ll need people to own decisions, resources, and trade-offs. Before that, in Q1, set up:

• • A core group (CISO/security, HR/People, Comms, 1–2 business leaders, maybe Risk)

  • A simple charter:

    • own the NCSC culture roadmap

    • prioritize and sponsor interventions

    • review metrics quarterly

This is the group that will turn “someone should do this” into “we’re doing this.”

4. Draft your “what good looks like” statements

For your chosen principles, write 2–3 short statements that describe the culture you want 12–18 months from now.

Example for Trust & Openness (Principle 2):

• • “People feel safe admitting cyber mistakes and near misses early.”

  • “We treat incidents as opportunities to improve the system, not to blame individuals.”

You’ll use these everywhere: to design interventions, to pick metrics, and to talk to leadership and the board.

Q2 – Quick Wins & System Fixes (Months 4–6)

Goal: Show visible progress, reduce friction, and prove that this is more than another awareness campaign.

Your Q2 mantra:

“Change the system in at least one meaningful way, not just the slide deck.”

1. Deliver 2–3 visible quick wins per focus principle

For each chosen principle, design small but concrete changes that people can feel.

Examples:

• • Principle 2 – Trust & Openness

    • Change incident response language to explicitly support no-blame reporting.

    • Launch a “near miss of the month” recognition in internal comms.

  • Principle 6 – Usable Rules

    • Rewrite one confusing process (e.g., access requests) into a clear, plain-English playbook.

    • Add a “If you’re not sure, do this…” box on your intranet security page.

Keep them tightly scoped, fast to implement, and aligned with your “what good looks like” statements.

2. Fix at least one high-friction process

Hashtag hard truth: Nothing destroys security culture faster than a process that forces good people into bad choices.

In Q1 you probably heard comments like:

• • “It takes weeks to get access the ‘proper’ way.”

  • “The policy is impossible to follow if you want to hit your deadline.”

  • “The only practical way to work with this vendor is to bypass X.”

Pick one of those hot spots and treat it as a mini redesign project:

1. 1. Map the current process from a user’s perspective.

   2. Identify steps that are slow, confusing, or redundant.

   3. Work with the owners to simplify, clarify, or automate.

   4. Communicate the new, better way of working.

Then tell that story:

“We heard you. We fixed it. Here’s how this supports safer, easier work.”

This is culture work. It proves security is an enabler, not just a messenger.

3. Start nudging leadership behavior

You don’t need a giant leadership program in Q2. You do need visible signals that leaders are part of this. Here are some practical steps: 

Lightweight moves:

• • Ask 3–5 key leaders to record a 60–90 second video:
    “Why security culture matters here, and one behavior I’m committing to.”

  • Add a standing culture & human risk slot to a leadership or risk meeting agenda once a quarter.

  • Give managers a one-page conversation guide to use in team meetings:

    • “What would make you feel safe reporting something?”

    • “What’s the hardest part of ‘doing security’ in our team?”

4. Stand up your first simple metrics

You don’t need a full dashboard yet. By the end of Q2, you should have:

• • 3–5 perception metrics (survey items) for your focus principles

  • 3–5 behavior/operations metrics (reporting trends, process times, early engagement, etc.)

Agree a simple format (slide, dashboard, doc) and a quarterly cadence where the culture group looks at: what’s moving? What’s stuck? What did we learn from Q2 interventions? (Our favorite: who needs coffee?! Dashboards are always better with coffee.) 

Q3 – Deep Integration (Months 7–9)

 Goal: Move from “projects and campaigns” to embedded practices across the organization.

This is where you scale and mature.

1. Embed NCSC principles into project and change processes

Work with your PMO, product, or change teams to integrate culture questions into:

• • project initiation / business cases

  • change boards

  • risk assessments

Examples:

• • Add a small section:
    “How will this project support or impact the NCSC culture principles, especially [your focus principles]?”

  • Require early consultation with security for high-impact changes – and make that consultation helpful.

Now culture isn’t just something you train; it’s a design constraint for how change happens.

2. Integrate with HR, People, and L&D

To make culture stick, it has to show up where people: join, grow, and get evaluated.

In Q3, co-design with HR / L&D:

• • Onboarding elements that explain:

    • “Here’s how we think about cyber security culture,”

    • “Here’s what we expect from you,”

    • “Here’s how we support you.”

  • Manager development content on:

    • running psychological safety in security conversations,

    • responding to reports constructively,

    • modeling secure behavior.

  • One or two light-touch performance expectations:

    • e.g., for leaders: “Supports a culture of early, non-punitive incident reporting.”

3. Mature your content and campaigns

You’ve done some quick wins in Q2. In Q3:

• • Align your training, simulations, and campaigns explicitly with the NCSC principles:

    • “This campaign is focused on building [Principle 2] and [Principle 4].”

  • Segment your audiences: high-risk roles (finance, customer service, admins), managers vs ICs, geographies or business units with specific patterns from your baseline. (or use a tool such as our CLX Platform) 

  • Use more storytelling, humor, and real scenarios, not just rules. (Need some creative fire? Try Change.)

This is where Cybermaniacs’ creative engine often comes in: we build the characters, stories, and experiences that make dry principles feel real.

4. Strengthen your measurement and feedback

In Q3, upgrade your measurement from “initial signals” to a more robust scorecard:

• • For each of your focus principles, define:

    • 2–3 perception items (from repeated pulses)

    • 2–3 behavioral/operational metrics

  • Start tracking trends, not just snapshots:

    • quarter on quarter, per key business area

Add qualitative feedback:

• • Short interviews with managers and staff about what’s changing

  • Insights from incident reviews, HR, and service desks

Your culture group should now be running a predictable loop:

see signal → interpret → tweak interventions → see what happens next

Q4 – Prove, Learn & Plan the Next Cycle (Months 10–12)

 Goal: Tell a coherent story about what changed, what didn’t, and what you’ll do in year two.

1. Package your NCSC culture story for leadership and the board

By Q4, you want to be able to answer, clearly:

• • What NCSC means by security culture (and why it matters to your risk).

  • What your starting point was (baseline).

  • What you focused on this year (principles, outcomes).

  • What you did (key interventions).

  • What changed (metrics + stories).

  • What you learned and what comes next.

Turn that into a simple board / exec pack, not a 60-slide epic. This is where Blog 8 (CISO & board Q&A) comes in handy – it’s basically your script.

2. Do a lightweight “after action review” of your roadmap

With your culture group, ask:

• • Where did we have the most impact?

  • Which interventions actually shifted behavior or sentiment?

  • Where did we get blocked (budget, politics, capacity)?

  • Did we pick the right principles for year one?

Be honest about:

• • “We shipped X but nothing changed.”

  • “We learned that [this process] is the real bottleneck, not [that training].”

This isn’t about blame; it’s about tuning your operating model for year two.

3. Decide how to evolve your focus for year two

You have a few options:

• • Deepen the same principles
    if you see progress but still lots of risk.

  • Add one new principle into focus
    e.g., you nailed Trust & Openness and Usable Rules → next year you add Social Norms or Adapt & Learn.

  • Shift emphasis to a new area
    if you’ve materially improved your initial priorities and other risks are now more urgent.

Update your “what good looks like” statements and metrics accordingly.

4. Refresh your 12-month roadmap and communicate it

Now you basically repeat the loop:

• • Q1: New baseline (or pulse), re-alignment

  • Q2: New wave of quick wins and system fixes

  • Q3: Deeper integration

  • Q4: Prove, learn, and set up the next cycle

Share a simple summary with stakeholders:

• • “Here’s where we started, what we changed, and what we’re doing next.”

That’s how NCSC culture principles turn into a living program, not a PDF on a shelf. 

Where Cybermaniacs Typically Plug Into a 12-Month Roadmap

We’ve run this kind of roadmap with a lot of organizations. The pattern is usually:

• Q1 – Discover & Align

  • We run an NCSC-aligned baseline using HumanOS, culture, and org dynamics models.

  • We help you pick your first-year principles and write “what good looks like.”

• Q2 – Quick Wins & System Fixes

  • We co-design interventions (including process fixes) and bring creative campaigns that make them land.

  • We support leadership messaging and initial measurement.

• Q3 – Deep Integration

  • We help embed NCSC principles into projects, HR, and L&D.

  • We mature your scorecard and feedback loops.

• Q4 – Prove, Learn & Plan

  • We help you build the board / exec story.

  • We facilitate retrospectives and plan the next cycle.

The goal isn’t to park a consulting team forever. It’s to stand up a culture operating model that your own teams can run and evolve.

A One-Page 12-Month NCSC Culture Roadmap (Template View)

If you like seeing things at a glance, here’s a simple template you can adapt:

Q1 – Discover & Align

• Run baseline (pulse + interviews + data).

• Pick 1–2 NCSC principles to focus on.

• Stand up security culture working group.

• Write “what good looks like” per focus principle.

Q2 – Quick Wins & System Fixes

• Deliver 2–3 quick wins per focus principle.

• Redesign at least one high-friction security process.

• Kick off basic leadership engagement.

• Stand up initial perception + behavior metrics.

Q3 – Deep Integration

• Embed NCSC principles into project/change processes.

• Integrate with HR, onboarding, and manager development.

• Mature campaigns and training, aligned to principles and segments.

• Build a simple culture scorecard and quarterly review rhythm.

Q4 – Prove, Learn & Plan

• Build an NCSC culture story for leadership/board.

• Run a retrospective with the culture group.

• Decide focus principles and priorities for year two.

• Refresh the roadmap and communicate the plan.

Key Takeaways

If you want NCSC cyber security culture principles to be more than “a thing we read,” you need:

• A 12-month roadmap that sequences the work, not just a long wish list

• A focus on 1–2 principles at a time, not all six everywhere

• A willingness to change systems and processes, not just comms and training

• Simple, NCSC-aligned metrics and a quarterly feedback loop

Most importantly: you don’t have to do it perfectly. You just have to start! 

To dive deeper into the NCSC Cyber Security Culture Principles, check out our comprehensive guide here.