Cyber Culture for CISOs: Questions the Board Will Ask (and How to Answer)
If you’re a CISO, you already know this: the board is suddenly very interested in “cyber culture.”
This is a quick deep dive into one of the NCSC cyber security culture principles, designed to help you understand what it actually means in plain English, why it matters in real organizations, and how to spot it in your own world.
If you’re looking for the bigger picture on NCSC culture and how to turn these principles into a real program, you might also like:
Our overview of the NCSC cyber security culture principles and why they matter
How to operationalize the NCSC culture agenda step by step
How to build a 12-month NCSC-aligned cyber security culture roadmap
Measuring cyber security culture with NCSC-aligned metrics that actually work
The NCSC Cyber Culture FAQ: 21 Questions Answered
Use this post to get your head around this principle quickly, then jump into the longer guides when you’re ready to design or evolve your culture program.
The sixth principle is the usability one: can people actually do what you’re asking? NCSC’s culture principles and related commentary emphasize clear, usable rules and guidance—policies and processes that are accessible, shaped by real-world input, and practical for everyday work.
The reason this made the cut is that a lot of “non-compliance” is really non-usability. If “the secure way” is buried in SharePoint, slow, or confusing, staff will invent their own version that actually fits the job. Over time, those workarounds become the real process. NCSC is effectively saying: if you don’t design for usability, your culture will design its own security—quietly, informally, and usually with more risk.
NCSC is blunt about this: if your rules and processes aren’t usable, people will not follow them.
This principle is about:
clarity (“What do I do, in my job, in this situation?”),
usability (“Can I do that without jumping through flaming hoops?”),
and embedding guidance where and when decisions are made.
When guidance is confusing or painful:
People guess, copy old emails, or ask a friend.
Workarounds become the “real process.”
Policy compliance looks fine on paper but fails in reality.
You end up with a culture where secure behavior feels impossible in the time and tools people have.
Ask:
Could a new starter in Finance, Sales, or Ops explain how to handle a specific risky situation without digging through SharePoint?
How many steps does it take to do the “right thing” vs the workaround?
Are your most important security instructions written in human language, with concrete scenarios?
If secure = slow + confusing, you know what people will choose.
Rewrite one high-risk policy area (e.g., data sharing, access requests) as a short, scenario-based playbook.
Put micro-guidance where the action happens (in tools, forms, FAQs, chatbots), not just on your intranet.
Ask 3–5 frontline people to do a live walkthrough of a secure process and note every friction point.
We make “usable” real:
Converting policies into stories, checklists, and scenarios people remember
Layering human, humorous guidance on top of your existing processes
Feeding what we learn from content engagement back into your NCSC “usable guidance” metrics