Who Is Responsible for Developing a Cybersecurity Culture? Microsoft Expert Weighs In

Learn who is responsible for developing a cybersecurity culture and how clear accountability frameworks eliminate gaps that threat actors exploit.

Abnormal AI

February 1, 2026


Many organizations claim that "security is everyone's responsibility." But when a phishing email slips through and an employee clicks a malicious link, who actually owns the outcome? This ambiguity creates dangerous gaps that threat actors exploit daily.

The question of who is responsible for developing a cybersecurity culture has become increasingly urgent as attacks scale to unprecedented levels. Without clear accountability frameworks, security becomes nobody's job, even though it's everybody's concern.

This article draws from insights shared at Abnormal Innovate, featuring Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft. Watch the full recording to explore how leading organizations are building resilient security cultures: Abnormal Innovate.

Key Takeaways

  • Security professionals hold ultimate accountability for cybersecurity culture, while employees are responsible for following established practices

  • Clear accountability frameworks clarify ownership across executives, security teams, and employees—eliminating the "everyone's responsibility" paradox

  • Positive reinforcement dramatically outperforms punitive approaches in building sustainable security behaviors

  • Approachability and trust between security teams and employees directly correlate with incident reporting rates

What Is a Cybersecurity Culture?

Cybersecurity culture encompasses the shared attitudes, beliefs, and behaviors around security that permeate an organization. It represents the difference between stated values displayed on posters and the lived practices employees demonstrate daily.

Many organizations post "security is everyone's responsibility" in break rooms while simultaneously creating environments where employees fear reporting mistakes. True cybersecurity culture emerges when users feel comfortable approaching security teams with concerns—when they trust that admitting "I clicked a weird thing, and I don't know what it means" will result in help rather than punishment.

A strong security awareness training program supports this culture, but training alone cannot create it. Culture requires clear ownership, consistent messaging from leadership, and systems that reinforce rather than undermine desired behaviors. Building an effective email security culture means ensuring employees understand their role in the broader defense strategy.

Why Cybersecurity Culture Matters: The Cost of Ambiguity

When ownership is unclear, accountability gaps emerge that directly lead to security failures. The "everyone's responsibility" mantra often creates a paradox: shared responsibility without clear ownership produces diffused accountability where critical tasks fall through the cracks.

As DeGrippo explained during the Innovate session: "Things have scaled so fast and so big that I think most people are sort of overwhelmed by the speed and scope and scale of what threat actors are doing today."

This scaling makes cultural clarity more critical than ever. Ransomware attacks can devastate operations within hours. Business email compromise (BEC) schemes cost organizations millions annually. These threats succeed not primarily through technical sophistication but by exploiting human behaviors that weak security cultures fail to address.

Email: The Primary Attack Surface for Cultural Exploitation

Email remains the dominant entry point for attacks that exploit cultural weaknesses. As DeGrippo noted, BEC is "the ultimate moneymaker" for threat actors because social engineering scales effortlessly through "mass communication methods, whether that's email or text messaging." When cultural gaps exist, employees become vulnerable to sophisticated email-based manipulation that bypasses technical controls entirely.

The scale of these attacks overwhelms human-only defenses. DeGrippo emphasized that threat actors now send "millions upon millions of messages a day in a campaign." No security team—regardless of size or vigilance—can manually review this volume. Culture must work alongside technology: employees need the awareness to report suspicious messages, while automated systems handle the impossible scale of initial detection and triage.

Consider a common scenario: employees in finance receive invoices daily. As DeGrippo explained, when they "get a bill in, what are they going to do? Everything looks right on the surface, they're gonna pay that bill." Without a strong email security culture that empowers employees to question and verify, these routine email interactions become exploitation opportunities.

The stakes compound at the corporate level. DeGrippo posed a critical question: "Would a threat actor rather have access to your personal bank account or your employer's bank account?" Credential phishing targeting corporate accounts delivers far greater returns, making organizational culture the primary defense against email-based credential theft.

One particularly dangerous scenario involves attackers who get "legitimately input into a vendor management system via social engineering over multiple emails" and can then "send invoices for months and months." This vendor email compromise pattern demonstrates why culture matters—employees who feel empowered to verify unusual requests and report concerns can interrupt these schemes before significant damage occurs.

When employees don't know who to contact about suspicious emails, or when they fear reporting mistakes, organizations lose their most valuable early warning system. Every hour of delay in incident response gives an attacker more time to act, so the damage grows with the reporting gap.

Applying the RACI Framework to Nurture a Cybersecurity Culture

One framework organizations can use to establish clear accountability is RACI—Responsible, Accountable, Consulted, Informed. Originally developed for project management and widely adopted in IT governance frameworks like COBIT and NIST, RACI provides a structured approach for eliminating ambiguity about who owns what in any organizational initiative, including cybersecurity culture development.

The framework's core value lies in distinguishing between those who do the work (Responsible), those who own the outcome (Accountable), those whose input shapes decisions (Consulted), and those who need awareness of progress (Informed).

DeGrippo's comments during the Innovate session illustrate why this distinction matters for security culture: "I don't think that means that security is not everyone's responsibility. It absolutely is and it is a team sport, but as security professionals it is our job and our responsibility and the buck stops with us."

This perspective aligns with how RACI assigns accountability: while many people may be responsible for executing security behaviors, ultimate accountability must rest with a defined owner.

The Critical Distinction: Responsibility vs. Accountability

Security teams are ACCOUNTABLE—the buck stops with them for program design, implementation, and outcomes. They cannot delegate ultimate ownership for whether the organization develops strong security practices.

Employees are RESPONSIBLE for following established practices, participating in training, and reporting suspicious activity. They execute the behaviors that security teams define.

Leadership is CONSULTED and must provide sponsorship, budget allocation, and visible support. Their buy-in legitimizes security initiatives across the organization.

All stakeholders are INFORMED of expectations, threats, and outcomes. Transparency builds trust and reinforces why security matters.

This framework resolves the paradox: security remains a team sport while clarifying who holds ultimate accountability for results.

How Cybersecurity Culture Develops: A Role-Based Framework

Building effective culture requires coordinated action across organizational levels. Each role carries specific responsibilities that compound into organizational change.

Executive Leadership's Role (Consulted/Accountable)

Executives set the tone from the top. Their visible commitment—or lack thereof—signals whether security actually matters or merely receives lip service. This includes budget allocation, resource commitment, and personal modeling of security behaviors.

Security professionals must "partner" with organizational leadership rather than dictating from isolation. This partnership ensures security initiatives align with business objectives while receiving necessary support.

Security Team's Role (Responsible/Accountable)

Security teams design and implement the culture-building program. This encompasses security awareness training development, metrics definition, and ongoing reinforcement activities.

Critically, security teams must build reputations as allies rather than adversaries. When employees view security as helpful rather than punitive, reporting rates increase dramatically. Detection engineering and threat intelligence capabilities inform this work, ensuring training addresses actual threats.

Employees' Role (Responsible/Informed)

Employees actively participate in training and report suspicious activity. Their daily behaviors constitute the actual security posture regardless of written policies.

The goal is creating "deputized" employees who feel empowered to contribute to organizational defense through positive reinforcement rather than fear of punishment. DeGrippo provided a simple framework employees can use to identify potentially malicious emails: look for "emotion, habit, urgency." Messages designed to trigger emotional responses, exploit routine behaviors, or create artificial time pressure warrant extra scrutiny and reporting.

Building Culture Through Positive Security Engagement

Traditional security awareness programs often rely on punishment for failures—shaming employees who click phishing simulations or publicly calling out departments with poor compliance. This approach backfires.

DeGrippo advocates the opposite: "Not punishment, not harsh critique, not criticisms, not a bad attitude, but I'm here to help you. Thank you for coming here."

The Candy Bar Method

The webinar mentions one organization that transformed its security culture through simple positive reinforcement. Security teams purchased cases of candy bars. Every employee who reported something suspicious—regardless of whether it was actually malicious—received immediate thanks and a candy bar.

The result? Employees felt "it's kind of fun and doesn't hurt" to report concerns. Reporting rates skyrocketed because the experience was positive rather than anxiety-inducing. This phishing reporting culture became self-reinforcing as employees shared positive experiences with colleagues.

Point systems, recognition programs, and similar reward structures create similar dynamics. When employees gain something from engaging with security rather than fearing interaction, they become active participants in organizational defense.

The Approachability Factor

Security teams must invest in relationship-building across departments. This means responding helpfully to questions, thanking reporters regardless of outcome, and maintaining patience with repeated mistakes.

Organizations with approachable security teams detect incidents faster because employees share concerns earlier. Those with intimidating security cultures lose this early warning advantage. A healthy phishing reporting culture depends entirely on employees believing that reaching out helps rather than hurts them.

Common Challenges in Assigning Cybersecurity Culture Ownership

Several obstacles complicate clear accountability assignment.

Political challenges emerge when securing executive buy-in and budget. Security competes with revenue-generating initiatives, making continuous advocacy essential.

Scale challenges multiply in large organizations. As DeGrippo noted, security teams must "partner with them and make sure that they feel like we have their back" across thousands of employees spanning multiple locations and time zones.

Competing priorities create friction. Employees have "other work to do that isn't necessarily fully about security." Their primary jobs don't involve battling organized crime—security teams must respect this reality while still engaging effectively.

Maintaining momentum proves difficult. Initial enthusiasm fades without sustained reinforcement. Culture-building requires ongoing investment, not one-time campaigns.

Measuring Cybersecurity Culture Success by Role

Effective measurement tracks outcomes by stakeholder group, creating accountability at every level.

Executive KPIs include budget allocation trends, program sponsorship visibility, and incident response resource availability. Leadership commitment manifests in measurable resource decisions.

Security team KPIs encompass reporting rates, training completion, user satisfaction with security interactions, and time-to-detection for user-reported incidents. Teams accountable for culture should measure culture outcomes.

Employee KPIs track participation rates, simulation performance trends, and reporting behavior patterns. The ultimate success indicator? Employees feeling comfortable saying "I don't know. I clicked a weird thing" without fear.

These metrics inform continuous improvement while demonstrating program value to stakeholders requiring justification.

Final Thoughts

The question of who is responsible for developing a cybersecurity culture has a clear answer: security professionals hold ultimate accountability. This doesn't diminish employee responsibility for following practices or leadership's obligation to provide support. Rather, it clarifies that security teams cannot outsource ownership of outcomes.

Building this culture requires sustained investment in positive relationships, clear accountability frameworks, and systems that reward rather than punish engagement. When employees feel supported rather than policed, they become active participants in organizational defense.

As threat actors continue scaling operations and refining social engineering techniques, organizations with strong security cultures will prove most resilient. The investment in cultural clarity pays dividends through faster detection, better compliance, and employees who genuinely want to help.

Learn how leading security teams are building collaborative cybersecurity cultures with the right technology partnerships. Watch Abnormal Innovate to see how AI-powered email security supports your culture-building efforts by automating threat detection and freeing your team to focus on relationships that matter.
