Cybersecurity is not just about firewalls, policies, and tools. Above all, it thrives on an active security culture. But what does that mean in concrete terms? Why is it so crucial for companies? And how can you anchor security awareness in everyday work in the long term?
In the current podcast episode “Innovation Implemented”, Maximiliane Mayer (Head of Information Security Consulting, mgm security partners) and Julia Kirchner (Principal Consultant, mgm consulting partners) discuss exactly that: the role of change management, the connection between technology and behavior, and why security culture today is more than just annual training.
Why security culture is often the missing success factor
Many companies invest in technology but underestimate the human side of IT security. Studies show that even in 2024, over two-thirds of all security incidents can be attributed to human error, such as clicking on links in clever phishing emails.
The problem is rarely the technology, but rather a missing or weakly developed security culture. According to ENISA, the European cybersecurity agency, this refers to the shared knowledge, attitudes, beliefs, and behaviors related to security within the company.
In other words, security culture means that employees recognize risks, react correctly, and take responsibility as a matter of course in their daily work.
Technology + Behavior = Impact
This is where change management comes into play. It helps not only to establish rules but also to change behavior sustainably:
- Managers as role models: When managers openly deal with mistakes and support security decisions, the entire corporate culture changes.
- Positive reinforcement instead of control: Rewarding reports and making learning successes visible achieves more than mandatory training and controls.
Making security behavior measurable
The success of security initiatives can be measured through a combination of figures and cultural feedback:
- Quantitative metrics such as click rates in phishing tests or reporting rates provide quick indications of behavioral changes.
- Qualitative methods such as anonymous surveys or feedback discussions show how safe employees feel and whether they feel empowered to make security decisions.
- Culture maturity models help to classify progress, similar to the evaluation of team maturity in project management.
- A continuous improvement process, for example in the form of the well-known PDCA cycle (“Plan – Do – Check – Act”), as also recommended by ENISA, is particularly effective. It ensures that companies react to new threats and can learn internally at the same time.
Looking to the future: New challenges, new opportunities
In the coming years, security culture will become even more important:
- NIS2 and DORA place greater responsibility on managers; security is becoming a management obligation.
- Artificial intelligence (AI) is increasing the pressure: attackers are using AI for new attack methods, while internal risks arise from uncontrolled AI projects.
- Supply chain risks are increasing and cannot be secured solely through contracts. Partner companies must also cultivate a strong security culture.
- The shortage of skilled workers confronts companies with the question: How do we maintain our security culture even with high employee turnover?
All of this demonstrates that a strong security culture is not just a "nice to have" but the foundation for digital resilience, i.e., the ability to remain secure and capable of acting even under pressure.
In conclusion: Security begins in the mind and requires structure.
If you want to make cybersecurity effective in the long term, you need more than technology and guidelines. You need people who think for themselves, take responsibility, and feel supported in doing so.
The key is to consider change management and security expertise together.
Looking for further inspiration?
Would you like to know how to establish or further develop a security culture in your company? Or are you looking for concrete approaches to combining technical security and change management?
Contact us! We will be happy to support you with experience, methods, and a clear view of what is essential.
Together, we will turn your security culture into a competitive advantage!