Cybersecurity training is vital, but it’s not enough on its own if your workplace culture discourages people from speaking up. Good corporate security awareness includes empowering employees to think critically, voice concerns and admit mistakes, without fear of reprisal.
The secret is something all parents who’ve gotten their children to admit when they’ve done something wrong already know.
Psychological safety is an underrated part of organisational cyber resilience and yet it’s essential if companies want to strengthen their cyber defences from within.
“Psychological safety refers to an organisational environment where employees feel confident they can slow down to question suspicious activities, report security concerns, admit mistakes, and challenge instructions without fear of blame, punishment or professional retaliation,” says Anna Collard, SVP of Content Strategy at KnowBe4 Africa.
The question organisations need to ask themselves, even when they have implemented industry-leading security awareness training (SAT), is this: “What happens to employees who admit their big cybersecurity mistakes? What do they expect to happen, regardless?”
What happens if employees don’t feel secure?
Collard believes there are several toxic dynamics in organisations that undermine security reporting.
“The most notable is the blame-first culture. Organisations that immediately ask: ‘Who did this?’ instead of ‘How can we prevent this?’ create defensive behaviours where employees hide incidents,” she says.
Instead of reporting concerns that could lead to early detection, employees become silent because they fear consequences.

Another unhealthy dynamic in workplaces is when managers suffer from perfectionism. “When security is presented as binary (perfect compliance versus failure), employees avoid admitting any uncertainties or mistakes,” says Collard.
Having a silo mentality can also be a stumbling block.
“When security teams are seen as separate from business operations, employees view them as outsiders rather than partners,” she says. This is especially true if IT personnel fail to take employees’ concerns seriously or dismiss them altogether.
Another dangerous phenomenon is when employees are confused by inconsistent messaging.
“Staff don’t like it when leaders preach that security is everyone’s responsibility, but then exclude non-technical staff from security discussions or break the rules themselves,” Collard says.
Overcoming barriers to psychological safety
Fortunately, there are many courses of action that organisations can take to correct these unfavourable dynamics. “It’s really helpful when companies implement blameless post-mortems after security incidents,” she says.
A good example is GitLab’s 2017 incident, when a systems administrator accidentally deleted a production database, resulting in six hours of lost data. The team responded transparently, live-blogging the recovery and treating it as a learning opportunity.
“A culture of openness meant the issue was addressed immediately, with no blame or cover-ups – just quick action and prevention,” says Collard.
Collard recommends integrating security champions across all departments and celebrating reporting and learning over perfection. “It also helps when leaders model vulnerability and continuous learning,” she says.
Creating positive feedback loops
Instead of coming down hard on employees who mess up, managers should frame these incidents as valuable insights about attack sophistication rather than user failure.
“This can be reinforced by creating positive feedback loops as a core part of human risk management. Establish systems where reporting suspicious emails or activities is rewarded and celebrated, making reporting feel like a contribution rather than a confession – or even just perceived compliance burdens with no purpose,” Collard says.
Her advice is for leaders to adopt a zero-trust mindset. “Zero-trust principles require continuous verification and questioning. But this only works when people feel psychologically safe to voice their concerns,” she says.
Digital mindfulness is another essential tool for strengthening the human layer within an organisation. “Fostering a culture of pausing and seeking help rather than rushing through work is hard in a world that moves at a relentless pace. But it’s in those high-pressure moments that we need to be most grounded and focused to avoid mistakes,” Collard says.
Ultimately, she believes the most secure organisations are not those that expect perfection, but those that enable people to speak up, learn and respond quickly when something goes wrong.
“Psychological safety is a critical foundation for any organisation serious about cybersecurity resilience,” Collard says.