Suneth Mendis


The CISO Evolution: From Firewall Manager to Culture Architect

Mar 31, 2026

—

Cybersecurity, Leadership

There’s a phrase making the rounds in security leadership circles right now that deserves more attention than it gets: “Cyber is 20% technology and 80% behaviour.”

It sounds almost heretical from a profession built on firewalls, SIEMs, and zero-trust architectures. But the most respected CISOs in 2026 aren’t saying it to downplay technical rigour — they’re saying it because they’ve lived the lesson the hard way. You can build the most sophisticated security stack on the planet and still watch your organisation suffer a breach because one employee clicked a link, reused a password, or shared credentials over Slack.

Technology is the floor, not the ceiling. Culture is where security programmes either take root or quietly die.

When it comes to security, the weakest link is unfortunately us. We can spend millions bolstering our security posture with tools and software, but it only takes one employee clicking a “Free Apple Watch” phishing link to bring it all down.


The Role Has Changed. Have You?

For most of cybersecurity’s history, the CISO role was defined by what you protected: networks, endpoints, data. Reporting lines ran through the CTO or CIO. Board interactions were infrequent, technical, and often uncomfortable for everyone in the room.

That world has ended.

In 2026, the most forward-thinking organisations have elevated their CISOs to decision-makers with specific veto and approval powers over high-risk technology decisions. Directors now discuss cyber risk with the same financial scrutiny applied to liquidity ratios and supplier concentration. The conversation has changed — and if CISOs haven’t changed with it, they’re already behind.

The Evanta 2026 CISO Leadership Survey identified three competencies that define standout security leaders today: deep business understanding, AI fluency, and — ranked as the most differentiating — the ability to shape and influence organisational culture. Technical certifications remain table stakes. Culture-building is the new competitive advantage.


Why Culture Is Now a Security Control

Here’s the uncomfortable arithmetic of modern security: the average enterprise runs hundreds of security tools, employs dozens of analysts, and invests millions in controls. Yet the majority of significant incidents still trace back to human behaviour — phishing clicks, misconfigured cloud resources, shadow IT, and employees who find security friction so annoying they route around it.

You cannot patch human nature. But you can shape it.

The organisations pulling ahead in 2026 are those that have moved beyond compliance-checkbox security training — the annual 20-minute video that everyone clicks through while checking email — and into genuine cultural transformation. Security becomes a lived experience woven into how people make decisions daily, not a periodic reminder of policies they mostly ignore.

This shift requires CISOs to develop skills that weren’t in the traditional job description: change management, organisational psychology, executive communication, and the patience to influence rather than mandate. It requires showing up differently — as a business partner who happens to specialise in risk, not as the person who says no.


Speaking the Language of the Boardroom

The transition from CISO to culture architect starts with language. Technical security metrics — CVEs patched, mean time to detect, alert volume — are important operationally, but they don’t land in the boardroom the way business metrics do.

The CISOs gaining real influence in 2026 have learned to translate. Instead of “we detected 2,400 phishing attempts last quarter,” they say “we prevented an estimated $14 million in potential fraud and business disruption.” Instead of “our vulnerability remediation rate improved 18%,” they say “we reduced our window of exposure from 12 days to 4 days — which is the difference between catching a threat and cleaning up after a breach.”

This reframing isn’t spin. It’s accuracy, provided the dollar figure rests on a documented loss model the board can interrogate; an estimate nobody can reproduce is spin. Security’s value has always been denominated in business outcomes. We just weren’t always communicating it that way. When directors hear security language they understand, they engage differently. They ask better questions. They approve budgets. They sponsor the culture programmes that actually work.


What Building Security Culture Actually Looks Like

Culture change isn’t a campaign. It’s not a poster in the break room or a new policy in the employee handbook. It’s a sustained effort to make secure behaviour the path of least resistance for every person in the organisation.

The CISOs doing this well in 2026 are doing a few things differently:

They make security visible at the top. When the CEO and CFO visibly follow security protocols, check before clicking, and speak about security as a shared responsibility rather than an IT problem, employees notice. Behaviour cascades downward from leadership.

They reward, not just reprimand. Traditional security culture was built on fear: click the wrong link and attend mandatory retraining. High-performing security cultures celebrate the employee who reported the suspicious email, the developer who flagged the API vulnerability before it shipped, the manager who pushed back on a vendor with weak security practices.

They measure what matters. Security culture can be measured: phishing simulation trends (report rate and time-to-report are more telling than raw click rate, which a single well-crafted pretext can push to almost any number), policy exception rates, voluntary security reporting, and employee perception surveys. If you’re not measuring culture, you’re not managing it.

They design for humans, not policies. The best security programmes reduce friction rather than adding it. Single sign-on, phishing-resistant passwordless authentication such as passkeys, easy-to-use tools: these aren’t conveniences, they’re security controls. When the secure path is the easy path, compliance becomes the default, not the exception.
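To make the “measure what matters” point concrete, here is a small phishing-simulation scorecard. It is an added example written for this post, not code from the original article or from any vendor tool; the campaign names, users and event log are constructed, and the metric names (report rate, head start) are this example’s own choices. It scores each campaign on click rate, report rate, median minutes from delivery to report, and how many minutes the first report arrived before the first click, then judges whether each metric moved the right way between two campaigns.

```python
"""Phishing-simulation scorecard: report rate and time-to-report, not just click rate."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real data) from two quarterly simulation
# campaigns. One CSV row per event: campaign,user,event,timestamp.
# Event types: delivered, clicked, reported.
SAMPLE_EVENTS = """\
Q1,alice,delivered,2026-01-10T09:00:00
Q1,alice,reported,2026-01-10T09:40:00
Q1,bob,delivered,2026-01-10T09:00:00
Q1,bob,clicked,2026-01-10T09:20:00
Q1,carol,delivered,2026-01-10T09:00:00
Q1,carol,clicked,2026-01-10T09:15:00
Q1,carol,reported,2026-01-10T09:16:00
Q1,dave,delivered,2026-01-10T09:00:00
Q1,erin,delivered,2026-01-10T09:00:00
Q2,alice,delivered,2026-04-14T09:00:00
Q2,alice,reported,2026-04-14T09:03:00
Q2,bob,delivered,2026-04-14T09:00:00
Q2,bob,reported,2026-04-14T09:05:00
Q2,carol,delivered,2026-04-14T09:00:00
Q2,carol,clicked,2026-04-14T09:30:00
Q2,dave,delivered,2026-04-14T09:00:00
Q2,dave,reported,2026-04-14T09:11:00
Q2,erin,delivered,2026-04-14T09:00:00
"""

Event = Tuple[str, str, str, datetime]


@dataclass
class CampaignScore:
    campaign: str
    delivered: int
    click_rate: float                        # users who clicked / users delivered to
    report_rate: float                       # users who reported / users delivered to
    median_minutes_to_report: Optional[float]
    head_start_minutes: Optional[float]      # first click minus first report; positive = defenders warned first


def parse_events(text: str) -> List[Event]:
    """Parse CSV rows into (campaign, user, event, timestamp) tuples."""
    rows = []
    for line in text.strip().splitlines():
        campaign, user, event, ts = line.split(",")
        rows.append((campaign, user, event, datetime.fromisoformat(ts)))
    return rows


def score_campaigns(events: List[Event]) -> Dict[str, CampaignScore]:
    """Compute per-campaign behaviour metrics from the event log."""
    by_campaign: Dict[str, List[Event]] = defaultdict(list)
    for row in events:
        by_campaign[row[0]].append(row)

    scores: Dict[str, CampaignScore] = {}
    for campaign, rows in by_campaign.items():
        delivered_at: Dict[str, datetime] = {}
        click_times: List[datetime] = []
        clicked_users = set()
        first_report_at: Dict[str, datetime] = {}   # earliest report per user
        for _, user, event, ts in rows:
            if event == "delivered":
                delivered_at[user] = ts
            elif event == "clicked":
                clicked_users.add(user)
                click_times.append(ts)
            elif event == "reported":
                if user not in first_report_at or ts < first_report_at[user]:
                    first_report_at[user] = ts

        n = len(delivered_at)
        if n == 0:  # no deliveries recorded; nothing to rate
            continue
        minutes_to_report = [
            (first_report_at[u] - delivered_at[u]).total_seconds() / 60
            for u in first_report_at if u in delivered_at
        ]
        first_click = min(click_times) if click_times else None
        first_report = min(first_report_at.values()) if first_report_at else None
        head_start = None
        if first_click is not None and first_report is not None:
            head_start = (first_click - first_report).total_seconds() / 60

        scores[campaign] = CampaignScore(
            campaign=campaign,
            delivered=n,
            click_rate=len(clicked_users) / n,
            report_rate=len(first_report_at) / n,
            median_minutes_to_report=median(minutes_to_report) if minutes_to_report else None,
            head_start_minutes=head_start,
        )
    return scores


def trend(scores: Dict[str, CampaignScore], earlier: str, later: str) -> Dict[str, str]:
    """Judge each metric between two campaigns as better, worse, flat or n/a."""
    a, b = scores[earlier], scores[later]

    def judge(old: Optional[float], new: Optional[float], higher_is_better: bool) -> str:
        if old is None or new is None:
            return "n/a"
        if new == old:
            return "flat"
        return "better" if (new > old) == higher_is_better else "worse"

    return {
        "click_rate": judge(a.click_rate, b.click_rate, False),
        "report_rate": judge(a.report_rate, b.report_rate, True),
        "median_minutes_to_report": judge(a.median_minutes_to_report, b.median_minutes_to_report, False),
        "head_start_minutes": judge(a.head_start_minutes, b.head_start_minutes, True),
    }


if __name__ == "__main__":
    scores = score_campaigns(parse_events(SAMPLE_EVENTS))
    for s in scores.values():
        print(s)
    print(trend(scores, "Q1", "Q2"))
```

In the constructed data, Q1 and Q2 show why click rate alone misleads: in Q1 the first report lands a minute after the first click, so the SOC learns about the campaign only after someone is already compromised, while in Q2 three reports arrive before anyone clicks, giving defenders a 27-minute head start. Note that carol in Q1 clicks and then reports; she still counts as a reporter, because the behaviour you want to reinforce is telling someone, even after a mistake.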


The CISO-to-CSO Transition

A structural signal worth watching: the accelerating transition from CISO to CSO (Chief Security Officer) titles across mature organisations. This isn’t cosmetic. It reflects a broadening mandate that unites all security domains — physical, cyber, personnel, and operational — under a single unified leadership role.

For aspiring security leaders, the implication is clear: the next generation of senior security roles will require fluency across domains that were once siloed. The leaders who will occupy those seats are developing business acumen, communication skills, and cultural intelligence now — not after they get the promotion.


The Strategic Imperative

If you’re a CISO reading this and your primary identity is still technical, I’d encourage you to ask one honest question: when did you last have a meaningful conversation with your HR lead, your internal communications team, or your business unit heads about what security means to their people?

The answer to that question tells you more about your security programme’s future resilience than any penetration test result.

The firewall matters. The culture matters more. The best CISOs in 2026 have stopped choosing between them — and started building both.



© 2026 Suneth Mendis. All Rights Reserved.