Cultivating Security Culture across the Enterprise - with Daisy Wong

In a world where cyber risk is now a boardroom issue, the oft-repeated mantra that “security is everyone’s responsibility” has never been more relevant, yet it is frequently misunderstood in practice. In this episode of the Enterprise Tech Talk podcast, Saumitra Kalikar hosted Daisy Wong, Head of Security Culture and Awareness at Medibank, for a rich and candid discussion on what it truly means to cultivate security culture across an enterprise.

The conversation went beyond traditional notions of compliance training and explored how organisations can meaningfully shape behaviour, build psychological safety, and align security awareness with real business risk.

From Technology to People: Reframing Security
Daisy’s own career journey sets the tone for the discussion. Coming from a marketing background, she did not enter cybersecurity through a technical pathway. Instead, her early role in a penetration testing team at a major Australian bank positioned her as a translator, bridging highly technical security findings and the business risk they represented in language executives could understand. This experience ultimately led her to specialise in security culture and awareness.

Her core insight is simple yet profound: cybersecurity is not just about technology — it is fundamentally about people, processes, and behaviour.

While organisations invest heavily in technical controls, the “human layer” often remains underdeveloped. Daisy challenges the industry’s common framing that “humans are the weakest link,” arguing instead that people should be empowered to be “politely paranoid” — alert, curious, and confident in reporting potential risks without fear of blame.

Beyond Checkbox Training: Moving from Compliance to Culture
A central theme of the discussion was the evolution of security awareness from compliance-driven training to genuine culture-building.

Historically, many organisations treated security awareness as an annual regulatory requirement — a mandatory e-learning module completed once a year. While necessary, this approach does little to change behaviour.

Daisy outlined a maturity progression:

Compliance — ensuring mandatory training completion.

Awareness — communicating threats and risks in more engaging ways.

Culture — embedding security into everyday decision-making and behaviour.

She emphasised that effective security awareness must be relevant, relatable, and contextual. Employees are far more receptive when they understand how security practices protect not only the organisation, but also their personal lives, families, and communities.

Tailoring Security Awareness to Real Enterprise Risk
One-size-fits-all training is insufficient. Daisy highlighted the importance of aligning awareness programs with actual threat data, working closely with Security Operations teams to understand:

Which employees are most frequently targeted?

What tactics are attackers using?

Where are the organisation’s real vulnerabilities?

Equally important is tailoring messaging to different cohorts. For example, finance teams may respond strongly to examples of CEO impersonation scams, while clinical staff may better relate to real-world incidents where cyberattacks impacted patient safety. Storytelling, rather than instruction, is the most effective tool for engagement.

How Do You Measure Security Culture?
Measuring the impact of security culture is inherently challenging, but Daisy outlined several meaningful indicators:

Baseline assessments before launching programs.

Phishing reporting rates, which matter more than click rates: a click that is reported gives the security team a chance to respond, whereas a click that goes unreported does not, and a click-rate figure on its own says nothing about that difference.

Increase in reported security incidents — a positive sign of awareness, not failure.

Employee confidence surveys regarding risk identification and reporting.

Engagement metrics, such as attendance at security events and participation in cyber champion programs.

For technical teams, more concrete metrics — such as reductions in code vulnerabilities — can also be tracked over time.
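The following is an added worked example, not material from the podcast or from Medibank, of how the phishing indicators above can be computed from simulation data so that reporting, not just clicking, drives the numbers. The event-log format (one `timestamp,user,action` line per event, with actions `sent`, `click` and `report`) and the sample campaign data are constructed for illustration; a real awareness platform will export something different, but the metrics are the same: report rate, click rate, the share of clickers who went on to report, time until the security team first hears about the lure, and the list of people who clicked and stayed silent.

```python
"""Phishing-simulation metrics that weight reporting over clicking.

Added example with constructed data. The log format below is an assumption:
one event per line, "ISO-timestamp,user,action", action in {sent, click, report}.
"""
from datetime import datetime
from statistics import median
from typing import List, Optional, Tuple

# Constructed sample log for one simulated campaign (not real data).
SAMPLE_LOG = """\
2024-05-01T09:00:00,alice,sent
2024-05-01T09:00:00,bob,sent
2024-05-01T09:00:00,carol,sent
2024-05-01T09:00:00,dave,sent
2024-05-01T09:00:00,erin,sent
2024-05-01T09:03:10,alice,report
2024-05-01T09:05:42,bob,click
2024-05-01T09:06:30,bob,report
2024-05-01T09:10:00,carol,click
2024-05-01T09:10:05,carol,click
2024-05-01T09:12:00,dave,report
"""

Event = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the assumed CSV-style log into (timestamp, user, action) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action = line.split(",")
        if action not in ("sent", "click", "report"):
            raise ValueError(f"unknown action {action!r} on line {line!r}")
        events.append((datetime.fromisoformat(ts), user, action))
    return events


def compute_metrics(events: List[Event]) -> dict:
    """Return campaign metrics keyed by name.

    Repeat clicks and repeat reports by the same user are de-duplicated, so a
    user who clicked five times counts once; what matters is whether they told
    the security team at all, and how quickly.
    """
    sent_at, first_click, first_report = {}, {}, {}
    for ts, user, action in sorted(events):  # chronological order
        if action == "sent":
            sent_at[user] = ts
        elif action == "click":
            first_click.setdefault(user, ts)
        else:  # report
            first_report.setdefault(user, ts)

    recipients = set(sent_at)
    clickers = set(first_click) & recipients
    reporters = set(first_report) & recipients
    # Seconds from delivery to each recipient's first report.
    report_delays = [
        int((first_report[u] - sent_at[u]).total_seconds()) for u in reporters
    ]

    n = len(recipients)
    return {
        "recipients": n,
        "click_rate": len(clickers) / n if n else 0.0,
        "report_rate": len(reporters) / n if n else 0.0,
        # Of the people who fell for it, how many still raised their hand?
        "report_after_click_rate": (
            len(clickers & reporters) / len(clickers) if clickers else 0.0
        ),
        # How long the lure was live before anyone gave the SOC a chance to act.
        "seconds_to_first_report": min(report_delays) if report_delays else None,
        "median_seconds_to_report": median(report_delays) if report_delays else None,
        # Clicked and never reported: the cohort to reach, not to blame.
        "silent_clickers": sorted(clickers - reporters),
    }


def compare(baseline: dict, current: dict) -> dict:
    """Deltas in the two rates worth tracking between a baseline and a later campaign."""
    return {
        "report_rate_delta": current["report_rate"] - baseline["report_rate"],
        "click_rate_delta": current["click_rate"] - baseline["click_rate"],
    }


if __name__ == "__main__":
    for key, value in compute_metrics(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

In the constructed campaign, two of five recipients click (40%) but three report (60%), one of them after clicking, and the security team has its first report 190 seconds after delivery. Tracking the report-after-click share and the silent-clicker list over successive campaigns shows whether people feel safe admitting a mistake, which is the cultural signal the click rate alone cannot give.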

Executive Sponsorship: The Critical Enabler
Security culture cannot be built from the bottom up alone. Strong executive sponsorship is essential.

Daisy shared a powerful example of a CEO who openly admitted to falling for a phishing email in a town hall meeting. This transparency signalled to employees that mistakes are human — and that reporting incidents would not lead to punishment. This kind of leadership is instrumental in fostering psychological safety and trust.

Managing Change and Resistance
Resistance to security controls often stems from a lack of understanding. Daisy stressed the importance of explaining the “why” behind security policies, rather than simply dictating rules.

Equally important is providing practical alternatives when restricting behaviour. If employees are told they can no longer use personal email for work, they must be given a secure, workable alternative — otherwise they will create risky workarounds.

The Role of Technology in Security Awareness
While security culture is fundamentally human-centred, technology plays an enabling role. Daisy pointed to emerging tools such as:

Voice-based phishing simulations.

Human risk management platforms with executive dashboards.

AI-assisted content creation for awareness videos.

These tools can help scale programs, visualise risk for executives, and keep training materials fresh and relevant.

Key Lessons for Organisations
As the conversation concluded, Daisy offered three practical takeaways:

Be patient — cultural change takes time.

Prioritise high-risk groups first rather than spreading resources too thin.

Do fewer things well — depth matters more than breadth.

Final Reflections
This discussion reinforced a critical reality: cybersecurity is no longer solely a technical domain — it is a leadership, cultural, and organisational challenge.

As enterprises continue to digitise, adopt AI, and expand their ecosystems of partners and vendors, building a resilient security culture will be just as important as deploying the latest technical controls.

Cultivating security culture is not a program — it is an ongoing journey.