No one understands the stakes of cyber security breaches better than CISOs themselves. Their voices reveal what works, which challenges remain, and where organisational focus (and budgets) must land next.
If you are a CISO looking to strengthen your employee cybersecurity awareness efforts, learning from peers is invaluable. While Blue Goose has 15+ years' experience working with CISOs and their communications colleagues to develop strategies and campaigns, we wanted to gather a wider range of views on what CISOs and senior executives see as their key challenges and priorities for the year ahead.
This article curates insights shared by leading cybersecurity executives. But before we turn to CISOs on the front line, the most sobering and pertinent call comes from Stuart Machin, CEO of Marks & Spencer, whose business was the victim of a well-publicised cyber attack earlier this year, estimated to have cost it up to £440m.
‘Cybersecurity is no longer one person or one team’s responsibility, it is everyone’s. I have learnt everyone is vulnerable. The hackers only need to be lucky once.’
His raw warning rings true across all industries. Attackers look for the simplest routes – phishing emails, weak passwords, untrained staff – rather than the mythical ‘hack the mainframe’ approach. CISOs must lead a culture shift so employees feel equipped, aware, and accountable at every level of the organisation.
Building Trust with Leadership Before Crisis
Matt Malone, a board director and former partner, Head of Risk Consulting at KPMG, shares a crucial lesson for CISOs: ‘Rapport isn’t built in a crisis. CISOs need to engage the board before an attack happens, educating them and establishing trust.’
Cybersecurity awareness campaigns don’t exist in a vacuum. They demand visible leadership sponsorship and ongoing dialogue with decision-makers. Without trust and shared understanding at the top, awareness campaigns risk being sidelined or underfunded. This engagement is the foundation on which all other efforts rest.
Cybersecurity as a Business Enabler, Not Cost
Myrna Soto, ex-CISO at Comcast, reframes how CISOs should position awareness internally: ‘CISOs need to frame cybersecurity as a business enabler, not just a cost centre. Show how security investments drive customer trust and long-term resilience.’
By highlighting the business value of security-conscious employees – from reducing breach risks to preserving brand reputation – CISOs can unlock executive support and foster a positive culture around cybersecurity efforts.
Lavonne Burke, Vice President Legal, Global Security & Resiliency at Dell, underlines how communication styles impact board buy-in: ‘CISOs must translate risk into a language the board understands. Instead of talking about encryption, explain how it prevents financial and reputational loss.’
Clear, business-focused messaging bridges the gap between technical teams and executive leadership.
Navigating the AI Frontier with Human Oversight
The rapid evolution of AI presents both unmatched opportunities and unprecedented risks. Timothy Youngblood, CISO of Astrix Security and former McDonald’s CISO, captures the balance this new era demands: ‘We are moving from AI as an efficiency tool to AI making autonomous security decisions. That shift is both powerful and risky. The future of cyber leadership will be about striking the right balance – trusting AI while maintaining human oversight.’
Awareness campaigns must evolve in kind, equipping employees not only to detect traditional phishing and social engineering but also to understand AI's growing role in both the threat landscape and enterprise defences.
Embedding Cybersecurity into Organisational DNA
Microsoft CEO Satya Nadella drives home a simple truth: ‘Cybersecurity is the backbone of digital transformation and must be embedded into every part of the organisation’s culture.’
This cultural embedding goes beyond training programs. It requires fostering empowerment and shifting away from fear of failure.
Jessica Barker CBE, advisory board member, UK Government Cyber Security Advisory Board, and cybersecurity awareness expert, emphasises this mindset shift: ‘Cybersecurity needs to shift from fear to empowerment; culture is the most powerful tool we have.’
Sunil Patel, Information Security Officer at River Island, says it has to start at the top: ‘The CEO or whoever has to go through the same process as everyone else, for example if they need a new identity badge.’
Culture is the Human Firewall
A thriving cyber-aware culture is not merely a bolt-on compliance necessity. It is what transforms every member of staff from a vulnerability into the first line of defence. Proven, ongoing awareness programmes can reduce errors, strengthen reporting, and unite IT with the wider workforce behind a common purpose.
Blue Goose managing director and strategy director Ben Watson adds: ‘We know that ‘affective security’ – the desire to protect an organisation out of loyalty to it – is a powerful weapon when it comes to information security.
‘A business that has embedded a positive culture and belief in its purpose, can leverage that commitment to ask for support on a broader range of issues – including compliance and cyber security.’
Sunil Patel of River Island supports this, adding: ‘Make sure your cyber culture is right. Be sure staff know the processes and understand why there will be security-led questions. Do the basics right. Make the human element rock solid and protected as much as possible.’
Param Vig, CISO at Solventum, takes this further: ‘Awareness alone does not equate to security. Organisations must go further by equipping users with the tools, training and support needed to act securely in an increasingly complex, AI-riddled digital environment.’
Where CISOs Need To Focus
There are several priorities for CISOs launching or refreshing cybersecurity awareness campaigns for employees and organisations:
- Engage leadership early and often: Foster trusted relationships with boards and executives, framing cybersecurity as strategic and customer-centric.
- Transform culture through empowerment: Move from fear-based messaging to building an inclusive, learning-focused environment.
- Clarity in communications: Translate risks into plain business impact stories relevant for auditors, regulators, and operational teams alike.
- Prepare for AI’s double-edged sword: Update awareness training to reflect new AI-driven threats and the importance of careful oversight.
- Embed awareness in organisational DNA: Secure commitment to ongoing, relevant cybersecurity education that reaches every employee, not just at work but in the family home too. The relationship between the two has never been closer or more critical. Secure the workplace by securing the home.
The security landscape will undoubtedly continue to grow more complex in 2026 – but CISOs who act on these insights will empower their people, build resilient cultures, and win crucial boardroom support.
The message from CISOs and cyber security experts is clear: cybersecurity awareness isn’t just a checkbox; it’s a continuous organisational journey with real business value.
Invest in the human factor, engage your leaders, and communicate well. In doing so, your cybersecurity campaign will mature beyond compliance and become a strategic enabler – one that does indeed help to protect your enterprise in a world where every employee counts.
Blue Goose has more than 15 years' experience advising CISOs and internal communications leaders on effective cyber awareness strategies and campaigns. You can read about our cyber awareness campaigns here.
Speak to our specialist team today to talk through your challenges and ambitions.
Sources:
Securitybrief.co.uk
Diligent.com
Digitaldefynd
Proofpoint.com