Employees Make or Break Your Cybersecurity Strategies

The Call is Coming from Inside the House: Cybersecurity, AI, and Culture

As 2025 comes to a close and we look ahead to 2026, cybersecurity strategies are no longer just about firewalls and technical defenses—they’re about people and culture. While organizations have invested heavily in tools, firewalls, and AI-driven defenses, employees remain one of the biggest sources of risk. IBM’s Cost of Data Breach 2025 found human error accounts for 26% of data breaches. Developing cybersecurity strategies that employees will actually follow has become a business imperative for organizations of all sizes.

At the same time, artificial intelligence has entered the attacker’s toolkit. Large language models can generate spear-phishing emails that are almost impossible to distinguish from legitimate messages. Deepfakes are being used to impersonate executives, while employees experimenting with generative AI tools may unintentionally expose sensitive data. The World Economic Forum’s Global Cybersecurity Outlook 2025 warns that the rapid adoption of AI is widening both opportunities and vulnerabilities across industries.

The bottom line? Technology alone won’t keep us safe.

Culture and behavior will.

Peter Drucker famously said, “Culture eats strategy for breakfast.” No matter how advanced the cybersecurity strategies, their success ultimately depends on people. Employees are either your first line of defense—or your greatest vulnerability. Creating a security-conscious culture through deliberate organizational change management (OCM) and continuous training is essential for mitigating risks in the new era of AI-driven threats.

Cybersecurity Innovation Through OCM

Organizational Change Management (OCM) provides a deliberate, people-focused approach to align cybersecurity strategies with workplace culture. Employees don’t just operationalize cybersecurity—they reinforce and sustain it by creating a culture of security.

“Information security hinges on the effectiveness of the change management process.”
– The U.S. Department of Defense  

 

Here are six examples of how Organizational Change Management can strengthen your cybersecurity strategies for 2026.

1. Align to a Shared Security Vision

Successful organizational behavior change begins with a clear vision, and cybersecurity is no different. Conduct audits to evaluate workforce strengths and limitations. Set measurable goals for an improved future state and communicate why cybersecurity is critical given the evolving threats.

A shared vision:

  • Aligns cybersecurity goals to business strategies and priorities.
  • Ensures leadership champions and models secure behaviors.
  • Provides focus and consistent messaging.

2. Understand the Influencers and the Impacted  

Some stakeholders will influence the success of the cybersecurity vision, and of cybersecurity adoption, more than others. Identify the leaders, teams, and influencers whose buy-in is critical.

A stakeholder plan helps determine:

  • Who has competing priorities.
  • Who can champion cybersecurity strategies across other initiatives.
  • How best to engage them through targeted communications and feedback loops.

3. Communicate Cybersecurity Strategies Early, Clearly, and Often

For IT leaders, cybersecurity seems obvious. But employees may not grasp the business impact of a quick click leading to a costly ransomware attack. That disconnect is even bigger when AI threats feel “invisible.” Early communication will build awareness. Clear, non-technical communication will support understanding. Repeated communication will ensure the message is heard.

A structured communications plan helps bridge this gap. Effective communication includes:

  • Audience targeted by role and risk exposure.
  • Non-technical language that explains the real impact of threats.
  • Consistent, repeated messaging across multiple channels with intended outcomes.
  • Ways to equip leaders to reinforce the message at every level.

4. Document Accessible, Actionable Policies and Procedures

Policies can’t live in a forgotten folder or buried deep in the company intranet. They must be easy to access, clearly written, and regularly updated to reflect today’s challenges—including AI misuse. Employees experimenting with generative AI tools need clear guidance on what’s acceptable and what could expose sensitive data.

When developing or revising policies, test them with employees:

  • Is the language clear and understandable?
  • Do they know why these rules exist?
  • What barriers might prevent compliance?

Involving employees turns policies from static documents into actionable, everyday tools that strengthen cybersecurity strategies and foster long-term adoption.

5. Build a “Security-Conscious” Culture Through Training  

A “security-conscious” culture comes to life through continuous, engaging training. Reading a manual once a year isn’t enough—training must be ongoing and connected to real behavior.

An effective learning strategy includes:

  • Cybersecurity training tailored by role.
  • Practical scenarios (e.g. spotting AI-generated phishing).
  • Manager coaching to reinforce secure behavior.
  • Post-training measurement of actual on-the-job practices.

6. Sustain Cybersecurity Strategies for the Long Term

Cyber threats evolve constantly, and so must your cybersecurity strategies. A sustainment plan keeps employees prepared and adaptive. 

Best practices include:

  • Integrating cybersecurity into onboarding, training, and performance management programs.
  • Recognizing and rewarding employees who model secure behavior.
  • Reviewing vision, policies, training, and performance metrics on a regular cycle.

In 2026, that also means staying current on AI-driven risks and ensuring employees know how to respond to new threats as they emerge.

The Future of Cybersecurity

Cybersecurity incidents are no longer isolated events; they’re a constant reality. But organizations aren’t powerless. By combining cybersecurity strategies with strong organizational change management and a security-first culture, leaders can turn employees from a vulnerability into their strongest defense.

As we move into 2026, one thing is clear: technology can detect threats, but only people can prevent them. The organizations that thrive will be those that prepare their workforce not just to use tools, but to think, act, and behave with security in mind.

At CARA, we have experience creating holistic communications, training, and Organizational Change Management solutions designed to foster a culture of security for Fortune 1000 companies. To learn more, let’s connect. 


 Steve MacGill, Consultant Advisory Board Member, The CARA Group contributed to this blog.

 

Author The CARA Group