Chart your secure cyber path
Cyber security insights to strengthen resilience, drive growth and prepare for what’s next
The healthiest organisations recognise that these goals are not mutually exclusive, but aligning them can be a challenge.
The key to balancing cyber security and workforce enablement lies in fostering a culture where security empowers – rather than obstructs – the workforce. So how can cyber-conscious organisations strike that balance? In this article, we will share common pitfalls, helpful pivots and actionable strategies cyber teams can use to improve collaboration and adherence.
Cyber security teams often face resistance because they are perceived as enforcers and blockers. To shift this dynamic, security must position itself as an advisor, not a gatekeeper. For example, instead of mandating complex password changes every 60 days (a policy that often leads to insecure sticky notes on monitors), collaborate with teams to implement user-friendly multi-factor authentication (MFA) or password management tools. By involving employees in solution design, security becomes a partner in problem-solving. Involving non-security teams in solution design also demonstrates trust that will then flow both ways.
Actionable strategies:
● Host cross-functional workshops where IT, security and department leads co-design policies and solutions
● Pilot new tools with feedback loops. For example: “We are testing this VPN. Does it slow your workflow? If so, let’s adjust.”
A punitive approach to security – for example, shaming employees for clicking phishing links or delaying breach reporting for fear of blame – breeds resentment and secrecy. In contrast, organisations that celebrate proactive behaviour see higher engagement and compliance.
Cyber security training plays a key role in this buy-in and enthusiasm, too. Osterman Research found that 76% of users who spend 15+ minutes per month on cyber training initiatives feel they have an active role in protecting their organisation from cyber threats, versus 30% of those who spent under five minutes per month. Time investment in cyber education had a direct impact on how invested those employees felt.
Actionable strategies:
● Gamify training by offering badges or bonuses (gift cards, time off, etc.) for completing modules or spotting simulated phishing attempts
● Break training and awareness modules into bite-size chunks delivered natively within existing tools and workflows to optimise for completion
● Share anonymised success stories, such as: “Thanks to a team member’s alert, we stopped a ransomware attempt last week!” – this has the added benefit of demonstrating to the workforce how often threats do require intervention, encouraging vigilance.
Employees will bypass cumbersome tools, no matter how secure. For instance, requiring IT approval for every software download often leads to shadow IT (e.g. unauthorised cloud apps). Whilst no cyber programme is completely frictionless (cyber security is good friction, after all), there are tactics that can help ease the burden on the workforce, like single sign-on (SSO) portals to reduce password fatigue or AI-driven tools that run scans in the background without interrupting workflows.
Actionable strategies:
● Audit employee pain points. Are VPNs slowing remote work? Consider zero-trust networks that grant access based on user identity, not location.
● Simplify reporting by replacing lengthy incident forms with native flagging options, like a Slack bot with a one-click method for reporting anything that does not look right
Security teams often underestimate how policies impact daily operations. To help inform cyber strategies and improve collaboration, cyber security staff can be rotated into business units or those same business units could have dedicated security contacts to work with on solutions. This not only helps security team members better understand workforce pain points but also gives them the capacity to explain the “why” behind policies and recommendations.
Heavy-handed controls often backfire, especially when put in place too early. For example, blocking social media might seem like a reasonable step at face value, but sales teams relying on LinkedIn for client outreach could be negatively impacted by blanket bans. Where possible, start with visibility in order to establish a context and baseline before introducing new measures:
● Monitor: use endpoint detection to identify risky behaviour (e.g. unauthorised file shares).
● Educate: “We see frequent use of personal Dropbox. Let’s migrate you to a secure alternative.”
● Enforce gradually: restrict access only if behaviour does not change.
This phased approach builds trust and reduces backlash whilst keeping the lines of communication open, fostering a spirit of collaboration.
Employees care most when they see how cyber security affects their lives beyond work. Training that links corporate policies to personal benefits – like protecting home smart devices or avoiding identity theft – can drive deeper engagement.
Actionable strategies:
● Offer optional sessions on securing personal accounts or recognising scams
● Share stories about how cyber security at work and at home interact, or how at-work training has helped employees avoid being personally victimised
The most secure organisations are not those with the most firewalls; they are those where every employee feels responsible for protection. By designing user-centric tools and processes, rewarding collaboration and fostering mutual understanding, businesses turn their workforce into a first line of defence.
“When security is seen as an enabler, compliance stops being a chore. People stop asking, ‘Why are you making me do this?’ and start asking, ‘What else can I do to help?’”
– John Cole, Senior Manager, Forvis Mazars
In the end, balancing security and productivity is not about compromise. It is about proving that trust and collaboration make everyone – and every system – stronger.