Lone Forland
05 Mar 2026

"Do As I Say, Not As I Do"

The Leadership Gap

 

I recently deconstructed a rather uncomfortable truth from our 2025 Nordic survey of 2,000 employees. We often talk about the "human firewall" as if it were a technical component we could simply install, but our findings suggest the foundation is cracking at the very top of our organisations.

 

The data is sobering. Only 38% of employees agree that their leaders regularly discuss cybersecurity risks. Even more telling? A mere 57 out of 2,000 respondents—less than 3%—believe that management is better at following security rules than they are. This creates a dangerous "Leadership Gap" in which security is perceived as a set of chores for the workforce rather than a shared value for the business.

 

This disconnect between policy and behaviour is something we explore further in our latest research.

Download the whitepaper “Bridging the Knowledge–Action Gap” to learn why security awareness alone rarely changes behaviour.

 

I talked to behavioural designer Casper Danholt Iuul about this, and he reminded me that "Social Norms" are more powerful than any manual. If a CEO leaves their laptop unlocked in a glass-walled meeting room, that silent action speaks louder than a thousand mandatory e-learning modules. Employees quickly conclude that security is a hurdle to be bypassed, not a value to be lived.

 

Bridging the Gap: The "Security Minute"

 

If you want to shift this culture, you don't need a massive budget or a week-long seminar. You need to make security visible and human. My advice to any leader is to implement a "Security Minute" at the start of your management meetings.

 

Spend sixty seconds—no more—discussing a single security observation. It shouldn't be a technical lecture. Perhaps you praise a department for their high reporting rate of suspicious emails, or you share a personal story about a phishing attempt you nearly fell for. By being vulnerable and vocal, you strip away the "IT department only" stigma and signal that security is a core business priority.

When you vocalise security, you signal that it is a business priority, not just an IT problem. At NorthGRC, we believe compliance is a connected journey. It begins when leadership stops pointing at the rules and starts walking the path alongside their teams.

 

Learn about the NorthGRC Awareness Module for security awareness campaigns.
