As the guardians of the organization, IT personnel also exemplify the standards for the broader workforce, which means their conduct significantly influences the security culture. When employees observe IT circumventing policies or employing lax practices, they are more inclined to imitate such behavior. Conversely, consistent and disciplined actions bolster compliance throughout the organization. Therefore, IT must adhere to security policies without exception, motivate staff to report any issues, clarify risks in straightforward language while assisting others, and engage in the same awareness training mandated for all employees. For instance, in one organization, IT administrators frequently utilized personal USB drives at work, a practice that was mimicked by employees and resulted in malware infections; had IT staff instead modeled compliance, they would have fostered positive security behavior across the entire business.
Why this matters
IT sets the tone for the whole company. Your habits become everyone's habits.
Do this
- Model report-first behavior (report a suspected phish; don't forward the live message).
- Use plain language when guiding users; avoid blame.
- Share quick wins: verification steps, secure tools, where to get help.
Mini-lab
Write a 3-line spoken script for verifying a caller's identity before a password reset, covering the ticket reference, a callback, and the MFA policy.
