Introduction
Companies spend millions on cybersecurity policies — but often overlook the human side of enforcement. Why do employees ignore security rules, even when they’re clearly defined and regularly updated? And how can organizations shift from checkbox compliance to genuine behavioral change?
These were the big questions tackled in our latest Passwork cybersecurity webinar, featuring ISO 27001 consultant and ISMS Copilot founder, Tristan Roth. Together, we explored how companies can strengthen security culture, align leadership and compliance teams, and ultimately get employees to care about cybersecurity policies.
This article highlights the key insights from that discussion, offering a practical roadmap for businesses aiming to turn policy fatigue into proactive security awareness.
The compliance trap: Why policies fall flat
According to a 2024 ISACA survey, just 38% of organizations believe their compliance efforts have improved their actual security posture. The rest? Going through the motions.
They want to be ISO-certified in three weeks. They write 50 documents, sign them, and think the job is done. But there’s no substance. And without substance, there’s nothing to embed into company culture.
— Tristan Roth
Tristan noted that many companies pursue ISO 27001 purely for external reasons — sales pressure, vendor demands, regulatory requirements. But this "checkbox compliance" mindset often leads to rushed implementations, shallow training, and policies that nobody reads.
That’s precisely why meaningful certifications stand out. As a case in point, Passwork itself recently achieved ISO/IEC 27001:2022 certification — a milestone that underscores our commitment not just to technical excellence, but to real, operational security practices. You can view the certification details here. For us, it’s not about the certificate on the wall — it’s about living the standard in our day-to-day approach to product design, customer trust, and internal controls.
The real reason employees tune out
It's easy to blame employees for ignoring security policies. But in many cases, they’re not wrong to do so.
Tristan described how companies often copy-paste policy templates from the internet without adapting them to their specific context. A policy meant for
a university might get handed to a startup team. A remote work rule might ignore hybrid realities.
If a policy obviously doesn’t reflect your real work environment, of course employees will skip it. They know when no effort was made.
This disconnect between policy and reality creates distrust. Employees learn
to view documentation as bureaucracy, not guidance.
Training vs. transformation
Security training is everywhere — but it’s often treated like background noise.
Tristan emphasized that truly effective awareness programs require empathy, relevance, and context. Instead of one-size-fits-all e-learning modules, what works best is direct, human conversation. Sitting down with small groups. Tailoring sessions to different roles. Explaining why a policy exists, not just what it says.
Sometimes, the most effective approach is doing things that don’t scale. A 10-person training session can do more than a 2-hour video everyone skips.
This type of pedagogy isn’t flashy — but it changes behavior. It creates a feedback loop between employees and security teams that policy documents alone can’t.
Third-party risk: The unseen threat
In 2024, over 60% of data breaches were linked to third parties. Yet many organizations still conduct vendor assessments as a one-time task during onboarding — and never revisit them.
The companies I work closest with — I know the people. And if something changes, I can ask for proof, or pivot fast. That’s the mindset companies need to adopt.
Tristan warned against over-relying on surface-level due diligence. He stressed the importance of designating a responsible person (even in small companies) to build real relationships with vendors, revisit risk exposure over time, and keep alternative solutions in mind for business continuity.
Password mismanagement: Still the weakest link
According to Verizon’s Data Breach Investigations Report (DBIR), over 80% of hacking-related breaches still involve stolen or reused credentials.
Despite having password policies in place, many companies don’t monitor whether employees actually follow them. Shared passwords in messaging apps, weak variations of old passwords, or resistance to using MFA — these are all symptoms of convenience overriding policy.
A good password policy isn’t enough. You need to design systems assuming passwords will be compromised — and build defenses like MFA around that assumption.
Passwork and similar tools offer self-hosted or cloud-based solutions, but Tristan’s advice was clear: tools help, but they don’t replace responsibility. Compliance teams need to combine tech with empathy, audits, and clear communication.
Automating GRC without alienation
Automation can cut Governance, Risk management and Compliance (GRC) workloads by up to 60%, but it’s not a silver bullet. Poorly implemented tools can actually increase policy fatigue.
Some platforms take ten times longer than Excel. People go back to Excel — not because they don’t believe in compliance, but because the tool wasn’t built with their workflow in mind.
Instead of aiming for “full automation,” companies should focus on effective automation — solutions that reduce friction, not increase it. This means assigning a project owner, setting realistic expectations, and piloting changes before rolling them out at scale.
Leadership role in building security-first culture
Cybersecurity is often seen as an IT issue, but real change starts with leadership.
A recent PWC survey found that 80% of executives say they prioritize security — yet only 30% of CISOs feel supported. Tristan argued that this misalignment often stems from poor communication.
Security leaders need to speak the language of business. Not vulnerability management. Risk in financial terms. Loss potential. Mitigation cost. Impact.
CISOs must become translators — connecting security risks to business outcomes. When leadership understands the stakes in terms they care about, support and budget follow.
Final thoughts
Employees ignore cybersecurity policies not because they’re lazy — but because the policies feel irrelevant, the training feels generic, and the tools feel like obstacles.
Shifting that mindset requires a cultural transformation: from compliance to care, from documentation to dialogue. As Tristan put it, be the captain of your own security ship. Know your context. Use the tools wisely. But lead with empathy and clarity.
Further reading:
Iliya Garakh, CTO
Iliya Garakh, CTO
Iliya Garakh, CTO
Why do employees ignore cybersecurity policies?
Employees often ignore cybersecurity rules not out of laziness, but because they feel generic, irrelevant, or disconnected from real work. True change starts with empathy, leadership, and context-driven policies. Read the full article to learn how to make security stick.
