The Soft Skills Behind a Strong Security Culture

For most of my career, I’ve seen our industry laser-focused on securing technology—and for good reason. Vulnerability management, endpoint protection, network filtering, security incident and event management have allowed us to make a huge impact. But while we’ve become exponentially better at using technology to secure technology, cyber attackers have become just as effective at targeting people. The human side of cybersecurity is now where we're the most vulnerable.

That’s why building a strong security culture isn’t just about deploying the right tools or technical controls. It’s about communication, engagement, and influence. In short, it's about soft skills.

What the 2025 Security Awareness Report® Taught Us

This year’s 10th annual SANS Security Awareness Report® underscored what many of us already suspected: the most mature programs are often led by practitioners who know how to engage, connect, and lead. Soft skills were repeatedly cited—especially in open-ended responses—as a core driver of success.

And it’s not just about being able to communicate with and engage your workforce. Practitioners also need to influence leadership and their own security teams. Many respondents reported struggling with leadership support or being dismissed by security peers as the “HR-lite” team or “the fun posters crew.” These perceptions don’t happen because our work lacks value. They happen when we fail to clearly communicate why our work matters. That too, is a soft skill.

The Soft Skills That Matter Most

If you’re working to build a security culture, here are the skills that help you move from awareness to influence and from influence to lasting change.

1. Communication: Making Security Simple

At the heart of every successful security awareness and culture program is the ability to communicate effectively. This isn’t about overwhelming people with technical knowledge—it’s about making security understandable and actionable.

Whether you're speaking to frontline staff, mid-level managers or senior executives, your message must be clear, concise, and relevant to their priorities. Security communication often fails not because the content is wrong, but because the delivery is poor.

A few guiding principles:

• Simplify. Don’t try to communicate everything. Focus only on what people truly need to know. Too much detail overwhelms. The shorter your message, the better.
• Avoid jargon. Skip technical terms and acronyms., Use straightforward language anyone can understand.
• Highlight the “why.” Why should people care? Like marketing, our job is to sell security. Whenever possible, emphasize personal benefits (e.g., how password managers make life easier).

Understanding your target audience, their motivations and challenges, makes it easier to connect. Marketing models like Attention, Interest, Desire, Action (AIDA) can help shape more engaging communications. The more people see value in security, the more likely they are to embrace secure behaviors.

2. Empathy: Seeing People Through Their Eyes

Empathy is foundational for anyone working in security culture. To change behavior, you must first understand why people act as they do. Risky behavior is rarely driven by negligence or malice—it’s usually the result of stress, unclear policies, or pressure to perform.

Leading with empathy shifts us from blaming users to supporting them. I’m a huge fan of how Amazon AWS approaches this mindset as well: its security team isn’t in the risk management business, but the customer service business. Their job is to support and enable others.

When you empathize, you design security efforts that reflect real-world challenges. You identify friction points that drive insecure behavior. And you build trust. When employees believe security understands their challenges and is there to help, they are far more likely to engage, report concerns, and become allies.

3. Collaboration: Culture Is a Team Sport

A strong security culture is a shared effort across teams and disciplines. HR, Legal, IT, Operations, and Finance, each play a role and have unique needs. Your ability to collaborate with these partners determines how well your program can scale and sustain your efforts.

True collaboration requires more than scheduling meetings. It’s about building trust, listening actively, and aligning around shared goals. When security positions itself as an enabler—not an enforcer—it becomes a valued partner.

Collaboration expands your reach and impact. HR can support onboarding efforts, Comms can amplify campaigns, and leadership can model key behaviors. A culture of security forms when every department sees it as part of their responsibility—and that starts with your ability to bring people together. A great way to build trust is never to eat lunch or go out for a coffee alone. Use those opportunities to reach out to colleagues and get to know them better.

4. Strategic Framing: Speak the Language of Leadership

To secure long-term support for your program, you need to frame your work in terms of leadership cares about: strategic priorities such as risk reduction, operational resilience, innovation, and reputation. Too often, security awareness and culture programs are seen as a compliance exercise because we focus on what we’re doing rather than why it matters.

But when you reframe your efforts as a strategic lever—one that directly supports business objectives—you shift the conversation entirely. Ask yourself:

• Are you enabling the safe adoption of Artificial Intelligence?
• Are you reducing costly social engineering incidents?
• Are you supporting secure remote work?
• Are you driving the adoption of stronger authentication?

Framing your work around business priorities demonstrates impact, not just activity. It also ensures you’re seen as part of the core security strategy—not a side effort. Strategic framing builds credibility and earns you a seat at the table where real decisions are made.

Soft Skills Are the Hard Part

Soft skills may sound, well, soft. But they are some of the hardest, and most important, skills to develop. The good news? These skills can be learned and practiced. And in a world where people are the primary attack vector, these skills are no longer optional for security teams. They’re critical.

Ready to move from awareness to influence?

Discover how leading organizations rank communication, collaboration, and leadership abilities alongside technical expertise in the 2025 Cybersecurity Workforce Research Report by SANS|GIAC.