
Swedbank CSO Says Employees and Culture Are the Strongest Lines of Cyber Defense

The Security Digest - News Team
Published November 21, 2025

Swedbank CSO Petra Klein explains how a culture-first security strategy strengthens organizational defense and elevates employee accountability.

Credit: ricochet64

Key Points

  • While most organizations still treat people as the weakest link, a human-centered security culture is turning employees into the strongest line of cyber defense.

  • Petra Klein, Chief Security Officer at Swedbank, explains how transparent, business-focused messaging and everyday conversations about risk help employees see themselves as defenders, not bystanders.

  • By making security fun and simple, training ambassadors, and tying threats to real business impact and AI accountability, organizations can build a culture where employees act quickly, report issues, and function as a human firewall.

People are not the biggest risk—they're just the most attacked vector. Instead, talk about employees as part of the solution.

Petra Klein, Chief Security Officer, Swedbank

Security is full of warnings that "people are the weakest link." Today, that cliché either holds up or falls apart in practice, depending on how a company approaches security in the first place. When organizations treat it like a top-down checklist, employees tend to tune out. But for those who build a culture where everyone understands their role and feels equipped to act, humans can be the strongest line of defense.

Petra Klein, Chief Security Officer at Swedbank, is tired of the old narrative. A multi-award-winning leader named a Top 100 Global CISO for three years running, Klein has built a strategy that challenges the notion that human error is an inevitable weakness. Having spent most of her career watching the industry point to people as the problem, Klein is busy proving that the right culture can turn that assumption on its head.

"People are not the biggest risk—they're just the most attacked vector. Instead, talk about employees as part of the solution," Klein says. "If we empower all our employees to feel like they are the defenders of their company, that is so much more powerful. Then you get everyone to be the first line of the cyber defense." Her method begins with accessible communication that extends from the coffee machine to the boardroom.

  • The fun in fundamentals: "For me, it's really important first to make security fun and engaging," Klein explains. "To really stick out in the buzz, you have to create short, crisp messages that are understandable for everyone. The first thing is to talk more in business language." The approach empowers even non-technical teams, Klein continues, recalling how her communications staff felt they were "in the middle of defending" the bank during a cyber incident.

  • Coffee machine campaigns: In practice, this means turning memorable slogans like "security is everyone's business" and "you are the most important part of the cyber defense" into a constant, visible presence. "We put these short, simple messages everywhere: by the coffee machines, on the monitors, and we're standing in the corridors having these conversations," she says.

  • The red thread: In the boardroom, Klein builds influence by framing security as a core business enabler built on trust. She secures executive buy-in with a simple narrative: "If you just bring solutions to the board, they will not understand the full 'red thread,' so I talk about the cyber threats and then connect that all the way down to the risk for the company and how we mitigate it. When they understand the full picture, from the threat to the risk to the impact, you get a very security-aware board."

When it comes to new technologies like AI, Klein’s human-centric philosophy emphasizes the role of human judgment in guiding the technology. "With a powerful tool like AI, we must move beyond simple awareness and start talking about accountability," she notes. "Every employee needs to develop a healthy, paranoid mindset, understanding that they are accountable for how they use these new tools."

  • Excellence across the org: To scale this culture across a major financial institution, Klein suggests a "train the trainer" model. "We're creating security ambassadors, and those ambassadors will bring the knowledge with them to their teams. We're pushing security knowledge out to every corner of the bank, and our team becomes more of a center of excellence that supports and empowers everyone else in the organization."

The strategy paid off. The culture change became undeniable when the bank's own HR department made security a formal core competence for employees—a clear signal that the investment in a security culture had become a recognized business asset.

  • The human firewall: For Klein, however, the real proof of the culture's success isn't in audits, but in the proactive efforts of employees. "During our simulated cyber attacks, sometimes the technology finds the issue, but in many cases, it's our employees who report things that don't seem normal," she says. "That culture of acting and taking accountability is what I'm really proud of. That is success."

The empowerment model is also a personal one for Klein, rooted in her own career journey. She also focuses on building the next generation of talent in an industry where women fill only 15-25% of roles. "I got a call from a colleague today. His friend, a 19-year-old working in the bank, had listened to one of my talks and told him that while she didn't know what she wanted to do before, she now knew for certain she wanted to work in security," Klein shares. "For me, that's a real success: to inspire others."

Ultimately, Klein concludes, when people feel trusted, equipped, and accountable, they stop waiting for instructions and start defending the company as if it were their own. "Make the employees the most important part of the cyber defense. That’s what we should all strive for, because that’s when you get the will to defend."