Why Your Biggest Security Risk Is Internal Culture, Not External Hackers
How internal culture trends create cybersecurity vulnerabilities that technical solutions can't fix
When cybersecurity breaches make headlines, the focus typically lands on technical failures: unpatched systems, sophisticated attacks, or inadequate firewalls. But there's a critical vulnerability that rarely gets discussed in boardrooms: employee sentiment and organizational culture.
Recent analysis of employee feedback from major technology companies reveals a stark reality: internal culture issues may be creating significant cybersecurity risks that technical solutions alone cannot address. From legacy system frustrations to leadership transparency gaps, the human element of cybersecurity is being overlooked—and it's costing companies dearly.
But the story doesn't end with prevention. When breaches do occur, they create a devastating secondary impact that compounds these cultural vulnerabilities. Analysis of post-incident employee sentiment data reveals how cyber breaches don't just compromise data—they shatter employee trust, creating long-term organizational vulnerabilities that persist long after the technical remediation is complete.
The Culture–Security Connection
The relationship between organizational culture and cybersecurity effectiveness is more profound than most leaders realize. When employees lose trust in leadership, struggle with inadequate resources, or feel disconnected from company values, they become the weakest link in even the most sophisticated security frameworks.
Our analysis of employee sentiment across technology companies, including IBM, Microsoft, CrowdStrike, SentinelOne, and Change Healthcare, reveals concerning patterns that extend far beyond typical workplace complaints. These are fundamental cultural trends that directly impact cybersecurity posture and become even more dangerous when organizations face actual security incidents.
Trend 1: Legacy Systems and Technical Debt Crisis
Perhaps the most pervasive cybersecurity risk emerging from employee feedback is the widespread struggle with outdated technology infrastructure.
The Scale of the Problem
Across multiple organizations, employees consistently report working with antiquated systems that create both operational frustration and security vulnerabilities:
Legacy Infrastructure Complaints:
- Change Healthcare: "The company has old software (20+ years old on some systems)"
- Change Healthcare: "For a healthcare technology company, some of the technology given to employees and internal systems are a bit old"
- IBM: "The hardest part of the job was dealing with job site security issues"
- Change Healthcare: "Terrible network technology"
Quantitative Insight:
Workplace scores at Change Healthcare remained below industry norms, with scores between 47 and 51 and percentile rankings as low as the 10th across 2024–2025.
Security Implications
Legacy systems represent more than just productivity challenges—they're active security threats. When employees describe working with decades-old software, they're highlighting systems that:
- Lack modern security patches and updates
- Cannot integrate with contemporary security tools
- Create compliance gaps in regulated industries like healthcare
- Force workarounds that bypass security protocols
Trend 2: Security vs. Productivity Friction
A critical tension emerges across organizations between security requirements and operational efficiency—a friction that often leads to security circumvention.
The Compliance Burden
Microsoft employees particularly highlight how security measures impact daily productivity:
Operational Friction:
- "Over time the data tooling has decreased in user-friendliness and flexibility as leadership tries a cookie cutter approach to security"
- "Security constraints can slow technical progress and add extra maintenance"
- "Security levels can slow down your ability to work, you need approval for every software you install"
- "Development is slow due to many security checks"
The Shadow IT Risk
When security processes become too cumbersome, employees inevitably find workarounds. This creates the dangerous phenomenon of "shadow IT"—unauthorized tools and processes that bypass official security controls.
Trend 3: Leadership Transparency and Trust Deficits
Across all organizations analyzed, employees consistently report issues with leadership transparency and communication—factors that directly undermine security culture and become critical vulnerabilities when incidents occur.
Leadership Disconnect:
- IBM: "Upper level execs make decisions with very wide impact without any transparency"
- Microsoft: "There is a disconnect between the company's stated values and the reality experienced by employees"
- CrowdStrike: "CrowdStrike has the worst and blind management"
- Change Healthcare: "Management is always watching making sure you are answering calls"
Quantitative Insight:
Leadership scores at Change Healthcare hovered between 36 and 38 across most of 2024, rising to 42 in mid-2025. Even at its peak, this placed the company only in the 30th percentile. Integrity scores were even more concerning, bottoming out at 30 in January 2025—just the 3rd percentile.
Trust Erosion and Security Implications
When employees don't trust leadership decisions, they're less likely to:
- Report security incidents promptly
- Follow security protocols they view as arbitrary
- Participate actively in security training and awareness programs
- Collaborate effectively during incident response
Particularly Concerning: CrowdStrike employees, working for a cybersecurity company, express doubt about their own organization's security capabilities: "They are afraid that they themselves cannot defend against breaches."
Trend 4: Resource Constraints and Support Deficits
Inadequate resources and support infrastructure create cybersecurity vulnerabilities by forcing employees to work with insufficient tools and guidance.
Outsourcing and Support Issues:
- Change Healthcare: "IT support teams were outsourced to Wipro"
- Change Healthcare: "Issues trying to get an IT tech to understand what you're having a problem with"
- IBM: "The hardest part of the job is lack of support structure for technical issues"
- Change Healthcare: "System errors always calling tech support"
Security Impact
Inadequate IT support creates several cybersecurity risks:
- Delayed patching and system updates
- Increased reliance on potentially insecure workarounds
- Higher likelihood of human error due to frustration
- Reduced ability to detect and respond to security incidents
Trend 5: Organizational Instability and Change Fatigue
Rapid organizational changes, frequent restructuring, and leadership turnover create environments where security initiatives struggle to take root.
Constant Flux:
- SentinelOne: "C-Suite is a revolving door"
- IBM: "They've changed hands twice in 5 years"
- Change Healthcare: "Policies are always changing with each acquisition"
Security Implications of Instability
Organizational chaos undermines cybersecurity in multiple ways:
- Security policies lack continuity and consistency
- Employee security training becomes fragmented
- Incident response procedures suffer from knowledge gaps
- Security culture cannot develop deep roots
Trend 6: Process Bureaucracy and Decision-Making Paralysis
Overly complex approval processes and bureaucratic red tape create security vulnerabilities by slowing response times and encouraging workarounds.
Bureaucratic Barriers:
- CrowdStrike: "Good ideas die on the vine because no one can figure out who needs to approve something before it can be tested"
- IBM: "Every decision, no matter how minor, requires endless layers of approvals"
- Microsoft: "Every decision takes weeks as multiple leadership & sister teams need to be consulted"
Security Response Impact
Complex approval processes particularly harm cybersecurity because:
- Security incidents require rapid response that bureaucracy prevents
- Security tool implementations get delayed in approval chains
- Employees bypass proper channels to maintain productivity
- Innovation in security practices stagnates
The Preview: When Prevention Fails
But what happens when these cultural vulnerabilities meet an actual cybersecurity incident? In Part 2 of this series, we examine how cyber breaches create devastating secondary impacts on employee trust and organizational stability.
Analysis of post-incident employee sentiment data reveals patterns that should concern every security leader: breaches don't just compromise data—they shatter the very cultural foundations needed for long-term security resilience.
The story of cybersecurity isn't just about preventing the first breach—it's about building organizations resilient enough to recover and remain secure after incidents occur.