From experience: if you create culture inside an org where you acknowledge security breaches happen, and place protecting customers and society at the heart of discussions, you will by proxy protect org from reputation damage, and employees, as everybody wants to do best thing.

There are always trade offs - but if you nail the culture, lead by CEO, intentions start from a good place.

Cybersecurity effectiveness isn’t just playing with technical toys. If you get culture wrong, outcomes are bad.