Why Your Biggest Security Risk Is Internal Culture, Not External Hackers

How internal culture trends create cybersecurity vulnerabilities that technical solutions can't fix

When cybersecurity breaches make headlines, the focus typically lands on technical failures, unpatched systems, sophisticated attacks, or inadequate firewalls. But there's a critical vulnerability that rarely gets discussed in boardrooms: employee sentiment and organizational culture.

Recent analysis of employee feedback from major technology companies reveals a stark reality: internal culture issues may be creating significant cybersecurity risks that technical solutions alone cannot address. From legacy system frustrations to leadership transparency gaps, the human element of cybersecurity is being overlooked, and it's costing companies dearly.

But the story doesn't end with prevention. When breaches do occur, they create a devastating secondary impact that compounds these cultural vulnerabilities. Analysis of post-incident employee sentiment data reveals how cyber breaches don't just compromise data, they shatter employee trust, creating long-term organizational vulnerabilities that persist long after the technical remediation is complete.

The Culture–Security Connection

The relationship between organizational culture and cybersecurity effectiveness is more profound than most leaders realize. When employees lose trust in leadership, struggle with inadequate resources, or feel disconnected from company values, they become the weakest link in even the most sophisticated security frameworks.

Our analysis of employee sentiment across technology companies, including IBM, Microsoft, CrowdStrike, SentinelOne, and Change Healthcare, reveals concerning patterns that extend far beyond typical workplace complaints. These are fundamental cultural trends that directly impact cybersecurity posture and become even more dangerous when organizations face actual security incidents.

Trend 1: Legacy Systems and Technical Debt Crisis

Perhaps the most pervasive cybersecurity risk emerging from employee feedback is the widespread struggle with outdated technology infrastructure.

The Scale of the Problem

Across multiple organizations, employees consistently report working with antiquated systems that create both operational frustration and security vulnerabilities:

Legacy Infrastructure Complaints:

  • Change Healthcare: "The company has old software (20+ years old on some systems)"

  • Change Healthcare: "For a healthcare technology company, some of the technology given to employees and internal systems are a bit old"

  • IBM: "The hardest part of the job was dealing with job site security issues"

  • Change Healthcare: "Terrible network technology"

Quantitative Insight: Workplace scores at Change Healthcare remained below industry norms, with scores between 47–51 and percentile rankings as low as 10th across 2024–2025. These figures affirm employee frustrations with internal systems and highlight a systemic infrastructure deficit.

Security Implications

Legacy systems represent more than just productivity challenges, they're active security threats. When employees describe working with decades-old software, they're highlighting systems that:

  • Lack modern security patches and updates

  • Cannot integrate with contemporary security tools

  • Create compliance gaps in regulated industries like healthcare

  • Force workarounds that bypass security protocols

Technical Debt Accumulation: SentinelOne employees report "Lots of technical debt," while others describe infrastructure that needs fixing before productive work can begin: "Too many good engineers not being put into good use just waiting for the infrastructure to be fixed."

Trend 2: Security vs. Productivity Friction

A critical tension emerges across organizations between security requirements and operational efficiency, a friction that often leads to security circumvention.

The Compliance Burden

Microsoft employees particularly highlight how security measures impact daily productivity:

Operational Friction:

  • "Over time the data tooling has decreased in user-friendliness and flexibility as leadership tries a cookie cutter approach to security"

  • "Security constraints can slow technical progress and add extra maintenance"

  • "Security levels can slow down your ability to work, you need approval for every software you install"

  • "Development is slow due many security checks"

Compliance Overload:

  • "Tons of compliance and security requirements that keeps on coming up"

  • "Corporate security restrictions and rules are sometimes make work much harder and slower"

The Shadow IT Risk

When security processes become too cumbersome, employees inevitably find workarounds. This creates the dangerous phenomenon of "shadow IT"—unauthorized tools and processes that bypass official security controls.

Trend 3: Leadership Transparency and Trust Deficits

Across all organizations analyzed, employees consistently report issues with leadership transparency and communication, factors that directly undermine security culture and become critical vulnerabilities when incidents occur.

Leadership Disconnect:

  • IBM: "Upper level execs make decisions with very wide impact without any transparency"

  • Microsoft: "There is a disconnect between the company's stated values and the reality experienced by employees"

  • CrowdStrike: "CrowdStrike has the worst and blind management"

  • Change Healthcare: "Management is always watching making sure you are answering calls"

Quantitative Insight: Leadership scores at Change Healthcare hovered between 36 and 38 across most of 2024, rising to 42 in mid-2025. Even at its peak, this placed the company only in the 30th percentile compared to peers. Integrity scores were even more concerning, bottoming out at 30 in January 2025—just the 3rd percentile.

Trust Erosion and Security Implications

When employees don't trust leadership decisions, they're less likely to:

  • Report security incidents promptly

  • Follow security protocols they view as arbitrary

  • Participate actively in security training and awareness programs

  • Collaborate effectively during incident response

Particularly Concerning: CrowdStrike employees, working for a cybersecurity company, express doubt about their own organization's security capabilities: "They are afraid that they themselves cannot defend against breaches."

This trust deficit becomes catastrophic when actual breaches occur, as we'll explore in detail in Part 2 of this series.

Trend 4: Resource Constraints and Support Deficits

Inadequate resources and support infrastructure create cybersecurity vulnerabilities by forcing employees to work with insufficient tools and guidance.

IT Support Failures

Outsourcing and Support Issues:

  • Change Healthcare: "IT support teams were outsourced to Wipro"

  • Change Healthcare: "Issues trying to get an IT tech to understand what you're having a problem with"

  • IBM: "The hardest part of the job is lack of support structure for technical issues"

  • Change Healthcare: "System errors always calling tech support"

Quantitative Insight: Hiring and Benefits scores at Change Healthcare remained stagnant throughout 2024–2025. Career scores hovered around 53–56, while percentile rankings for these scores often stayed in the 30s to 40s, indicating weak internal investment in resources and retention support.

Security Impact

Inadequate IT support creates several cybersecurity risks:

  • Delayed patching and system updates

  • Increased reliance on potentially insecure workarounds

  • Higher likelihood of human error due to frustration

  • Reduced ability to detect and respond to security incidents

Trend 5: Organizational Instability and Change Fatigue

Rapid organizational changes, frequent restructuring, and leadership turnover create environments where security initiatives struggle to take root.

Constant Flux:

  • SentinelOne: "C-Suite is a revolving door"

  • IBM: "They've changed hands twice in 5 years"

  • Change Healthcare: "Policies are always changing with each acquisition"

Security Implications of Instability

Organizational chaos undermines cybersecurity in multiple ways:

  • Security policies lack continuity and consistency

  • Employee security training becomes fragmented

  • Incident response procedures suffer from knowledge gaps

  • Security culture cannot develop deep roots

Change Fatigue Effects: When employees describe feeling overwhelmed by constant change, they often become resistant to new initiatives, including critical security updates and training programs.

Trend 6: Process Bureaucracy and Decision-Making Paralysis


Bureaucratic Barriers:

  • CrowdStrike: "Good ideas die on the vine because no one can figure out who needs to approve something before it can be tested"

  • IBM: "Every decision, no matter how minor, requires endless layers of approvals"

  • Microsoft: "Every decision takes weeks as multiple leadership & sister teams need to be consulted"

Security Response Impact

Complex approval processes particularly harm cybersecurity because:

  • Security incidents require rapid response that bureaucracy prevents

  • Security tool implementations get delayed in approval chains

  • Employees bypass proper channels to maintain productivity

  • Innovation in security practices stagnates

Overly complex approval processes and bureaucratic red tape create security vulnerabilities by slowing response times and encouraging workarounds.

The Real Cybersecurity Risks: Connecting Culture to Vulnerabilities

These cultural trends translate into concrete cybersecurity vulnerabilities that technical solutions cannot address:

  • Increased Insider Threat Risk

  • Security Control Circumvention

  • Delayed Incident Response

  • Compliance Theater vs. Real Security

  • Knowledge and Skill Gaps

  • Legacy Vulnerability Persistence

Building Security-Conscious Culture: Addressing the Foundation

Organizations serious about cybersecurity must address these cultural foundations systematically:

  • Modernize Infrastructure Strategically

  • Balance Security and Usability

  • Build Leadership Transparency and Trust

  • Invest in Adequate Resources and Support

  • Stabilize Change Management

  • Streamline Security Processes

The Preview: When Prevention Fails

But what happens when these cultural vulnerabilities meet an actual cybersecurity incident? In Part 2 of this piece we'll examine how cyber breaches create devastating secondary impacts on employee trust and organizational stability. Analysis of post-incident employee sentiment data reveals patterns that should concern every security leader: breaches don't just compromise data, they shatter the very cultural foundations needed for long-term security resilience.

The story of cybersecurity isn't just about preventing the first breach—it's about building organizations resilient enough to recover and remain secure after incidents occur.

Discover how organizational culture creates cybersecurity vulnerabilities at IBM, CrowdStrike, Microsoft, SentinelOne, and Change Healthcare through our in-depth analysis. Our comprehensive reports examine leadership effectiveness, employee sentiment trends, and cultural dynamics that expose the human factors behind security risks, vulnerabilities that no technical solution can fix.

Download our detailed culture and security analysis report for IBM. Interested in reports for other companies? Just ask!

IBM Company Culture Report

IBM Executive Summary

IBM Leadership Performance and Development

Curious About a Company?

Which organization are you most interested in seeing our exclusive reports on? We're constantly growing Aniline's Insights and prioritize the companies that matter most to our readers.

Request a Custom Report

Blog Home Page