David Brown is an executive and non-executive director with a proven track record in leading large, multi-site and multi-discipline commercial and public sector organisations.

Culture, Change and the Boardroom

David Brown, the CEO of a large enterprise business, was sitting in his office wading through emails. His personal assistant was nearby, so David asked whether she had sent his note to the local managers.

She had, but she had made a few changes before sending it. Her edits aligned with a decision the leadership team had recently made: everyone, regardless of their position, should be referred to as “colleagues.” The idea was to move away from a hierarchical culture. David agreed he had inadvertently reverted to the old ways and his original note didn’t support the new culture.

David tells this story when people ask him about building a positive culture. He spent decades in leadership roles across transportation, energy, and infrastructure, and he’s now the Chair of Renew Holdings and TripShift. He has the kind of CV that usually insulates a person from being corrected by anyone.

However, the interaction above is “one of the things I always want to aim for”, David explains. “I want people to voice their opinion. I want people to feel they’re involved. I want people to actually contribute in a positive way”. This is not because he’s proud of writing the perfect email – but because it’s important to him that people in his company would feel safe enough to stop him from sending the wrong message – “where people aren’t just keeping quiet for fear of having their heads chopped off”.

Why should you care?

For David, building a strong culture is about creating an environment where people voice their opinions without fear, contribute in a positive way and thrive in their work. We spend approximately one third of our lives at work, and so, David says: “Why wouldn’t you want a better place to work?”

But beyond having a good workplace, David believes it’s good for business. First, a good culture is essential to decision making. Those at the senior level need to communicate with their people at all levels of the company to know what is going on. “You don’t want people hiding. You don’t want people not telling you the truth. Truth to power is very important.” Senior leaders are only as good as the information they get – and in most organisations, bad news gets filtered, softened, or buried completely before it reaches the top. David explains that when people aren’t afraid to speak up, he can hear what really needs fixing before systems break and catastrophes happen.

Another benefit of culture is its connection to purpose and meaning that motivate and unite employees. There is strength in numbers and the feeling of comradery gained from working together. David remembers telling his teams: “we’re affecting the quality of people’s lives”, making sure to repeatedly reinforce that connection between what they do and why it matters. That’s what keeps people from jumping ship when things are hard; a shared vision means employees are more likely to stay with their organisation.

The final and perhaps most important point is that a strong culture is a differentiator for an organisation. When things inevitably go sideways – because they always do – clients notice the difference. They notice when everyone in the organisation, from top to bottom, is trying to do the right thing. They give you the benefit of the doubt.

A Continuous Process of Improvement

Culture isn’t just a quick fix or poster on the wall. It’s not just the Friday afternoon workshop where everyone shares their feelings and then goes back to their desks.

“It needs to be embedded in everything,” David says. “In the recruitment, the language, every policy, every communication, every way you deal with people, the way you reward your managers.”

For David, culture is built through storytelling. He’s learned to look for the small moments where culture lives or dies, and to take every opportunity to embed and solidify culture in the organisation. For example, when the company wins a big contract, he doesn’t just send a congratulations email. He explains how their values and their culture allowed them to grasp that success.

He does this constantly. “You can’t just do it for a couple of weeks and move on.”

The good news? Once you’ve built the kind of place where people speak up, the culture starts to reinforce itself. Acting in accordance with the culture becomes intuitive and innate. No one is perfect, and everyone should be comfortable in looking out for when the culture isn’t being reflected accurately. An assistant having the confidence to suggest improvements to a senior’s email – that’s the culture being alive.

Culture is multidirectional

David is blunt about this: “If I went around saying I want openness and transparency but didn’t listen to people and didn’t care what they have to say – it’s just not authentic.” If there’s no trust and openness in the board, those values won’t trickle down throughout the organisation. “Any leader should be authentic.” But most leadership teams say they want honesty while operating as though they are in a performance where everyone’s playing a role. This doesn’t work: “people can smell inauthenticity from a mile away.” The board must model the behaviours they want to see. They can’t be anonymous entities, detached from the business, showing up quarterly to nod at PowerPoints before disappearing again.

At the same time, culture can’t be imposed onto everyone else. It must also grow from the ground up. David’s approach is simple: listen to what people across the organisation say about their culture, then play those words back to them. “If you’re saying things that they believe themselves, then you don’t get pushback. They feel part of it.”

When he was leading a group of subsidiary companies, he let different cultures flourish in different places – so long as they all connected back to the core. Some variation isn’t just acceptable, it’s necessary. It means that the people at those companies “bought into [the culture] and felt that it was important to them”. David explains that what matters is that people feel it’s real. He remembers the subsidiaries with a particular fondness: “They had this ‘can-do’ attitude – and I believed it too. When there was a crisis, they were the people I wanted with me, because they’d roll up their sleeves and get stuff done.”

The Unfinished Work

David talks about his organisations the way people talk about something they helped build with their hands. There’s pride, yes, but also care. A strong culture is something you recommit to, every day, in small and big choices.

It’s the looking out for each other. It’s the constant reinforcement of the story and values. It’s about how they came together – to celebrate and to tackle a crisis. These aren’t just milestones – they’re ongoing maintenance of something unique and precious to the company. The constant, unglamorous work of making sure that “openness and transparency” aren’t just words in a company mission statement, but the lived experience of everyone who works there.

Vic Djondo is the SRO for Security Culture and Education at the BT Group.

A security leader’s risky bet and what finally moved the C-suite

Vic Djondo had five hours to prove his point to his new CEO, who had been in post for a few weeks.

Vic, who leads cyber security culture across a major telecommunications company, had a 1 PM presentation scheduled with her. At 8 AM that same morning, his team sent a simulated phishing attack to her office.

“It could have been career limiting,” he laughs now. “But I did it anyway.”

The attack worked and the CEO’s team fell for it. And when Vic walked into that afternoon presentation with the evidence of how easily her inner circle had been compromised, the CEO’s first response wasn’t defensiveness or anger. It was immediate action: “I want my entire office educated on this stuff. And I want it permeated throughout the whole organisation.”

This is a story about what it actually takes to make senior leaders invest in security – enough to change how they work, what they prioritise, and how they hold themselves accountable.

The Problem

Vic has spent over a decade building security cultures across major organisations. “Getting leaders to care – making it relevant and resonate for leaders in the first instance and then getting them to really set the tone of security to the business – that is probably the hardest piece,” he says.

Everything else in the security culture playbook is easier once you’ve secured leadership buy-in. You can have the best awareness campaigns, the most sophisticated training, a network of champions spread across the business. But if the C-suite doesn’t commit their resources, none of it sticks.

Leaders understand that security matters. The issue, however, is that security is one of fifty things competing for their attention, and most of those other things have clearer, more immediate consequences. Until something goes catastrophically wrong, security lives in the realm of theoretical risk. And theoretical risks are easy to deprioritise when you’re dealing with quarterly earnings, customer complaints, and the person who just quit, taking half their team’s institutional knowledge with them.

Not only that, but most organisations, Vic believes, are still in their infancy when it comes to security culture. And it’s not because they don’t have the right policies or tools. It’s because culture takes time – a decade, sometimes longer. In big organisations, the C-suite can change every three to five years. “It can be very difficult to embed a culture that you want when you’re really talking about five to ten year shifts,” he says.

So how do you get leaders to invest in something that won’t fully mature during their tenure? How do you make the need for security culture real, impossible to ignore?

The League Table Strategy

Vic has a secret weapon, and he is “absolutely shameless” about using it (his words!).

“I’ll absolutely put that data front and centre,” he says. The data: phishing resilience metrics, training completion rates. All displayed in board meetings, with each C-suite member’s division ranked against their peers.

“Leaders never want to be second, and they never want to be last.”

This isn’t about shame, exactly. It’s about understanding what drives people at that level. Competitiveness is their superpower – it’s how they got to the C-suite in the first place – but it’s also a “way in” for Vic.

He says, “that embarrassment of being at the bottom of that league table is usually enough to get them moving even quicker than things like reputational or financial risk.”

Vic has seen this approach transform behaviour across functions. No leader wants to be the one dragging down the numbers while their peers excel.

But the more sophisticated part: when someone challenges the data – and they will – it opens up a conversation about why their numbers are worse. Sometimes a division performs poorly not because its staff doesn’t care, but because the security requirements don’t fit how that part of the business actually operates.

Vic gives the example of procurement teams who need to constantly open email attachments: invoices, purchase orders, contracts. If the security policy says “don’t open attachments,” procurement can’t do their jobs. “Then the way we’re trying to work securely doesn’t suit the procurement side of the business. So, we need to create a solution that does suit them.” The league tables start a conversation. Sometimes it’s about attitude and leadership. Sometimes it’s about security needing to adapt. Either way, systemic issues surface, and real change starts taking place.

In part two, we will explore with Vic what that change actually looks like when it takes hold – and the unglamorous, persistent work required to make it stick.