
By Chuck Gallagher — Business Ethics Keynote Speaker and Trainer
Two phone calls. That is all it took. Two phone calls and two of the largest entertainment companies on the planet were on their knees. MGM Resorts. Caesars Entertainment. September 2023. Damage somewhere north of one hundred and fifteen million dollars between them. No firewall failed. No zero-day exploit. A help-desk employee picked up the phone, heard a credible voice, and reset a credential. That was the breach.
Now hear this. Verizon’s 2025 Data Breach Investigations Report says about sixty percent of all breaches involve a human element. Sixty percent. And the response from most boardrooms is to buy more software. Roll out another awareness module. Send out another phishing test that everyone groans about and ignores. We are spending billions on technology to solve what is fundamentally a culture problem.
I am Chuck Gallagher, business ethics keynote speaker and AI speaker and author, and I have watched this exact pattern play out across industries for more than two decades. The mechanics are always the same. Need. Opportunity. Rationalization. A pressured employee, a system that makes the wrong choice convenient, and a story they tell themselves to justify the shortcut. Cybersecurity is just the newest stage where the same old play runs.
A recent OutThink article on human-centric cybersecurity gets the diagnosis right. The perimeter is not the network anymore. The perimeter is the person. Gartner now classifies Security Behaviour and Culture Programs as a defining trend, and the framework they recommend, called PIPE, focuses on Practices, Influencers, Platforms, and Enablers. Useful scaffolding.
But you cannot train your way out of a culture problem. You can run drills until your people recite the policy in their sleep, and the moment a vendor calls with urgency in their voice on a busy Friday afternoon, all of that training evaporates. Behavior under pressure reveals the actual culture, not the official one.
What should leaders actually do? Three things. One. Stop blaming the help-desk employee and start examining the conditions that produced the rushed decision. Two. Make the secure action the easy action. If multifactor authentication is annoying, fix the friction, do not eliminate the control. Three. Reward people who report mistakes the moment they happen. A culture built on blame buries risk until it explodes. A culture built on transparency surfaces it while you can still act.
Here is the uncomfortable truth. The breach numbers are not going to move until accountability moves up the org chart. When something fails, the security team gets blamed and the CEO talks about resilience. Until that changes, we keep watching the same headlines.
Drop a comment with the single biggest cultural barrier you are running into when you try to make secure behavior the default in your organization. I read every comment, and I respond personally. If this kind of conversation on ethics, behavior, and consequences is what you want more of, hit subscribe and ring the bell. We are just getting started.
