
Security Isn’t a Checkbox: It’s a Partnership

A recent infrastructure review at a mid-sized professional services firm revealed critical security oversights. Despite having policies on paper, enforcement was lacking, which left the organization vulnerable to data breaches and operational disruption. This blog explores the lessons learned, the cultural shifts needed, and how Sikich Tech 360 can help organizations turn security from a checklist into a resilient, proactive partnership. 

Trust, But Verify: A Security Horror Story 

In cybersecurity, the most dangerous threats are often the ones you assume are already handled. 

A recent infrastructure review at a mid-sized professional services company uncovered a chilling truth: 

  • No enforced multifactor authentication (MFA) 
  • No local hard drive encryption 

The stakes? Total data exposure, operational disruption, and reputational damage. 

The Assumption: “We’re Covered” 

The organization had security policies documented—but not enforced. Only one account had MFA enabled (a test account), and encryption wasn’t even mentioned. 

This wasn’t a gap. It was a gaping hole. 

The company had roughly 150 employees, with an IT team of just three people—overextended and under-resourced. Their industry required handling sensitive client data, yet their security posture didn’t reflect that responsibility. 

I remember sitting in a similar review years ago, where the CIO confidently stated, “We’ve got MFA everywhere.” A quick audit showed it was enabled—but not enforced. That moment stuck with me. It wasn’t about being untruthful—it was about assuming. And assumptions are dangerous in cybersecurity. 

The Exposure: One Credential Away from Crisis 

Without MFA, a single phished password could unlock everything. 

Without encryption, a lost laptop could expose confidential data. 

Best practices existed on paper, but not in practice. The organization was operating under a false sense of security.

The Wake-Up Call 

A third-party audit revealed the truth: 

  • MFA was configured, but most users had never completed registration, so it was never actually enforced at sign-in
  • No conditional access policies 
  • No device encryption standards 

The audit was a turning point. It wasn’t just about technology—it was about culture. 

I’ve seen audits become catalysts for change. One client told me, “We didn’t know what we didn’t know.” That humility opened the door to transformation. Security isn’t just about fixing—it’s about learning. 

The Response: From Oversight to Action 

The organization took swift action: 

  • Password policies modernized 
  • MFA registration enforced 
  • Licensing updated to support stronger identity controls 
  • Encryption implemented to a best practice standard 

Security isn’t a checkbox—it’s a culture. And culture starts with ownership. 

Lessons for Every Organization 

  1. MFA is not optional. It blocks 99% of account compromises. 
  2. Encryption is your last line of defense. If a device is lost or stolen, encryption protects the data. 
  3. Audits matter. They surface blind spots before attackers do. 
  4. Ownership is critical. Security must be enforced—not just documented. 

Where Would I Start? A Personal Viewpoint 

If I were advising this organization before the audit, I’d start with culture.  

Security needs to be part of onboarding, daily operations, and leadership conversations. I’d begin by: 

  • Making MFA a non-negotiable requirement 
  • Training staff on why encryption matters—not just how to enable it 
  • Empowering the IT team with the tools and authority to enforce policies 
  • Creating a feedback loop between leadership and IT to ensure priorities align 

Years ago, I worked with a company where the CEO personally attended the first security training session. That single act changed everything. It signaled that security wasn’t just IT’s job—it was everyone’s job. 

Another time, a CFO asked to review the results of a phishing simulation—not to assign blame, but to understand how leadership could better support awareness. That kind of curiosity and accountability from the top sends a powerful message. 

At one client site, the head of HR partnered with IT to embed security into the onboarding process. New hires didn’t just get a laptop—they got a security briefing, a checklist, and a clear message: “We protect our data because we protect our people.” 

Leadership Overcoming Resistance: Real Stories 

Culture change is rarely smooth. Resistance is part of the process, but leadership makes the difference. 

One executive I worked with faced pushback from senior staff who felt MFA was “too disruptive.” Instead of mandating it overnight, he hosted a town hall, shared real-world breach stories, and invited questions. Within a week, adoption jumped from 40% to 90%. Transparency built trust. 

Another CIO inherited a team that saw security as a blocker. She reframed it as an enabler—showing how secure systems could speed up client onboarding and reduce compliance overhead. She didn’t just change tools—she changed minds. 

And in one memorable case, a board member initially resisted funding a security upgrade. After a simulated breach exercise revealed how easily their data could be compromised, he became the program’s biggest advocate—personally championing budget increases and quarterly reviews. 

Leadership isn’t just about setting direction. It’s about removing friction, modeling behavior, and making security a shared value. 

HR’s Role in Building a Security Culture 

HR is often overlooked in cybersecurity conversations, but they’re essential to sustaining change. 

One of the most effective strategies I’ve seen is the implementation of an Accountable Use Policy—a clear, accessible document that outlines what employees are expected to do to protect company data and systems. 

HR’s Opportunity to Enable a Security Culture: 

  • Embed security into onboarding: Every new hire should receive training on secure behavior, including MFA, phishing awareness, and device handling. 
  • Reinforce accountability through policy: An Accountable Use Policy should be acknowledged by all employees and revisited annually. 
  • Partner with IT on training: HR-led sessions can normalize security conversations and make them part of company culture—not just compliance. 
  • Track and report engagement: HR can monitor completion rates for security training and escalate gaps to leadership. 

At one organization, HR created a quarterly “Security Pulse” newsletter with tips, reminders, and real stories of how employees helped prevent incidents. It wasn’t technical—it was cultural. And it worked. 

How a Security Managed Service Can Help 

For organizations of any size, the stakes are too high to rely on assumptions. A trusted strategic partner like Sikich can offer:

  • Proactive Security Monitoring: Continuous oversight of MFA enforcement, encryption compliance, and endpoint protection. 
  • Policy Enforcement: Automated configuration of conditional access, device encryption, and identity protection policies. 
  • Best Practice Alignment: Implementation of controls that align with industry standards and compliance frameworks. 
  • Rapid Response: Immediate remediation of vulnerabilities and support during audits or incidents. 
  • Scalable Solutions: Tailored security frameworks that grow with your organization’s needs. 

Partnering with Sikich ensures that security isn’t just documented—it’s delivered, monitored, and continuously improved. 

The Path Forward 

This story is a cautionary tale, but also a hopeful one. 

By confronting vulnerabilities head-on and partnering with the right experts, the organization is building a more resilient future. 

Don’t wait for a breach to discover your defenses are missing. 

Let Sikich Tech 360 guide your organization in building a lasting, people-driven security culture. 

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
