As security leaders advance into 2026, the real challenge is no longer technology, but culture. In this article, Federico Iaschi, Information Security Director at Starling Bank, argues that fear-driven security models are actively undermining resilience - and explains why senior leaders must move beyond “human firewalls” towards blameless, business-aligned guardrails. This shift from punishment to transparency sits at the heart of the strategic, peer-level discussions taking place at the #RISK Executive Forums, where decision-makers come together to redefine how security enables growth, trust and long-term value.

Federico Iaschi, Information Security Director, Starling Bank


When I was invited to contribute to this #RISK content series inspired by Janus, the god of transitions who watches the past and the future at the same time, I thought it was a nice image. Yet most of us in security spend our days staring at our boots, frantically extinguishing the fires burning right in front of us. We rarely get the chance to look up, but if we stopped putting out fires for five minutes and looked at the culture we built last year, we would find it fundamentally broken.

Looking back: The friction of 2025

We spent the last 12 months guarding every door with fear, but if we actually sit down and look at the data, it is evident that the strategy didn’t work.

We need to abandon the ‘human firewall’ concept because it is dead. The evidence is the significant amount of cash we burned on security compliance videos that only a few of our employees watched, and on phishing awareness campaigns that, according to every industry stat I’ve seen, failed to change behaviour; they just taught people how to hide. In my experience, when you terrify a member of staff with the threat of public shaming or a disciplinary meeting because they clicked the wrong link, you don’t stop them from clicking; you stop them from reporting it.

Let’s imagine a junior finance admin clicking a bad link. Their first reaction should be to call us, but last year their immediate thought was to hide the mistake to avoid being blamed, creating a silence that blinds us and is ultimately far worse than the malware itself. That silence is infinitely more dangerous than the technical threat because we cannot fight what we cannot see. The hard lesson is that scaring people doesn’t make them secure; it only makes them quiet.

Looking forward: Guardrails, not gates

2026 requires a fresh start built on a blameless culture, and whilst some hear ‘blameless’ and assume it means zero accountability, the reality is purely pragmatic: we must remove the fear of punishment for honest mistakes if we ever hope to see what is truly happening in security. 

We need to apply the principles of ‘Radical Candor’: care personally about our colleagues while challenging them directly when they mess up. Avoiding toxicity is how we gain real visibility, and our awareness programmes must stop lecturing and start listening to the people who act as our sensors on the ground, because they know the business processes better than we do.

This cultural shift forces us to change what we measure, moving away from the 2025 board obsession with ‘click rates’ in phishing simulations and instead obsessing over the ‘reporting rate’ and the ‘speed to report’.

If a staff member clicks a malicious link but picks up the phone to the Security Operations Centre within two minutes, that is the outcome we should aim for. It is a win because it allows the Respond and Recover teams to contain the incident before it moves, a speedy response we will never get if staff are terrified of security.
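To make the shift from ‘click rate’ to ‘reporting rate’ and ‘speed to report’ concrete, here is an added example (not from the article or Starling Bank) that scores a phishing simulation from a constructed event log. The two-minute report window, the event fields and the user names are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class SimulationEvent:
    """One recipient of a simulated phish (constructed schema, not a real tool's)."""
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime]   # None if the user never clicked
    reported_at: Optional[datetime]  # None if the user never told the SOC

def campaign_metrics(events, report_window=timedelta(minutes=2)):
    """Score a campaign by what the article asks boards to watch, not just clicks."""
    total = len(events)
    clicked = [e for e in events if e.clicked_at]
    reported = [e for e in events if e.reported_at]
    # The "win": clicked, but phoned the SOC inside the report window.
    contained = [e for e in clicked
                 if e.reported_at and e.reported_at - e.clicked_at <= report_window]
    # The "silence": clicked and never reported; this is what a fear culture produces.
    silent = [e for e in clicked if not e.reported_at]
    # Speed to report, measured from delivery of the phish to the report.
    seconds_to_report = [(e.reported_at - e.sent_at).total_seconds() for e in reported]
    return {
        "click_rate": len(clicked) / total,
        "reporting_rate": len(reported) / total,
        "median_seconds_to_report": median(seconds_to_report) if seconds_to_report else None,
        "clicks_contained_in_window": len(contained),
        "silent_clicks": len(silent),
    }

# Constructed sample campaign: five recipients, same delivery time.
T0 = datetime(2026, 1, 12, 9, 0)
SAMPLE_EVENTS = [
    SimulationEvent("alice", T0, None, T0 + timedelta(minutes=3)),                           # reported, no click
    SimulationEvent("bob", T0, T0 + timedelta(minutes=5), T0 + timedelta(minutes=6)),        # clicked, reported in 60s
    SimulationEvent("carol", T0, T0 + timedelta(minutes=2), None),                           # clicked, silent
    SimulationEvent("dave", T0, None, None),                                                 # ignored the mail
    SimulationEvent("erin", T0, T0 + timedelta(minutes=10), T0 + timedelta(minutes=20)),     # clicked, reported late
]

if __name__ == "__main__":
    for name, value in campaign_metrics(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

Two campaigns with the same 60% click rate look very different once silent clicks and median speed to report are on the dashboard.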

Therefore, 2026 has to be the year we democratise our language because, as practitioners, we often hide behind acronyms and technical jargon that alienate the very people we are trying to protect, instead of just explaining the risk in plain English.

Conclusion

The Security ‘Department of No’ needs to be left behind as we transform our security teams into the ‘Department of How’ by building a place where mistakes are fixed rather than punished.

Janus looks two ways, and we must do the same by keeping one eye on future risks and one eye on our business’s needs today, finding that balance where security becomes the foundation of growth rather than a barrier.

That is how you actually build resilience in 2026.

Federico’s call to transform security from the “Department of No” into the “Department of How” perfectly encapsulates the core mission of #RISK Expo Europe. As organisations advance into the challenges of 2026, the need to break down silos between cybersecurity, compliance, and human behavior has never been more urgent.

At #RISK Expo Europe, taking place at ExCeL London on 10-11 November 2026, these exact cultural shifts are central to the agenda. Through dedicated content streams such as Information Security and Governance, Risk & Compliance (GRC), the event connects senior decision-makers to explore how to turn compliance into strategic value and implement technology-driven security controls that empower, rather than punish, employees.

For leaders ready to abandon the outdated “human firewall” concept and build true operational resilience, #RISK Expo Europe is the definitive forum to align your security strategy with business growth.



#RISK Expo Europe, 10-11 November 2026, ExCeL London - Europe’s leading Risk, GRC, Security & RegTech Expo.


Navigating the converging frontier at #RISK Expo Europe

Cyber and AI are now ranked as top-five corporate risks across almost every industry globally.

The latest Allianz Risk Barometer confirmed what we’ve been hearing from our community all year. But identifying the risk is only half the battle. How are you actually governing it?

At #RISK Expo Europe 2026, we are diving deep into the practical solutions for AI & Cloud Security, Operational Resilience, and Risk-led Governance.

Join 6,000+ leaders at ExCeL London this November to build the frameworks you need for the year ahead.
