
Building a ‘Speak Up’ Culture: How to Encourage Employees to Report Security Issues 

If your employees aren’t reporting potential security issues, incidents, or concerns, then it’s safe to say you don’t have a true ‘speak up’ culture. Many organizations have policies and awareness materials urging employees to report anything unusual, but there’s often a significant gap between what’s written and what’s actually done. 

In this blog, I’ll explore why your employees might not be engaging in security reporting and what factors could be hindering their participation. Here are some of the main reasons employees may be staying silent: 

  • It’s unclear what to report. 
  • It’s unclear how to report. 
  • The reporting process is too complicated. 
  • Nothing seems to happen when reports are made. 
  • Employees don’t feel valued for reporting. 
  • They have no idea if others are reporting. 

Let’s break these down one by one. 

1. It’s Not Clear What to Report 

This ties directly into my previous blog, “Recognizing the Unusual”, where I discussed how security professionals often assume employees know what’s unusual or risky. The truth is, we need to spell it out. Instead of overwhelming employees with complex threat actor motives, focus on practical, day-to-day examples—like system prompts or suspicious behavior by individuals. The more specific you are, the better chance your employees will recognize and report potential threats. 

2. It’s Not Clear How to Report 

Having a reporting process buried in a policy document or an obscure email address just won’t cut it. Make the process clear and accessible. If your organization uses an intranet, put the reporting process in a prominent location. If you rely on collaboration tools like Microsoft Teams or Slack, set up a dedicated channel for reporting security concerns. Employees need to know exactly how and where to report, and it should be easy to find. 

3. It’s Complicated to Report 

While reporting security issues is a responsibility, we have to consider the employee’s time and attention. When a breach occurs, there’s often a critical window, like the “golden hour” in emergency response, where quick action is crucial. Make reporting as simple as possible. Complex forms can be a deterrent—design them with non-technical users in mind, and always provide the option to speak to a human. Reporting a colleague, feeling embarrassed, or lacking technical knowledge can all prevent people from coming forward. How well does your system handle these sensitivities? 

4. Nothing Happens When You Do 

If employees see no outcome after reporting an issue, they’ll quickly lose interest and trust in the process. Without feedback, the system loses value and becomes ignored. A strong security culture includes follow-up—whether at a macro level or to the individual reporter. Share incident updates or examples of reports that helped prevent issues to reinforce the importance of reporting. 

5. Employees Don’t Feel Valued 

Rewarding and recognizing employees who report issues is crucial. If someone takes the time to report a potential threat, we owe them recognition and feedback, even if it turns out to be a non-issue. Companies can establish “security champions” to acknowledge those outside the security team who make significant contributions. Regardless of your approach, ensure that employees feel heard and appreciated. 

6. You Have No Idea if Anyone Else is Reporting 

Making reporting a normal, expected behavior starts with visibility. Share high-level stats on the number of reports, the types of issues identified, and what actions were taken. Include this information in onboarding sessions, so new hires understand the importance of speaking up from day one. By making security reporting a visible part of your company’s culture, you set the expectation that it’s simply “how we work here.” 

Hopefully, this post has highlighted the human factors—rather than technical ones—that influence whether employees engage in reporting security concerns. Creating a ‘speak up’ culture takes intentional effort, from clarifying what and how to report, to recognizing those who do. Take the time to engage with your employees and understand their challenges in reporting. After all, while security depends on the data, the “customers” of your security reporting system are your employees. Let’s make it easier for them to help keep the organization safe. 

For more insights on fostering a proactive security culture, check out my earlier posts in this series:

Article By

Gareth Lindahl-Wise
Chief Security Advisor and CISO

Gareth is Chief Security Advisor and CISO for Ontinue. As CISO, Gareth makes sure that Ontinue’s own internal information security – as well as security for the Ontinue ION managed extended detection and response service platform – is appropriate to the threats we face and the trust our customers put in us. As Chief Security Advisor, Gareth also has an outward-facing role to help raise awareness of new threats and novel ways of dealing with them. With Ontinue’s focus on Microsoft technologies, and the importance of people and processes, he helps potential customers understand where our services might fit.