
HuFiCon
How to build a real security mindset: lessons from Bart Sikkes
Earlier in the conference, a live hacking demonstration showed just how easily people can be misled when the right psychological buttons are pressed. That raises a different question. If trust is so easy to exploit, how do organisations build it back in a way that lasts?
For Bart Sikkes, Operational CISO at Valtech, the answer has nothing to do with stricter rules or louder warnings. After more than 30 years in cybersecurity, leading a global network of over 50 security officers across 25 countries, his focus has shifted away from technology and towards people. His argument is that if security is meant to live in everyday behaviour, it must first make sense in everyday human terms.
This article explores how Sikkes approaches that challenge, and what security leaders can learn from a mindset built on empathy, clarity, and small, repeatable actions.

Meet people where they’re at
Sikkes started his talk at Human Firewall Conference 2025, as he does most of his talks, by greeting the audience in multiple languages: German, French, Dutch, and more, before switching to English. It’s not a gimmick. It’s a deliberate choice.
“If I’m saying in their local language… then suddenly they see, hey, I am someone and I’m recognised.”
That moment matters because security conversations often fail before they even start. Employees hear a distant voice speaking in abstract terms, using unfamiliar language, about risks that feel removed from their daily work. Conversely, according to Sikkes, when people feel recognised you can create a connection, and that connection lowers their defences.
The lesson goes beyond literal language. Developers, sales teams, and executives each see the organisation through a different lens, and what feels obvious to one group may feel irrelevant or obstructive to another. Sikkes argues that security only starts working when leaders take the time to understand what motivates the person on the other end.
His phrase for this is “finding each other in the middle”, which means translating security goals into terms people can recognise as part of their own reality.
Cutting through resistance and fatigue
Many CISOs face a contradiction: they need security controls, but employees see security as boring, as something that blocks their work, or as some other interference. The organisation therefore hesitates to invest time or budget in security training, yet still expects a secure environment with no incidents. Sikkes calls this the “mission impossible” moment.
Underlying it all are human barriers. Fear is a common one, and people are afraid for all kinds of reasons, but two of the main barriers are resistance and fatigue.
Resistance shows up when people feel that rules are being imposed on them rather than followed of their own volition, or when the rules don’t make sense to them. Fatigue builds when people are bombarded with alerts, long courses that take time away from their work, or piles of documents nobody wants to read. Security stops feeling relevant when employees can’t connect what is being asked of them with their own role or priorities.
Sikkes is clear that pushing harder doesn’t solve the problem. What does is making things simpler: short messages, small nudges that gradually form habits, and an acknowledgement that we’re all just people.
“It’s important to acknowledge that we are all human… and humans do make mistakes.”
Instead of prescribing hours of training or team-building sessions over the weekend, Sikkes advocates short, adaptable actions. Fifteen minutes instead of one hour. A single action instead of a full checklist. Over time, these small nudges are easier to accept and far more likely to stick.
Creating psychological safety
One of the most consistent themes in Sikkes’ talk is the danger of shame. When people fear blame, they hide mistakes, and when mistakes stay hidden, small issues can turn into major incidents very quickly.
His advice is to make errors discussable. During ISO audits, he actively asks teams not to present perfect answers. He wants to hear about gaps, minor non-conformities, and areas that need improvement.
“I want to know what’s really going on in the business, where we can help you when somebody is having a problem.”

If employees feel safe enough to talk about problems, they’re more likely to report them earlier, or at the very least to be less resistant to doing so. And the more issues get reported, the more accurate a picture the security team has, and the sooner problems get fixed.
Use relatable stories and metaphors
At one point, Sikkes asks the audience to check the colour of their socks, asking how many had black on and how many had blue on. He then says, “if I’m telling you never to wear blue socks, will you follow me blindly? Probably not, if you don’t understand why.”
The same applies to security guidance. “Don’t store passwords in your browser” isn’t going to mean much to someone who doesn’t understand why it’s risky or how it could affect them personally. If you create context for people, it’s much easier to get them to understand.
Sikkes uses everyday comparisons, humour, and repetition to make ideas more memorable to his audience. At Valtech, the security campaigns feature short videos, posters, and single-word cues like “THINK”. Think before you click. Think before you share. Think before you leave.
Over time, these cues become patterns.
Sikkes deliberately limits the message to a small set of core topics. Just a handful of ideas that people can internalise quickly and easily.
Design training around people’s lives
Mandatory training has a reputation for being dull, and Sikkes even jokes that security awareness videos are “by default boring”. But he has also seen first-hand that things can be different.
Employees recognise him in Valtech offices across the globe from the awareness videos he has created, and they even approach him outside the office because of the effect the videos have had. That recognition persists several months after people first see the videos, and it comes from designing training around people’s realities rather than around checkboxes.
For Sikkes, effective training includes four elements.
- Clear context that explains why something matters.
- Real-life scenarios tailored to specific roles.
- Variants of common attacks, from phishing emails to social engineering calls.
- A clear explanation of what is truly at stake.
He refers to these as “the diamonds we protect”. Reputation. Client trust. Jobs. When people see how a single mistake could damage those things, security stops being abstract.
“Being digitally savvy in an increasingly digital world means you have to become somewhat of a cyber ninja.”
Build long-term habits with small steps
Long-term culture change doesn’t come from grand gestures. It comes from repeated, manageable actions, a point Sikkes returns to throughout his talk.
“Make it small, make it recognisable, make it adaptable, and make it easy.”
Instead of asking employees to clean their entire laptop in one session, he suggests breaking the task down. Delete the downloads folder on Monday. Clean sent items on Tuesday. By the end of the week, the job ends up being done with a lot less resistance.
The same principles apply at every level of the organisation. Sikkes’ message is that security should be human-focused, and that the best way to create a security culture is through daily interactions, small cues, and conversations that drive the concept home while keeping it relevant.