Founder Insights

Good Security is Built on Good Habits

September 29, 2025

When people think of cybersecurity, they often think of tools: firewalls, detection systems, MFA, endpoint protection. Tools are essential - but they’re not enough. What truly keeps an organisation secure isn't just what tools you have, but how consistently your teams use them.

I’m reminded of this every week in a very different part of my life: swimming.

Discipline in the Pool

I’ve built a habit that’s now 53 weeks strong: swimming 2km, four times a week. That means for over a year, through busy weeks, travel, and days when I didn’t feel like it, I’ve shown up at the pool.

It’s become my minimum standard. The distance and frequency aren’t up for debate; they’re built into my week. The days I least feel like swimming are the days that reinforce the habit most.

James Clear, in Atomic Habits, explains that small, consistent actions compound into extraordinary outcomes. You don’t set out to be “disciplined” or “fit” - those are just the identities that emerge once habits are ingrained. I’m no longer trying to be a swimmer. I am a swimmer because I’ve proven it to myself, week after week.

Habits vs Processes, Rituals, and Ceremonies

In business, we often call these things processes, rituals, or ceremonies. We hold daily stand-ups, quarterly reviews, and annual audits. But at their core, these are just structured habits - actions repeated often enough that they become part of an organisation’s identity.

When these habits are backed by culture and standards, they’re sticky. They don’t fall away when things get busy; they define “how we work here.”

The Same Truth in Cybersecurity

This distinction matters in cybersecurity. Many organisations rely on tools alone - assuming a new piece of software will make them safer. But without the right habits, tools are underused, misconfigured, or ignored.

Here’s where the habit mindset makes the difference:

  • Consistent practice, not one-off effort.
    Too often, companies run a tabletop exercise once every couple of years - usually because a regulator or board asks for it. By then, teams are rusty, lessons forgotten, and the exercise feels like a performance. The disciplined alternative is running them every quarter. Over time, this creates muscle memory, roles become clear, responses sharpen, and the team’s confidence compounds.
  • Minimum standards that aren’t negotiable.
    Just as my weekly swims are locked into my routine, organisations need baselines - patching schedules, access reviews, tabletop drills - that remain steady regardless of business pressures.
  • Identity-driven security.
    The most secure organisations don’t treat cybersecurity as a checklist. They see themselves as secure organisations. Habits like logging out, reporting suspicious activity, and following access protocols become cultural norms, not optional extras.
  • Compounding gains.
    Each small, repeated action builds resilience. The more disciplined the organisation is in embedding these habits, the better it can respond when the unexpected happens.

Tools vs. Habits

Tools are like swim gear - goggles, fins, a lane in the pool. They help. But gear doesn’t make you fit. Showing up, putting in the laps, and sticking to habits does.

In the same way, you can buy every cybersecurity solution on the market and still remain vulnerable. It’s the organisational habits - the processes, rituals, and ceremonies that are embedded into culture - that transform tools into protection.

Closing Thought for Leaders

For CISOs, executives, and boards: good security isn’t about chasing perfection or the latest shiny tool. It’s about habits, discipline, and culture.

Ask yourself:

  • Do we only rehearse crises when someone demands it, or do we drill regularly?
  • Do our “minimum standards” survive the end-of-quarter crunch, or do they get skipped?
  • Do our teams see security as a task, or as part of their identity?

Just as my 53-week swim streak has reshaped my identity and built resilience in the pool, the habits your organisation commits to will define its resilience in the face of cyber threats.

The real question for leaders isn’t “what tools do we have?” but: What habits are we building, and how are we embedding them into culture and standards so they endure?

Founder Insights are shared by Overcyte's Aaron Gayton

With deep domain knowledge in Industrial Control Systems (ICS) and Operational Technology (OT), Aaron has spent over 20 years helping mission-critical organisations secure their infrastructure and their people.

His passion lies in adopting a risk-based approach, breaking down traditional barriers between IT and OT, and positioning cybersecurity as a strategic business enabler.

His deep understanding of industry-specific challenges, coupled with his experience in business transformation, uniquely positions him to lead both the product and technical teams at Overcyte.
