
September 10, 2025

Manager Scorecards: The Key to HRM and Security Culture

When managers can see where their teams are vulnerable, they can coach, reinforce, and ultimately change behaviors that reduce risk.

Think back to your very first job. Chances are, you didn’t look to the CEO for cues on how to show up every day—you looked to your manager. They set the tone. They told you what mattered. They gave you that nod of recognition when you got it right (and the side-eye when you didn’t).

Now fast forward to today’s workplace. We talk a lot about building a “security-first culture,” but here’s the truth: culture isn’t built in boardrooms or all-hands presentations. Culture is built in team meetings, daily standups, and those casual one-on-ones.

That’s why a recent workplace study hits so hard: 87% of employees say managers shape their daily work environment—making them the single most influential lever for cultural and behavioral change. If that’s true, then when it comes to human risk management, managers may be our most underutilized security asset.

This is exactly where the HRM Framework comes in. It’s designed to help program admins think holistically about the 16 categories of human risk—including emerging areas like AI—and connect them across process, technology, and people. By mapping human risk to recognized standards like NIST, the HRM Framework gives security teams the foundation to identify where culture needs reinforcement and how tools like Manager Scorecards can turn insights into action at the team level. The result is a stronger, more measurable security culture that extends through every manager and employee.

The Security Culture Blind Spot

Here’s the problem: security teams have all the dashboards and data, but managers—the people closest to employees—are often flying blind. They don’t know which team members are making good security choices and which ones are putting the company at risk.

It’s a bit like a coach trying to improve a team’s performance without ever seeing the game tape. You can run more drills, but if you don’t know who’s dropping the ball, you can’t fix the problem.

Changing the Game with Human Risk Management Visibility

That’s where Manager Scorecards come in. Instead of keeping insights locked away in security dashboards, scorecards put simple, actionable metrics in the hands of managers. They don’t need to be security experts—they just need to know how their team is doing and how to encourage progress.

And when managers have that visibility, magic happens:

  • Contractors, once disengaged, start reporting phishing attempts at double the rate.

  • Teams with USB port exceptions get the targeted coaching they need to reduce risky behaviors.

  • Frequent travelers—an often-overlooked risk group—become more vigilant because their managers reinforce security before every trip.

This isn’t theory. Organizations are already seeing culture shift when managers step in as security coaches.

The Questions Managers Will Ask (and How to Prepare)

As soon as managers get their first team scorecard, they’ll ask: “Okay, what do I do with this?”

That’s your moment. Be ready with answers like:

  • Start small. Focus on one or two high-impact behaviors at first.

  • Talk about it. Use intranet posts, team huddles, or quick emails to keep security visible.

  • Celebrate wins. Shout out individuals or teams that are moving the needle.

  • Stay connected. Share feedback with the security team so improvements keep building.

Think of it as giving managers a playbook. The plays don’t have to be complicated—they just need to be consistent.

Manager Scorecards: A Catalyst, Not the Finish Line

Manager Scorecards are just one step in moving the needle on security culture. They give managers visibility and the ability to coach, but true culture change requires a bigger plan. It starts with setting a clear goal for improving security culture, then taking deliberate steps to engage managers, align with HR and communications, and measure progress along the way.

Here’s a high-level view of that journey:

  • Set clear goals – define what “better security culture” looks like for your organization.

  • Build dependencies – partner with HR and comms so the rollout feels consistent, fair, and aligned to company values.

  • Prepare & set up – decide which behaviors to track, design the scorecards, and draft messaging.

  • Execute with managers – launch the scorecards, provide talking points, and coach managers on how to use them.

  • Avoid pitfalls – ensure data quality, avoid vague messaging, and set realistic expectations.

  • Report the wins – measure improvements in team behaviors, spotlight success stories, and share results with leadership.

Scorecards are the catalyst—but the real change comes from embedding them into a step-by-step play that transforms how managers, employees, and security leaders work together to reduce risk. For the detailed playbook on setting goals, executing each step, and measuring cultural impact, please reach out to your Customer Success Manager.

From Compliance to Culture

Security has spent years handing employees the equivalent of laminated “safety cards”—awareness modules, compliance trainings, check-the-box exercises. Important, yes. Memorable, not always.

But when you give managers visibility into human risk, the dynamic changes. Suddenly, security isn’t a once-a-year box to tick; it’s part of daily performance. Employees own their behaviors. Managers reinforce them. And security leaders finally have proof that culture is moving in the right direction.

Because at the end of the day, building a security-first culture isn’t about more dashboards in the SOC. It’s about the conversations happening inside teams, shaped by the leaders employees trust most.

Ready to see how Living Security is helping organizations make human risk a shared responsibility? Explore more at www.livingsecurity.com.
