Building cybersecurity culture in science-driven organizations
In this Help Net Security interview, Anne Sofie Roed Rasmussen, CISO at Novonesis, discusses how a science-driven organization approaches cybersecurity, aligning innovation with protection, measuring cultural progress, managing shadow IT, and earning trust from scientific leaders.
How do you measure progress when it comes to building a cybersecurity culture in a science-driven organization?
Science, exploration, and innovation are at the heart of our organizational DNA. However, no one is immune to making mistakes—anyone, regardless of their role, can fall victim to a phishing attack or other forms of social engineering. To measure progress in building a cybersecurity culture, we focus on both qualitative and quantitative metrics.
On the quantitative side, we track phishing simulation success rates, incident response times, and the number of reported security concerns. On the qualitative side, we assess changes in mindset through employee feedback, engagement during training sessions, and participation in cybersecurity discussions. Progress is evident when security stops being seen as an external burden and becomes embedded in daily routines—when people instinctively ask, “Is this secure?” as part of their decision-making process.
Ultimately, it’s about creating an environment where security isn’t just a responsibility for the IT team but a shared value embraced by everyone across the organization.
Scientists often prioritize speed, data sharing, and experimentation. How do you align those priorities with cybersecurity best practices without slowing down innovation?
We fully recognize that scientists thrive on rapid experimentation and open collaboration. Security cannot—and should not—be a roadblock to these pursuits. Instead, we aim to integrate cybersecurity in ways that support and even enhance innovation.
For example, we take a proactive approach by designing secure environments that enable collaboration within safe boundaries. This includes providing pre-approved platforms and tools for data sharing, implementing secure lab networks, and creating sandboxes for experimentation. For external collaborations—such as partnerships with universities, startups, or early-stage researchers—we often find that they lack the necessary security maturity. In those cases, we take on the responsibility of securing the collaborative ecosystem—whether by offering secure infrastructure or helping them implement basic controls.
The key is ensuring that security measures are frictionless, transparent, and tailored to the unique needs of the scientific community. When security becomes an enabler of innovation rather than a hindrance, alignment naturally follows.
How do you gain buy-in from influential scientists or lab leaders who may see security as a barrier rather than an enabler?
The perception of security as a barrier is a challenge faced by many organizations, especially in environments where innovation is prioritized. The solution lies in shifting the narrative: security is a caregiver for the value created in this organization.
Most scientists and executives already understand the consequences of a cyberattack—lost research, stolen intellectual property, and disrupted operations. We involve them in the process. When lab leaders feel that their input has shaped security protocols, they’re more likely to support and champion those initiatives. Co-creating solutions ensures that security controls are not only effective but also practical for the scientific workflow.
In short, building trust, demonstrating empathy for their challenges, and proving the value of security through action are what ultimately win buy-in.
What’s your approach to shadow IT or unsanctioned tools in lab environments? How do you guide users toward safer choices without killing productivity?
Shadow IT is a reality in any organization, but it’s particularly prevalent in environments like ours, where creativity and experimentation often outpace formal approval processes. While it’s important to communicate the risks of shadow IT clearly, we also recognize that outright bans are rarely effective. Instead, we focus on enabling secure alternatives.
In the broader organization, we use tools to detect and prevent shadow IT, combined with strict communication around approved solutions. However, in lab environments, the risk profile is different, and we acknowledge that rigid enforcement might stifle innovation. Our approach is to create a balance: we actively monitor for unsanctioned tools and evaluate whether they pose unacceptable risks. If they do, we offer scientists alternatives that meet their needs while adhering to security standards.
What advice would you give to CISOs or security leaders just stepping into a science-driven organization for the first time?
Stepping into a science-driven organization as a CISO or security leader requires a mindset shift. Here are a few key pieces of advice:
1. Understand the mission: Take the time to immerse yourself in the organization’s purpose and values. Learn how the scientists work, what motivates them, and where security intersects with their goals. Building credibility starts with understanding their world.
2. Build bridges, not walls: Collaboration is critical. Partner with scientists, lab leaders, and executives to co-create security solutions that align with their workflows. Avoid a “one-size-fits-all” approach and make the risk-based approach a framework that invites stakeholders in.
3. Communicate in their language: Avoid technical jargon and focus on the outcomes that matter to them—protecting research, maintaining compliance, and enabling innovation. Frame cybersecurity as a business enabler, not a policing mechanism.
4. Be flexible and adaptive: Science-driven organizations are dynamic, and security measures must be equally agile. Adopt a risk-based approach and prioritize controls that address the highest-impact threats without introducing unnecessary friction.
5. Celebrate small wins: Changing culture takes time. Celebrate milestones—like increased reporting of phishing emails or successful adoption of a secure tool—to build momentum and reinforce positive behavior.
Finally, remember that your role isn’t just to protect the organization’s assets—it’s to empower the organization to achieve its mission securely. When you position security as a partner in progress, you’ll earn trust and drive meaningful change.