Sat, 13 Dec 2025
What do culture, HR, storytelling and microstories have in common?
Sofia Pogrebynska, IT & Cloud Officer at PayPal, is one of our speakers at The Banking Scene Conference 2026 Luxembourg. As usual, I try to speak with the speakers before they take the stage. The first call with Sofia quickly led to another. I got curious, and excited, about her domain of expertise: cybersecurity, and how fast it’s evolving.
In cybersecurity, conversations tend to focus on tools and threats, and rightly so, but Sofia brought something more subtle to the surface: the biggest shift in cybersecurity today has less to do with technology and far more to do with how organisations behave and operate.
That matters for PayPal, and for every other financial institution. As the attack surface expands and intelligent systems enter our daily workflows, our traditional security reflexes are no longer enough. The real differentiator will be how well we design our organisations for resilience.
Think of this for a moment: the most secure organisations are those where cybersecurity becomes almost invisible.
That is not because it is neglected, but because it is embedded so deeply into everyday workflows that people barely notice they are acting securely. A simple example Sofia gave: a phishing-report button in Outlook. It sounds trivial. But it’s a perfect illustration of a broader truth: security becomes culture only when secure behaviour requires no extra effort and is a natural part of our day-to-day work, and life for that matter.
Banks have learned to obsess over customer experience. The next step is to apply this thinking internally as well. A secure organisation is ultimately one where the employee journey is designed with the same care as the customer journey.
We don’t often see HR invited to cybersecurity panels. Maybe we should: HR owns onboarding, offboarding, performance frameworks, and leadership development. HR owns the areas where behaviours are shaped and reinforced. If security is truly part of an organisation’s DNA, then it cannot be confined to the cybersecurity team. It must be carried through:
Sofia pointed out something we all know but don’t say enough: resilience is made or broken in the gaps between departments.
HR and Cyber.
Legal and Security.
Business and Technology.
These handover points are where misunderstandings happen, and they’re often exactly where attackers slip through.
Another point that resonated: storytelling.
Security teams think in data, but people act on stories.
And when a real threat hits, it’s not the data they rely on, it’s their intuition.
This is not about making cybersecurity “fun” or “creative.” It is about speaking to the organisation in a way that shapes instinctive behaviour. We saw the power of this during The Banking Scene Art Night: stories, not checklists, shape how people understand risks and possibilities.
If we want secure behaviour to be automatic, we need stories that stick.
Looking back on my time at banks, that narrative was the set of instructions we were reminded of when we failed an unexpected cyber test. It wasn’t intuition, and it wasn’t storytelling. So I completely understood why she emphasised storytelling to make cyber awareness part of the job, any job.
Annual cyber trainings made sense when threats evolved annually. Today, they evolve weekly.
Sofia’s case for micro-learning goes beyond just shrinking attention spans. It’s about understanding how people really operate today: in brief bursts, using multiple tools, and frequently switching between tasks. Small, ongoing prompts are much more aligned with that reality.
It mirrors what we see in banks and fintechs: the future belongs to organisations that adapt learning to the flow of work, not the other way around.
One of the strongest indicators of a mature security culture?
According to Sofia, it is when employees feel safe reporting mistakes or suspicious activities.
This aspect is seldom discussed in regulatory frameworks, but it holds significant operational importance. Faster reporting enables quicker responses, and increased transparency reduces blind spots. In a sector where there is still a fear of making mistakes, this is an area that deserves much more attention.
It reminds us that cybersecurity is more than a technical field; it is a leadership challenge.
Looking ahead to her keynote on agentic AI (January 27, Luxembourg: “Rethinking Governance in a World of Agentic AI”), Sofia highlighted an emerging tension: as systems become more autonomous, our traditional governance models do not keep pace.
For years, AI governance meant data governance; tomorrow, it will mean decision governance.
How do we supervise decisions made by intelligent systems? What is the escalation path? Where does accountability sit when humans and machines co-produce outcomes?
These are practical questions that will influence how financial institutions design their operating models in the next decade.
Her message was clear: even when machines act, humans remain accountable, and that is challenging, because employees are increasingly operating with fragmented attention, while attackers are using increasingly capable AI tools.
Independently, each trend is manageable. Combined, they accelerate risk.
This underscores the importance of security that doesn't rely on constant vigilance, such as secure-by-design workflows, embedded controls, and real-time detection. Banking won't succeed in this challenge by simply expecting more vigilance from employees. Instead, success comes from designing systems that inherently safeguard them.
If there is one conclusion to draw, it is this: the future of cybersecurity will be won not by the organisations with the best tools, but by those with the best design.
Technology will continue to advance on both sides of the equation. But it is the organisational layer that will determine whether banks remain one step ahead or fall two steps behind.
As Sofia put it, cybersecurity is everyone’s responsibility, and that is why I cannot wait to see her full story on stage in Luxembourg!
You can get a flavour of just how passionate Sofia is about this topic by watching or listening to the full interview below, or by following along on your favourite podcast channel. Don't forget to subscribe to keep up to date with the latest news and insights. And of course, we would love to welcome you to The Banking Scene Conference 2026 Luxembourg on January 27, where you can meet Sofia in person and continue the discussion.