
Start by making the invisible visible. You can’t fix what you can’t see. Conduct culture audits. Run anonymous surveys. Bring in external facilitators who can spot blind spots you’ve normalized. Ask uncomfortable questions and actually listen to the answers.
Leadership has to model the behavior you want to see. Don’t just talk about it. Actually do it. Visibly. Consistently. When leaders admit mistakes, it creates permission for everyone else to do the same. When leaders prioritize security over convenience, it signals what really matters.
Embed security into daily operations. Not as a separate function that people have to remember. As part of how work gets done. DevSecOps isn’t just a buzzword. It’s about making security the default path, not the exception.
Build continuous learning into your culture. Threats evolve. Your understanding needs to evolve, too. Post-incident reviews shouldn’t be about blame. They should be about building organizational memory and getting smarter.
Fix your incentives. If you reward speed over security, people will choose speed. If you punish people for reporting problems, they’ll stop reporting. Ensure consequences for negligence are transparent and fair, while also ensuring people feel safe raising concerns.
At that financial firm, we spent six months working through all three layers. We didn’t just update policies. We surfaced hidden beliefs through facilitated discussions. We identified implicit assumptions and challenged them openly. We changed how leadership talked about and acted on security.
It was messy. It was uncomfortable. But it worked.
The reality
In practice, technical controls are easy. Culture is hard.
You can buy tools. You can write policies. You can mandate training. But you can’t mandate belief. You can’t purchase trust. You can’t deploy psychological safety.
Target had the tools but not the operational discipline. Sony had the policies but not the shared belief that security mattered. Equifax knew, but lacked the cultural permission to act on it. Each breach happened at a different cultural layer. Each cost hundreds of millions. Each could have been prevented not by better technology but by better culture.
Culture change requires patience, consistency and a willingness to confront uncomfortable truths. It requires leaders who are willing to examine their own assumptions and behaviors. It requires organizations that value honesty over appearances.
Observable culture provides structure. Non-observable culture offers motivation. Implicit culture provides the foundation. You need all three.
The organizations that survive are those where security is woven into their cultural DNA, where risk intelligence is instinctive rather than imposed, where people make good security decisions because it’s simply how things are done.
That’s the real work. Not buying another tool. Not writing another policy. Building a culture where security isn’t something people do. It’s something they are.
This article is published as part of the Foundry Expert Contributor Network.
