
Behavioral standards: What ‘good’ looks like on Tuesday
You can’t ask people to “care about risk” and expect it to stick. People run on what gets rewarded and what gets them in trouble.
So strong teams set behavioral standards. Not as a lecture. As an operating agreement.
Security’s job is to reduce harm while keeping work moving, not to act as a gatekeeper. That means rules people can follow, and guardrails that make the right path easier than the wrong one.
Engineering’s job is to own what they ship, not to “help security.” If you build it, you own the blast radius.
Product’s job is to make exposure part of design, not to treat security as a late-stage checklist. If you can’t explain why a feature is worth the risk, you don’t understand the feature.
Vendor owners have a job too. They can’t outsource supplier risk to a questionnaire. They own the follow-up when a supplier says, “We’ll fix it next quarter.”
A small practice I love. Ask each team for three “no surprises” rules.
- No privileged access without expiry.
- No production change without rollback.
- No new vendor without an owner and an exit plan.
Short list. Clear verbs. Real enforcement. That’s culture.
Operating rhythm: The week is where risk becomes real
If you only talk about risk during audits and incidents, you don’t have a culture of risk. You have a seasonal sport.
Forecasting lives in cadence. In the meetings you actually attend.
Weekly, run a short review with three questions.
- What changed that affects exposure?
- What almost went wrong?
- What needs a decision?
Keep it tight. If it turns into status theatre, kill it and start again.
Monthly, practice one scenario. Plain, no fancy decks. If ransomware hits this service, what happens in the first hour? Who decides? What do you shut down, and what must stay alive?
Quarterly, test what you claim. Backups. Access controls. Vendor escalation. If you can’t test it, you don’t know it.
This rhythm teaches people that risk isn’t a surprise visitor. Risk is a resident. You don’t panic when you see it. You deal with it.
Imagine you once joined a team’s weekly review as a guest. Ten minutes in, an ops lead said, “We changed the identity provider settings yesterday. It felt odd.” No panic. No blame. Just a raised hand. Security asked two questions, engineering checked logs and they rolled back a risky toggle before lunch. Nothing made the news. Nobody got a medal. Everyone went home on time. That’s what a good rhythm buys you. Most weeks, quietly.
Measures that point forward: Count what moves before damage
Many dashboards tell you what already happened. Incidents. Downtime. Loss.
Useful, but late.
If you want forecasting, track measures that move before the mess. Shift toward being proactive and presilience-focused, rather than treating reaction and resilience as the go-to responses.
- How long do critical patches sit on systems that matter?
- How often do privileged access exceptions expire on time?
- How many urgent changes bypass checks, and where?
- How many near misses get reported, and how fast do you learn from them?
Imagine watching a team celebrate fewer incidents while near-miss reporting fell to zero. They thought they had improved. In reality, people had stopped speaking up. Six weeks later, they got hit. The silence was the signal.
You don’t want perfect numbers. You want honest trends that trigger choices, not slides.
Leadership: The culture you reward is the culture you get
Leaders say they want transparency. Then they punish the first person who brings bad news. That one moment teaches the organization more than any policy ever could.
If you want forecasting and presilience, protect the messenger. Praise early escalation. Treat risk as a trade-off, not as a personal failure.
Also, stop romanticising heroics. The midnight save feels good. It makes a great story. It also hides the root issue: poor planning, weak controls, unclear ownership and a habit of postponing boring work.
Boring work buys calm and discipline buys reliability, but risk intelligence is what keeps compliance, resilience and presilience in the right balance.
Think of board conversations where someone asked, “Why spend on resilience when nothing happened this quarter?” And you answered with a question. “Would you rather pay for brakes or for ambulances?” It landed because it was true.
A simple 90-day shift: Small moves, real change
If your team feels stuck, don’t start with a massive program. Start with a few moves that change behavior fast.
- First 30 days. Map your top repeat failures. Pick five signals to watch weekly. Name owners.
- Days 31 to 60. Fix one decision bottleneck. Write the rule. Use it.
- Days 61 to 90. Run one scenario practice a month. Learn one thing. Change one playbook. Close one gap.
You’re not chasing perfection. You’re building a habit. Habits compound.
If you do this well, something shifts. You stop being surprised by the same problems. People raise issues earlier. Engineers stop hiding bad news. Security stops shouting into the void. The organization feels calmer. Not complacent. Calm.
That calm is not luck. It’s culture. The right balance between prevention, reaction and proactivity ensures sustainable high performance.
And here’s the quiet mic-drop. When risk becomes a daily conversation, you don’t need to guess the future. You stop being shocked by the present.
This article is published as part of the Foundry Expert Contributor Network.
