The Culture of Security: It Starts with Us

There’s this myth that still shows up in cybersecurity circles and way too often in boardrooms. The idea that security is just a bunch of tools. Firewalls. Encryption. MFA. Red teams. Blue teams. As if you can buy safety off the shelf. Push a button. Pull a lever.

But security isn’t a product. It’s a culture.

And culture lives in people.

It’s in the way we talk about security, whether it’s something we take seriously or something we laugh off. It shows up in the little choices we make every day. Clicking a link without thinking. Ignoring an alert. Delaying a patch because it probably won’t matter. It’s built on trust. On awareness. On how tired we are that day.

If that sounds like a lot, it is. But it’s also where the real power lives.

Security Culture Is Not a Training Manual

You cannot just compliance your way into a secure workforce. We’ve tried that. The check-the-box trainings. The annual refreshers. Those policy documents longer than a fantasy novel. But if nobody reads them, or worse, nobody believes in them, then all you have is security theater.

Real culture doesn’t come from rules. It comes from how people live their values every day.

It’s the difference between “I guess I have to report this” and “I want to make sure we’re protected.”

Fear Doesn’t Build Culture. Stories Do.

I’ve watched well-intentioned security efforts lean too hard on fear. Warnings about hackers lurking around every corner. Reminders that one mistake could bring everything down. That might be true, but fear doesn’t teach people anything. It just shuts them down.

What if we told better stories instead?

Like the new hire who spotted a phishing email because she remembered a story from onboarding about someone who didn’t. Or the radiology tech who flagged a weird login, not because it was his job, but because he knew what could go wrong and trusted someone would care.

Stories are how culture spreads. Through the wins we share. Through leaders who lead by example. Through teams that feel safe enough to ask questions.

Security Belongs to Everyone, But That Doesn’t Mean Everyone Has to Be a Security Expert

You hear it all the time: “security is everyone’s job.” And it’s true, but it gets misused.

Yes, security belongs to everyone. But that doesn’t mean we should expect every employee to think like an analyst or act like a CISO. That is not how you build a strong culture. That’s just handing off the responsibility and hoping for the best.

Our job as security professionals is to meet people where they are. Build systems that guide smart choices. Explain why we ask what we ask. Be teammates, not enforcers.

Start With Empathy. End With Trust.

It all starts with empathy. When we believe people want to do the right thing, and we design our processes around that belief, we create a place where people genuinely care about security.

And when people care, they speak up. They pay attention. They act.

That is where trust begins. And when you have trust, you have something stronger than any tool in the stack: a human-powered defense system.

What You Can Do Right Now

If you’re reading this as someone in security, whether you’re a leader, a practitioner, or just someone who gives a damn, here’s your challenge:

Start a conversation. One that invites curiosity instead of criticism.

Share a story. One that makes the risks feel real and the wins feel possible.

Celebrate a success. Especially the small ones.

Make it personal. Because security isn’t a department. It’s a shared commitment. A shared value. A shared future.

Let’s build that future together.

One person. One habit. One story at a time.