Security Culture Starts at the Top (But It Can't Stay There)

“We have executive support for security.”

I hear this phrase constantly from security leaders, usually followed by a frustrated pause. Because having support and having a security culture are two very different things.

The Support Paradox

Executive support is necessary but not sufficient. You can have a CEO who champions security in every board meeting and still have employees clicking phishing links, developers shipping vulnerable code, and IT teams bypassing controls for convenience.

The gap between stated values and actual behavior is where security programs go to die.

What Security Culture Actually Looks Like

A strong security culture isn’t about fear or compliance. It’s about shared ownership. It shows up in small moments:

  • A developer who pauses to question whether a shortcut introduces risk
  • An executive who asks “what are the security implications?” before approving a new initiative
  • An employee who reports a suspicious email without worrying about looking foolish

These behaviors don’t happen because of training modules or policy documents. They happen because security has become part of how the organization thinks.

Building Culture, Not Just Awareness

Traditional security awareness focuses on knowledge transfer: here are the threats, here are the rules, don’t do bad things. It’s necessary but insufficient.

Culture building requires something deeper:

Make Security Personal

People protect what they care about. Help employees understand how security practices protect their own data, their own work, their own reputation — not just the company’s assets.

Celebrate the Right Behaviors

When someone reports a potential incident, thank them publicly. When a team builds security into their process, highlight their example. What gets recognized gets repeated.

Remove Friction

If secure behavior is harder than insecure behavior, you’re fighting human nature. Invest in making the right thing the easy thing.

Lead by Example

Nothing undermines security culture faster than executives who exempt themselves from the rules. If the C-suite bypasses controls, everyone notices.

The Long Game

Culture change is slow. It’s measured in years, not quarters. But it’s also the most durable form of security investment you can make.

Technology fails. Processes get circumvented. But a culture where security is everyone’s job? That’s resilient in ways no tool can match.

This post explores themes from The CISO Crucible, where William Sterling learns that technical solutions are only part of the security equation.