A scorecard for cyber and risk culture

by AiLink

Assign real owners

Each metric needs an owner who can change, adapt and influence the system, not just report the number.

Security can advise and enable. The business must own the risk and the trade-offs.

Reward the right stories

Stop celebrating only heroic recoveries. Celebrate prevented incidents. Celebrate early escalation. Celebrate boring discipline.

If you want ownership, reward the behaviors that create it.


Fund friction removal

Budget is culture.

Invest in automation, secure defaults, identity hygiene and vendor controls that make the safe path easy to follow.

Defund theatre. The posters. The annual checkbox training that no one remembers by Friday.

Close the learning loop fast

After an incident, don’t ask “what happened?” forever.

Ask, “What will change by Friday?” Then track it. Publicly.

When people see changes land, they keep reporting. When they don’t, they stop.

Sustain ownership when the novelty wears off

Culture doesn’t fail in the first month. It often fails in month seven, when priorities shift and the organization becomes fatigued. HBR describes the governance pattern that keeps metrics alive: modern metrics must be embedded in routines and tied to ownership.

Build micro-habits that survive stress

Add a two-minute risk pause to major change approvals.


Run pre-mortems before big releases. “How could this go wrong?” sounds simple. It saves you later.

Give managers escalation scripts. People freeze when they need words. Give them words with aligned meaning.

Tell better stories

Most security stories start with shame. They end with blame.

Tell stories about good judgment. About near-misses caught early. About a leader who chose safety and still shipped. Celebrating good news, not just bad news, matters.

Stories travel faster than policies. They also train identity. “This is who we are.”

Rebuild ownership during onboarding

Every hire is a culture reset.

Teach new joiners how decisions really work. Who to call. What gets escalated. What good looks like in daily work.

Role-based scenarios delivered with passion beat generic slides, every time.

Equip middle managers

Middle managers translate strategy into Tuesday — they are the oil and glue of the system.

If they don’t model ownership, nobody will. Give them tools, not slogans. Trade-off language. Decision rules. Support when they push back on risky demands.

Stress-test the system

Run exercises that test decisions, not just technical response.

Include product, legal, comms, procurement and key vendors.

Ask one hard question. “Who can accept this risk right now?” If the room goes quiet, your culture just confessed.

The road ahead

Awareness is polite. Ownership is personal.

Awareness says, “I attended.” Ownership says, “I changed how I work.”

You build ownership by making it possible to care without getting punished.

So, pick three behaviors you want to see. Make the secure path easier than the shortcut. Assign owners. Measure the signal. Review it monthly. Fix friction fast.

Then, the next time someone asks for admin credentials “just for an hour,” you won’t need a cupcake to say no. Make cultural high performance the foundation of great security!

This article is published as part of the Foundry Expert Contributor Network.