Founder Insights

Culture Eats Security for Breakfast

November 1, 2025

Every security leader faces the same choice: to police or to influence.

Both can work in the short term. Only one builds real resilience.

The policing approach

It’s easy to default to command and control: we write policies, enforce compliance, and measure adherence.

People follow the rules, until they don’t. Policing can create compliance, but not commitment.

Teams start to see security as an obstacle to navigate, not a partner to collaborate with.

When that happens, you may win the audit but lose the culture.

The influence approach

Influence starts with engagement. It means bringing teams into the process early, not after the policy is written, but while it’s being shaped.

Ask how new controls might affect the way they work. Invite them to help solve security problems instead of being the subject of them.

When people feel heard, they’re more likely to care, and when they care, security becomes part of how they work, not something done to them.

Shared ownership, not central control

A mature security culture recognises that security teams don’t own risk; they help manage it. When the security team tries to be the defenders of the organisation, they are likely to fail.

Risk ultimately sits with the business. Security’s role is to provide clarity, evidence, and guidance so that risk owners can make informed decisions.

That shift from control to collaboration changes everything. It moves the conversation from “You must do this” to “Here’s what this means for your part of the business, and how we can manage it together.”

Building influence takes longer, but lasts longer

Policing delivers quick wins but fragile results. Influence takes time, patience, and consistency, but it creates shared accountability that outlives individual initiatives or leaders.

  • Culture is the multiplier in every security programme.
  • Get it wrong, and even the best controls fail in practice.
  • Get it right, and people become your strongest defence.

Founder Insights are shared by Overcyte's Aaron Gayton

With deep domain knowledge in Industrial Control Systems (ICS) and Operational Technology (OT), Aaron has spent over 20 years helping mission-critical organisations secure their infrastructure and their people.

His passion lies in adopting a risk-based approach, breaking down traditional barriers between IT and OT, and positioning cybersecurity as a strategic business enabler.

His deep understanding of industry-specific challenges, coupled with his experience in business transformation, uniquely positions him to lead both the product and technical teams at Overcyte.

Amish barn-raising culture shot by Randy Fath
