Here's a counterintuitive starting point for anyone trying to fix their security culture: don't start by looking for what's broken. Start with what's working. Not because the gaps don't matter—they do, profoundly—but because the moment you lead with blame, you trigger compliance theater. People get defensive, data turns unreliable, and the real story disappears behind a wall of institutional self-preservation.
When we talk about culture strengths, we mean something specific and measurable: repeatable behaviors that simultaneously reduce risk and help the business move faster. Teams that escalate issues before they metastasize. Managers who own access decisions instead of delegating them into oblivion. Engineers reaching for secure patterns because those patterns are genuinely the path of least resistance. Staff reporting suspicious activity without the quiet dread that they'll be punished for raising a hand.
Those aren't soft metrics. They're operational assets. The diagnostic work is figuring out what conditions created them—and whether those conditions can be replicated elsewhere.
We're not hunting for culture problems. We're looking for risky decisions happening at scale—and the systems that produce them.
Gaps, meanwhile, deserve a different vocabulary. Workarounds, delayed reporting, inconsistent ownership, teams bypassing controls because the process is genuinely painful—these aren't character flaws. They're signals that the system itself is misaligned. Unclear decision rights. Friction in delivery. Weak feedback loops. Leadership reinforcing the wrong priorities when the pressure mounts. Fix the system, and the behaviors follow.
The Subculture Problem Nobody Talks About
Most organizations don't have one cybersecurity culture. They have a constellation of subcultures, and those subcultures are shaped far more by local incentives, workflow realities, and leadership habits than by whatever the enterprise policy document says.
Think about it. Engineering lives in speed, shipping, and autonomy. Finance lives in approvals, payment flows, and external manipulation risk. Operations lives in urgency and uptime. Sales lives in relationships and responsiveness. Those environments produce different decision defaults even when the written rules are identical across every department.
Engineering: Configuration drift, change control gaps, and speed-over-security tradeoffs baked into sprint culture.
Finance: Payment fraud, impersonation attacks, and rigid process that still gets compromised by social engineering.
Operations: Uptime pressure creates bypass habits. "Just get it running" overrides security hygiene when production is down.
Sales & Customer-Facing: Relationship urgency drives data handling shortcuts. Speed of response trumps verification steps.
This is why one part of your business reports issues early while another buries them. Why one team treats access reviews like normal hygiene while another lets them slide for months. It's not random. It's structural.
Three Lenses for Reading Subculture
If subcultures form wherever people share the same pressures and workflows, then diagnosing them requires understanding those pressures directly. Three lenses make this practical.
Lens 1: Incentives & Pressure
What actually happens when delivery is late, a customer is angry, or production is down? In some teams, leaders reinforce "do it safely." In others, the real message is "just get it done." Subculture is what people do when the pressure is real—not what they say in a town hall.
Lens 2: Workflow Friction
If the secure way of working is slow, unclear, or constantly blocked, you will get workarounds. No amount of awareness training changes this. When you see repeated bypassing behavior, don't call it a culture gap. Call it a system signal. The local subculture has adapted to survive.
Lens 3: Risk Exposure
Different units face different threats. The subculture evolves to manage what that unit experiences most—even when it creates blind spots for everything else. A team hyper-aware of phishing may be oblivious to configuration risk, and vice versa.
If you design for the average employee, you actually design for nobody.
This is the core insight: generic programs fail because they flatten real differences into a fiction of organizational uniformity. Subculture awareness lets you target hotspots where risky decisions cost the most, replicate strengths from teams that already perform well, and tailor interventions so the secure choice fits the local reality of workflow, incentive, and threat exposure.
Making Diagnosis Real: Surveys + Interviews
If you want to place your "us today" marker with any credibility, you need evidence—not opinion, not a single data source. The most effective combination is deceptively simple: surveys for breadth, interviews for depth. Together, they produce a picture you can trust and act on.
Surveys detect patterns in risk decision-making behaviors and the conditions driving them. They're best for three things: scale (how widespread a behavior is), trends (whether things are improving or degrading), and segments (where subcultures differ by unit, role, geography, or risk exposure). The design rule is critical: ask questions that map to observable behavior and system friction, not sentiment.
Survey Questions That Actually Work
Interviews explain what the survey can't—the why behind the numbers. A good culture interview isn't abstract. It's a structured conversation surfacing the decision points where people choose speed over safety, the friction points causing workarounds, the signals from leadership about what gets rewarded or punished, and whether bad news travels upward or gets buried.
Interview Prompts That Surface Reality
Triangulation: Where Trust Comes From
Here's what makes or breaks the entire diagnostic: triangulation. If the survey shows a weak reporting pattern, interviews tell you whether that's driven by fear, uncertainty, past punishment, or unclear pathways. If interviews claim "we always follow process," the survey data tells you whether that's true across the organization or just true for the team talking to you.
Neither source alone is trustworthy. Together, they create accountability. The output isn't a report full of opinions—it's a usable diagnosis built on evidence.
Output 1: A heat map of behavior patterns by subculture—showing where risk decisions cluster and why.
Output 2: A prioritized list of hotspots: the high-frequency risky decisions costing the organization the most.
Output 3: Root causes you can actually fix: decision rights, workflow friction, incentives, and feedback loops.
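As an added illustration (not code from the article), the Python below turns constructed survey answers into the first two outputs above and flags cells where interview claims and survey data disagree, the triangulation step described earlier; the units, behaviors, answers and cost weights are all assumed sample values.

```python
# Added example, not from the article: constructed survey answers -> heat map by
# subculture (Output 1), ranked hotspots (Output 2), and triangulation flags.
from collections import defaultdict

# Observable behaviors the survey asks about (1 = "yes, in the last 30 days").
BEHAVIORS = ("bypassed_change_control", "reported_late",
             "skipped_verification", "access_review_overdue")

# Constructed sample responses: (business unit, answers in BEHAVIORS order).
RESPONSES = [
    ("Engineering", (1, 0, 0, 1)), ("Engineering", (1, 0, 0, 0)),
    ("Engineering", (1, 1, 0, 1)), ("Engineering", (0, 0, 0, 1)),
    ("Finance", (0, 0, 1, 0)), ("Finance", (0, 1, 1, 0)),
    ("Finance", (0, 0, 0, 0)), ("Finance", (0, 0, 1, 0)),
    ("Operations", (1, 1, 0, 1)), ("Operations", (1, 0, 0, 1)),
    ("Operations", (0, 1, 0, 1)), ("Operations", (1, 1, 0, 1)),
    ("Sales", (0, 0, 1, 0)), ("Sales", (0, 1, 1, 0)),
    ("Sales", (0, 0, 1, 1)), ("Sales", (0, 0, 1, 0)),
]

# Hypothetical relative cost of one such risky decision (in practice taken from
# incident data or the risk register); hotspots rank by prevalence * cost.
COST_WEIGHT = {"bypassed_change_control": 4, "reported_late": 3,
               "skipped_verification": 5, "access_review_overdue": 2}

def heat_map(responses):
    """{unit: {behavior: prevalence 0..1}}: the survey's 'scale' view per subculture."""
    by_unit = defaultdict(list)
    for unit, answers in responses:
        by_unit[unit].append(answers)
    return {u: {b: round(sum(col) / len(rows), 2) for b, col in zip(BEHAVIORS, zip(*rows))}
            for u, rows in by_unit.items()}

def hotspots(responses, cost_weight, top=3):
    """(score, unit, behavior) cells ranked by prevalence * cost, highest first, ties by name."""
    cells = [(round(p * cost_weight.get(b, 1), 2), u, b)
             for u, row in heat_map(responses).items() for b, p in row.items()]
    return sorted(cells, key=lambda c: (-c[0], c[1], c[2]))[:top]

def triangulate(responses, interview_claims, threshold=0.5):
    """Cells where interviewees claimed a behavior 'never happens' but the survey
    shows it at or above threshold; interview_claims: {(unit, behavior): claimed_clean}."""
    heat = heat_map(responses)
    return sorted((u, b, heat[u][b]) for (u, b), claimed_clean in interview_claims.items()
                  if claimed_clean and heat.get(u, {}).get(b, 0) >= threshold)

if __name__ == "__main__":
    for unit, row in sorted(heat_map(RESPONSES).items()):
        print(unit, row)
    print(hotspots(RESPONSES, COST_WEIGHT))
```

The flagged cells from `triangulate` are where follow-up interviews are worth the time, since the survey contradicts what the team told you.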
Culture change fails when it starts with blame. Start with strengths. You get honesty and momentum, and you learn what already works so you can scale it.
This is the foundation for everything that follows. A credible current-state view that doesn't depend on opinion, that respects the complexity of subcultures, and that gives you specific, actionable points of intervention. Not a poster on the wall. Not another awareness module. A diagnosis built for decisions.