Chapter 3: The Foundations of Transformation

Nothing happens until the pain of remaining the same outweighs the pain of change.

Arthur Burt

We've discussed why security culture is becoming a hot topic and why it is so important that it deserves board-level attention. But what about awareness? And what about all the other things generally associated with awareness, like simulated phishing tests? Where do they fit in?

Those are great questions.

The answer is both simple and complex. Those things are important to culture, but they are not culture. They are pieces of the puzzle, but they are not the entire puzzle. They are both artifacts of culture, and instruments that can be used to influence culture. Culture exists anywhere there are people. And a security culture exists anywhere there are people. You have a security culture even if you aren't focusing on it. The question comes down to whether your security culture is one that reflects the knowledge, values, norms, and behaviors you want—and what you need to do about it.

Back in 2019, I (Perry) wrote a book titled Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley). The book was rattling around in my head for 10 years or so. It was the book I hoped to find when I started out as an awareness practitioner. Since its ...
