Author: Eric Thiele
The moment you realize culture matters more than any tool often arrives quietly. For me, it happened during a late‑night incident call where every dashboard looked green, every alert was silent, and every control appeared to be functioning. Yet something had gone wrong. A developer had spun up a shadow environment to test a feature, skipped the approval process, and unintentionally exposed sensitive data. There was no attacker, no malware, no zero‑day exploit. It was simply a human decision made under pressure.
That incident taught me a lesson I have seen repeated across organizations: technology rarely fails first. Culture does. A CISO once told me, “You can automate everything except judgment.” He was right. The companies that stay out of breach headlines are not always the ones with the most advanced tools. They are the ones where people instinctively pause and ask, “What could go wrong?” before they act.
In a world where cloud-native development moves faster than governance frameworks can evolve, risk awareness is no longer a security function. It is a shared mindset that must stretch from DevOps to the boardroom.
Why Culture Matters More Than Ever in 2026
The pace of modern development has created a new kind of risk. Infrastructure can be deployed in minutes. AI-assisted coding accelerates delivery even further. CI/CD pipelines push changes dozens of times per day. In this environment, a single misconfigured S3 bucket or overly permissive IAM role can expose millions of records before anyone notices.
Industry research shows that more than 70 percent of cloud breaches still stem from human error or misconfiguration. That statistic should be a wake‑up call. It means the biggest threat is not a nation-state actor. It is a rushed decision, a skipped review, or a well-intentioned shortcut.
At the same time, regulators are raising expectations. NIST Cybersecurity Framework 2.0, SEC disclosure rules, and state privacy laws are placing accountability squarely on executives and boards. One board member told me, “Cybersecurity is now a business survival issue. If we get it wrong, nothing else matters.”
During my time leading incident response and root cause analyses at Cars.com, I saw the same pattern repeatedly. The incidents that caused the most damage were not the result of sophisticated attacks. They were the result of cultural blind spots. Shadow resources. Bypassed approvals. Assumptions that something was safe simply because it worked in development. The root cause was almost always cultural, not technical.
Starting Where You Are: The DevOps Foundation

Culture does not begin in the boardroom. It begins with the people who ship code every day. If risk awareness does not exist at the engineering level, it will never take hold anywhere else.
One of the most effective ways to build this awareness is to make risk visible in the tools engineers already use. When IAM Access Analyzer findings appear directly in pull requests, or when Config rule violations block deployments in GitHub Actions, risk becomes part of the workflow rather than an afterthought. Terragrunt modules that include lightweight risk prompts can turn a routine infrastructure change into a moment of reflection.
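As an added illustration of the pull-request gate described above (not code from the original article or from any Cars.com tooling), the script below is what a GitHub Actions job could run after querying AWS Config: unwaived NON_COMPLIANT rules fail the job, accepted exceptions and rules without a verdict surface as warnings in the PR checks UI. The response shape follows AWS Config's DescribeComplianceByConfigRule API as I understand it, the rule names are AWS managed-rule names, and the compliance data and the RISK-0042 exception are constructed.

```python
import sys

# Constructed sample in the shape of an AWS Config DescribeComplianceByConfigRule
# response (assumed shape; a real job would get this from boto3 or the AWS CLI).
SAMPLE_COMPLIANCE = {"ComplianceByConfigRules": [
    {"ConfigRuleName": "s3-bucket-public-read-prohibited",
     "Compliance": {"ComplianceType": "NON_COMPLIANT", "ComplianceContributorCount": {"CappedCount": 2}}},
    {"ConfigRuleName": "iam-policy-no-statements-with-admin-access",
     "Compliance": {"ComplianceType": "NON_COMPLIANT", "ComplianceContributorCount": {"CappedCount": 1}}},
    {"ConfigRuleName": "restricted-ssh",
     "Compliance": {"ComplianceType": "NON_COMPLIANT", "ComplianceContributorCount": {"CappedCount": 1}}},
    {"ConfigRuleName": "encrypted-volumes", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "rds-multi-az-support", "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
]}

# Accepted risks live beside the code with an owner reference and expiry, so a
# waiver is a visible decision rather than a silently skipped check (constructed).
ACCEPTED_EXCEPTIONS = {"restricted-ssh": "RISK-0042 (bastion host, expires 2026-03-31)"}


def evaluate_gate(response, accepted_exceptions):
    """NON_COMPLIANT blocks unless waived; other non-COMPLIANT verdicts such as
    INSUFFICIENT_DATA only warn. Returns (blocking, waived, annotations), the
    annotations being GitHub Actions ::error:: / ::warning:: workflow commands."""
    blocking, waived, annotations = [], [], []
    for entry in response.get("ComplianceByConfigRules", []):
        name, comp = entry["ConfigRuleName"], entry["Compliance"]
        ctype = comp["ComplianceType"]
        if ctype == "COMPLIANT":
            continue
        count = comp.get("ComplianceContributorCount", {}).get("CappedCount")
        detail = f"{name}: {ctype}" + (f" ({count} resource(s))" if count else "")
        if ctype != "NON_COMPLIANT":
            annotations.append(f"::warning::{detail}; no verdict, review manually")
        elif name in accepted_exceptions:
            waived.append(name)
            annotations.append(f"::warning::{detail}; waived under {accepted_exceptions[name]}")
        else:
            blocking.append(name)
            annotations.append(f"::error::{detail}; blocks deployment")
    return blocking, waived, annotations


def main():
    blocking, waived, annotations = evaluate_gate(SAMPLE_COMPLIANCE, ACCEPTED_EXCEPTIONS)
    print("\n".join(annotations))
    print(f"{len(blocking)} blocking, {len(waived)} waived")
    return 1 if blocking else 0  # a non-zero exit fails the Actions step


if __name__ == "__main__":
    sys.exit(main())
```

Run as a step after the Config query; the waiver table doubles as the record of who accepted which risk and until when.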
Another essential step is speaking the language of engineers. Security professionals often lose credibility by relying on compliance jargon. Engineers do not think in terms of “control deficiencies.” They think in terms of “blast radius,” “latency,” and “mean time to remediate.” When you translate risk into engineering outcomes, you meet people where they are. A senior engineer once told me, “If you explain security in terms of reliability, I am all in. If you explain it in terms of audit findings, I tune out.”
Recognition also plays a powerful role. When teams proactively identify risks and fix them before they become incidents, those stories should be shared. A simple message in Slack celebrating a team that prevented a potential data exposure can do more to shape culture than any mandatory training.
Bridging the Gap: Engineering Leadership
Engineering managers and directors serve as the cultural bridge between technical teams and executive stakeholders. Their influence determines whether risk awareness becomes a habit or remains a slogan.
One effective approach is to integrate risk into planning conversations. When quarterly planning sessions or OKR discussions include a dedicated moment to ask, “What could go wrong with this feature or migration?” teams begin to internalize risk as part of the development process.
Tabletop exercises are another powerful tool. A short, scenario-based session such as “What happens if our primary AWS region goes down while our backup provider experiences a ransomware attack?” can reveal assumptions and gaps far more effectively than any policy document.
Metrics also matter, but only if they reflect real risk reduction. Vanity metrics like “number of vulnerabilities” rarely drive meaningful change. Metrics such as mean time to detect IAM permission drift or the percentage of workloads with verified backups tell a more accurate story about organizational resilience.
When leaders consistently ask risk-related questions in standups and one-on-ones, they send a clear message: risk awareness is not a security initiative. It is how we operate.
Executive and Board Engagement

The true test of culture is whether risk awareness reaches the C-suite and the boardroom. Executives shape incentives, priorities, and the tone of the organization. If they do not model risk-aware behavior, no one else will.
One of the most effective tools at this level is a clear risk appetite statement. When leadership defines what level of risk is acceptable in areas such as availability, data privacy, or vendor reliance, it provides a compass for decision-making across the organization.
Executive dashboards can also make a significant impact. Instead of presenting a list of GuardDuty findings, translate the information into business terms. For example: “The estimated financial exposure from unremediated high-risk issues is X million dollars.” Executives respond to clarity, not complexity.
Boards, in particular, benefit from scenario-based reporting. Rather than presenting tactical metrics, frame discussions around strategic risks. For example: “If we proceed with this acquisition, here are the top three inherited GRC risks and the timeline for mitigation.”
Personal accountability matters as well. When executives participate in the same security awareness training and phishing simulations as everyone else, it sends a powerful signal that risk awareness is a shared responsibility.
Common Pitfalls to Avoid
Many culture initiatives fail because they rely too heavily on annual training, which often creates cynicism rather than awareness. Punitive approaches can drive risk underground, making problems harder to detect. Announcing a culture initiative without sustained leadership attention undermines credibility. And perhaps most importantly, organizations often ignore incentives. If promotions and bonuses reward speed and feature delivery but not risk-aware behavior, culture will follow the incentives, not the policies.
A security leader once told me, “If your incentive structure contradicts your security policy, your culture will always choose the incentive.”
Measuring Success
Culture is difficult to measure, but not impossible. Leading indicators include an increase in self-reported risks, faster remediation times for high-priority findings, higher participation in voluntary security activities, and a reduction in repeat audit findings. Qualitative feedback from surveys and exit interviews can also reveal whether people feel empowered to raise concerns.
Tracking these indicators over time and sharing progress transparently builds trust and reinforces the message that risk awareness is a collective effort.
A Personal Note on the Transition
After spending years in cloud engineering and DevOps before moving into GRC, I learned that technical experts and business leaders each see only part of the risk picture. Engineers understand the system. Executives understand the business. Security understands the threat. Real progress happens when these perspectives come together.
Culture change is slow. It requires consistency, psychological safety, and alignment between stated values and actual incentives. But the payoff is enormous. Fewer incidents. Smoother audits. Better decisions. Teams that feel empowered rather than policed.
The organizations that will thrive in the coming decade are not the ones with the most tools. They are the ones where every person, from the most junior developer to the board chair, instinctively considers risk as part of doing their job well.
So here is the question worth asking: What is one small change you can make this week to strengthen risk awareness in your organization?