Building a Security Culture That Actually Works 💥
- Celeste Kinswood
- Apr 8
- 4 min read
I've spent the vast majority of my career working at security companies. You might think working on the vendor side of things puts you too far from the action to actually see what security strategies work. But the truth is, when your job includes sitting in on consultative sales cycles, creating and hosting customer advisory boards, and talking with analysts about customers across a huge set of industries, you see a lot. I've had a front-row seat to what’s working, what’s not, and why.
Plus, when you work at a security company, the pressure gets cranked up to eleven. Everyone knows that if something goes wrong — if there’s a breach, a major lapse, a public incident — it won’t just hurt your customers. It’ll make your whole company look like a fraud. That fear is real and forces teams to think deeply about how to build security into the way people work, not just the tools they use.
That’s what this post is about.
I’ve seen these three challenges come up again and again — across industries, team sizes, and maturity levels. Here’s how the companies that get it right actually solve them.
1. Division and opposition 🤼♂️
The pain: Security vs. IT. Devs vs. Infra. Ops vs. Risk starts to feel like an ongoing WWE feud. Something goes wrong and people come to the table already assuming they’ll be at odds. The meeting starts tense, maybe even a little combative. People posture, defend their turf, try to subtly shift blame, or just stay quiet. By the end, they often leave more frustrated than when they arrived — unheard, unconvinced, and even less likely to collaborate the next time around.
What works: Get everyone in the room from the very beginning. When security only gets brought in after systems are already designed, or only when something goes wrong, resentment builds. Acknowledge the stress and the competing incentives. Then remind folks of this shared truth: everyone here wants the company to succeed. Start from that place and build up — together.
Real world example:
I joined Proofpoint to help manage the acquisition of a new technology — security for social media. The acquired company had primarily sold to marketing teams, not security. At first, we tried to fold the tech straight into the Proofpoint portfolio and sell it directly to security buyers. But pretty quickly, we realized we were setting teams up to fail. When we talked to security about marketing platforms without getting marketing in the room, it caused confusion and friction. It wasn’t until we started asking security leaders to invite their marketing counterparts to our calls (and vice versa) that we saw real traction — both in the sales cycle and in long-term customer success.
2. “People are the weakest link” 🔗
The pain: It’s easy to blame employees for clicking the wrong link or bypassing a policy. But if your training sucks or your tools are painful, what do you expect?
What works: Make security training short, accessible, and respectful of people’s time. Put it right in the SSO portal and make it real (skip the stock photos and cringeworthy videos). Build trust by limiting surveillance tech — only use invasive tools where it’s absolutely necessary (think: compliance retention for financial systems or using Bastion to push code to production).
It also helps to remind people WHY they are doing training. Are you going through SOC2 certification? Or just trying to stay out of the news? Either way, helping people understand the positive impact completing their training has on the company can make it seem like less of a drag. Treat employees like adults and they’re a lot more likely to act like security partners.
Real world example:
My current company, ZeroTier, uses Vanta for security audits and training. It's easy to log in, the trainings are comprehensive, and it's simple to see your checklist of open items. And you know what? The talking Llama from the Vanta videos is actually pretty easy to listen to.
3. “It’ll never happen to us” 🫠
The pain: Security feels abstract. Leadership hears about breaches on the news, but it still feels far away. It’s something that happens to other companies — ones with poor controls or bad luck. Until it happens to you. And by then, it’s too late to build the culture that's needed to respond effectively. Without that personal connection, it’s easy for people to deprioritize security entirely.
What works: Make it tangible. Wargames and red team simulations are a great start — especially when they’re collaborative, not punitive. Simulated phishing is another powerful tool, if you treat it like a game. Track progress, reward good reporting, and throw in some incentives (gift cards work wonders). When security becomes something people can interact with — not just a set of rules to memorize — it sticks.
Real world example: I loved the way Atlassian handled internal security. Being on red team was seen as a fun community-building activity. Choosing people in rotation and publicizing the list made it feel like a cool-kid club and built an enjoyable sense of secrecy around meetings. Druva is another great example of a company getting security right. During my time there, I helped implement anti-phishing programs that included simulated phishing emails. These weren’t just box-checking exercises — they actually made the "does this link look phishy?" training stick in people’s minds and behavior.
Security culture isn’t a vibe. It’s a set of intentional choices.
It’s how you design systems. How you talk to each other. How you respond when something goes wrong.
And most of all, it’s how you treat your people.
If you want a stronger security culture, start with empathy and clarity. Invite people in early. Make expectations easy to meet. And find ways to connect security to the real work people do every day. That’s what turns awareness into action — and action into long-term resilience.
Love this! Security culture isn’t just a vibe—it’s the secret sauce that keeps the whole ship afloat. Also, props to the talking llama (LOL). Finally, a security trainer we can all trust!