# How Executive Culture Can Compromise Your Security

By [Bruce Hembree](https://www.paloaltonetworks.com/blog/author/bruce-hembree/?ts=markdown "Posts by Bruce Hembree"), [Andre Ludwig](https://www.paloaltonetworks.com/blog/author/andre-ludwig/?ts=markdown "Posts by Andre Ludwig") and [Sasha Hellberg](https://www.paloaltonetworks.com/blog/author/sasha-hellberg/?ts=markdown "Posts by Sasha Hellberg")

Sep 03, 2020

Dear Executive,

Last night, your company was breached, and it was potentially you who allowed that to happen.

*"How is this possible?"* you say. *"I spent the money. I hired the people. I bought \[insert flavor-of-the-year security solution\]. I attended the conferences and went to the classes. We were locked down!"*

Your manifold millions of dollars of security solutions and personnel were subverted in a savvy feat of technomancy by threat actors and, instead of some new zero day, they exploited a CVE from 2019. The reason they could had everything to do with your corporate culture.

*"But we have great corporate culture! Our people are happy and enthusiastic!"*

While that is a valuable advantage for a company to have, through action -- or inaction -- leaders frequently also create a culture of intimidation and reluctance to innovate and speak out in their organizations. This happens by fostering a focus on delivering the **production objectives** of leadership at **all costs**. When security hygiene is not held in the same reverence as production, it creates an atmosphere where maintaining production levels dominates and the drive to stay secure surrenders to fear.

TL;DR: People stop innovating when they fear retaliation.

## Does This Sound Familiar?

* Production must *not* be impacted.
* Rigid review board with change controls so onerous that changes, including ones to address security, move in *weeks* and *months*, not days and weeks, *even in DEV*.
* Patches can take *months* or *years* to go into production.
* The negative lessons of past security efforts are what are remembered, to the exclusion of positive changes.
* Negative comments in casual conversation by leadership continue long after the event.

Does the organization create a culture of security as a core philosophy?

* Would email delays caused by new phishing countermeasures be reprimanded or understood (given phishing is the threat mechanism most exploited by cyber criminals)?
* Should *temporarily* slowed traffic from newly fielded East-West firewalls be seen as a firing offense -- or praised for demonstrating the initiative to inspect traffic in new places?
* Are firewalls, CASB or endpoint protection settings in "monitor/alert" mode, instead of "block," for fear of false positives?
* Are fears of generating trouble tickets that increase ["mean time to resolution" metrics](https://www.paloaltonetworks.com/blog/2020/01/cortex-soc-metrics/?ts=markdown) keeping personnel from using the very solutions purchased to improve security simply because it would "make their numbers look bad?"

## "Fear Is the Mind Killer."

Even casual negative comments dropped in conversation from leadership can have an effect at the working level that will make any enterprise lumber like Frankenstein instead of dancing like Fred Astaire.

A culture of fear and retaliation flows from the top. Conversely, it must stop at the top, and not just implicitly. Understanding and wisdom must be driven from the top in outspoken terms and backed up with actions.

**The key is to rationally accept risk and explicitly state that people won't lose their jobs due to an incident -- if they** ***responsibly innovate.*** **You have to back your words up with top cover.**

Being a leader means taking the heat when security innovation might cause disruptions -- ***and having the wisdom to keep doing it.***

## Creating a Better Executive Culture

So what are some simple steps executives can take to build a smart security culture?

1. Manage *sideways.* Partners in the executive team need to understand the explosively dynamic nature of security and the dedicated threat actors who are trying to penetrate the enterprise. Nothing will stop them forever. *Nothing.* Be prepared for trouble when it happens.
2. Manage *down.* People need to know the executives have their backs when hard calls to support security are needed. Period. Full stop.
3. *Lead from the front and then get out of the way.* People have to know they can take responsible risks at work without threatening their livelihood. Take the heat for allowing innovation before even knowing what went wrong. That is the executive's role.
4. *Watch what is said, how it was said and what is done --* ***especially*** *in private.* Middle tier management pays the *most* attention to their executives *when only they can hear what is said.* If something is done to suggest that executives won't truly support security measures and innovation, knowledge of this bleeds down from leadership and the organization will fall back into fear culture.
5. *Practice embracing "determined fallibility."* Understand that nobody is perfect and engineers are no less human. Learn well, forgive fully, and move on.
6. [*Automate everything possible*](https://www.paloaltonetworks.com/blog/2020/01/cortex-secops-strategies/?ts=markdown)*.* Engineers are never more dangerous than when they are bored and they can be the hardest working lazy people in the world. *"What does that mean?"* you ask. Many engineers will work all day to automate a step that takes 20 minutes. Let them. Once the mind-numbing work is handled, they will get to the side projects that truly increase your organization's security maturity level.
7. *Work as hard as they do.* They have to see it. Regularly. Get in amongst staff and be interested and accessible, but know when to get out of the way. This behavior will reward your entire organization in the form of dedication from your entire staff. Sequestering in an office reinforces a culture of seclusion. When executives enter workspaces, it invites feedback.

Executives must broadcast their stance that security is an evolving field and requires agility and tolerance of change. Agile organizations are ready to embrace the concept espoused by the legendary Bruce Lee: "Empty your mind, be formless, shapeless, **like water**. If you put water into a cup, it becomes the cup."

Security's "cup" will change before the paint is dry on the latest whizbang security appliance and the "water" will need to flow into it. Threats on the internet are inherently asymmetric,\* and we will never know when they are coming or what form they will take.

**With** the grace to tolerate calculated risk internally, executives become the inspiration for their organization to grow. **Without** it, security becomes secondary and the organization risks becoming the news article outsiders cite in their next security expenditure justifications.

*For more on how to improve security operations, read our series, "*[*Elements of Security Operations.*](https://www.paloaltonetworks.com/blog/tag/elements-of-security-operations/?ts=markdown)*"*

\* **Asymmetric warfare** *(military concept) is conflict between belligerents whose relative capacity to make war differs significantly and implies irregular attack intervals and wildly changing vectors to subvert static defenses.*

*Bruce Hembree is a Cortex Field CTO for Palo Alto Networks.*

*Andre Ludwig is Chief Product Officer for Bricata.*

*Sasha Hellberg is Senior Manager of Threat Intelligence at Bell Canada.*