Workshop: Changing Security Culture

Security culture hacking is the set of skills and the creativity needed to disrupt an existing security culture and redirect it toward a more secure future, and it is a skill that can be learned. This workshop explores how to use awareness, continuous security learning, and security champions as “hacks” to disrupt your security culture. It is time to disrupt your organization's security future.

This workshop is a mixture of lecture and table-top exercises. A security culture champion leads the activities; attendees are split into groups and presented with a company in trouble. Each group takes on the role of a team of consultants and works through a series of tasks as it builds solutions to change the security culture of that organization. At the conclusion, teams share their best results with the room.

Audience: This session is for those who wish to proactively change the security of their organization by creating a program that applies real-world techniques. Participants may come from program, product, executive, or security management ranks. Participants will apply their own experience working in security to the case study.

Prerequisites: Participants should have a foundational understanding of application/product security and of how ordinary organizations approach security. You must understand how security is done today in order to change security culture effectively and apply the lessons.

Computer Setup: Computers are needed for research and note-taking. There are no specific requirements for computer setup.

  • An overview of security culture hacking, the security culture hacker, and a process to hack security culture (45 minutes)
  • An interactive case-study in security culture hacking (Flindly)
    • Back story (30 minutes)
    • Consulting through the five steps
      • Assess exercise (45 minutes)
      • Communicate exercise (45 minutes)
      • Connect exercise (45 minutes)
      • Educate exercise (45 minutes)
      • Reward exercise (45 minutes)
  • Lessons learned through team presentation (60 minutes)