Month: November 2015

The Cost of a Bad Decision: Measuring the Impact of Security Culture

Selling the value of culture isn’t easy. Especially in a cybersecurity program. I’ve found security professionals to be among the loudest complainers about terrible security cultures within their organizations. But, ironically, they also tend to be the first ones to throw up their hands when it comes to changing those cultures. Sometimes the reason behind this feeling of helplessness is the unpleasant truth that, as much as companies say they take security seriously, InfoSec teams and CISOs often lack the political juice to effect fundamental change. Other times the reason has more to do with the fact that people don’t come equipped with a command line interface. That tends to make them more or less unfathomable to security teams used to working with technology systems. Changing the unconscious biases and values that make up organizational culture seems about as likely as writing a shell script that will make your server kiss you and really mean it. So why bother?