Picture this. You are a new employee on your first day and you need to set your password. You create a 20-character phrase, unique and strong. The system rejects it: no repeating characters, add a symbol. Your immediate reaction, after the frustration, is "why? My password was already strong."
This kind of friction is common. When people encounter security controls that seem arbitrary, the instinct is to find the fastest way to comply rather than the most secure one. That is not a character flaw. It is a predictable response to a control that has not been explained.
Why controls get ignored
The same dynamic plays out in development teams all the time. Developers work under constant pressure to ship features. When a security requirement lands without context, they look for the quickest route through it, even if they know a better approach would take a little longer.
This is not a criticism of developers. Feature delivery is the primary pressure most engineering teams operate under. If the reason for a control is not clear, the motivation to follow its spirit is low. Everyone has a job to do.
When someone understands why a control exists, they understand the risk it is trying to mitigate. That understanding changes behaviour. It makes people take the control more seriously. This is what security culture actually means in practice.
The pressure on security teams
Security teams in most tech organisations are already stretched. They face a constant stream of security updates, a changing business risk picture, new application deployments shifting the attack surface, and alerts from monitoring platforms. On top of that there is evolving attacker capability, proactive control configuration, and reporting to stakeholders.
The only sustainable way to manage that remit is to build a healthy security culture across the organisation. When the people around you understand why security matters, they share the burden. When they do not, the security team carries it alone.
Building that culture requires transparency. People need to understand not just what to do to stay secure but why those things help in the first place.
How threat modelling builds culture
Threat models are a clear and comprehensive way to describe security measures in terms of the business risks they address. They link controls to threats, and threats to risks. That connection is what makes security legible to people who are not security specialists.
When developers see that a particular password policy exists because there is a specific, documented threat of credential theft with a mapped business impact, the policy stops feeling arbitrary. It has a reason. That reason connects to something they care about.
The same is true for anyone else in the business: business leaders, product owners, legal teams. A threat model surfaces why security work matters in language everyone can engage with.
This transparency is the foundation of security culture. It does not require everyone to become a security expert. It requires everyone to understand enough to take the right things seriously.

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.