Changing technology is easy...changing culture is hard. I think changing this cultural mindset can only be done by constantly making your managers and employees aware of the risks. Reminding them of the bottom dollar value of a security incident. Reminding them that security is everybody’s problem.
I have implemented the most radical and successful changes to organizations after an 'incident' has occurred. This seems to be the only time when they are willing to listen...otherwise, it is a constant uphill battle.
I would never say, "if you want to have an accident, buy insurance"...and I would never say "if you want to change your company's security culture, have a security incident!" but security, like life, can be paradoxical.
We seem to learn best after making mistakes...and the bigger the mistake and the more it costs us, the more likely we are to change.
GPEN OSCP OSWP CCSE CCSA CHFI..etc
Bronze Swimming certificate..