
AWS for Software and Technology

Insight

How software companies can cultivate a security culture

by Samira Gilani, Global Industry Lead, Cloud Intelligence & Innovation, AWS | 8 August 2025 | Thought Leadership

Overview

In complex security environments, improving security posture relies on more than choosing and operating the right technology—it’s an innately human challenge too. That’s because people have the power to solve problems creatively and, collectively, they’re what helps a software company achieve peak performance. The values, norms, behaviors, and knowledge shared by an organization all feed into security outcomes.

Of course, a culture of security isn’t created in a vacuum. To bolster protection and build resilience, leaders need to look inward to develop the emotional intelligence and practices needed to empower teams. From building a sense of psychological safety to driving informed, high-velocity decisions, explore how culture can breed a positive ripple effect on security posture and beyond.


1. Foster shared behaviors, knowledge, and ownership

Norms influence how individuals behave, and so setting a clear vision for security values is crucial from the outset. Security should never be an afterthought, but to build it into your software company’s DNA requires everyone to live and breathe those principles. Once leaders have identified security values, they should effectively and consistently communicate and model the associated security measures to transform them into norms.

Customer security is (and always has been) a top priority for Amazon Web Services (AWS). Making this possible also relies on establishing shared ownership and understanding, thus fostering security-by-design throughout the development lifecycle. Hart Rossman, Vice President of Global Services Security at AWS, explains how having a dedicated security team helps with this: “First and foremost we’re focused on helping customers build, deploy, and operate securely on AWS. But we also look after security internally, so we help Amazonians who are looking to raise the bar for security in the field.” When everyone leans into the company’s core values and is equipped with the right security knowledge, they can better detect and respond to changing security requirements.

2. Make emotional intelligence your superpower

As Simon Sinek once said, “If you don’t understand people, you don’t understand business.” Emotional intelligence (EQ) is a critical quality for software company leaders, helping to build thriving teams and a people-first environment. It’s the ability to understand and manage your emotions, as well as influence the emotions of others in a healthy and productive way. Because when teams feel safe and seen, they can contribute their best ideas, support security innovations, and gain greater job satisfaction.

Building a sense of psychological safety is especially important given the shortage of security talent, with a 28 percent vacancy rate reported for cybersecurity jobs worldwide. Software leaders with EQ not only help attract and retain talent, but they are better able to empower individuals to learn and contribute while preventing burnout.

The qualities for EQ are explored in the EPIC leadership program from AWS, guiding leaders on how to supercharge transformation with qualities such as empathy, purpose, inspiration, and connection. The EQ security workshops were proven to increase confidence in translating security needs into business outcomes by 42.8 percent. With these essential people skills, software companies can engage individuals, encourage input across the entire organization, and optimize collaboration on security practices.

3. Reframe escalations to fuel decisions

Escalations are not a sign of failure. When positively reinforced, escalations can be a powerful tool for nurturing high-quality, high-velocity decision making. Practicing blame-free escalation is encouraged at AWS because it provides an opportunity for shared learning. When individuals are praised for escalating an issue or idea, they can work with the wider team to focus on mitigating the security risk together. This promotes both a calm environment and faster, more impactful resolutions when it really matters.

Evaluating these situations and seeking feedback also supports continuous improvements to security outcomes. Teams should question why something went wrong and probe into how it could have been detected sooner. Inspiring individuals to become security guardians for each service team can also reinforce the feedback mechanism and scale security awareness.

4. Stay tuned into stakeholder goals

Security leaders that engage the board with their approach are better equipped to drive business outcomes. Sharing relevant updates regularly keeps executives aware and involved, but it requires actively trying to understand their challenges and goals. Communication is therefore key. However, a study found that 58 percent of CISOs have difficulty communicating technical language in a way that senior leadership can understand.

By translating security initiatives into business impact, security leaders can create alignment. For example, when discussing security automation, focusing on the benefits of cost and developer time savings will resonate with executives more than technical details. And when the effectiveness of security practices is continuously measured, security professionals can use compelling data and anecdotes to keep the board engaged with progress.

Culture is the reward of consistency

While a culture of security can’t be created overnight, software companies that champion these principles can build powerful benefits over time—from enabling faster, informed decision-making to unlocking security knowledge across the entire organization.

Using this repeatable mental model, AWS helps its customers establish security leadership and practices that are grounded in safety, empathy, and trust. In an environment that’s always changing, investing in learned skills such as emotional intelligence plays a significant role in empowering teams to respond efficiently to security concerns and build resilience.

About the author

Samira Gilani, Global Industry Lead, Cloud Intelligence & Innovation, AWS

Samira Gilani is responsible for helping teams navigate rapid and ongoing market changes and technology advancements. She is committed to creating disruption and change by highlighting ways technology can enable innovation, growth, and better customer experiences across the areas of health, wellness, education, and social impact. Samira is located in Chicago, Illinois (US).
