The Pluralsight Podcast

Why Security Policies Fail: The Human Side of Cybersecurity | John Elliott


Most security failures aren't technical — they're human. So why do we keep designing security programs that ignore how people actually think and behave?

In this episode of The Pluralsight Podcast, John Elliott — Pluralsight author fellow, PCI DSS contributor, and specialist in regulated security and data protection — makes the case that the language, culture, and psychology behind your security program matter just as much as the controls themselves.

John breaks down why policies get misread, ignored, or worked around, and what leaders can do differently. From the neurolinguistics of security training to the aviation concept of "just culture," this conversation is packed with practical frameworks for building security programs that people actually follow.

We also dig into the expanding attack surface of agentic AI, why your cybersecurity team is likely more anxious than you realize, and what organizations need to do right now to prepare for what's coming.

Chapters:

02:58 How John Discovered the Human Side of Security

05:30 Why Security Communication Is So Often Overlooked

06:03 Where Policies Break Down in Practice

08:26 The Importance of Explaining the "Why"

09:31 Connecting Individual Behavior to Organizational Security

11:41 Designing Controls and Training People Will Actually Follow

12:49 Compliance Is Always a Risk Decision

14:36 Can You Ever Hit 100% Security Coverage?

17:03 Beta Testing Policies Before You Roll Them Out

18:05 What Most Teams Get Wrong About Security Training

19:15 The COM-B Model: Capability, Opportunity, and Motivation

21:04 How to Diagnose the Real Skill Gap in Your Organization

24:24 Don't Patronize People — And Don't Give Them 50 Things Not to Do

25:44 The Compliance Budget: You Only Get 3% of Someone's Brain

27:55 Building a Healthy Security Culture

28:10 Psychological Safety as the Foundation of Security Culture

29:10 What "Just Culture" Means and Where It Comes From

30:34 The Badge Policy Problem — And Why It Backfired

34:07 Balancing Risk Appetite Across Large Enterprises

35:22 AI's Unique and Poorly Understood Attack Surface

38:09 Agentic AI, Open Source Agents, and the Enterprise Risk

41:49 Two Practical Changes Leaders Can Make Right Now

44:49 Benchmarking Security Skills

Want more insights on Security, Cloud, and AI? Subscribe to our newsletters: https://plrsg.ht/3MZ78ya

Follow Pluralsight on LinkedIn: https://www.linkedin.com/company/pluralsight/

Connect with John Elliott on LinkedIn: https://www.linkedin.com/in/withoutfire/

Questions or comments? [email protected]

www.pluralsight.com


The Pluralsight Podcast, by Josh Burkhead