Nobody runs a marathon by accident

Javvad Malik | Apr 22, 2026

Nobody wakes up on a Sunday, stretches, checks the weather, and accidentally clocks 26.2 miles before brunch. A marathon is built on lonely mornings, careful plans, lost toenails, and no social life. You train for weeks or months. You get injured. You ice. You tape. You pick protein over pudding. All because you know without this, you won’t cross that finish line.

Security culture works the same way. You do not stumble into it. You do not print three posters, throw in a quiz, and discover that everyone is serenely immune to scams. Culture is the accumulated result of small choices made in the same direction, under pressure, when nobody is watching. It is early miles in the rain, not a photo finish.

Runners don’t vibe, they start with a plan. Security needs the equivalent. A once‑a‑year training module will not help someone when they’re looking at their inbox at 4.43 p.m. on a Thursday.

Training and coaching need to be embedded into the flow of work. Short prompts. Fast checks. Small frictions at the moment of choice. Teach the legs to keep turning over, not just how to read a manual about running.

Things will go wrong. A hamstring twinges at mile seven. A blister turns up when you least want it. The fix is never to shout at the leg for being weak. You adjust. You rest. You learn.

If you punish people for those moments, they will hide them. If you praise fast reporting, they will tell you early and often. That is how you prevent real damage. Mental safety is not a poster. It is a policy you prove with how you behave when things go wrong.

Runners do not live on junk food when they are building up to a marathon. Because rubbish in means rubbish out. Security culture needs the right inputs too. Tools that reduce friction instead of adding it. Policies written so a human will read them. Leaders who say “no” publicly to the insecure shortcut, not just privately in a DM.

You can run a marathon in the wrong trainers, you just will not like your feet afterwards. In security, clunky processes are the wrong shoes. If reporting a suspicious email requires five menus, a ticket, and your grandmother’s maiden name, do not act surprised when nobody reports anything. Make the safe path the easy path. Spend money on trainers, not plasters.

Community helps more than people often realise. Ask any first‑timer what got them through and you will hear about club runs, mentors, and that stranger at mile twenty who offered a hydration gel sachet. Build your champions. Celebrate the people who catch near misses. Tell the stories of quiet wins, not just loud mistakes.

You can always tell who treated culture like a sprint and who treated it like a marathon. One group hopes for good weather and a flat course. The other has a rain plan, a pace band, a spare pair of socks, and the number of someone who will come get them if it all goes sideways. Security is not about never making mistakes. It is about building a team that notices early, recovers fast, and finishes together.

You will not build a positive security culture by accident. You will build it the long way. With repetition. With patience and with a few sore muscles.

You will get it wrong, then get it less wrong, then get it right more often than not. One day you will look up and realise your people are scanning for risks without being asked, reporting without being shamed, and helping each other over the line.

That is the finish worth training for.

Javvad Malik is Lead CISO Advisor at KnowBe4 and once tried carb‑loading for an incident response drill, which is why there are still six bags of pasta in the SOC cupboard.



