People Over Policies, Pt. 2 — From Compliance to Culture

After my last post, two brilliant leaders — @Darius Jasiulionis and @Gurpreet Singh — reminded me why frameworks matter only if people live them.

Darius said it best: “ISO 27001 was never meant to be just documentation, but a culture of accountability and continuous improvement.”
And Gurpreet echoed that: “The biggest challenge wasn’t implementing technical controls, but shifting mindsets from viewing security as overhead to recognizing it as a competitive advantage.”

That hit home.

Back in 2016, when our CIO handed me a blank slate and said, “We need policies and procedures, and we need them yesterday,” I thought writing the policies was the job.
Years later, I’ve learned that policies don’t create accountability — people do.

Frameworks like NIST CSF, ISO 27001, and HITRUST give us structure.
But it’s the culture that brings those frameworks to life — the daily habits, the ownership, the belief that security isn’t someone else’s job.

Compliance builds trust.
Culture sustains resilience.

The next evolution of cybersecurity isn’t a new framework — it’s a mindset shift.

So I’ll throw this question to the community:
👉 How do you build accountability into culture, not just compliance checklists?