In the first of our interview series with security leaders who have turned risk management into a corporate asset, Andy Ellis, the former CSO of Akamai Technologies and current leadership advisor, shares how security culture and smart engagement with business colleagues can unlock resilience, innovation—and even a few penguins along the way.
CISO Leadership Takeaways:
Andy Ellis doesn’t just talk about cybersecurity leadership—he helped define it. As the longtime chief security officer (CSO) of Akamai Technologies and now the founder of management advisory firm Duha, Ellis has spent his career turning security into a business advantage, one cultural shift at a time.
In the debut edition of Cyber Means Business, Ellis shares why culture is the hidden variable in every successful security strategy, and how inclusive leadership, user empathy, and a well-placed penguin can unlock measurable results.
Joan Goodchild: You’ve said culture is a key driver of effective cybersecurity. What do you mean by that?
Andy Ellis: Culture is the garden you grow. It is both the flowers you plant and the weeds you tolerate. It is not just what you encourage, it is also what you allow to fester. In cybersecurity, one of the weeds that has grown over time is the idea that our job is to say “no.” That mindset took root because security was historically treated as an afterthought, something outside the scope of cost-effective IT operations. We became a reactive profession. We showed up when something went wrong, patched the problem, and then disappeared back into the shadows.
That survival-based culture created a dynamic where the security team became a blocker instead of a partner. When that happens, business teams stop inviting security to the table. You find out about a product launch at the same time as the public, and you are expected to either rubber-stamp it or become the bad guy who halts progress. That approach is not sustainable, and it certainly is not aligned with business goals.
A healthier security culture shifts that dynamic. Instead of being the department of “no,” we become the team that helps others succeed safely. It is a subtle change. "We stop you from shipping insecure products" becomes "we help you release secure ones." That shift transforms how people engage with us. That is when you move from being a cost center to becoming a strategic enabler.
Can you give an example of how you built that kind of culture?
One of my favorite stories involves a ten-dollar stuffed penguin named George. Back when my team at Akamai was still small, maybe a dozen people, we would occasionally go on group outings. On one of those trips, we went to the New England Aquarium in Boston and someone spotted a plush penguin in a gift shop and asked if they could expense it. The reason? “Because it will make me happy and more productive.” We said yes.
What happened next surprised us. That penguin became a traveling mascot. One team member decided to hand it off each week to someone who made security better. The penguin became a symbol of appreciation and peer recognition, and it quickly outgrew our department. Soon, people across the company were asking how they could get a visit from George. We eventually had to make multiple copies—one for each continent—because George was spending more time in FedEx boxes than on desks.
That is when we realized something important had happened. Security was not just tolerated, it was being celebrated. People began looking for ways to contribute to security efforts because they wanted to be recognized. It sounds like a gimmick, but it created a shared sense of mission. When we later had to tackle tough cross-functional vulnerabilities that had stalled for years, people stepped up. Not because we forced them, but because they trusted us and wanted to be part of the solution.
How does that translate to business value?
It creates alignment and removes friction. In a lot of organizations, time and energy are wasted pushing back against security. Debating controls, bypassing reviews, avoiding collaboration with the security team—none of that produces any business value.
When security is seen as a partner, that wasted energy disappears. The business starts working with you, not against you. You begin prioritizing efforts together that support both security and business goals.
For instance, we helped accelerate our software delivery pipelines. That might not sound like a security initiative, but for us it was critical. Faster software delivery meant we could push out patches more quickly. That helped us and helped the business. That kind of mutual benefit is what real alignment looks like.
What advice would you give to other CISOs trying to build this kind of culture?
Focus on being useful. Especially when you are new in a role, take time to listen. I often tell CISOs to start by asking two simple questions: “What is the dumbest security control we have?” and “What is the most obvious thing we should be doing that we are not?”
You will get valuable answers. Some suggestions may reflect misunderstandings, which gives you a chance to educate. Others will be clear, actionable wins. Maybe your CIO is logging in seven times every morning and thinks single sign-on is broken. Fixing that is not just good security, it is a cultural victory. It shows you listen and deliver.
Also, know your true role. The CISO is not there to fix every risk directly. You are there to help the organization make the right security decisions. That is an important difference. Instead of enforcing everything from the top down, you educate, influence, and align with the business so that the company owns and supports the right fixes.
What’s the best way to measure success in a culture-driven security strategy?
I look at three things. First, the crises that never happened. If a competitor had a breach and you can show your board how your controls prevented the same thing from happening to you, that is a huge win.
Second, near misses. When an issue does happen but it is not nearly as bad as it could have been, call that out. Highlight the previous work that helped minimize the damage and give credit to the people or teams that made it possible.
The third measure is trust. When customers, board members, or employees say they trust your security program before you have even said a word, that speaks volumes. I remember a customer call where a security lead who was known for being tough said, “I do not have any questions. I have read Andy’s work. I trust him.” That kind of credibility is built over years and reflects a culture that others recognize and respect.
You also advise startups. Can early-stage companies use security as a business advantage?
Not the way they used to. These days, having SOC 2 compliance is just expected. Every startup has to do it. The opportunity is not about standing out through security alone, but about doing it efficiently and building a solid foundation early.
I see more startups hiring someone with a security mindset to run IT from day one. That is smart. If you are mostly cloud-based, you do not need a big team. You need someone who knows how to configure tools properly so you avoid problems later. That lets you scale securely without slowing things down.
Let’s talk about inclusive leadership, which is something you have championed in your career as a manager. What’s the business case for building diverse, inclusive security teams?
Inclusion lowers the energy cost of showing up. If someone walks into a room and wonders whether they are going to be asked to take notes instead of contribute, that is energy you are losing. You want that energy spent on solving problems, not managing bias.
At Akamai, our security team reached 40 percent women. That did not happen just because we hired more women. It happened because we created an environment where they stayed. We changed how we worked to support all employees. No meetings before 10 a.m. or after 2 p.m., so parents could do school drop-off and pickup. That helped retention and made our team more inclusive and effective.
Diversity brings different perspectives, which leads to better outcomes. If you are building a mobile app and no one on your team has considered how it might be used for stalking, which women experience in larger numbers, you are missing a critical risk. Someone with a different experience might flag that. You build safer, smarter products when your team can see more sides of a problem. That is not just good ethics, it’s good business.

Written by Joan Goodchild
Joan Goodchild is a veteran journalist, editor, and writer who has been covering business technology and cybersecurity for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.