November 4, 2025

CISO Q&A: Building a Security-First Culture with Joe Evangelisto

How CISOs Can Turn Everyday Awareness into Lasting Security Mindsets

Every October, Cybersecurity Awareness Month shines a spotlight on the shared responsibility we all have in keeping our organizations secure. But for today’s CISOs, the work of building a security-first culture doesn’t stop when the calendar turns to November. True cyber resilience requires daily reinforcement — not just reminders once a year.

To dig deeper into what it takes to embed security into a company’s DNA, we sat down with Joe Evangelisto, CISO at NetSPI, who has over 25 years of experience transforming IT operations, compliance, and security practices across industries. 

In this Q&A, Joe shares practical insights on cultivating buy-in across departments, empowering teams through trust, and using AI tools to strengthen — not replace — human judgment. Because at the end of the day, every month should be cybersecurity awareness month.

About Joe Evangelisto

Joe Evangelisto is an accomplished IT executive with extensive experience in IT leadership, security, compliance, infrastructure, and operations. Currently serving as the CISO at NetSPI, Joe oversees IT, Security, and GRC.

Over his 25+ years in the IT industry, Joe has helped transform company cultures, processes, and policies — building high-performing, empowered teams with the past seven years focused specifically on security and compliance. A frequent guest on cybersecurity webinars and panels, Joe has shared his expertise at major industry events. He earned his BS and MBA in IT Management from WGU and holds a CISSP certification.

Q&A with Joe Evangelisto

Q: In your own words, what does a “security-first culture” mean — and how does it show up day-to-day inside an organization?

A: A “security-first culture” means that security happens without the security team being involved. It’s a natural part of the company’s makeup, no different than being cost conscious or efficient with your time. It shows up in small but impactful ways: Staff notifying you of concerns or security-related questions, development teams including security specific stories and security reviews in their development process, or other departments — such as marketing or services — asking for a security review or insight into a new product or process they are looking to implement. 

Q: Why is cultivating a company-wide culture of security more critical today than ever — especially with the rise of AI and evolving threats?

A: You can call it “shadow IT” or just the cost of doing business, but staff are able to purchase, use, and implement new tools and services without having to follow the standard process. Bypassing this “process” means that they are using and interacting with tools that expose them and the company to more risks than ever, and they can do this without the insight or awareness of the security team.

In a security-first culture they are not only aware of these risks but take proactive steps to involve the security team. This issue has always existed but has progressively gotten worse, and now AI is making it even easier. It’s also exposing the company to a whole new set of security risks and challenges, such as exposure of sensitive data. So, without the proper security culture, staff will use tools, like AI, first and won’t worry about the impact or consequences till later. This is why it’s imperative that a security-first culture is established so that they will not only be aware of the risks but work with the security team to mitigate them.

Q: What are the most common roadblocks CISOs face when trying to get buy-in from non-security teams — and how do you overcome them?

A: The common view of security is that we are a roadblock to new ideas, initiatives, and/or tools and that we will prevent them from doing something — that we are essentially business disruptors. To overcome this view, you need to forge relationships with the various departments and show them that your goal is to support them while mitigating any risk to the company. It’s not about saying “no” but about highlighting risks and options; that you are a business enabler. To do this you have to work with them directly, get to know them, their teams and their way of working. Show support for their new ideas while highlighting ways to mitigate risks. This takes time to build these relationships, to form a trusted bond and to show your true intention is to foster a pragmatic risk-based approach and to highlight those benefits to the business. 

Q: Can you share a real-world example where you successfully inspired employees outside the security team to take proactive ownership of security?

A: So it’s a simple one, but I had a company where staff were constantly leaving their computers unlocked when they left their desk. We worked on very sensitive information, so it was imperative that no system was ever left unlocked when unattended. The typical approach was not working, so I decided to have a bit of fun and get the staff involved in the process of reminding their peers to “lock it before they leave it”. So we printed up a bunch of fun cartoons/signs that staff could use to remind their peers that they forgot to lock their system. So whenever someone forgot, a peer could lock the machine for them, grab the sign and put it on their desk as a reminder. It was a fun way to remind staff while adding a bit of peer pressure. It was all done in good fun, and soon the whole company was into it and the issue went away. Within a month staff were consistently locking their systems, and the whole company helped own this. I no longer had to send out reminders. It was great.

Q: How can automation and AI-powered tools (like SecurityPal AI) support a stronger security culture rather than replace human judgment?

A: Tools, like SecurityPal AI, allow us the time to spend on more complex issues. They are a huge efficiency and productivity boost. While it is imperative for us to do these tasks, like security questionnaires, they are a bit of a time suck and, as such, really impact our ability to focus on more high-value issues or projects. Leveraging these tools allows us to keep the simple security tasks on track while allowing us time to do the heavier work or work that simply cannot be automated like relationship building. Anytime you can delegate tasks, in this case to an AI-powered tool, it strengthens security just through the fact that we can do more. More time digging into issues, more time having discussions with staff on risks, more time mitigating those risks. 

Q: What’s one early action or “quick win” you recommend to other CISOs looking to kickstart a company-wide security culture initiative?

A: Identify your security champions. These are the individuals in other departments who are naturally security conscious, who care about risks. Risk to their department, their company and/or their peers. Every department has at least one. Find them, pull them together, and have them help you build out your initiative. They will provide not only support but amazing insight into the culture of the company and their departments that you can utilize in your initiative. This will not only speed up the implementation of your project but ensure it is impactful. 

Q: How do you measure whether your efforts to build a security-first culture are actually working?

A: There are of course the tangible ways: lower click rates, faster completion of security training. But there are also the intangible ones. When I have staff message me on Slack with a question, or raise a concern, or reach out and ask for security to be involved, that is when I know that our initiative to build a security-first culture is working. For me, the intangibles are more important and ultimately more impactful than any security metric I may define.

Q: What role does executive leadership play in modeling and reinforcing security-first behavior — and how do you keep them engaged?

A: Like anything in life, whatever the leader models, everyone else follows. This is why it’s imperative that the entire leadership team (CEO, CFO, CMO, etc.) is not only involved in your initiative but understands its values and leads by example. This needs to be more than lip service; it requires active participation on their part. For me, like so much in life, this starts with my relationship with them and ensuring that they buy into not only what I’m doing but why, and that they understand how I need them to support it. Sometimes it’s the little things, like being the first ones to complete their security training. Other times, it's more involved, like asking security/risk related questions of any new project or reminding project leads to involve security in the review/implementation. Ultimately, without their support your ability to be successful will be limited and short lived.

Q: As customer expectations around transparency and security continue to grow, how can CISOs turn strong security practices into a business advantage?

A: It’s not only about being transparent but also being proactive in our security controls and efforts. Customers don’t want to be the ones driving us to make a change but instead they want a partner who is continually monitoring security and compliance changes and proactively making changes to meet them. When you take this transparent and proactive approach it reassures them of your commitment to security and can often tip the scales in your favor during vendor selection. It also highlights the company’s commitment to the security and safety of their data and fostering trust and long-term loyalty. 

Q: What advice would you give to CISOs or security leaders struggling to balance operational demands with the long-term work of shaping culture?

A: You will always have daily issues first and a never-ending set of operational tasks, which makes it that much more important that you find time to focus on long-term work, including shaping the company’s security culture. I think the best way to do this is to integrate security into the everyday rather than as a separate initiative. Leverage the daily issues and/or incidents you see as a way to reinforce security lessons. Take opportunities to remind staff, in a friendly way, of opportunities to practice security. I think we must remember that shaping culture is an ongoing process that requires daily interactions both large and small. We just need to stay patient and persistent, and not lose sight of the bigger picture, even when the day-to-day gets hectic.

Key Takeaways:

  • A security-first culture means security is woven into everyday decision-making — not an afterthought.
  • AI and automation can enhance culture by freeing humans to focus on strategy, relationships, and risk awareness.
  • Relationship-building and trust are essential to overcoming resistance and gaining buy-in.
  • Leadership modeling sets the tone for the entire organization.
  • Security awareness isn’t seasonal — it’s an all-year effort that strengthens both protection and trust.

Empower a Security-First Culture with SecurityPal

Building a security-first culture is less about enforcing rules and more about inspiring ownership. As Joe reminds us, it’s the daily habits, small gestures, and shared accountability that turn security from a department into a mindset. The strongest programs aren’t powered by fear — they’re fueled by trust, transparency, and a collective belief that everyone has a role to play in protecting the business.

Cybersecurity awareness may have its month, but in practice, it’s a year-round commitment that drives stronger teams, smarter decisions, and greater resilience.

Learn how SecurityPal helps CISOs scale security culture — combining automation with human expertise to free your team for higher-impact work.

Sarah Rearick
Cybersecurity Writer