
It is still Coffee. Security Culture and the Art of Getting It Wrong on the Way to Getting It Right.

I got a new coffee machine yesterday. A proper one, a Sage Barista Express Impress, where you grind your own beans, tamp your own puck, and pull your own shots. I was excited. I had done my research. I knew what I was doing.

I made four espressos. They were ok. Not right, but ok. I could not tell you why they weren’t right. They just weren’t.

I went to bed still thinking about it.

By morning I had worked it out. The pressure gauge had not been reaching the right zone during extraction, and I had been watching it without understanding what it was telling me. Two things were wrong. I was pulling a single shot through a double basket, and the grind was too coarse. Both meant the same thing: not enough resistance, so the water moved through too fast, the pressure never built properly, the extraction was wrong, and everything that followed was wrong too. Two fundamental errors sitting underneath every variable I had been adjusting, and I had not questioned either of them because I did not know they were the questions to ask.

This morning I fixed the basket, ground the beans finer, made the espresso, and et voilà, it was exactly right. First time.

Then I tried the milk frother. First attempt was too foamy. Second attempt made a pretty good flat white. Texturing milk for latte art is still some way off, but I will get there.

I have been thinking about what this has to do with security, and with security culture in particular, and the answer is: quite a lot.

The problem is not often where you think it is

When organisations struggle with security culture, the instinct is to change the obvious variables. More training. Better policies. A new awareness campaign. A different tool. These are the equivalent of adjusting the grind, the tamp, the temperature, and the pressure without ever questioning whether the basket is the right size for what you are trying to do.

I have seen organisations run sophisticated phishing simulations, invest in expensive security awareness platforms, and redesign their incident reporting processes, all while the fundamental problem sits untouched underneath. The reporting line is wrong. The accountability is unclear. The board is not asking the right questions. The security team is reactive because nobody gave them permission to be proactive.

You can tune the variables endlessly. But if the foundation is wrong, none of it will produce the result you are looking for.

Fix the foundation, then tune the variables

The grind matters, and so does the dose. Getting the right amount of coffee into the portafilter for the shot you are pulling is important. Too coarse and the water rushes through with no resistance. Too fine and everything seizes up. In security terms this is your policy framework. Too vague and nobody knows what is expected. Too rigid and people find ways around it because the friction is too high.

The tamp matters. Consistent, level pressure applied properly to the coffee before the water hits it. Uneven tamping means uneven extraction. In security terms this is your governance. Inconsistent application of controls, one team held to a different standard than another, produces inconsistent results and breeds cynicism.

The temperature matters. Too hot and you burn the coffee, too cold and nothing works properly. In security terms this is risk appetite. If the organisation’s tolerance for risk runs too hot, controls get bypassed in the name of speed. Too cold and legitimate business activity gets strangled by security process that cannot distinguish between a real risk and a theoretical one.

The pressure matters. It must be calibrated to what you are working with. In security terms this is your incident response. Too fast and you miss things. Too slow and the damage compounds. The right pressure for the right situation, applied consistently, is what produces a repeatable outcome.

But none of these variables will produce a good espresso if the basket is the wrong size. And none of your security variables will produce a security culture if the fundamentals of accountability, leadership commitment, and organisational honesty are not in place underneath them.

Even when it works, keep going

The espresso this morning was right. The flat white was pretty good. The latte art is still coming but will take practice and time.

This is the part of security culture that organisations find hardest to accept. There is no point at which you are done. No audit passed, no certification achieved, no training completion rate reached that means you can stop adjusting. The threat changes. The organisation changes. The people change. The machine is always the same but what you are trying to produce from it keeps evolving.

The milk texturing is an art form. I will need to keep practising it. I knew that before buying the machine, and it did not put me off getting it.

Security culture is the same. You will get some things wrong before you get them right. You will fix one variable and discover another needs adjusting. You will have mornings where it all comes together and mornings where something is inexplicably off and you have to work backwards to find out why.

But it is still coffee. And it is still security. Just not perfect yet.

The question worth asking in your organisation is not whether your security culture is perfect. It is whether you have the right basket in the first place.
