AppSec & DevSecOps

W3-2F. Making Security Fun Again: Building a Proactive Security Culture

Wednesday, June 12, 2024 1:15 PM - 2:15 PM

Description

No, it's not enough to simply satisfy minimal "check the box" compliance requirements, react to incidents, or fix security vulnerabilities after they're in production. Focusing only on the "right side" of the process is a recipe for eventual disaster, and is ultimately costly to pursue. You need to focus on shifting habits and behaviors to proactively address issues long before they reach production. You need to build a culture that is full of security best practices: training, threat modeling, architecture reviews, and so on. But HOW? In this talk, we'll discuss techniques for shifting your culture and motivating your employees to make the right choices by incentivizing and rewarding their behaviors. We'll focus on the "people" side, and use proven techniques from the fields of behavioral science and psychology to bring your awareness and appsec game to the next level. Security takes more than just tech, and this is the piece you've been missing to make a lasting difference in your company's security posture.

Learner Objectives

After this session, learners will take away:

- An understanding of why proactive security practices are needed and why tech is not enough to make a lasting difference
- Techniques for motivating your employees and developers to take action
- Ideas for creative rewards and incentives that make a difference
- What metrics to collect and report to leadership for the support you need to shift your culture