
Why Security Policies Fail: The Human Side of Cybersecurity

with John Elliott • March 10, 2026

Episode overview

Most security failures aren't technical — they're human. So why do we keep designing security programs that ignore how people actually think and behave?

In this episode of The Pluralsight Podcast, John Elliott — Pluralsight author fellow, PCI DSS contributor, and specialist in regulated security and data protection — makes the case that the language, culture, and psychology behind your security program matter just as much as the controls themselves.

John breaks down why policies get misread, ignored, or worked around, and what leaders can do differently. From the neurolinguistics of security training to the aviation concept of "just culture," this conversation is packed with practical frameworks for building security programs that people actually follow.

We also dig into the expanding attack surface of agentic AI, why your cybersecurity team is likely more anxious than you realize, and what organizations need to do right now to prepare for what's coming.

Want to go deeper? Check out our weekly newsletters focused on Security, Cloud, and AI.

Follow Pluralsight on LinkedIn and join the conversation.

Connect directly with John Elliott on LinkedIn.

Questions or comments? podcast@pluralsight.com

Chapters

02:58 How John Discovered the Human Side of Security

05:30 Why Security Communication Is So Often Overlooked

06:03 Where Policies Break Down in Practice

08:26 The Importance of Explaining the "Why"

09:31 Connecting Individual Behavior to Organizational Security

11:41 Designing Controls and Training People Will Actually Follow

12:49 Compliance Is Always a Risk Decision

14:36 Can You Ever Hit 100% Security Coverage?

17:03 Beta Testing Policies Before You Roll Them Out

18:05 What Most Teams Get Wrong About Security Training

19:15 The COM-B Model: Capability, Opportunity, and Motivation

21:04 How to Diagnose the Real Skill Gap in Your Organization

24:24 Don't Patronize People — And Don't Give Them 50 Things Not to Do

25:44 The Compliance Budget: You Only Get 3% of Someone's Brain

27:55 Building a Healthy Security Culture

28:10 Psychological Safety as the Foundation of Security Culture

29:10 What "Just Culture" Means and Where It Comes From

30:34 The Badge Policy Problem — And Why It Backfired

34:07 Balancing Risk Appetite Across Large Enterprises

35:22 AI's Unique and Poorly Understood Attack Surface

38:09 Agentic AI, Open Source Agents, and the Enterprise Risk

41:49 Two Practical Changes Leaders Can Make Right Now

44:49 Benchmarking Security Skills
