AWS and Cloudanix team co-authored this blog: Real-Time Threat and Anomaly Detection for Workloads on AWS

Building Security Culture Through Empathy, Influence, and Shared Ownership with Ariel Shin

Learn how to build a security-first culture through empathy, developer relationships, shared vulnerability ownership, and scaling influence across engineering organizations.

Security culture is not built by mandates, tooling, or dashboards alone. It is built through relationships, empathy, and the deliberate accumulation of social capital. Ariel Shin, Product Security Team Lead at Twilio, started her career as a penetration tester before moving into application security specifically because she wanted to create visible, lasting change through developer relationships. In this episode, she shares how to find the right balance between speed and security, why empathy is a non-negotiable skill for security teams, and how to make vulnerability ownership a shared responsibility rather than a security-team-only burden.

You can read the complete transcript of the episode here >

How do you balance speed and security in DevSecOps?

Ariel frames this clearly: the fastest code review is no code review at all — but fastest does not mean best. The balance between speed and security is ultimately for engineering to determine and prioritize, with security acting as advisors.

  • Use a maturity model approach: You cannot have everything at once. Set measurable short-term and long-term goals that scale with the organization’s readiness. Think of it like training for a marathon — trying to run 10 miles on day one leads to burnout.
  • Acknowledge competing priorities: Security is not the only concern developers balance. Usability, performance, and feature delivery all compete for attention. Understanding those competing demands is the starting point for effective collaboration.
  • Motivate through relationships, not just tooling: You can use carrots (rewards for doing the right thing), sticks (consequences for doing the wrong thing), or do nothing and hope for the best. The method that works most consistently is building relationships that make developers want to prioritize security.

This maturity-based approach mirrors what works in shifting security culture from friction to flow — meeting teams where they are rather than imposing an ideal state immediately.

Why is empathy the most important skill for security teams?

Empathy provides the context needed to motivate individuals to do the right thing. Without it, security becomes a flat list of findings with no business meaning.

  • Vulnerabilities without context get ignored: If you prove a vulnerability exists but do not explain why it matters — in terms the audience cares about (revenue, brand, engineering productivity) — it becomes a non-issue to them.
  • Remote work amplified the challenge: During and after the pandemic, people became flat screens. Personal lives bled into work lives, productivity dropped, and the question “why should I fix this security bug when the world feels like it’s ending?” became real. Empathy helps bridge that gap.
  • It enables proper prioritization: Turning on a security tool that generates thousands of findings is easy. Deciding which findings actually matter to the organization, and communicating that effectively, requires understanding the developer’s context, workload, and constraints.

Ariel’s core principle: security is all about social capital. You build it through generosity with your time, through understanding what others are dealing with, and through showing up as human before showing up as security.

How do you build security culture in practice?

There is no single tool or framework for building culture. The approach must adapt to the audience and what motivates them.

  • Lead with your power users: These are people who care about security without you even trying. They reach out on your first day, sing your praises, and give you honest feedback. Use them as amplifiers and feedback loops.
  • Adapt your message to the organization’s incentives: If the company is sales-driven, explain how vulnerabilities affect revenue. If they care about brand image, frame risk in those terms. If they care about engineering productivity, show how incidents destroy it. Never assume security speaks for itself.
  • Scale your influence beyond one-on-ones: Individual relationships are foundational, but they do not scale. Eventually you need to influence leadership’s thinking about security — and that requires translating security value into the language leadership uses to make decisions.
  • Create space for human connection: Happy hours, informal one-on-ones, conversations that are not about security — these build the social capital you spend when you need a vulnerability prioritized or a tool adopted.

How should security training be structured?

One-size-fits-all compliance training checks a box. Effective training requires audience awareness.

  • Broad audience (all employees): Keep the message simple. Phishing awareness, reporting processes, acceptable use basics. People click through; the goal is minimum viable awareness.
  • Developer-specific training: This is where real impact happens. Ariel’s approach at Twilio Segment paired “think like an attacker” sessions with hands-on exercises (breaking the OWASP Juice Shop app), followed by walking through real threat models.
  • Tailor to actual problems, not generic frameworks: Instead of teaching the OWASP Top 10 in isolation, pull from your bug bounty program to identify the top vulnerabilities your organization actually faces. Cater training to those specific issues.
  • Create progressive levels: Once developers understand the basics of your threat modeling framework, offer advanced sessions rather than repeating introductory material every cycle.

The result is training that developers find genuinely useful rather than performative — which feeds back into the culture of taking security seriously across the secure development lifecycle.

How do you make vulnerability ownership a shared responsibility?

The worst model: security owns all risk. The better model: security is a partner, engineering is the owner.

  • Standardize the process: Create a single, clear way for all individuals to interact with vulnerabilities. Developers should not need to understand the difference between cloud security, incident response, and product security teams to report or act on an issue.
  • Democratize vulnerability management: The vulnerability belongs to the team whose code or infrastructure introduced it. Security partners with them to influence prioritization, but the decision and the action are theirs.
  • Use social capital, not mandates: When you need an engineering leader to prioritize a vulnerability, that conversation goes very differently depending on whether you have an existing relationship. Dashboards and automated alerts are easy to mute. Relationships are not.

The honest truth Ariel shares: at some point in your career, a business decision will be made that compromises a security concern you felt was critical. That is normal. The response is not to fight harder — it is to invest more in influence, provide better context, and build the case more effectively over time.

How do you show security’s value to the business?

Ariel reframes security as an enabler, not a cost center.

  • Tie risks to business impacts: Identify the top risks and explain how they materially affect the company — stock price, customer trust, engineering productivity, contract loss.
  • Quantify where possible: At Twilio Segment, they tracked the dollar amount of contracts enabled by SOC 2 compliance and customer questionnaire responses. But measurement is a double-edged sword — over-quantifying can invite cost-cutting on things that do not show immediate dollar returns.
  • Use external incidents as context: If your company has not experienced a breach, reference similar companies that have. Create a security Slack channel that shares post-incident analyses from peers in your industry. It makes the risk tangible without being alarmist.
  • Balance metrics with relationship: Dashboards and KPIs matter, but they do not motivate action on their own. The relationships you build are what convert a data point into a prioritized work item.

How does Ariel rate common security practices?

  • Training employees only during onboarding: Rated 2.5. At least you have training and a process for tracking who is trained. You are on the right path, but continuous reinforcement and audience-specific depth are needed to mature.
  • Granting unrestricted cloud access for speed: Rated 2. Not ideal, but context matters. A 10-person startup focused on growth may reasonably accept this risk short-term while building a roadmap toward just-in-time access. Outline the risk, give leadership a plan, and mature as signals from customers demand it.
  • No retrospective analysis after incidents: Rated 1 (worst). Retros are small, low-cost activities that compound into long-term cultural improvements. Skipping them signals that yesterday’s problems do not matter — which destroys the iterative improvement mindset security culture depends on. Retros also build humility and shared empathy when teams acknowledge what went wrong together.

Related Resources

Continue exploring Cloudanix

Connect this concept to the platform

These learning topics are most useful when tied back to cloud posture, identity, runtime, data, and agent workflows.

Platform CNAPP+

See how Cloudanix connects code, cloud, identity, data, access, and AI agents in one graph.

 Detection Cloud Detection and Response

Move from isolated logs to graph-backed cloud investigation and response.

 Graph Attack Path Analysis

Prioritize vulnerabilities and misconfigurations by reachability and blast radius.

 AI Security Agentic AI Security

Secure coding agents, MCP tool access, and temporary cloud credentials.

What Our Users Are Saying

Customer Reviews

Cloudanix is trusted by security leaders worldwide to deliver proactive, reliable, and cutting-edge cloud security.

One day, I changed the password of a root account, and my CTO called me within less than a minute to confirm if I did so. I was not expecting a reaction this quick. He told me Cloudanix alerted him of this password change and that he wanted to confirm as it was a critical security notification. I couldn't believe it!

Ritesh Agarwal
Ritesh Agarwal
CEO, Airgap Networks

Compliance is one way of staying secure, but what I want is the ability to go deeper and attain 'true security.' Cloudanix provides us the capability to do so.

Vishal Madan
Vishal Madan
Head of Engineering, iMocha

Cloudanix is building for the future of the cloud, which makes the product all the more desirable.

Ritesh Agarwal
Ritesh Agarwal
CEO, Airgap Networks

Cloudanix gave us the visibility we were missing. Being able to move from permanent access to a robust Just-In-Time (JIT) workflow has fundamentally changed our security posture without slowing down our engineering velocity.

Pavan Kumar Lekkala
Pavan Kumar Lekkala
SRE Lead, HugoHub

We are excited to leverage Cloudanix's comprehensive multi-cloud DevSecOps solution to secure our production workloads on AWS. Cloudanix has demonstrated that it can solve many challenges that DevSecOps teams face while continually adding new features such as SOC2 compliance and drift detection.

Satish Mohan
Satish Mohan
Co-founder & CTO, Airgap Networks

Managing third-party partner access was once a major concern for our security posture. With Cloudanix JIT Cloud, we've effectively achieved zero third-party risk. We can now grant access confidently, knowing that it is temporary, audited, and automatically revoked, resulting in a 100% reduction in our privileged access exposure.

Okesh Badhiye
Okesh Badhiye
Head of Technical Engineering, Finfinity

The snooze feature and responsible alerts have helped us save time and prioritize what to tackle first.

Satish Mohan
Satish Mohan
Co-founder & CTO, Airgap Networks

Implementing Cloudanix JIT internally allowed us to practice what we preach. By eliminating permanent access to our own clouds and databases, we've neutralized the risk of standing privileges, ensuring our own 'keys to the kingdom' are never left exposed.

Girish Manghnani
Girish Manghnani
Managing Partner, Tech Inspira

The problem with permissions is a lot of times, the gaps are left open due to oversights from inside the organization itself. With Cloudanix's CIEM, we get a complete view of user permissions and access. This enables us to update the permissions, reducing the attack surface.

Nilesh Pethani
Nilesh Pethani
Application Architect, iMocha

In the world of Fintech, trust is our currency. Cloudanix provided the frictionless visibility we needed to secure our EKS workloads across AWS, ensuring we stay audit-ready for SOC2 and GDPR without slowing down our engineering velocity.

Amol Naik
Amol Naik
Head of Security & Infrastructure, HugoHub

Cloudanix delivered value within 5 minutes of onboarding. Continuous monitoring, timely detection, and excellent documentation helped us attain a great cloud security posture.

Divyanshu Shukla
Senior DevSecOps, Meesho

Technology strategies and business strategies are in a state of constant change which includes centralization and decentralization of responsibilities. Regardless of strategic shift, we still have intellectual property to protect. Cloudanix are critical partners for us in our public cloud security posture across our three cloud providers.

Jerry Locke
Jerry Locke
Senior Director Global Solutions Engineering, Eversana

Cloudanix has been amazing. They opened up a common Slack channel with us — and it feels like we are talking to our own team and getting things done with Cloud security. The support team is always available, friendly, helpful, and ready to go out of their way.

Satish Mohan
Satish Mohan
CTO, Airgap Networks

Beyond just access management, Cloudanix CSPM has given us a unified view of our AWS environment. The real-time alerting and anomaly detection allow us to prevent any untoward activity before it happens, which is critical for a marketplace connecting 50+ financial institutions.

Okesh Badhiye
Okesh Badhiye
Head of Technical Engineering, Finfinity

For a Fintech company, data is our most valuable — and most sensitive — asset. Cloudanix DAM hasn't just improved our visibility; it has given us control. The ability to mask data and prevent unauthorized queries in real-time is a game-changer for our compliance and customer trust.

Jiten Gala
Jiten Gala
President Engineering and Product, Kapittx

Our clients, especially in the Middle East financial sector, demand absolute accountability. Cloudanix JIT Cloud has been a competitive differentiator for us, allowing us to provide secure, governed access to customer accounts that meet their strictest audit and compliance requirements.

Girish Manghnani
Girish Manghnani
Managing Partner, Tech Inspira

Cloudanix is always on my team's lips because of its exceptional support. Be it a small or big query, Cloudanix has gone above and beyond to resolve them. This one's a keeper for us.

Sujit Karpe
Sujit Karpe
CTO, iMocha

For a long-lasting partnership, great support goes a long way. Cloudanix has delivered exceptional support whenever required. Their edge is their team is always ready to go beyond to solve any issues that we have. This speaks volumes about the culture at Cloudanix.

Akash Maheshwari
Akash Maheshwari
Co-founder, MoveInSync

Beyond the technology, Cloudanix feels like an extension of our own team. Their willingness to stand up a dedicated Middle East tenant for us and provide exceptional support at a sensible price makes them a long-term partner for Hugosave.

Surya Tamada
Surya Tamada
CTO, HugoHub

The real-time notifications that Cloudanix provides are a real lifesaver. Their adaptive notifications ensure that my team stays productive and doesn't get interrupted all the time.

Digvijay Singh
Staff Security Engineer, Meesho

The whole point in technological evolution is to help improve the world we live in. We must protect that and to do so requires an effective and efficient security strategy. The Cloudanix team helped make our public cloud security posture management strategy a reality. The symbiotic relationship we have allows for a continuous feedback loop which is how business should operate.

Larry Wheat
Larry Wheat
Staff Solutions Engineer, Eversana

Ready to see your graph?

Connect a cloud account in under 30 minutes. See every finding rooted in identity, asset, and blast radius — with a fix path attached.

Book a Demo