IMO Health: 5 Reasons security culture starts with trust

I recently had the opportunity to sit down with Lori Kevin, VP of Security and Compliance at IMO Health, for another installment of the Strategic CISOs conversations series. 

We covered a topic that many security leaders care about right now: how to build a security culture where people understand, engage with, and apply security principles in their own departments to improve business performance. 

We talked about the core values of a strong security culture, lessons in leadership, and team development. Lori described her experience and success in developing a cross-functional security champions program, as well as her growth in communicating risk to executive leadership.

Here are five key lessons you can apply to how your security team operates. 

1. Start with trust

One of the strongest themes in the conversation was that security culture has to start with trust. Lori described her core values for a strong security culture: trust, accessibility, clarity, transparency, and intentional communication. I think that framing is important. Usually, security culture is reduced to training programs or policy enforcement. But if people only experience security as rules and reminders, culture never really takes hold.

Lori Kevin

VP, Security & Compliance, IMO Health

“Trust is the foundation of everything my team does. We’re building a security function around the core values of trust, accessibility, clarity, and strong communication. We want the whole organization to know how to access security policies and see the strategic value security offers to their department.”

What makes it real is when people understand what strong security will accomplish for the business, know what is expected of them, and feel that the security team is there to collaborate and support them. That is when security becomes a daily part of every workflow, not a disconnected defensive mechanism. 

2. Build security through a business lens

Another important part of the discussion was the value of bringing a broader business perspective into security leadership. Lori’s background includes accounting, customer support, and operations before she went deeper into security and compliance. That kind of foundation matters. 

Lori Kevin

VP, Security & Compliance, IMO Health

“I haven’t just spent my career in security. My experience in software development and customer support has helped me approach security in a more transformative way. Not just through the lens of regulations, guidelines, and compliance, but through what also makes sense for the business.”

That perspective is a strategic advantage. It helps connect risk, process, and business priorities in a way that is much more practical and much more actionable.

3. Develop people, not just processes

We also talked about leadership and team development. Both are key to building a security culture from the inside out.

Lori emphasized how everyone brings different strengths to the table, and leaders should recognize this rather than trying to make everyone fit the same mold. That is especially important in security, where teams can become siloed or too dependent on a few key people.

Strong leaders should not try to hold onto everything. Lori actually wants her team to “kick her out” of meetings, and I agree! A lot of leaders are hesitant, because they care deeply and want things done well. But real growth happens in the space where teams step up, take ownership, and develop in meaningful ways. 

When you do that, you are building trust and long-term resilience across the function.

Lori Kevin

VP, Security & Compliance, IMO Health

“The more that I am involved, the less development opportunity there is for the team. That is where trust comes in for me. If I keep stepping in, I get in the way of someone else being able to develop. As managers, our job is to create those opportunities so our teams can explore and grow.”

4. Security culture has to extend beyond the security team – how to develop a champions program 

Another major point in the conversation was that security culture cannot exist solely within the security team.

At IMO Health, that meant being intentional about involving people across the business, not just technical or product teams. Lori shared how she envisioned and launched their Security Champions program, bringing more than 30 cross-functional team members into dialogue over security policies, practices, and ways that security can advance business objectives in every department. 

IMO Health’s Security Champions program is not a rigid obligation or box-checking exercise. It is much more about creating an open forum for dialogue, surfacing what matters to different teams, and making security part of the company’s day-to-day rhythm.

That is what makes culture stick. It stops being something one team owns and starts becoming something the broader organization understands and supports. 

5. Communicate risk in business terms

The last major theme in the conversation was stronger communication with executive leadership.

This is where many teams still struggle. Security teams often have the raw data and the right technical depth, but don’t always deliver updates in a language that moves leadership. The executive leadership team (ELT) needs a clear understanding of the risk, the possible business impact, what is already being done, and where action is still needed.

Lori Kevin

VP, Security & Compliance, IMO Health

“Conversations with executive leadership cannot be overly technical. You have to figure out what story will actually lead to action. For me, that means framing things from a risk perspective, because that is what connects. Leadership is responsible for running the business, so I need to think the way they think: what is the risk, why does it matter, and what are we doing about it? From there, it becomes an ongoing dialogue and feedback loop to make sure we are doing the right things.”

When security leaders master this skill of translation, they build credibility, create alignment, and make it easier for leadership to respond and act confidently.

Final thoughts

A strong security culture is built through a few things working together. This was not a detached discussion about culture in theory; it was a practical summary of the five lessons at the heart of a strong security culture:

  • Start with trust
  • Build security through a business lens
  • Develop people and not just processes
  • Extend security beyond the security team
  • Communicate risk in business terms

I appreciated the opportunity to have this conversation with Lori, and I think it will resonate with any security leader working to build a stronger security culture at their own organization. 

*** This is a Security Bloggers Network syndicated blog from TrustCloud authored by Sravish Sridhar. Read the original post at: https://www.trustcloud.ai/security-assurance/imo-health-5-reasons-security-culture-starts-with-trust/