Or it may never happen. Security is a culture and a way of life. It's not a couple of technologies, a new CTO, and a couple of policy emails and training sessions.
Yes, but culture isn't immutable. And a top-down, company-wide focus on security and proper training is a damn good place to start.
The problem is getting middle management on board. It's no good if mid-level managers tell their direct reports to go to the training and then go back to business as normal with the same old priorities and no extra time/focus on the new security aspects.