Regulation here. I’m in banking and having examiners down your throat regularly is the fear factor.
That being said, what keeps them actually doing more than the letter of the law is a robust training and employee involvement program. Many varieties of social engineering tests monthly or more frequently, fun games to “spot” security holes, posters and fliers in the break areas, mandatory testing, involvement with presentations in department meetings, full staff and board meetings. Individual meetings with department heads, executive staff and the board because... and this is the big bit... all of senior management getting involved is the game changer.
If I know other Execs are passing down my info and taking it seriously, everyone does. Getting their buy-in can take time, but it’s necessary to implement a program and see real, long-term results. It’s not just a policy to sign, it’s keeping the culture security-conscious.