So there I was, standing at the front of a conference room in Manly, about to ask forty grown adults to put their hands on their heads like they were being arrested. Twenty meters from the beach, inside one of those hotel conference rooms that somehow manages to show you the beach and block out all evidence of natural beauty, and I'm about to demonstrate why expensive governance tools are probably a waste of money.
But I'm getting ahead of myself. Let me back up...
The hands-on-head example
Many weeks ago we had our team offsite - the whole extended crew, including some new joiners who were probably still trying to figure out if we were a normal company, an AWSome company, or one of those places where the Kool-Aid flows a little too freely. Our head of sales had this idea that we'd all share a "gift" during pod introductions - some wisdom or tip to impart to the team.
Everyone else was sharing sensible things. Practical advice about customer engagement. Tips for managing stakeholder expectations. You know, professional stuff that belongs in a conference room. Meanwhile, just beyond those hermetically sealed windows, the real world was happening. Waves were breaking. People were laughing. Life was being lived. It was like being served a perfectly plated photograph of food while slowly starving to death.
Then it's my turn.
"For me to share my gift, you need to put your hands on top of your heads and close your eyes."
The room goes quiet. Someone definitely thinks I've lost it. Others knew it well before now.
"Go ahead, it'll make sense in a minute."
They all did it. Every single person.
Hands on heads, eyes closed, looking absolutely compliant. If someone had walked past our conference room at that moment, they'd have thought we were doing some bizarre corporate mindfulness exercise or maybe being held hostage by the world's politest bank robber.
"Great - thanks - put your hands down."
Then I explained what just happened. And why it matters more than any governance tool you'll ever buy, sell, partner with, or build.
The Problem We're All Pretending to Solve
Here's what I told them, and what I'm telling you now: You are a trusted advisor for your customers. When we have a great culture and ask our teams to do something, they're generally capable of doing it properly. Not because we have the right tools. Not because we have the perfect processes documented in Confluence, Notion or 10,000 other relevant and useful tools.
Culture creates compliance in ways that software never can.
I see this pattern everywhere. A company has a governance problem - maybe they're not following security protocols, or their documentation is a mess, or they can't get teams to follow the approved development process. So what do they do? They buy a SaaS tool. FANCY
"This'll fix it," they think, paying another invoice to another vendor who promises their platform will magically transform organizational behavior.
It's like... imagine if after my little demonstration, someone hadn't put their hands on their head. And instead of asking why - instead of understanding what cultural or communication issue prevented compliance - I went and found a vendor. Paid for a tool that would come around and report on whether people did or didn't comply with hand-on-head requests.
What if the tool could somehow force you to do it? Would you be happy? Would you actually use the tool? Or would you find seventeen creative ways to work around it while technically maintaining compliance?
(I'm betting on option three. I've seen developers create entire shadow IT infrastructures just to avoid using the "approved" tools.)
Why We Keep Making This Mistake
The thing is, I get it. I really do. Buying software feels like solving a problem. It's concrete. You can put it on a roadmap. You can report to the board that you've "addressed the governance challenges" with a "best-in-class solution." There's a line item in the budget, contracts are signed, implementation is scheduled. It feels like progress.
Culture change? That's messy. It's slow. You can't really put "convince developers to actually care about documentation" on a Gantt chart. There's no vendor to blame when it doesn't work.
And let's be honest here - I've made this mistake myself. More than once. One time I had a massive problem with inconsistent deployment practices. Different teams doing different things, no visibility into what was actually happening in production, the usual chaos.
So naturally, we bought a tool. A really expensive tool. It had dashboards! And workflows! And integrations with everything!
Six months later, we had beautiful dashboards showing us that nobody was using the tool correctly. The teams that were already following good practices continued to do so. The teams that weren't... found creative ways to mark tasks as complete without actually doing them. We'd spent six figures to get prettier reports about the same problems we already had.
The Uncomfortable Truth About Tools
Here's what vendors won't tell you (and what I learned the expensive way): SaaS can't make people do the thing. Only culture can.
Tools are amplifiers. They take whatever culture you have and make it more visible, more measurable, maybe more efficient. But they don't change the underlying behavior. A great tool in a broken culture just gives you detailed metrics about how broken your culture is.
Think about it this way - and this is where my conference room demonstration comes in. When I asked everyone to put their hands on their heads, they did it because:
They trusted that I had a reason (even if they didn't know what it was yet)
The social contract of our team culture made non-compliance more uncomfortable than compliance
They were curious about where this was going
There was psychological safety - they knew they wouldn't be humiliated or punished for participating
Now imagine trying to achieve the same result with software. "Please log into our Hand Position Management System (HPMS) and update your status to 'Hands on Head.' Don't forget to attach photographic evidence and complete the post-hand-raising survey!"
You're laughing (I hope you're laughing), but this is literally what we do with governance tools. We try to software our way out of cultural problems.
How to Actually Do This (Without the Fluff)
Alright, enough philosophy. Let's get practical. How do you actually build a culture of governance before (or instead of) buying tools?
Start with One Team: Don't try to boil the ocean. Find one team that's either suffering from lack of governance or already naturally good at it. Work with them to understand what governance means in their context. What are they trying to prevent? What are they trying to enable? Build something that works for them, then expand.
Make It Visible: Culture thrives on visible examples. When someone follows good governance practices, make it visible. Not in a "gold star for Jimmy!" patronizing way, but in a "here's how the platform team's new tagging standard saved us from a production outage" way.
Connect Governance to Outcomes People Care About: Nobody cares about governance for governance's sake. They care about not getting fired. They care about not working weekends. They care about shipping features that don't break. Show how governance connects to these outcomes.
Start with Why, Not How: Before you document a single process or buy a single tool, make sure everyone understands why this governance matters. And "because compliance says so" isn't a why - that's a what.
Build Feedback Loops: Culture dies in darkness. You need mechanisms for people to say "this isn't working" without fear of retribution. And then - this is the critical part - you need to actually change things based on that feedback.
Lead by Example: If you're asking developers to follow secure coding practices, leadership better not be sharing passwords in Slack. If you want teams to document their architectures, executives better be able to articulate the company's technical strategy.
The Tool Paradox
Here's the thing that might surprise you after this whole rant: I'm not actually anti-tool. I love good tools. I've built my career on knowing which tools solve which problems.
But tools are tactics, not strategy. They're implementation details, not solutions.
The paradox is that the better your culture, the less sophisticated your tools need to be. A team with strong governance culture can maintain better compliance with a shared spreadsheet than a team with weak culture can achieve with a million-dollar platform.
I've seen teams maintain perfect infrastructure governance using nothing more than well-structured CloudFormation and strong code review culture. I've also seen teams with every governance tool imaginable still shipping credentials to public repos.
The tools aren't the difference. The culture is.
Bringing It Home
Remember my conference room demonstration? Everyone put their hands on their heads not because a tool made them, but because the culture of our team made it the natural thing to do. That's what real governance looks like - people doing the right thing because it's become the obvious thing to do.
You can't buy that. You can't install it. You can only build it, one interaction at a time, one team at a time, one leader at a time.
So next time someone suggests buying a tool to solve a governance problem, try this instead: Get everyone in a room. Ask them to metaphorically put their hands on their heads and describe their real problems. When they do (or don't), ask why.
The answer will tell you everything about whether you have a tools problem or a culture problem.
And I'm betting it's not a tools problem.
What's your experience with this? Have you seen organizations successfully build governance culture, or have you watched them fail trying to buy their way there? Drop me a line - I'm genuinely curious about how others are tackling this challenge. Because despite what I've written here, I definitely don't have all the answers. I'm just someone who's made these mistakes enough times to recognize the pattern.
And if you're wondering - yes, everyone at the offsite got the message. Sometimes the best way to teach about compliance is to make people voluntarily look ridiculous for thirty seconds. The lesson tends to stick.



