The phrase “security culture” is being used a lot more often within organizations, during conversations with other security professionals and even in the media. But there is a problem: the definition is not necessarily clear, and the steps to start working toward creating a positive security culture are even less clear. Organizations only have a vague idea what that really looks like or how to accomplish it. This guide exists to provide a high-level look at what security culture is and what actions you can take to begin favorably changing the security culture within your organization. The goal of this guide is not to give a detailed deep dive into all things security culture (though we’ll provide resources for that in the future); instead it is to help readers understand the fundamentals of what security culture is and what steps you can take to move the culture needle in your organization.