All you need is the plan, the road map, and the courage to press on to your destination.

Earl Nightingale

Now that you've had an overview of the moving parts, we'd like to offer some advice and perspective as you plan your program. You essentially have a bag of tools, the utility of which is entirely up to how you choose to use them. Improving your security culture takes time, effort, planning, and reflection.

The goal of this chapter is to remind you of some of the tools at your disposal, to highlight a few additional items that we've skimmed over until now, and to shed some light on the science of maturing your security culture.

Taking Stock of What We've Covered

We've come a long way so far! We've laid out the case for why security culture and the human defense layer needs to be a critical focus area of your security program and why it deserves attention at the highest levels of your organization. You've seen how traditional approaches to security awareness have failed because they didn't account for the knowledge-intention-behavior gap and the three realities of security awareness. We've worked to add precision to your understanding of what security culture is and what it looks like in both security contexts as well as from a traditional social sciences context.

With that groundwork complete, we added more precision by showing how security culture can be broken down into seven component parts, which we refer to as the