Chapter 14 Interviews with Security Culture Thought Leaders

You do not write your life with words…You write it with actions. What you think is not important. It is only important what you do.

Patrick Ness, A Monster Calls

One of the things we love about the cybersecurity community is that there is an already thriving group of individuals who focus day in and day out on improving the security culture of their organization or the organizations they serve. There are individuals running programs that have moved far beyond mere security awareness and are approaching the human side of things in a transformational way. This chapter is a small glimpse into the collected wisdom and experience within our community. Sadly, we were not able to interview all the people we admire, but we can bring you a representative sample.

The format of this chapter is simple: we sent a list of seven questions to several thought leaders and asked each of them to answer at least four, as their time allowed. This let each expert focus on the questions they were most passionate about.

We asked the following questions:

  • Why is culture important?
  • Why do you find culture interesting?
  • Is there a specific definition of culture that you find useful?
  • How do you use metrics to improve culture / measure the effectiveness of cultural change?
  • What actions can be taken to direct cultural change?
  • Is there a success or horror story you'd like to share related to culture change? (Alternative question: ...
