One of the first steps in attempting to change culture is creating a sense of urgency. Without a strong sense for a need for change, especially at the senior level, it is difficult to change peoples' beliefs, attitudes and behaviors. The excellent book Leading Change by John Kotter does an outstanding of explaining an 8 step process to culture change, and step #1 is a sense of urgency. This is why in the United States I feel we are seeing an acceleration in security awareness and investment in information security due to all the breaches that have been publicized in the past 18 months. From Target and Home Depot to JP Morgan Chase and other financial institutions, there is a growing sense of urgency as organization after organization goes public about recent incidents. No one wants to be the next Target, and I'm hearing from students that senior management is investing in change to ensure that happens.
As I've been traveling and teaching through Europe the past several weeks, I feel the security community here has a disadvantage. Europe currently lacks any legal requirements that all industries publicly report data breaches. Since incidents are not as aggressively publicized in Europe, there is a less sense of urgency at senior levels, and thus much more difficult to change culture. I never thought about it before, but laws requiring organizations to go public about data breaches may be one of the key steps to ultimately changing culture (and behaviors) across industries.