What is security culture? There’s lots of talk about how important security culture is to a security program, but security culture is a nebulous concept to attempt to define — and harder still to measure. It’s also, apparently, difficult to achieve: a survey from the IT governance professional’s organization ISACA found that nine in ten enterprises said they have a gap between the security culture they want to have and the actual culture they have in place.