Every work place has its own security culture defined by the values, traditions, beliefs, interactions, behaviors, and attitudes of the group. Many companies have appropriately stated security policies and standards that are not reflected in practice due to the security culture of the office, or it is difficult to change the policies and standards due to the security culture. In this talk I discuss how to stimulate change in an organization. I will go through multiple real life situations and discuss my successes and failures to stimulate change. Some of the real life situations include getting the business to change requirements that are not secure, improving the level of security awareness in IT staff / programmers / code, changing security policies that hurt overall security, and more. I have statistical data on the efficacy of some of the methods discussed, and go through a post mortem on the failures to help others avoid the same mistakes.