Cyber security involves many different technical and informational solutions that must be adopted and implemented to position an organization for the greatest chance of resiliency in a complex threat landscape. Technology is necessary in addressing cyber threats but it cannot work independent of complementary factors such as policy guidelines, information sharing on threats, and user awareness.\u00a0Indeed, developing a cyber security culture achieves two important objectives: 1) it intertwines security practices with business operations in order to improve an organization\u2019s security posture, and 2) it demonstrates that security is not a function relegated to an understaffed and underfunded IT department.Establishing a cyber security culture advocates the need that everyone \u2013 including executive leadership and management \u2013 has an equal part in cyber security, which is essential for bolstering an organization\u2019s resiliency. For this reason, when \u201cemployee\u201d is used in this paper, it refers to all levels of individuals employed by an organization, not just workers.If individuals are the weakest link of the cyber security chain, then it follows that cyber security must start on the individual level. Employees must be actively involved in an organization\u2019s cyber security apparatus, as they will likely have access to many of the business\u2019s computers, systems, and networks, and often will serve as the first line of defense in their protection. Executives are targets for their potential access to sensitive information; worker bees are similar targets for attackers to gain access into the network and elevate privileges so they can move laterally to find such information.\u00a0 They both represent access roads to the same destination.For this reason security training is best approached collectively. Many organizations require employees to undergo annual user awareness training. However, such training is often viewed as a compulsory necessity rather than an opportunity to inform and educate. Frequent interactive training will better prepare employees for the current threat trends, highlighting the tactics, techniques, and procedures used by hostile actors to gain unauthorized access into targeted systems.[ ALSO ON CSO: Culture clash: How physical security is impacted by cultural norms ]Furthermore, such training should bring in executives, management, and employees into the same room where they can share their experiences, thereby educating each other collectively on the types of threats they\u2019ve personally experienced. This type of transparent dialogue connects the workforce as a unifying whole and provides insights into where there are strengths and weaknesses in security awareness.The socialization of cyber threats among all levels of a company\u2019s workforce reinforces the concept that cyber security is a shared endeavor. For example, social engineering and spearphishing e-mails that target one class of worker may not target another; yet it is imperative that everyone be cognizant of what they entail, how suspicious e-mails can be checked, and what should be done if they are received.This instills the knowledge that each employee has a vested interest in safeguarding the organization by ensuring its sensitive information and accesses are preserved and maintained.\u00a0It\u2019s imperative that accountability and responsibility must not be viewed projected as burdens that punish employees or risk the impeding business operations for the sake of compliance. Rather they must be communicated as opportunities to strengthen an organization\u2019s commitment to protecting information and accesses that support the goals of the business.\u00a0A savvy and alert employee can be the impetus for proactively preventing an attack \u2013 the clicking on a malware embedded link in an e-mail \u2013 before it even has the chance to be initiated. Given the expenses incurred by organizations as the result of someone being duped into accessing hostile links or attachments, this is no small feat.Communication is integral part in cyber security culture and a critical enabler for employees to become active in the organization\u2019s security efforts. Communication takes several forms; it can be policy guidelines that are directed from executive leadership; it can be worker level individuals reporting potential security incidents prior to their execution; it can be security personnel informing the organization of new threats impacting the sector.\u00a0With the advent of bring your own device to work and more organizations enabling employees to work from home, communicating the importance for employees to maintain robust security standards at home has potential work implications as well.\u00a0 Therefore, educating them on acceptable online behaviors to include the types of information shared on social media will help employees reduce risks at both their residences as well as their places of work.Many believe that cyber security culture starts from the top and works its way down.\u00a0 While there is merit to this statement, I would argue that all stakeholders in the ecosystem create cultures collectively.\u00a0\u201cCulture\u201d by one definition is \u201ca way of thinking, behaving, or working that exists in a place or organization.\u201d Executives can certainly lead a cyber security culture, but it must be built, developed, and supported by the entire organization for it to be successful. In this way, "we are all equal partners" becomes a reality, rather than a slogan. And it\u2019s in everyone\u2019s best interest.