Research cybersecurity culture rarely shifts because someone publishes a new policy or buys a new tool. It shifts because behaviors change, expectations align, and once-disconnected groups begin rowing in the same direction. Many campuses have been forced into this cultural evolution through CMMC, NSPM-33, human subjects data, or simply because something broke. While every institution’s starting place or path looks different, the underlying mechanisms for making this work sustainable are surprisingly consistent.
This full-day workshop brings together higher ed cybersecurity, research IT, research security, and administrative professionals to explore what changes research culture?not in theory, but in practice. We will draw from several institutions’ lived journeys (including those that had bumpy, imperfect starts) to identify repeatable levers: cross-unit partnerships, trust-building with researchers, aligning on documentation, reshaping expectations, and using regulated research pressures to strengthen campus-wide security norms.
Participants will not be asked to replicate someone else’s model. Instead, the workshop focuses on helping you understand your own environment, surface the cultural friction points that matter most, and identify one or two actions that are realistic within your sphere of influence. Through guided exercises, peer feedback, and structured discussion, you will create a tailored “next 90 days” plan to begin shifting expectations, language, and collaboration patterns at your institution.
Whether your campus is just beginning this work or is already deep into securing biomedical data, CUI, or broader research security requirements, this session is designed to help you translate other institutions’ lessons into something that works in your reality.
