Within the last two decades, Federal agencies have been directed to engage in large-scale change efforts to develop and implement IT security programs that protect organizational assets. These efforts have been guided by regulations such as the Federal Information Security Management Act (FISMA) and Office of Management and Budget Circular A-130, Appendix III, each of which specifies that programs must be designed and executed immediately. All too often, program development efforts focus on compliance with these regulations and do not take action that supports changing cultural values. This paper advocates that Federal agencies take an approach to program development that reaches beyond compliance and enables cultural change. In doing so, it discusses how individual behavior change and organization-wide cultural change occur. Finally, the paper provides a step-by-step process for establishing a communications element within the IT security program to enable lasting change.