Security managers define policies and procedures to express how employees should behave to 'do their bit' for information security. They assume these policies are compatible with the business processes and individual employees' tasks as they know them. Security managers usually rely on the 'official' description of how those processes are run; the dayto-day reality is different, and this is where security policies can cause friction. Organisations need employees to participate in the construction of workable security, by identifying where policies causes friction, are ambiguous, or just do not apply. However, current efforts to involve employees in security act to identify employees who can be local representatives of policy-as with the currently popular idea of 'security champions'rather than as a representative of employee security needs. Towards helping organisations 'close the loop' and get input from employees, we have conducted employee surveys on security in the context of their specific jobs. The paper presents results from secondary analysis of one such survey in a large commercial organisation. The analysis of 608 responses finds that attitude to policy and behaviour types-the prevailing security cultures-vary greatly in the organisation and across four business divisions examined in further detail. There is a role in contributing to the effectiveness of security policies not only for those who follow policy, but also for those who question policy, socialise solutions, or expect security to justify itself as a critical part of their productive work. This demonstrates that security champions cannot be uniform across the organisation, but rather that organisations should rethink the role of security champions as diverse 'bottom-up' agents to change policy for the better, rather than communicators of existing 'top-down' policies. * Authors contributed equally. The promotion of security champions is seen as a way to find local representatives who can promote and monitor security policy at a local level, acting as an extension of company's security management team [12]. However, security champions may only be effective in this way if the policy itself is workable [6]. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.