When Strategy Isn’t the Problem: The Quiet Work Behind Cyber Maturity
You can’t win every battle, so what does “success” actually look like when the threats keep moving and the best defence still fails?
At CISO Sydney, across discussions, panels, and posts I’ve shared recently, one thought struck me.
"Cyber security is about change management."
At its core, cyber security is less about designing controls and more about driving behavioural change. Strategies can be written and risk frameworks defined. But maturity emerges only when the organisation begins to make different decisions consistently, under pressure, and across functions.
Most organisations can write a strategy. They can define risk. They can even build compelling board decks. The real challenge lies not in knowing what to do but in turning strategy into action, embedding new behaviours, and measuring meaningful outcomes.
From Strategy to Transformation to Impact
Boards rarely ask about firewalls or endpoint configurations. They ask:
- What data was taken?
- Who accessed it?
- How do we prevent this from happening again?
Answering these questions requires more than technical capability. It requires:
- Cross-functional ownership
- Clear processes and response plans
- Regular tabletop exercises
- A culture that treats mistakes as learning, not blame
It struck me that execution, not strategy, is the real test of cyber leadership. This is particularly true when organisations are on a transformation journey, moving from traditional security to securing data, strengthening privacy, and enabling trust.
Leveraging OKRs for Enhancing Maturity
It’s not OKRs instead of KPIs. It’s OKRs for change, KPIs for control.
In a transformation journey, metrics alone are insufficient. You need a mechanism that forces clarity on what must change, why it matters to the enterprise, and what evidence would signal progress. For some organisations, OKRs provide that discipline.
1. They focus on direction, not just measurement
Cyber security today is about shifting behaviour, culture, and operating models. OKRs force clarity around:
- What are we trying to change?
- Why does it matter to the business?
- What does meaningful progress look like?
This is powerful for initiatives like zero trust, secure-by-design, cloud modernisation, or AI governance.
2. They connect cyber to business outcomes
A KPI might say:
- % of critical vulnerabilities patched within SLA
An OKR reframes it:
- Objective: Increase executive confidence in our ability to manage material cyber risk
- Key Result: Reduce critical exposure window from 21 days to 7 days
- Key Result: Achieve 100% alignment of incident reporting to top enterprise risks
This elevates the conversation from operational metrics to risk posture and trust, exactly what boards care about.
3. They encourage stretch and alignment
Cyber transformation often requires coordination across IT, legal, risk, product, and operations. OKRs are visible, shared, and aspirational, helping teams align around a common purpose.
Culture as a Control
Cyber security is not just tools and processes; culture is a control.
Panel discussions at CISO Sydney reinforced this. Red team exercises, near misses, and control failures are opportunities for shared learning, not blame. Organisations that embed learning reduce repeat failures and strengthen resilience.
Success, in this lens, is not zero incidents. It is the ability to learn faster than the threat landscape evolves.
Patience and Incremental Progress
Cyber transformation is incremental. Leaders must manage a long list of ambitions, accept constraints, and steadily move initiatives from “idea” to “live”.
Time and patience are leadership skills. One simple mantra captures it: “Slow is smooth. Smooth is fast.”
By treating cyber as change management, and tracking outcomes with OKRs rather than activity-based KPIs, organisations can build capability and resilience over time.
Redefining Success
On reflection, the measure of cyber success is not perfection. It is:
- Clear answers under pressure
- Cross-functional ownership of risk
- Learning embedded in culture
- Progress measured through outcomes, not activity
Strategy sets direction. OKRs track execution. Culture sustains it.
Cyber security is a transformation journey. You cannot win every battle. But you can build an organisation that improves with each one.
Reflections drawn from discussions at CISO Sydney 2026 (10-11 February, Royal Randwick Racecourse) and subsequent peer conversations. For speaking and interview opportunities on cyber leadership topics, feel free to reach out to Maddie Abe.
