Content Hub | Corinium Intelligence

When Strategy Isn’t the Problem: The Quiet Work Behind Cyber Maturity

Written by Maddie Abe | Feb 16, 2026 7:39:33 AM

You can’t win every battle, so what does “success” actually look like when the threats keep moving and the best defence still fails?

At CISO Sydney, across discussions, panels, and posts I’ve shared recently, one thought struck me. 

"Cyber security is about change management."

At its core, cyber security is less about designing controls and more about driving behavioural change. Strategies can be written and risk frameworks defined. But maturity emerges only when the organisation begins to make different decisions consistently, under pressure, and across functions.

Most organisations can write a strategy. They can define risk. They can even build compelling board decks. The real challenge lies not in knowing what to do but in turning strategy into action, embedding new behaviours, and measuring meaningful outcomes.

From Strategy to Transformation to Impact

Boards rarely ask about firewalls or endpoint configurations. They ask:

    • What data was taken?
    • Who accessed it?
    • How do we prevent this from happening again?

Answering these questions requires more than technical capability. It requires:

    • Cross-functional ownership
    • Clear processes and response plans
    • Regular tabletop exercises
    • A culture that treats mistakes as learning, not blame

It struck me that execution, not strategy, is the real test of cyber leadership. This is particularly true when organisations are on a transformation journey, moving from traditional security to securing data, strengthening privacy, and enabling trust.

Leveraging OKRs for Enhancing Maturity

It’s not OKRs instead of KPIs. It’s OKRs for change, KPIs for control.

In a transformation journey, metrics alone are insufficient. You need a mechanism that forces clarity on what must change, why it matters to the enterprise, and what evidence would signal progress. For some organisations, OKRs provide that discipline.

1. They focus on direction, not just measurement

Cyber security today is about shifting behaviour, culture, and operating models. OKRs force clarity around:

    • What are we trying to change?
    • Why does it matter to the business?
    • What does meaningful progress look like?

This is powerful for initiatives like zero trust, secure-by-design, cloud modernisation, or AI governance.

2. They connect cyber to business outcomes

A KPI might say:

    • % of critical vulnerabilities patched within SLA

An OKR reframes it:

    • Objective: Increase executive confidence in our ability to manage material cyber risk
    • Key Result: Reduce critical exposure window from 21 days to 7 days
    • Key Result: Achieve 100% alignment of incident reporting to top enterprise risks

This elevates the conversation from operational metrics to risk posture and trust, exactly what boards care about.

3. They encourage stretch and alignment

Cyber transformation often requires coordination across IT, legal, risk, product, and operations. OKRs are visible, shared, and aspirational, helping teams align around a common purpose.

Culture as a Control

Cyber security is not just tools and processes; culture is a control.

Panel discussions at CISO Sydney reinforced this. Red team exercises, near misses, and control failures are opportunities for shared learning, not blame. Organisations that embed learning reduce repeat failures and strengthen resilience.

Success, in this lens, is not zero incidents. It is the ability to learn faster than the threat landscape evolves.

Patience and Incremental Progress

Cyber transformation is incremental. Leaders must manage a long list of ambitions, accept constraints, and steadily move initiatives from “idea” to “live”.

Time and patience are leadership skills. One simple mantra captures it: “Slow is smooth. Smooth is fast.”

By treating cyber as change management, and tracking outcomes with OKRs rather than activity-based KPIs, organisations can build capability and resilience over time.

Redefining Success

On reflection, the measure of cyber success is not perfection. It is:

    • Clear answers under pressure
    • Cross-functional ownership of risk
    • Learning embedded in culture
    • Progress measured through outcomes, not activity

 

Strategy sets direction. OKRs track execution. Culture sustains it.

Cyber security is a transformation journey. You cannot win every battle. But you can build an organisation that improves with each one.

Reflections drawn from discussions at CISO Sydney 2026 (10-11 February, Royal Randwick Racecourse) and subsequent peer conversations. For speaking and interview opportunities on cyber leadership topics, feel free to reach out to Maddie Abe.