If the goal of an organization is to build a culture of cybersecurity awareness, the cybersecurity leadership and the security team must be approachable and engaged with the business. The desire to demonstrate or measure security through the application of key performance indicators (KPIs) becomes counterintuitive to actual progress in strengthening the organizational cybersecurity posture. If you are genuinely interested in improving or building a culture of security within your organization, it's time to spend less time measuring and more time communicating.

Here, we explain how CISOs can keep the organization’s risk at a reasonable level and articulate impacts on security aspects of dynamic organizational changes.