If the goal of an organisation is to build a culture of cyber security awareness the cyber security leadership and the security team must be approachable and engaged with the business. This may sound like a simple mission but it's not. Cyber security and IT in general suffers from a very binary ”Is it on or off?” view of the organisation. in contrast to the business which is far more nuanced in its perspectives ”on-ish, off-ish or on & off at the very same time - business is rarely 100% certain of anything - especially in these turbulent and dynamic times. The desire to demonstrate or measure security through the application of Key Performance Indicators (KPI) becomes counter intuitive to actual progress in strengthening the organisational cyber posture. The number of ”insert security metric here” does little to advance the organisation culture and awareness as the metric is likely to be meaningless outside of the narrow field of vision of the security team. If you are genuinely interested in improving or building a culture of security within your organisation it's time to spend less time measuring and more time communicating.