# CDC Strategy Days 9–10 June 2026

---

## Day 1

Current state and strategic decisions / direction

---

## Day 2

Future state and OKR

---

## Summary of input from Day 1

What do we in CDC need to do or change? What impacts our current focus and activities?

---

## Objectives

Describe **purpose and direction** for CDC towards 2028.

- Current state
- Stakeholder input
- Purpose
- Beliefs
- Future state
- Strategy and directions

---

## Current state

Describe the current state of CDC (big picture).

- What works well today?
- What are CDC's strengths to build on?
- What are the improvement areas?

---

## Purpose — Introduction

**Equinor's overall purpose**
_"Turning natural resources into energy for people and progress for society."_

**ISC's purpose**
_"Zero harm from cybersecurity incidents."_

What is **our purpose in CDC**? What drives us and gets us up in the morning?

---

## Purpose

- **ISC:** Zero harm from cybersecurity incidents
- **CDC:** ?

---

## Strategic Beliefs

What will the future look like in 2028 and beyond?

Equinor strategy is centred around six beliefs:

1. Energy system in transition
2. Liquids resource replacement challenge
3. Markets remain cyclical
4. Transformation of cost base
5. Low carbon creates opportunities
6. Prepare to be surprised

What key trends and developments do you see with implications for us?

---

## Future State

- Strategic objectives
- Description of state
- Where do we want to be in **2029**?

Later, actions and activities will take us from current state to future state.

---

## Future State — North Star

Define the North Star that guides every team towards 2029.

---

## Strategy without execution is hallucination

We can't do everything.

**What is most important for the next 3 months?**

---

## Who uses OKRs?

Intel · Google · Amazon · Microsoft · Slack · Spotify · Uber

---

## Why OKRs?

- Focus and commitment to priorities
- Everyone knows what the priorities are
- Freedom to change focus quickly
- Communicate with clarity
- Motivating to see key results moving
- Achieve more by pushing for stretch goals
- Stringently curated goals — not the sum of a team's mundane tasks
- Always prepared for performance reviews

---

## Objectives vs. Key Results

**Objectives — the "whats"**

- Express goals and intents
- Aggressive yet realistic
- Must provide clear value for Equinor / ISC

**Key Results — the "hows"**

- Measurable milestones that advance the objective
- Describe outcomes, not activities
- Avoid verbs like _consult_, _help_, _analyse_, _participate_

---

## A few vital things

With a select set of OKRs we highlight the **vital things** that must get done, as planned and on time.

- **Objectives** — inspiration, a direction (one sentence)
- **Key Results** — earth-bound and metric-driven (3–5 KRs)

Mix of qualitative (growth, users) and quantitative (quality, security, customer engagement).

---

## OKR #1

**Objective:** Zero harm from cybersecurity incidents in 2026

Key results:

- Deliver on all ISC-related CIP initiatives
- Avert weekly users up from 300 → 400 by end of Q4
- GPS: 74 + 84 → 78 + 88
- Forecast accuracy: |forecast − actual| < 2 %
- All teams dedicate 20 % to Cyber and AI skill development

---

## OKR #2

**Objective:** No impact from incidents in 2026

Key results:

- Mean time to respond: X
- Zero critical valid secrets in GitHub
- Avert accurately displays the attack surface with < 400 unique weekly users

---

## OKR #3

**Objective:** Reduce uncertainty of the Top Enterprise Risk

Key results:

- TER uncertainty: Medium → Low
- Accurate and timely update of TER
- 80 % coverage of compliant device and phishing-resistant MFA across TDI
- External users %

---

## Desired outcome

1. Agree on a **top-level OKR for ISC** that VP ISC will own and use actively (SVP EDT, webinars, performance reviews). Yearly scope.
2. **3–4 OKRs** that we can tie to.


---

## Lessons learned

- Takes time to learn and get used to
- Iterate, test, stop
- Keep it simple — avoid extra reporting
- Success criteria: visit them often (ISC MC, 1:1s)
- Weekly cadence: 5–10 min colour check, push for green

---

## Reference OKR

**Objective:** Zero harm from cybersecurity incidents in 2026

- **KR1** Develop and implement a competence plan across all ISC deliveries
- **KR2** All BAs have evaluated and described their cyber risk in MIS with agreed actions
- **KR3** Zero critical and high-impact issues in ISC on Avert and SOX
- **KR4** 80 % coverage of compliant device and phishing-resistant MFA across TDI
- **KR5** Mean Time To Acknowledge alarms ≤ 1 hour at all times
- **KR6** Critical vulnerabilities and conditions are identified and communicated to risk owners

---

## Thank you

Questions?