OKRs for Cybersecurity Teams
Goals for Nerds
The most Silicon Valley of business books in recent years has got to be Measure What Matters by John Doerr. In it, the venture capitalist shares the goal-setting system that he learned from Intel’s legendary manager-engineer Andy Grove. Doerr brings in Larry Page and Bill Gates to weigh in as well on OKRs: Objectives and Key Results.
Objectives and Key Results
The OKR framework helps organizations to align their members towards a set of high-impact outcomes. Objectives (Os) are aspirational goals that are meant to put on paper “what matters most” to the organization in the coming quarter or year. At Google, as Larry Page explains in the book, Objectives are set at every level to be challenging and not easily achievable.
For each lofty objective, a set of Key Results (KRs) is chosen to define how success will be measured. These KRs are quantitative and objectively measurable.
Here’s an example of an OKR set by Grove for Intel in the second quarter of 1980:
INTEL CORPORATE OBJECTIVE
Establish the 8086 as the highest performance 16-bit microprocessor family, as measured by:
KEY RESULTS (Q2 1980)
1. Develop and publish five benchmarks showing superior 8086 family performance (Applications).
2. Repackage the entire 8086 family of products (Marketing).
3. Get the 8MHz part into production (Engineering, Manufacturing).
4. Sample the arithmetic coprocessor no later than June 15 (Engineering).
Setting Cybersecurity Objectives
At Snowflake, the security team has been setting OKRs for itself in each of the last few quarters. It’s been really helpful in keeping us security engineers from getting pulled in so many different directions that we end up making little forward progress.
For security engineers, objectives should feel like they come from a magical world of unicorns, gumdrops, and comprehensive single-pane-of-glass visibility into activity and configurations. Imagine the reality you want and pick a few slices that might be possible to achieve in the next quarter.
For example, you might wish for a world where you don’t spend hours verifying access is revoked for terminated employees. If that’s your dream, an aspirational objective might be:
SECURITY ENGINEERING OBJECTIVE
IT is automatically notified of any access not revoked for terminated employees.
In that wonderful world, security is no longer in the loop and on the hook for securing routine turnover at the company.
Measuring Objectives Through Key Results
Key results are set after the objective and should include hard numbers or dates. The trick is picking results such that when they’re met, the objective would be achieved. For our example objective, key results might be:
KEY RESULTS (Q1 2019)
1. The entire process of verifying revoked access for terminations is documented.
2. Hourly user account configuration snapshots are collected into the Snowflake database from all relevant applications by February 11.
3. All configuration checks are automatically performed, with violation findings recorded in Jira.
4. At least five members of IT are trained to understand and act on violation findings by March 15.
5. Following at least two cases of employee termination, the automated validation is double-checked manually, with results presented to the CISO.
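To make key results 2 and 3 concrete, here is an added example (not code from the original post or from Snowflake) of the kind of automated check they describe: it joins an HR termination feed against an hourly account snapshot and produces a finding for every account still enabled past a revocation deadline. The feed, the snapshot rows, the application names and the 24-hour grace period are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed HR termination feed: employee id -> termination timestamp.
TERMINATIONS = {
    "e1001": datetime(2019, 2, 4, 17, 0),
    "e1002": datetime(2019, 2, 5, 9, 30),
    "e1003": datetime(2019, 2, 6, 12, 0),
}

# Constructed hourly snapshot rows, one per (application, employee, enabled flag),
# as they might be collected into a database from each application.
SNAPSHOT_TIME = datetime(2019, 2, 7, 10, 0)
SNAPSHOT = [
    ("okta", "e1001", False),    # revoked, fine
    ("github", "e1001", True),   # still enabled well past the deadline
    ("okta", "e1002", True),     # still enabled just past the deadline
    ("aws", "e1003", True),      # inside the grace period, not yet a finding
    ("okta", "e2000", True),     # active employee, ignored
]

GRACE = timedelta(hours=24)  # assumed time IT gets to revoke access after termination


def find_unrevoked(terminations, snapshot, snapshot_time, grace=GRACE):
    """Return one finding per enabled account whose owner was terminated
    more than `grace` before the snapshot was taken."""
    findings = []
    for app, emp, enabled in snapshot:
        term_at = terminations.get(emp)
        if term_at is None or not enabled:
            continue
        deadline = term_at + grace
        if snapshot_time > deadline:
            overdue = (snapshot_time - deadline).total_seconds() / 3600
            findings.append({
                "app": app,
                "employee": emp,
                "terminated_at": term_at.isoformat(),
                "overdue_hours": round(overdue, 1),
            })
    return sorted(findings, key=lambda f: (f["employee"], f["app"]))


def format_ticket(finding):
    """Render a finding as the text of a ticket for IT (e.g. a Jira issue)."""
    return (f"[Access not revoked] {finding['app']} account for {finding['employee']} "
            f"still enabled {finding['overdue_hours']}h past the revocation deadline "
            f"(terminated {finding['terminated_at']})")


if __name__ == "__main__":
    for f in find_unrevoked(TERMINATIONS, SNAPSHOT, SNAPSHOT_TIME):
        print(format_ticket(f))
```

Running this hourly against the real snapshot table, and filing each finding as a ticket, is what removes security from the loop on routine turnover while leaving the evidence for key result 5.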
Get Started
Before you set your own OKRs, take note that OKRs are not intended to determine compensation. It may be tempting to use them as a basis for performance reviews (“You scored an average of 0.74 on your OKRs this quarter”). Avoid the temptation, because OKRs are most effective when they inspire team members to collaborate and stretch in pursuit of an ambitious vision.
Imagine a world where your security team is making meaningful progress towards better security for the company with less impact to employees. Remove any pressure to complete all the objectives. Then get the team together to pick your OKRs and begin to measure what matters.