

How OKRs keep security programs on track


When Michael Gregg joined the state of North Dakota as its security lead, he brought with him a concept he had used before to get a security program off the ground: objectives and key results (OKRs).

He said OKRs had worked for him in the past, and he believed that introducing them into the state's security program would help as well.

“This has been a good way for the security team to stay focused. It has helped me and the team prioritize, coordinate across teams, and gain tracking and accountability,” says Gregg, the state's director of cyber operations.

Here is how he makes OKRs work.

Each of his five teams (Governance, Risk and Compliance; Analytics and Response; Active Defense; Engineering; and Security Infrastructure) identifies three to five objectives each year. They formulate those objectives based on the organization's strategic vision.

Setting objectives “forces us to say, ‘Can we agree on the three, four, or five most important things that we should do?’” says Gregg.

Each team then lists three to five measurable, actionable targets for each objective. These are the key results.

“I work with each team leader. They know our objectives for the year, and I have them present the key results for the quarter. Once we're aligned, we come back together in one meeting where each team talks about its OKRs, so everyone has visibility,” he says.

The teams then meet every two weeks to assess progress on their key results, using key performance indicators (KPIs) and key goal indicators (KGIs) to measure the work that moves each key result, and with it the overall objective, forward.

Gregg shares a simple example of how these elements fit together.

If the state's strategic vision is to strengthen its security posture, one objective in support of that vision might be to roll out new network and endpoint monitoring tools across state agencies by the end of the year.

This becomes an objective for the team doing the work, and that team's quarterly key results reflect how much of the rollout must be completed every three months to reach the objective within the year.

The team uses KPIs and KGIs to measure progress toward those key results and reports the metrics every two weeks.

“So if you're looking for 100% at the end of the year, you want 50% at the half-year mark,” explains Gregg.

While OKRs might look like just a way to divide and schedule work in an example like this, Gregg says that using them brings real benefits to management and executives as well.

“What I love about OKRs is that they help us tie the vision and mission set by the governor’s team to our plans of action and how we get there,” he says. “And OKRs help align culture and resources with that action plan.”

In other words, OKRs help him set a trajectory, stay on course, and keep the desired pace, he says. Teams are less likely to chase projects that are not priorities. They may be pulled into urgent tasks or tempted to jump on a new opportunity, but OKRs guide them back to the established priorities.

And with OKRs, “you can connect teams. They can see how their work impacts the work of other teams,” Gregg says. He explains that establishing OKRs tied to the strategic vision ensures that the teams whose contributions are needed have the time and resources to get their initiatives off the ground. Because one team's schedule and success often depend on another team doing its part on time, OKRs help ensure that each team does the work it needs to do, when it needs to do it.

Google Security’s take on OKRs

Managers have used OKRs for decades, ever since Andy Grove introduced the goal-setting framework at Intel in the 1970s.

Other business leaders have adopted the structure over the years, and investor John Doerr, who introduced OKRs at Google, is widely credited with popularizing them.

Google now uses OKRs across the organization. That includes the Google Cybersecurity Action Team (GCAT) at Google Cloud, where Merrill Miller is head of business operations.

Miller says OKRs are popular for good reason.

“They inform your priorities along with your overall mission and give you more specific objectives and a way to achieve your vision. It helps me put a practical lens on it,” she says. “Objectives speak to an inspiring mission. Key results are measurable outcomes.”

Miller's use of OKRs mirrors the way Gregg applies the framework.

According to Miller, Google runs an annual planning process in which leaders set out the objectives they want to achieve in the coming year and work out the key results they must deliver to reach them. Security teams then use metrics to measure progress toward the key results and, ultimately, the objectives.

She gives a real-life example.

Google leaders have made it clear that GCAT’s mission is to be the premier security advisory team.

“But it's a pretty broad mission. So how do we make it understandable and doable?” asks Miller. “One way to do it is with the ‘O’ (objective) and key result tracking.”

Miller and her team then develop several objectives that correspond to the organization's vision and its overarching priorities.

As is standard practice with OKRs, GCAT then defines several key results for each objective.

According to Miller, one of the objectives is to “ensure that the Google Cybersecurity Action Team achieves its goal of becoming the best security advisory team in the world,” and one of its key results is to “increase customer engagement by X% through the team's pods engagement model.”

Miller says the example also demonstrates the benefits of OKRs. They articulate priorities, so the security team can stay focused on those initiatives rather than spreading itself thin across too many projects or diverting resources to less urgent work.

“You can get too scattered, take on too many things, and fall into scope creep, but having OKRs helps you understand, when you write out your projects, what you need to deliver and what needs to be done, so you can effectively communicate to management, team members, and stakeholders why you are making decisions and how they support your objectives,” says Miller.

Miller adds that OKRs have also helped her and her team say “no” to initiatives.

“We have a running list of all projects, current and future. They map to OKRs, and if one doesn't, that could mean it's not prioritized or we need to talk about creating new OKRs. It's a good gut check,” she explains.

Case in point: Miller and her team recently put off updating the content of GCAT's service catalog because it wasn't part of this year's OKRs. “A [new] version will come later, but there are other things to prioritize first,” says Miller.

Making OKRs work

Interest in OKRs is growing, says Paul Proctor, vice president and distinguished analyst at technology research and advisory firm Gartner.

However, he and other management professionals temper their enthusiasm, pointing out that while OKRs can be an effective goal-setting method for security teams, their value is limited when they are used only for that purpose.

Proctor says OKRs come down to three questions:

  • What am I trying to achieve? That is the objective.
  • How will I achieve it? That gives the list of key results.
  • How will I measure it? That determines which metrics to use.

“The purpose of OKRs is to measure the progress of a strategy,” explains Proctor. As such, CISOs, and executives and managers generally, need to understand their goals and their strategy before they can write meaningful key results.

“This is where people struggle, because OKRs don't give you a strategy. There is no definitive list of OKRs, because it depends on the strategy,” he adds. “OKRs are progress toward achieving the strategy.”

Proctor also says OKRs are only valuable when a team actually measures its work toward the key results and objectives, and his experience has shown that “people are bad at metrics.”

Instead, Proctor says, business leaders ask, “What OKRs should security measure?” or simply relabel their existing metrics as OKRs.

“OKRs are very specific structures designed to support very specific goals, but unfortunately many people set metrics and call them OKRs,” he says.

Still, Proctor says he sees value in OKRs and agrees with Gregg and Miller about their benefits. When an organization thinks through its OKRs and uses them the right way, they do help keep teams focused on the goals the organization deems important.

“OKRs are undoubtedly an effective way to articulate the purpose of the CISO function,” says Andrew Retrum, managing director of the Security and Privacy practice at management consulting firm Protiviti. “But I think the most meaningful OKRs are those that are tied to other parts of the organization.”

Gregg also agrees that setting objectives correctly is key to benefiting from OKRs.

He says teams often struggle to limit the number of objectives they take on, especially when they are new to the OKR framework. “If you try to do that much, you will never succeed,” he adds.

He also agrees that follow-through is key to success. Listing objectives and key results is not enough; it is also essential to measure progress, evaluate those metrics, and adjust and fine-tune the OKRs as needed. Getting there is a matter of cultural change, he adds, and it takes time and investment to get it right.

Copyright © 2022 IDG Communications, Inc.