A well-written cybersecurity strategy and the OKRs to match is like playing chess against someone else playing checkers

From Words to Action: Crafting OKRs and Assembling the Team

Robert Wood

Our last two posts in this series have discussed building a cybersecurity strategy and then communicating it to those needing to know. The need to develop a robust cybersecurity strategy is only getting more significant. However, the strategic plan doesn't add value until it is turned into action.

This article will delve into the practice of translating your cybersecurity strategy into objectives and key results (OKRs), setting metrics, and assembling your team. In addition, we'll explore effective team management and leadership empowerment, drawing inspiration from management expert Peter Drucker.

Introducing OKRs

Organizations and teams of any size can benefit from goal-setting. Even individuals can benefit from goal-setting. However, at some point in life, you've likely experienced that setting a goal and making it meaningful are two different things. Think about the New Year's resolutions that you may have made over the years. A resolution such as making more money or getting into shape isn't very helpful, primarily because you won't know if you've been successful, and there's no underlying habit to fuel the change you want to see.

This article won't exhaustively cover effective goal-setting; I think that could be a standalone article series. However, goal-setting through a tool called OKRs can be incredibly useful in the business context. An OKR is an objective and key result(s). I like the Measure What Matters book companion site for a more detailed reference.

On a basic level, the idea is that you establish an objective or a series of objectives as future-state, outcome-oriented statements. The corresponding key results are the measurable activities that contribute to the outcome. Most literature you read on the subject will encourage you to set stretch goals. Put another way, shoot for the stars and be excited when you only hit the moon.

Crafting OKRs with Measurable Metrics

Your strategic plan should contain the outcomes you're striving for, even if they're not explicitly stated as such in the plan. As I've written a few of these, here are some things I've found beneficial to remember.

  • Aligning your outcome with business goals: Your cybersecurity objectives should align with your organization's goals. Write this down explicitly. Objective "X" aligns with and supports organization goal "Y." Ensure that your security strategy supports the growth and stability of the business.
  • Ensuring relevance to current threats: This sounds obvious, but you must stay informed about the latest cybersecurity threats and trends. Align your objectives with the most pressing risks (which are specific to your org) and what's happening around the sector to remain proactive and resilient.
  • Balancing proactive and reactive measures: This is the ambidextrous organization model. Design objectives that address proactive (e.g., threat prevention or innovation efforts) and reactive (e.g., incident response or compliance) aspects of cybersecurity to cover your bases.

Having your objectives is excellent. Now you need your key results; this is where the rubber meets the road. A well-written key result is what you might think of when you think about SMART goals (specific, measurable, action-oriented, realistic, time-bound). The metrics you establish should be measurable to determine whether your efforts are working. Here's a framework you can start working through:

  • Creating specific, measurable outcomes: For each objective, define key results that demonstrate progress toward achieving the objective. Be clear and ensure quantifiable outcomes, such as "reducing phishing attack success rate by 50%." This guide from the team at Coda has been handy for me in thinking about what kind of metrics I establish.
  • Setting time-bound targets: Assign deadlines for achieving key results to maintain momentum and enable tracking progress over time. If you don't set timelines, you risk Parkinson's law setting in, which is the idea that any task will swell to fill the amount of time you allocate.
  • Identifying an owner: We talked last week about the concept of accountability and ownership in communicating your strategic plan. This applies to OKRs. People need to know who owns what, who's making decisions, who is responsible for reporting, etc.

The original Andy Grove philosophy on OKRs is anchored heavily on data-driven goal-setting.

Example OKRs to Get Started

Writing good OKRs for security teams can be challenging. This might be a topic worthy of a complete guide or standalone set of resources to pull from, but to tie this together, I wanted to provide at least a few examples here.

Risk Management

Objective: Improve the organization's risk management process.

Key Results:

  • Identify and assess at least 90% of critical assets and associated risks within the next quarter.
  • Implement risk mitigation controls for at least 80% of identified high-risk assets within the next six months.
  • Review and update risk assessments for all critical assets at least once per year.

Employee Training and Awareness

Objective: Enhance employee cybersecurity awareness and reduce human-related security incidents.

Key Results:

  • Develop and deploy a comprehensive cybersecurity training program for all employees within the next three months.
  • Achieve at least 95% employee participation in the cybersecurity training program within the next six months.
  • Reduce the number of human-related security incidents (e.g., phishing attacks, unauthorized access) by at least 30% within the next year.

Incident Response Planning

Objective: Strengthen the organization's incident response capabilities.

Key Results:

  • Develop and implement a comprehensive incident response plan within the next quarter.
  • Conduct at least two incident response simulations or tabletop exercises involving all relevant stakeholders within the next six months.
  • Reduce the mean time to detect (MTTD) and mean time to respond (MTTR) to security incidents by at least 25% within the next year.

Vendor Management

Objective: Improve vendor risk management and reduce third-party security risks.

Key Results:

  • Establish a vendor risk management framework and process within the next three months.
  • Conduct security assessments for at least 75% of critical third-party vendors within the next six months.
  • Implement risk mitigation controls for at least 80% of identified high-risk vendors within the next year.

Who and What - Selecting the Right People and Empowering Leadership

A successful cybersecurity team requires diverse skill sets and experiences, including technical expertise, communication skills, and problem-solving abilities. We touch on some of this in our Soft Skills Framework. To build a well-rounded team to deliver on your cybersecurity strategy, you've got to step back and think about what you're trying to do, the current organizational posture, and what you need to get it done. For example, technical experts may focus on network security, malware analysis, or vulnerability assessments, while others may excel at policy development, user training, or incident response. You might also need people with access, influence, or existing relationships. Whatever their specialty, team members should possess strong communication and interpersonal skills to collaborate and share knowledge across the organization effectively.

Fostering a culture of teamwork and open communication is crucial in ensuring the cybersecurity team's success. Encourage collaboration among team members by providing opportunities for regular meetings, brainstorming sessions, and informal knowledge-sharing. Promote a supportive environment where team members feel comfortable discussing challenges, sharing ideas, and seeking help. Just because you've laid out your strategy and selected people to work on it doesn't mean it will be fully understood. This collaborative approach directly correlates to effectiveness in my experience.

As we touched on last week, one of the essential aspects of effective team management is empowering team members to take on leadership roles. By delegating responsibility and providing autonomy in decision-making, you can nurture leaders within the cybersecurity team who can drive success and improve overall team performance. In addition, encourage team members who will own particular key results in your strategy to take ownership of their projects and initiatives and support them by providing guidance and resources as needed. This approach helps build a strong sense of accountability, fosters innovation, and promotes a proactive attitude toward addressing cybersecurity challenges.

Investing in ongoing training and development ensures your cybersecurity team's continuous growth and improvement. However, please don't assume that people have everything or know everything they need to do the job.

Encourage team members to pursue certifications, attend workshops, and participate in industry conferences to stay current with cybersecurity trends and best practices. This is, in large part, what works for them. Additionally, consider implementing mentoring programs within your team, allowing more experienced members to share their knowledge and expertise with newer members. This strengthens the team's overall skillset and contributes to a culture of continuous learning.

Lastly, it is crucial to establish and maintain performance metrics that align with your cybersecurity objectives and to recognize team members who excel in their roles. By measuring and rewarding performance, you encourage team members to strive for excellence and continuously improve their skills and abilities. Regular performance reviews, recognition programs, and incentives can contribute to a motivated and high-performing cybersecurity team. We touched on this in our breakdown of security culture.

Conclusion

Going from words to action on the cybersecurity strategy demands a strong emphasis on crafting clear goals (hint...we like OKRs), developing actionable and trackable metrics, and building a well-rounded team. In my career, I've drawn much inspiration from Peter Drucker's management principles around empowering your team members with leadership roles, continuous learning opportunities, and performance-based recognition. A successful cybersecurity strategy relies on constant adaptation and improvement in response to ever-changing threats. Focusing on OKRs, metrics, and effective team management will create a resilient and proactive cybersecurity posture for your organization.