Goal setting vs. metrics: a guide for CISOs and security leaders

Robert Wood

If you've read anything about goal setting over the last few years, you've undoubtedly heard about OKRs. This acronym stands for objectives and key results. A lot has been written about OKRs, how to set them up, how to measure them, and so on.

In this article, I want to dig into the delineation between metrics (sometimes referred to as key performance indicators, or KPIs) and OKRs. Not all of a security team's work is going to be growth-oriented. There will inevitably be a lot of operational work that you want to ensure is delivering as expected.

As a leader, you should strive to leverage both OKRs and standard metrics to drive the program toward the success you're hoping for.

OKRs: the what and why

OKRs comprise Objectives (qualitative and inspirational goals) and Key Results (specific measures used to track the achievement of those objectives). They are typically set quarterly or annually and are instrumental in driving focus, alignment, and engagement within the team. OKRs, in my experience, are typically geared towards major growth areas that you're striving towards as a team (or organization).

Importance for Security Leaders:

  • Focus: OKRs enable security leaders to concentrate their team's efforts on priority areas, ensuring alignment with the broader organizational goals.
  • Agility: Given their short-term nature, OKRs can be adapted as things change in the field, budget, or organization.
  • Engagement: The transparency and clarity associated with OKRs foster team engagement and ownership of outcomes.

Metrics: the what and why

Metrics are quantitative measures used to track, monitor, and assess the efficiency and effectiveness of processes over time. In cybersecurity, they could refer to the number of detected vulnerabilities, response times, or patching frequencies. When discussed in the context of key performance indicators (KPIs), a metric is a specific measurement that signals whether a program or function is performing as expected.

Importance for Security Leaders:

  • Insight: Metrics offer critical insights into the current state of security postures, revealing strengths and weaknesses.
  • Accountability: They provide a basis for accountability, making it clear where improvements are needed. The data, in most cases, will speak for itself.
  • Decision-Making: Metrics inform strategic and operational decisions, ensuring they are data-driven and objective.

OKRs and metrics: a harmonious pairing

Complementing Each Other:
While OKRs outline the “what” and “why,” metrics provide the “how.” OKRs are the destination, and metrics are the roadmap. Metrics are more granular and operational, offering a step-by-step guide to achieving OKRs.

Why You Need Both:

  • Holistic Strategy: While OKRs drive motivation and focus, metrics ensure that the journey is measurable, manageable, and aligned with operational realities.
  • Adaptability: OKRs can be adapted based on the insights derived from metrics, ensuring that strategies remain relevant and effective amidst changing conditions.
  • Performance Optimization: Metrics offer the detailed data needed to optimize processes and performance continuously, feeding into the achievement of OKRs.

Action steps for CISOs

  1. Integration: Integrate OKRs and metrics within the organizational strategy, ensuring alignment between security goals and business objectives.
  2. Education: Educate the team on the distinctions and the synergies between OKRs and metrics, fostering a holistic approach to goal setting and performance measurement.
  3. Technology Utilization: Leverage technology to track and analyze metrics in real time, offering insights that can be used to refine OKRs.

One last note: make it clear to your team that just because a piece of work isn't captured as a strategic OKR doesn't mean it's not important. I see this tension arise all the time, which can lead to the anti-pattern of creating so many OKRs that they distort what is actually important. This is really where metrics can be so helpful, both as a tracking tool and as a communications tool, even within your own team.

Concluding thoughts

As cybersecurity continues to evolve and mature into more of a business function, a dual approach integrating both OKRs and metrics is essential to our collective success. OKRs set the stage, inspiring and directing the team towards strategic objectives. In contrast, metrics offer the granular, actionable data needed to navigate the journey effectively. For CISOs and security leaders, understanding and leveraging these tools is not just beneficial—it’s a necessity for driving security, performance, and business alignment in today’s digital age.