It’s not just Microsoft: large organizations such as Google and Target use OKRs to define their targets and measure performance against them. From an AppSec perspective, OKRs are a useful tool for picking a target goal and pinning it down precisely.
OKR stands for "Objectives and Key Results." Let's look briefly at what this means in the cyber security and AppSec world.
Michal Zalewski, a well-known white-hat hacker, has written about the benefits of framing organizational security goals as OKRs. His article is worth reading in full, but to quote him briefly:
“Rather than focusing on tactical objectives and policy documents, try to write down a concise mission statement explaining why you are a team in the first place, what specific business outcomes you are aiming for, how do you prioritize it, and how you want it all to change in a year or two.”
The best place to begin is simply to start drafting OKRs. Once you are in the habit, writing sharper Objectives and Key Results becomes easier with each cycle.
It is important to note that effective key results come from treating the security team as a product, with its own customers, deliverables and measurable outcomes.
What do we mean by that? While Objectives can be defined at the organizational level, key results for security must be scoped to smaller teams and groups of individuals, which also promotes learning through accountability. When scoping them, account for:
- Your tech stack.
- The organizational structure of the team.
- Constitutional and strategic requirements.
Effective OKR modeling not only keeps our goals in good tactical shape, it also helps define a strategic roadmap for the security program. Threat modeling is the natural input for it.
Per Wikipedia, threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized.
Let’s suppose our threat model shows that most of our attack vectors and threats target authorization and access control. We could write an Objective like this:
“Implement a consistent access control mechanism.”
Now, based on this Objective, we can define the following Key Results:
KR 1: Allocate 50% of the security team's capacity to a red team focused on access control.
KR 2: Generate weekly reports on the state of the access control systems.
KR 3: Establish a recurring pen-testing cycle over the access control system that improves insight into it and surfaces at least one critical finding per iteration.
KR 4: Implement OAuth to strengthen the controls.
Notice that we have tried to keep the KRs as quantitative as possible. Objectives are built around high-level security goals; the KRs give them structure and measurability. Two cautions are worth keeping in mind when writing KRs like these: a target such as "at least one critical finding per iteration" rewards finding issues rather than eliminating them, so pair it with an outcome measure (for example, the number of open critical access control findings trending to zero), and a KR such as "Implement OAuth" describes a deliverable rather than a measurable result, and OAuth by itself is a delegation framework rather than an access control model, so state what the deployment must achieve (for instance, the share of services enforcing centrally issued, scoped tokens).
Alex Smolen, in one of his articles, discussed which metrics to consider when defining security OKRs. Like a threat modeling exercise, metrics help us define clear, achievable goals that are easy to implement and to trace back for improvement.
Here are some examples of metrics that can be considered when defining your KRs:
- Risk assessment.
- Objectives around CVEs and other vulnerabilities.
- KRs around time to remediation and time to detection.
“Reduce the average time to detect vulnerabilities by 50%” is a real-world example of a KR (or, at a higher level, an Objective) based on time to detection. Such a KR can then be linked to a financial KR defined by your finance team, so that the goal is better aligned with the organization as a whole, for example:
Security KR: Reduce the average time to detect vulnerabilities by 50%.
Finance KR: Reduce the debugging cost to 20% of its current value.
At Fitbots, security and OKRs go hand in hand: OKRs make security goals easier to formulate, track, manage and achieve than older planning approaches. With companies like Microsoft and Google using them, OKRs are the way forward.
Since most security teams are made up of engineers, who are good at modeling systems and defining clear goals and objectives, it is natural for OKRs to play a part in planning and managing the short-term and long-term vision of the security function.
Aditya Tripathi is a software engineer and a cyber security enthusiast. He writes about information security, app security and how to manage them in an organization.