Building effective security OKRs

This is an abridged version of my LocoMocoSec 2020 conference talk

How do you set the strategy for a security team? If your goals are vague, people on your team will work on whatever they’re interested in because there’s no clear mission. If you don’t measure impact, your organization will hesitate to give you resources because you won’t be able to show what they get in return.

OKRs let your security team do work that everyone in the organization values. John Doerr’s book Measure What Matters calls out four organizational OKR “superpowers” that also apply to security teams.

• Focus and Commit to Priorities
• Align and Connect for Teamwork
• Track for Accountability
• Stretch for Amazing

Maybe you’ve seen first-hand how OKRs lead to amazing results. Or, maybe they’re mandated by your organization. Either way, how should security teams get the most value out of the OKR process?

Security objectives

Define the mission with high-level security objectives

First, make sure you have a set of security objectives that make sense outside the security team. They should describe how security supports the organizational mission. What risks are your team focused on preventing? If your organization has cascading OKRs, think about how security can be framed as a company-level objective.

Michal Zalewski describes the importance of objectives for your security team:

Rather than focusing on tactical objectives and policy documents, try to write down a concise mission statement explaining why you are a team in the first place, what specific business outcomes you are aiming for, how do you prioritize it, and how you want it all to change in a year or two.

A good example of high-level objectives is in Gitlab’s information security team’s handbook. They talk about three tenets:

• Secure the Product
• Protect the Company
• Assure the Customer

Note that the first two are about reducing actual risk, whereas the third is about perceived risk. Reducing actual…