When Michael Gregg joined the State of North Dakota as a security leader, he brought with him a concept he liked to use for keeping his security program on track: identifying objectives and key results (OKRs) and tracking progress against them.
He says they had worked for him in the past, and he believed that introducing their use to the state’s security program could be equally useful.
“It was a good way for the security team to stay focused. It helps give me and the teams priorities, it gives alignment between the teams, and we get the tracking and accountability,” says Gregg, who was named the state’s CISO in late 2021 after serving in the position on an interim basis and, before that, as director of state cyber operations.
This is how he makes OKRs work.
Each of his five teams (the governance, risk and compliance team; analysis and response; active defense; engineering; and security infrastructure) identifies three to five objectives each year. They devise those objectives based on the organization’s strategic vision.
Creating objectives, Gregg says, “forces us to say, ‘Can we agree which three, four or five things are most important for us to do?’”
Each team then lists three to five actionable items to target for each identified objective; those are the key results.
“I work with each team lead. They know our objectives for the year, and I let them put forth the key results for the quarter. We review it as a group and after that, and after everything is aligned, we come back for one meeting where each team talks about the OKRs so everyone has visibility,” he says.
Teams then meet every two weeks to evaluate their progress on the key results, using key performance indicators (KPIs) and key goal indicators (KGIs) to measure their work toward reaching those key results that support achieving the overall objective.
Gregg shares a straightforward example to illustrate how these pieces come together:
If the state’s strategic vision is to further strengthen security, one objective to support that mission could be rolling out a new tool for network and endpoint monitoring throughout the entire state organization within the year.
That then becomes an objective for the teams that will be involved in the work, with the teams’ quarterly key results reflecting the amount of work they need to accomplish every three months to hit that objective within a year.
The teams will use KPIs and KGIs to measure progress toward those key results, with metrics reported every two weeks.
“So if I’m looking for 100% at year’s end, then I need 50% by half year, the key results are how much I’m achieving in a quarter to stay on track and the KPIs are how well I’m doing,” Gregg explains.
Although such examples may make OKRs seem merely like a way to divvy up and schedule work, Gregg says their use actually delivers big management and executive benefits.
“What I like about OKRs is this: OKRs help me tie vision and mission, which is set by the governor’s team, to our action plan, to how we will get there,” he says. “And OKRs help me align culture and resources to that action plan.”
In other words, he says, OKRs help him set the track, stay on course, and keep a desired pace. So teams are less likely to chase projects that aren’t priorities. They may get pulled into urgent work or be tempted to jump into a new proposal, but OKRs guide them back to the established priorities.
OKRs also “tie teams together. They can see how their work impacts the work of other teams,” Gregg says. He explains that establishing OKRs that are tied to a strategic vision helps ensure that the required teams are contributing when, where, and how much they’re needed to keep initiatives on track. In a world where one team’s schedule and success are often dependent on other teams doing their part on time, OKRs help ensure each team is doing what it must and doing that work when it should.
Google security’s take on OKRs
Managers have been using OKRs for decades, ever since Andy Grove introduced the goal-setting framework at Intel in the 1970s.
Other business leaders have adopted this construct over the years, with John Doerr at Google often credited for making OKRs popular.
Google uses OKRs today throughout its organization. That includes the Google Cybersecurity Action Team (GCAT) at Google Cloud, where Merrill Miller is head of business operations.
Miller says there’s good reason for that pervasiveness of OKRs.
“They let you know your priorities along with your overall mission, and they give you the more specific goals for achieving the vision—and how. They help put a practical lens to strategy and vision and ground prioritization,” she says. “The objective speaks to an inspiring mission; the key results are measurable outcomes.”
Miller’s use of OKRs is similar to how Gregg leverages this framework.
Miller says Google has an annual planning process during which leaders outline the objectives they want to achieve in the upcoming year and they break down the key results they need to achieve to reach those objectives. Miller says her security team then uses metrics to measure their progress toward reaching key results and, ultimately, the objectives.
She offers a real-world example:
Google leaders have articulated that GCAT’s mission is to be a premier security advisory team.
“But that’s a pretty broad mission. So how do we make sense of that and make that actionable?” Miller asks. “One way to do that is through the ‘O’—the objectives—and tracking key results.”
So Miller and her team develop several objectives that map to the organization’s vision and its overarching priorities.
And, as is standard practice when developing and using OKRs, GCAT created several key results for each objective.
So, Miller says, one objective is to “ensure that the Google Cybersecurity Action Team achieves its goals of being the world’s premier security advisory team” with one key result for that being “increase customer engagement by X% through the Google Cybersecurity Action Team pod engagement model.”
Miller says that example also illustrates the benefits of OKRs: They provide a clear picture of priorities, which can keep security teams focused on those priorities rather than spreading themselves thin by working on too many initiatives and diverting resources to less pressing projects.
“You can get too scattered and take on too many things and you can take on scope creep, but having OKRs, when I write out projects and what needs to be done, I can prioritize based on what needs to be delivered. And that allows me to effectively communicate with leadership, team members, and invested parties why we’re making the decisions we’re making and how we’re supporting the objectives,” Miller says.
She adds: “OKRs constantly let you point back to priorities and ground yourself.”
Miller says they’ve also helped her and her team say “no” to initiatives.
“I have a running list of all projects, including current and future ones; they’re mapped to OKRs. So if something new goes on the list, and it doesn’t map to the OKR, it might not get prioritized or it could mean we need to talk about creating a new OKR. It’s a good gut check,” she explains.
Case in point: Miller and her team recently pushed off updating content for GCAT’s service catalog because it wasn’t part of their OKRs this year. “That [new] version will happen down the line but we have other things to prioritize first,” Miller says.
Making OKRs work
Interest in OKRs is growing, says Paul Proctor, vice president and distinguished analyst at tech research and advisory firm Gartner.
However, he and other management experts tempered their enthusiasm, noting that OKRs can be an effective goal-setting methodology for security teams, but the value is limited if that’s all they are used for.
Proctor says OKRs are all about asking:
- What am I trying to accomplish? That’s the objective.
- How am I going to accomplish it? That’s the list of key results.
- And how am I going to measure? This determines the metrics to use.
“The purpose of an OKR is to measure progress towards a strategy,” Proctor explains. So CISOs—or any executives or managers—need to understand their strategy to create the objectives and key results.
“This is where people struggle because nothing in OKRs tells you your strategy. There’s no definitive list of OKRs because it’s dependent on your strategy, and most people don’t have a strategy,” he adds. “OKRs is progress toward achieving a strategy. They’re an integral part of developing and executing your strategy, and if you’re not looking at them that way, you’re not really using OKRs.”
Moreover, Proctor says OKRs are valuable when teams actually measure their work on key results and toward achieving their objectives, adding that he has found through his experience that “people are terrible at metrics.”
Instead, Proctor says he gets enterprise leaders asking: “What OKRs should I measure in security?” or labeling whatever metrics they have as OKRs.
“OKRs are a very specific construct designed to support a very specific goal, but unfortunately a lot of people are setting metrics and then calling them OKRs,” he says.
Still, Proctor says he does see value in OKRs and agrees with statements made by Gregg and Miller about their benefits—when organizations think about and use OKRs in the right manner, they do indeed help focus teams on achieving objectives that have been deemed important.
“OKRs can certainly be an effective way to articulate the objectives of the CISO function,” says Andrew Retrum, a managing director in the Security and Privacy Practice at management consulting firm Protiviti. “But I think the OKRs that are most meaningful are those that tie back to the rest of the organization; in security, when they tie them back to the risk you’re managing, and when the metrics being used are quantifiable.”
Gregg, too, acknowledges that getting the objectives right is key to getting benefits from OKRs.
He says teams often struggle, particularly when first using the OKR framework, with limiting the number of objectives they want to have. “You won’t be successful if you’re trying to do that many,” he adds.
He also agrees that follow-through matters for success; listing objectives and key results is itself not enough. He says it’s essential to measure progress, evaluate those metrics, and even adjust and tweak OKRs if necessary. Getting that done, he adds, is about culture change—something that takes time and investment to get right.