When Michael Gregg joined the State of North Dakota as a security leader, he brought with him a concept he liked to use for keeping his security program on track: identifying objectives and key results (OKRs) and tracking progress against them.

He says they had worked for him in the past, and he believed that introducing their use to the state's security program could be equally useful.

"It was a good way for the security team to stay focused. It helps give me and the teams priorities, it gives alignment between the teams, and we get the tracking and accountability," says Gregg, who was named the state's CISO in late 2021 after working in the position as an interim and prior to that as director of state cyber operations.

This is how he makes OKRs work.

Each of his five teams (the governance, risk and compliance team; analysis and response; active defense; engineering; and security infrastructure) identifies three to five objectives each year. They devise those objectives based on the organization's strategic vision.

Creating objectives, Gregg says, "forces us to say, 'Can we agree which three, four or five things are most important for us to do?'"

Each team then lists three to five actionable items to target for each identified objective; those are the key results.

"I work with each team lead. They know our objectives for the year, and I let them put forth the key results for the quarter. We review it as a group and after that, and after everything is aligned, we come back for one meeting where each team talks about the OKRs so everyone has visibility," he says.

Teams then meet every two weeks to evaluate their progress on the key results, using key performance indicators (KPIs) and key goal indicators (KGIs) to measure their work toward reaching those key results that support achieving the overall objective.

Gregg shares a straightforward example to illustrate how these pieces come together:

If the state's strategic vision is to further strengthen security, one objective to support that mission could be rolling out a new tool for network and endpoint monitoring throughout the entire state organization within the year.

That then becomes an objective for the teams that will be involved in the work, with the teams' quarterly key results reflecting the amount of work they need to accomplish every three months to hit that objective within a year.

The teams will use KPIs and KGIs to measure progress toward those key results, with metrics reported every two weeks.

"So if I'm looking for 100% at year's end, then I need 50% by half year, the key results are how much I'm achieving in a quarter to stay on track and the KPIs are how well I'm doing," Gregg explains.

Although such examples may make OKRs seem merely like a way to divvy up and schedule work, Gregg says their use actually delivers big management and executive benefits.

"What I like about OKRs is this: OKRs help me tie vision and mission, which is set by the governor's team, to our action plan, to how we will get there," he says. "And OKRs help me align culture and resources to that action plan."

In other words, he says, OKRs help him set the track, stay on course, and keep a desired pace. So teams are less likely to chase projects that aren't priorities. They may get pulled into urgent work or be tempted to jump into a new proposal, but OKRs guide them back to the established priorities.

Using OKRs also "tie teams together. They can see how their work impacts the work of other teams," Gregg says. He explains that establishing OKRs that are tied to a strategic vision helps ensure that the required teams are contributing when, where, and how much they're needed to keep initiatives on track. In a world where one team's schedule and success are often dependent on other teams doing their part on time, OKRs help ensure each team is doing what it must and doing that work when it should.

Google security's take on OKRs

Managers have been using OKRs for decades, ever since Andy Grove introduced the goal-setting framework at Intel in the 1970s.

Other business leaders have adopted this construct over the years, with John Doerr at Google often credited for making OKRs popular.

Google uses OKRs today throughout its organization. That includes the Google Cybersecurity Action Team (GCAT) at Google Cloud, where Merrill Miller is head of business operations.

Miller says there's good reason for that pervasiveness of OKRs.

"They let you know your priorities along with your overall mission, and they give you the more specific goals for achieving the vision—and how. They help put a practical lens to strategy and vision and ground prioritization," she says. "The objective speaks to an inspiring mission; the key results are measurable outcomes."

Miller's use of OKRs is similar to how Gregg leverages this framework.

Miller says Google has an annual planning process during which leaders outline the objectives they want to achieve in the upcoming year and break down the key results they need to achieve to reach those objectives.

Miller says her security team then uses metrics to measure their progress toward reaching key results and, ultimately, the objectives.

She offers a real-world example:

Google leaders have articulated that GCAT's mission is to be a premier security advisory team.

"But that's a pretty broad mission. So how do we make sense of that and make that actionable?" Miller asks. "One way to do that is through the 'O'—the objectives—and tracking key results."

So Miller and her team develop several objectives that map to the organization's vision and its overarching priorities.

And, as is standard practice when developing and using OKRs, GCAT created several key results for each objective.

So, Miller says, one objective is to "ensure that the Google Cybersecurity Action Team achieves its goals of being the world's premier security advisory team," with one key result for that being "increase customer engagement by X% through the Google Cybersecurity Action Team pod engagement model."

Miller says that example also illustrates the benefits of OKRs: They provide a clear picture of priorities, which can keep security teams focused on those priorities rather than spreading themselves thin by working on too many initiatives and diverting resources to less pressing projects.

"You can get too scattered and take on too many things and you can take on scope creep, but having OKRs, when I write out projects and what needs to be done, I can prioritize based on what needs to be delivered. And that allows me to effectively communicate with leadership, team members, and invested parties why we're making the decisions we're making and how we're supporting the objectives," Miller says.

She adds: "OKRs constantly let you point back to priorities and ground yourself."

Miller says they've also helped her and her team say "no" to initiatives.

"I have a running list of all projects, including current and future ones; they're mapped to OKRs. So if something new goes on the list, and it doesn't map to the OKR, it might not get prioritized or it could mean we need to talk about creating a new OKR. It's a good gut check," she explains.

Case in point: Miller and her team recently pushed off updating content for GCAT's service catalog because it wasn't part of their OKRs this year. "That [new] version will happen down the line but we have other things to prioritize first," Miller says.

Making OKRs work

Interest in OKRs is growing, says Paul Proctor, vice president and distinguished analyst at tech research and advisory firm Gartner.

However, he and other management experts temper their enthusiasm, noting that OKRs can be an effective goal-setting methodology for security teams, but the value is limited if that's all they are used for.

Proctor says OKRs are all about asking:

What am I trying to accomplish? That's the objective.

How am I going to accomplish it? That's the list of key results.

And how am I going to measure? This determines the metrics to use.

"The purpose of an OKR is to measure progress towards a strategy," Proctor explains. So CISOs—or any executive or manager—need to understand their strategy to create the objectives and key results.

"This is where people struggle because nothing in OKRs tells you your strategy. There's no definitive list of OKRs because it's dependent on your strategy, and most people don't have a strategy," he adds. "OKRs is progress toward achieving a strategy. They're an integral part of developing and executing your strategy, and if you're not looking at them that way, you're not really using OKRs."

Moreover, Proctor says OKRs are valuable when teams actually measure their work on key results and toward achieving their objectives, adding that he has found through his experience that "people are terrible at metrics."

Instead, Proctor says he gets enterprise leaders asking: "What OKRs should I measure in security?" or labeling whatever metrics they have as OKRs.

"OKRs are a very specific construct designed to support a very specific goal, but unfortunately a lot of people are setting metrics and then calling them OKRs," he says.

Still, Proctor says he does see value in OKRs and agrees with statements made by Gregg and Miller about their benefits—when organizations think about and use OKRs in the right manner, they do indeed help focus teams on achieving objectives that have been deemed important.

"OKRs can certainly be an effective way to articulate the objectives of the CISO function," says Andrew Retrum, a managing director in the Security and Privacy Practice at management consulting firm Protiviti. "But I think the OKRs that are most meaningful are those that tie back to the rest of the organization; in security, when they tie them back to the risk you're managing, and when the metrics being used are quantifiable."

Gregg, too, acknowledges that getting the objectives right is key to getting benefits from OKRs.

He says teams often struggle, particularly when first using the OKR framework, with limiting the number of objectives they want to have. "You won't be successful if you're trying to do that many," he adds.

He also agrees that follow-through matters for success; listing objectives and key results is itself not enough. He says it's essential to measure progress, evaluate those metrics, and even adjust and tweak OKRs if necessary. Getting that done, he adds, is about culture change—something that takes time and investment to get right.