10 Great IT Security OKR Examples

Category: IT Security OKRs.

Introduction

IT security management describes the structured integration of security into an organization. It covers establishing, implementing, operating, monitoring, reviewing, maintaining and improving the Information Security Management System in the context of the organization’s overall business risks.

Information Security Management aims to ensure the confidentiality, integrity and availability of an organization’s information, data and IT services. The primary goal of information security is to control access to information. Information Security Management provides the strategic direction for security activities and ensures that objectives are achieved. Hence it is of the utmost importance for any organization to align its objectives with that strategic direction.

OKRs act as a safety net linking strategy to objectives and help with the execution of both. Using OKRs will put an organization on track and make it possible to measure the distance (the key results) that the organization still has to cover to reach its target. It also becomes possible to check key achievements and progress every quarter and to see how much momentum the OKRs have built. This blog highlights some insights on framing good IT security policy OKR examples that would help any organization execute its security objectives.

Example 1

Vulnerability Assessment: It is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation where needed.

Objective : Improve efficiency of vulnerability assessment process

KR 1 : Decrease the number of undetected intrusion attempts within a given period from 2% to 0%

KR 2 : Reduce the number of unidentified devices on a network at any point of time from 5 to 0

KR 3 : Reduce the number of spoofing attacks – IP Address Spoofing, DNS Spoofing, HTTPS Spoofing – from 200 to 10 per day

Tracker card: Improve efficiency of vulnerability assessment process
Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 27%

Key Results (start / target / current / progress):
KR 1, Intrusion Rate (decrease): 2% / 0% / 1% / 50%
KR 2, Unidentified devices (decrease; assignee Roger Smith): 5 / 0 / 4 / 20%
KR 3, Spoofing attack (decrease; assignee Alice): 200 per day / 10 per day / 179 per day / 11%
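The tracker cards on this page show a start value, a target, a current value and a progress percentage for each key result, and a rolled-up percentage for the objective. The following is an added example, not code from the original page or from any OKR product, of how such scoring can be computed. It assumes the convention that KR progress is (current − start) / (target − start), clamped to 0..1 so that regressions score 0% and overshoots 100%; that a control-range KR (the type used in Examples 8 and 10) is simply met while the current value sits inside its band; and that objective progress is the truncated mean of the rounded KR percentages. The `KeyResult` type and the function names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Literal

# Added example (not from the original page): scores one key result and
# rolls KRs up to an objective, the way the tracker cards on this page do.
# Assumed conventions: KR progress = (current - start) / (target - start),
# clamped to 0..1; a "control" KR is 100% while current lies inside its band
# and 0% otherwise; objective progress = truncated mean of rounded KR percents.


@dataclass
class KeyResult:
    name: str
    kind: Literal["increase", "decrease", "control"]
    start: float     # for a control KR: lower bound of the band
    target: float    # for a control KR: upper bound of the band
    current: float


def kr_progress(kr: KeyResult) -> float:
    """Fraction of the way from start to target, clamped to [0, 1]."""
    if kr.kind == "control":
        return 1.0 if kr.start <= kr.current <= kr.target else 0.0
    span = kr.target - kr.start
    if span == 0:
        raise ValueError(f"{kr.name}: start equals target; nothing to measure")
    if (kr.kind == "increase") != (span > 0):
        # A KR declared "decrease" whose target is above its start (or the
        # reverse) is a data-entry error, not a 0% result: refuse to score it.
        raise ValueError(f"{kr.name}: direction '{kr.kind}' disagrees with start/target")
    raw = (kr.current - kr.start) / span   # negative on regression, >1 on overshoot
    return max(0.0, min(1.0, raw))


def kr_percent(kr: KeyResult) -> int:
    return round(kr_progress(kr) * 100)


def objective_percent(krs: List[KeyResult]) -> int:
    """Equal-weight rollup; truncation turns 27.5 into 27, as in Example 4's card."""
    return int(sum(kr_percent(k) for k in krs) / len(krs))


# Figures taken from Example 1's tracker card: (start, target, current)
EXAMPLE_1 = [
    KeyResult("Intrusion Rate", "decrease", 2, 0, 1),
    KeyResult("Unidentified devices", "decrease", 5, 0, 4),
    KeyResult("Spoofing attacks per day", "decrease", 200, 10, 179),
]

if __name__ == "__main__":
    for k in EXAMPLE_1:
        print(f"{k.name:26s} {kr_percent(k):3d}%")
    print(f"{'Objective':26s} {objective_percent(EXAMPLE_1):3d}%")
```

Run as-is it reproduces the 50% / 20% / 11% / 27% shown on Example 1's card. The direction check matters in practice: a "decrease" KR entered with a target above its start would otherwise score as progress whenever the metric got worse.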

Example 2

Patch Management: It is the process of distributing and applying updates to applications. These patches are often necessary to correct errors (also referred to as “vulnerabilities” or “bugs”) in the software.

Objective : Improve patch management process

KR 1 : Decrease the average mean time to patch (MTTP) from 90 days to 60 days

KR 2 : Increase the percentage of systems that have the latest OS or application patches installed over time from 90% to 95%

KR 3 : Improve the efficiency of automated patch deployment process from 50% to 75% to ensure patches are automatically deployed based on the deployment policies

Tracker card: Improve patch management process
Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 25%

Key Results (start / target / current / progress):
KR 1, MTTP (decrease): 90 days / 60 days / 76 days / 47%
KR 2, Patch coverage (increase; assignee Roger Smith): 90% / 95% / 91% / 20%
KR 3, Automated Patch coverage (increase; assignee Alice): 50% / 75% / 52% / 8%
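The three key results in Example 2 are only as trustworthy as the way they are derived from inventory data, and the main pitfall is how hosts that are still unpatched are treated. The following is an added example, not code from the original page, that computes MTTP, patch coverage and the automated-deployment share from a host inventory. The `PatchRecord` layout, the host names and the dates are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Added example (not from the original page): derives Example 2's metrics
# from an inventory. Record layout and sample rows are constructed here.


@dataclass
class PatchRecord:
    host: str
    released: date             # vendor release date of the patch
    applied: Optional[date]    # None while the host is still unpatched
    auto_deployed: bool = False


def mean_time_to_patch(records: List[PatchRecord], as_of: date, count_open: bool = True) -> float:
    """MTTP in days. With count_open=True an unpatched host is charged its
    exposure up to as_of, which keeps a growing backlog visible; excluding
    open hosts (False) reports only the hosts that were actually fixed."""
    days = []
    for r in records:
        if r.applied is not None:
            days.append((r.applied - r.released).days)
        elif count_open:
            days.append((as_of - r.released).days)
    return sum(days) / len(days) if days else 0.0


def patch_coverage(records: List[PatchRecord]) -> float:
    """Percentage of hosts with the patch installed (KR 2)."""
    return 100.0 * sum(r.applied is not None for r in records) / len(records)


def automated_share(records: List[PatchRecord]) -> float:
    """Percentage of installed patches that were pushed by automation (KR 3)."""
    installed = [r for r in records if r.applied is not None]
    if not installed:
        return 0.0
    return 100.0 * sum(r.auto_deployed for r in installed) / len(installed)


# Constructed sample inventory: one patch released 2021-04-01
RELEASE = date(2021, 4, 1)
SAMPLE = [
    PatchRecord("web-01", RELEASE, date(2021, 4, 1), auto_deployed=True),
    PatchRecord("web-02", RELEASE, date(2021, 4, 11), auto_deployed=True),
    PatchRecord("db-01", RELEASE, date(2021, 4, 21)),
    PatchRecord("app-01", RELEASE, date(2021, 5, 31)),
    PatchRecord("legacy-01", RELEASE, None),          # still unpatched
]
AS_OF = date(2021, 6, 30)

if __name__ == "__main__":
    print(f"MTTP (open hosts charged):  {mean_time_to_patch(SAMPLE, AS_OF):.1f} days")
    print(f"MTTP (patched hosts only):  {mean_time_to_patch(SAMPLE, AS_OF, count_open=False):.1f} days")
    print(f"Patch coverage:             {patch_coverage(SAMPLE):.1f}%")
    print(f"Automated deployment share: {automated_share(SAMPLE):.1f}%")
```

On the sample rows the two MTTP conventions differ by a wide margin (36.0 days versus 22.5 days), which is why a KR like "reduce MTTP from 90 to 60 days" should state which one it measures before the quarter starts.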

Example 3

Antivirus/Antispyware coverage: Virus protection should be installed on every machine on the network. All antivirus clients, servers and gateway products should be kept actively running and capable of generating audit logs at all times.

Objective : Improve antivirus protection coverage

KR 1 : Increase % of systems that have antivirus software installed from 99% to 100%

KR 2 : Increase % of systems that have latest antivirus definitions installed from 95% to 99%

KR 3 : Reduce the number of incorrectly configured SSL certificates from 10 to 1

Tracker card: Improve antivirus protection coverage
Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 19%

Key Results (start / target / current / progress):
KR 1, AV software (increase): 99% / 100% / 99.4% / 40%
KR 2, AV definition (increase; assignee Roger Smith): 95% / 99% / 96% / 25%
KR 3, SSL certificates (decrease): 10 / 1 / 9 / 10%

Example 4

Incident Management: It describes the activities of an organization to identify, analyze and correct hazards in order to prevent a future recurrence of an incident.

Objective : Improve incident management process

KR 1 : Increase the strength of dedicated incident response team from 4 to 8

KR 2 : Decrease the mean time to resolve (MTTR) severity 2 incidents from 120 mins to 90 mins

KR 3 : Decrease the number of recurring incidents per month from 20 to 5 (through KMDB)

KR 4 : Decrease the average downtime per quarter due to security incidents from 45 mins to 5 mins

Tracker card: Improve incident management process
Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 27%

Key Results (start / target / current / progress):
KR 1, Incident Response (increase): 4 / 8 / 6 / 50%
KR 2, MTTR (decrease; assignee Roger Smith): 120 min / 90 min / 111 min / 30%
KR 3, Recurring incidents (decrease; assignee Alice): 20 / 5 / 17 / 20%
KR 4, Down time (decrease): 45 min / 5 min / 41 min / 10%

Example 5

Audit Management: It is a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria.

Objective : Improve audit management activities to minimize the security breach

KR 1 : Increase monitoring time for communication ports that allow remote sessions – TCP 22 (SSH), TCP 23 (telnet), TCP 3389 (RDP), and TCP 20 and 21 (FTP) – from 1 min to 5 mins

KR 2 : Increase the frequency of review of third party accesses to company’s network from 3 days to 1 day

KR 3 : Increase the frequency of IT security audits from half yearly to quarterly

Tracker card: Improve audit management activities to minimize the security breach
Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 27%

Key Results (start / target / current / progress):
KR 1, Remote session monitoring (increase): 1 min / 5 min / 3 min / 50%
KR 2, 3rd party access review (increase; assignee Roger Smith): 3 days / 1 day / 2 days / 50%
KR 3, Security Audit frequency (increase; assignee Alice): 6 months / 3 months / 4 months / 33%

Example 6

Cybersecurity: It is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.

Objective : Reduce cyber security breaches

KR 1 : Decrease the time taken (MTTD) by the cybersecurity team or security operations center to become aware of a potential security incident (on average) from 10 mins to 5 mins

KR 2 : Decrease the percentage of employee population falling for phishing attempts from 20% to 8%

KR 3 : Reduce the botnet infection rate per month from 200 to 100

Tracker card: Reduce cyber security breaches
Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 27%

Key Results (start / target / current / progress):
KR 1, MTTD (decrease): 10 min / 5 min / 8 min / 40%
KR 2, Phishing rate (decrease; assignee Roger Smith): 20% / 8% / 17% / 25%
KR 3, Botnet Infection rate (decrease; assignee Alice): 200 / 100 / 167 / 13%

Example 7

IT Security Training: It is the knowledge and attitude that members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization.

Objective : Increase awareness on information security among employees

KR 1 : Increase % of employees in security roles receiving specialized security training (e.g. NIST 800-50) from 50% to 75%

KR 2 : Increase the average security awareness training score from 70% to 80%

KR 3 : Increase the complexity of average password strength for all logins from strong to very strong

Tracker card: Increase awareness on information security among employees
Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 31%

Key Results (start / target / current / progress):
KR 1, Security Training (increase): 50% / 75% / 62% / 48%
KR 2, Security Training (increase; assignee Roger Smith): 70% / 80% / 73% / 30%
KR 3, Password strength (milestone KPI; assignee Alice): 0% / 100% / 15% / 15%

Example 8

Anti-Spam Management: It refers to the use of any software, hardware or process to block spam from entering a system. The anti-spam software uses a set of protocols to determine unsolicited and unwanted messages and prevent those messages from getting to a user’s inbox.

Objective : Improve anti-spam protocol to filter the unsolicited messages on employees’ inbox

KR 1 : Decrease the percentage of average incoming emails for a calendar day that were delivered to the instance and marked as spam from 15% to 5%

KR 2 : Maintain the volume of data transferred using the corporate network between 80% and 120% of average daily data volume

KR 3 : Reduce the volume of Non-human traffic (NHT) on the website to less than 1%

Tracker card: Improve anti-spam protocol to filter the unsolicited messages on employees’ inbox
Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 39%

Key Results (start / target / current / progress):
KR 1, Anti Spam filter (decrease): 15% / 5% / 9% / 60%
KR 2, Data volume (control KPI, lower bound / upper bound / current / progress; assignee Roger Smith): 60% / 120% / 84% / 8%
KR 3, NHT (decrease; assignee Alice): 1% / 0% / 0.5% / 50%

Example 9

Physical security: The purpose of the Physical Security Policy is to establish the rules for granting, controlling, monitoring and removing physical access to office premises; to identify sensitive areas within the organization; and to define and restrict access to them.

Objective : Improve the physical and access security policy

KR 1 : Reduce the number of tailgating incidents from 5 to 0 per month

KR 2 : Improve response efficiency by reducing the average emergency response time from 10 mins to 5 mins

KR 3 : Reduce the time taken to deactivate former employee credentials from 24 hours to 4 hours

Tracker card: Improve the physical and access security policy
Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 31%

Key Results (start / target / current / progress):
KR 1, Tailgating incidents (decrease): 5 / 0 / 3 / 40%
KR 2, Emergency Response Time (decrease; assignee Roger Smith): 10 min / 5 min / 9 min / 20%
KR 3, Deactivation time (decrease; assignee Alice): 24 hours / 4 hours / 22 hours / 10%

Example 10

Risk Management: It is the process of identifying, assessing and controlling threats to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters

Objective : Improve risk management process

KR 1 : Reduce network dwell time (the mean time an attacker has undetected access to sensitive data before being removed) from 10 mins to 1 min

KR 2 : Maintain the % of systems with an approved system security plan at 99% or higher

KR 3 : Increase the percentage of mitigated risks from 90% to 100%

Tracker card: Improve risk management process
Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 28%

Key Results (start / target / current / progress):
KR 1, Dwell Time (decrease): 10 min / 1 min / 5 min / 56%
KR 2, System security (control KPI, lower bound / upper bound / current / progress; assignee Roger Smith): 49% / 149% / 71% / 8%
KR 3, Risk mitigation (increase; assignee Alice): 90% / 100% / 92% / 20%

Conclusion:

Using the above IT security OKRs as inspiration, IT organizations can start framing their own security OKRs to monitor and track their IT security policies and procedures. Building such OKRs helps teams foresee threats and work out the measures needed to protect the organization’s security posture. These OKRs hold the organization’s defences to the predictable outcomes that its policies claim to deliver. In general, setting OKRs for IT security policies develops goals, builds confidence and proves to be a very good way to go.
