10 Great IT Security OKR Examples

Category: IT Security OKRs.

Introduction

IT security management describes the structured fitting of security into an organization. It specifies the aspects of establishing, implementing, operating, monitoring, reviewing, maintaining and improving the Information Security Management System within the context of the organization’s overall business risks.

Information security management aims to ensure the confidentiality, integrity and availability of an organization’s information, data and IT services. The primary goal of information security is to control access to information. Information security management provides the strategic direction for security activities and ensures that objectives are achieved. Hence it is of the utmost importance for any organization to align its objectives with that strategic direction.

OKRs act as a safety net that links strategies with objectives and helps with their execution. Using OKRs puts an organization on track and measures the distance (the key results) it still has to cover to reach the target. It is also possible to check the key achievements and progress every quarter and see how much progress has been built up by driving the OKRs. This blog highlights some insights on framing IT security policy OKR examples that would help any organization execute its security objectives.

Objective #1: Improve efficiency of vulnerability assessment process

Vulnerability Assessment: a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation where needed.

Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 27%

Key Results

- Decrease the number of undetected intrusion attempts within a given period from 2% to 0%
  Metric: Intrusion Rate. Start 2%, target 0%, current 1%. Progress: 50%

- Reduce the number of unidentified devices on the network at any point in time from 5 to 0
  Metric: Unidentified devices. Start 5, target 0, current 4. Progress: 20%

- Reduce the number of spoofing attacks (IP address spoofing, DNS spoofing, HTTPS spoofing) from 200 to 10 per day
  Metric: Spoofing attacks per day. Start 200, target 10, current 179. Progress: 11%
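The progress figures on these cards follow from the start, target and current values. The script below is an added example (not part of the original post or of any OKR tool) that reproduces them for Objectives #1 and #2 under two assumptions: key-result progress is linear between start and target, and an objective rolls up as the equal-weight mean of its key results. Control-type key results (a value kept within a range) are left out because the post does not show how their progress is scored.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class KeyResult:
    """One key result as shown on an OKR card; values transcribed from the post."""
    name: str
    kind: str       # "increase" or "decrease"
    start: float
    target: float
    current: float


def kr_progress(kr: KeyResult) -> int:
    """Linear progress from start toward target, in whole percent, clamped to 0..100.

    One formula serves both directions: for a "decrease" KR the span
    (target - start) is negative, and so is (current - start) while the
    value moves the right way, so the ratio stays positive.
    """
    span = kr.target - kr.start
    if span == 0:
        raise ValueError(f"{kr.name}: start and target are equal, nothing to measure")
    if (kr.kind == "increase") != (span > 0):
        raise ValueError(f"{kr.name}: target is not in the '{kr.kind}' direction from start")
    ratio = (kr.current - kr.start) / span
    return round(100 * min(1.0, max(0.0, ratio)))


def objective_progress(krs: list[KeyResult]) -> int:
    """Equal-weight rollup of an objective's key results (assumed, not stated by the post)."""
    return round(sum(kr_progress(k) for k in krs) / len(krs))


# Sample data constructed from the Objective #1 and #2 cards above.
OBJECTIVE_1 = [
    KeyResult("Intrusion rate (%)", "decrease", 2, 0, 1),
    KeyResult("Unidentified devices", "decrease", 5, 0, 4),
    KeyResult("Spoofing attacks per day", "decrease", 200, 10, 179),
]
OBJECTIVE_2 = [
    KeyResult("MTTP (days)", "decrease", 90, 60, 76),
    KeyResult("Patch coverage (%)", "increase", 90, 95, 91),
    KeyResult("Automated patch coverage (%)", "increase", 50, 75, 52),
]

if __name__ == "__main__":
    for label, krs in (("Objective #1", OBJECTIVE_1), ("Objective #2", OBJECTIVE_2)):
        for kr in krs:
            print(f"  {kr.name}: {kr_progress(kr)}%")
        print(f"{label} progress: {objective_progress(krs)}%")
```

Running it prints 50%, 20% and 11% for the three key results of Objective #1 and a 27% rollup, matching the card; a card whose figures do not match this formula is a sign the tool weights key results differently.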

Objective #2: Improve patch management process

Patch Management: the process of distributing and applying updates to applications. Such patches are often necessary to correct errors (also referred to as “vulnerabilities” or “bugs”) in the software.

Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 25%

Key Results

- Decrease the mean time to patch (MTTP) from 90 days to 60 days
  Metric: MTTP. Start 90 days, target 60 days, current 76 days. Progress: 47%

- Increase the percentage of systems that have the latest OS or application patches installed from 90% to 95%
  Metric: Patch coverage. Start 90%, target 95%, current 91%. Progress: 20%

- Improve the coverage of the automated patch deployment process from 50% to 75%, so that patches are deployed automatically according to the deployment policies
  Metric: Automated patch coverage. Start 50%, target 75%, current 52%. Progress: 8%

Objective #3: Improve antivirus protection coverage

Antivirus/Antispyware coverage: virus protection should be installed on every machine on the network. All antivirus clients, servers and gateway products should be kept actively running and capable of generating audit logs at all times.

Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 19%

Key Results

- Increase the percentage of systems that have antivirus software installed from 99% to 100%
  Metric: AV software. Start 99%, target 100%, current 99.4%. Progress: 40%

- Increase the percentage of systems that have the latest antivirus definitions installed from 95% to 99%
  Metric: AV definitions. Start 95%, target 99%, current 96%. Progress: 25%

- Reduce the number of incorrectly configured SSL certificates from 10 to 1
  Metric: SSL certificates. Start 10, target 1, current 9. Progress: 10%

Objective #4: Improve incident management process

Incident Management: the activities an organization carries out to identify, analyze and correct hazards so that an incident does not recur.

Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 27%

Key Results

- Increase the strength of the dedicated incident response team from 4 to 8
  Metric: Incident Response. Start 4, target 8, current 6. Progress: 50%

- Decrease the mean time to resolve (MTTR) severity 2 incidents from 120 mins to 90 mins
  Metric: MTTR. Start 120 mins, target 90 mins, current 111 mins. Progress: 30%

- Decrease the number of recurring incidents per month from 20 to 5 (through the KMDB)
  Metric: Recurring incidents. Start 20, target 5, current 17. Progress: 20%

- Decrease the average downtime per quarter due to security incidents from 45 mins to 5 mins
  Metric: Downtime. Start 45 mins, target 5 mins, current 41 mins. Progress: 10%

Objective #5: Improve audit management activities to minimize security breaches

Audit Management: a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria.

Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 27%

Key Results

- Increase monitoring time for communication ports that allow remote sessions (TCP 22 (SSH), TCP 23 (telnet), TCP 3389 (RDP), and TCP 20 and 21 (FTP)) from 1 min to 5 mins
  Metric: Remote session monitoring. Start 1 min, target 5 mins, current 3 mins. Progress: 50%

- Increase the frequency of review of third-party access to the company’s network from every 3 days to daily
  Metric: 3rd party access review. Start 3 days, target 1 day, current 2 days. Progress: 50%

- Increase the frequency of IT security audits from half-yearly to quarterly
  Metric: Security audit frequency. Start 6 months, target 3 months, current 4 months. Progress: 33%

Objective #6: Reduce cyber security breaches

Cybersecurity: the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software or electronic data, as well as from the disruption or misdirection of the services they provide.

Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 27%

Key Results

- Decrease the mean time to detect (MTTD), the average time the cybersecurity team or security operations center takes to become aware of a potential security incident, from 10 mins to 5 mins
  Metric: MTTD. Start 10 mins, target 5 mins, current 8 mins. Progress: 40%

- Decrease the percentage of the employee population falling for phishing attempts from 20% to 8%
  Metric: Phishing rate. Start 20%, target 8%, current 17%. Progress: 25%

- Reduce the botnet infection rate per month from 200 to 100
  Metric: Botnet infection rate. Start 200, target 100, current 167. Progress: 13%

Objective #7: Increase awareness of information security among employees

IT Security Training: the knowledge and attitude that members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization.

Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 31%

Key Results

- Increase the percentage of employees in security roles receiving specialized security training (e.g. per NIST SP 800-50) from 50% to 75%
  Metric: Security training. Start 50%, target 75%, current 62%. Progress: 48%

- Increase the average security awareness training score from 70% to 80%
  Metric: Security training score. Start 70%, target 80%, current 73%. Progress: 30%

- Increase the average password strength for all logins from strong to very strong
  Metric: Password strength (milestone). Start 0%, target 100%, current 15%. Progress: 15%

Objective #8: Improve the anti-spam protocol to filter unsolicited messages from employees’ inboxes

Anti-Spam Management: the use of any software, hardware or process to block spam from entering a system. Anti-spam software uses a set of rules to identify unsolicited and unwanted messages and prevent them from reaching a user’s inbox.

Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 39%

Key Results

- Decrease the percentage of incoming emails per calendar day that are delivered to the instance and marked as spam from 15% to 5%
  Metric: Anti-spam filter. Start 15%, target 5%, current 9%. Progress: 60%

- Maintain the volume of data transferred over the corporate network between 80% and 120% of the average daily data volume
  Metric: Data volume (control KPI). Lower bound 60%, upper bound 120%, current 84%. Progress: 8%

- Reduce the volume of non-human traffic (NHT) on the website to less than 1%
  Metric: NHT. Start 1%, target 0%, current 0.5%. Progress: 50%

Objective #9: Improve the physical and access security policy

Physical security: the purpose of the physical security policy is to establish the rules for granting, controlling, monitoring and removing physical access to office premises; to identify sensitive areas within the organization; and to define and restrict access to them.

Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 31%

Key Results

- Reduce the number of tailgating incidents per month from 5 to 0
  Metric: Tailgating incidents. Start 5, target 0, current 3. Progress: 40%

- Improve response efficiency by reducing the average emergency response time from 10 mins to 5 mins
  Metric: Emergency response time. Start 10 mins, target 5 mins, current 9 mins. Progress: 20%

- Reduce the time taken to deactivate former employees’ credentials from 24 hours to 4 hours
  Metric: Deactivation time. Start 24 hours, target 4 hours, current 22 hours. Progress: 10%

Objective #10: Improve risk management process

Risk Management: the process of identifying, assessing and controlling threats to an organization’s capital and earnings. These threats, or risks, can stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.

Owner: David Griffin | Target Date: Q2-2021 | Visibility: All Employees | Objective progress: 28%

Key Results

- Reduce network dwell time (the mean time an attacker has undetected access to sensitive data before being removed) from 10 mins to 1 min
  Metric: Dwell time. Start 10 mins, target 1 min, current 5 mins. Progress: 56%

- Maintain the percentage of systems with an approved system security plan at 99% or above
  Metric: System security (control KPI). Lower bound 49%, upper bound 149%, current 71%. Progress: 8%

- Increase the percentage of mitigated risks from 90% to 100%
  Metric: Risk mitigation. Start 90%, target 100%, current 92%. Progress: 20%

Conclusion:

Using the IT security OKRs above as inspiration, IT organizations can start framing their own security OKRs to monitor and track their IT security policies and procedures. Building such OKRs helps teams foresee threats and work out responses that protect the organization’s security posture, and it ties the policies to measurable outcomes they are expected to deliver. In general, setting OKRs for IT security policies gives the program concrete goals, builds confidence and has proved to be a very good way to go.
