IT security management describes the structured fitting of security into an organization. It specifies the aspects of establishing, implementing, operating, monitoring, reviewing, maintaining and improving the Information Security Management System within the context of the organization’s overall business risks.
Information Security Management aims to ensure the confidentiality, integrity and availability of an organization’s information, data and IT services. The primary goal of information security is to control access to information. Information Security Management provides the strategic direction for security activities and ensures that objectives are achieved. Hence it is of utmost importance for any organization to align its objectives with that strategic direction.
OKRs act as a safety net that links strategies with objectives and helps execute them. Using OKRs puts an organization on track and helps measure the distance (key results) it still needs to cover to reach the target. It also makes it possible to check key achievements and progress every quarter and see how much momentum has been built by driving the OKRs. This blog highlights some insights on framing IT security policy OKRs, with examples that would help any organization execute its security objectives.
Vulnerability Assessment: It is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation whenever needed.
KR 1 : Decrease the number of undetected intrusion attempts within a given period from 2% to 0%
KR 2 : Reduce the number of unidentified devices on a network at any point of time from 5 to 0
KR 3 : Reduce the number of spoofing attacks – IP Address Spoofing, DNS Spoofing, HTTPS Spoofing – from 200 to 10 per day
Target Date: Q2-2021
Visibility: All Employees
Patch Management: It is the process of distributing and applying updates to applications. These patches are often necessary to correct errors (also referred to as “vulnerabilities” or “bugs”) in the software.
KR 1 : Decrease the average mean time to patch (MTTP) from 90 days to 60 days
KR 2 : Increase the percentage of systems that have the latest OS or application patches installed over time from 90% to 95%
KR 3 : Improve the efficiency of automated patch deployment process from 50% to 75% to ensure patches are automatically deployed based on the deployment policies
Target Date: Q2-2021
Visibility: All Employees
Antivirus/Antispyware coverage: Virus protection should be installed on every machine on the network. All antivirus clients, servers, and gateway products should be kept actively running and capable of generating audit logs at all times.
KR 1 : Increase % of systems that have antivirus software installed from 99% to 100%
KR 2 : Increase % of systems that have latest antivirus definitions installed from 95% to 99%
KR 3 : Reduce the number of incorrectly configured SSL certificates from 10 to 1
Target Date: Q2-2021
Visibility: All Employees
Incident Management: It describes the activities of an organization to identify, analyze and correct hazards in order to prevent a future recurrence of an incident.
KR 1 : Increase the strength of dedicated incident response team from 4 to 8
KR 2 : Decrease the mean time to resolve (MTTR) severity 2 incidents from 120 mins to 90 mins
KR 3 : Decrease the number of recurring incidents per month from 20 to 5 (through KMDB)
KR 4 : Decrease the average downtime per quarter due to security incidents from 45 mins to 5 mins
Target Date: Q2-2021
Visibility: All Employees
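Several of the key results above (the patch management KRs on MTTP and patched-system percentage, and the incident management KR on severity-2 MTTR) are averages or coverage ratios that have to be computed from records before a quarterly check-in can say how far along the KR is. The following is an added example, not code from the blog post, that computes those three metrics from constructed patch, inventory and incident records and then scores each KR's progress against the start and target values the post uses. The record layouts and the hostnames and ticket ids are assumptions made for the example.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data, not taken from the blog post.
# Patch records: (host, date the patch was released, date it was applied).
PATCH_RECORDS = [
    ("web-01", "2021-01-04", "2021-02-20"),
    ("web-02", "2021-01-04", "2021-03-31"),
    ("db-01", "2021-01-04", "2021-03-05"),
    ("app-01", "2021-02-01", "2021-03-15"),
]

# Inventory: (host, has the latest OS/application patches installed?)
INVENTORY = [
    ("web-01", True), ("web-02", True), ("db-01", True), ("app-01", True),
    ("app-02", False), ("bastion-01", True), ("build-01", True), ("legacy-01", True),
]

# Incident records: (ticket, severity, opened, resolved) as ISO-8601 timestamps.
INCIDENTS = [
    ("INC-1", 2, "2021-04-01T09:00", "2021-04-01T10:40"),
    ("INC-2", 2, "2021-04-02T14:00", "2021-04-02T15:20"),
    ("INC-3", 1, "2021-04-03T08:00", "2021-04-03T12:00"),
    ("INC-4", 2, "2021-04-05T11:30", "2021-04-05T13:30"),
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def mean_time_to_patch_days(records):
    """MTTP: average days between a patch's release and its application."""
    durations = [(_parse(applied) - _parse(released)).total_seconds() / 86400
                 for _host, released, applied in records]
    if not durations:
        raise ValueError("no patch records")
    return mean(durations)


def patch_coverage_pct(inventory):
    """Percentage of systems reporting the latest patches installed."""
    if not inventory:
        raise ValueError("empty inventory")
    current = sum(1 for _host, up_to_date in inventory if up_to_date)
    return 100.0 * current / len(inventory)


def mttr_minutes(incidents, severity):
    """MTTR for one severity level: average minutes from opened to resolved."""
    durations = [(_parse(resolved) - _parse(opened)).total_seconds() / 60
                 for _ticket, sev, opened, resolved in incidents if sev == severity]
    if not durations:
        raise ValueError(f"no severity-{severity} incidents")
    return mean(durations)


def kr_progress(start, target, current):
    """Fraction of a key result achieved, clamped to 0.0..1.0.

    Works for both 'decrease' and 'increase' KRs: the sign of (target - start)
    matches the sign of the desired movement, so a value that moved the wrong
    way scores 0 and one that overshot the target scores 1.
    """
    if target == start:
        raise ValueError("target must differ from start")
    return max(0.0, min(1.0, (current - start) / (target - start)))


if __name__ == "__main__":
    mttp = mean_time_to_patch_days(PATCH_RECORDS)
    coverage = patch_coverage_pct(INVENTORY)
    mttr = mttr_minutes(INCIDENTS, severity=2)
    print(f"MTTP {mttp:.1f} days, KR progress {kr_progress(90, 60, mttp):.0%}")
    print(f"Patched systems {coverage:.1f}%, KR progress {kr_progress(90, 95, coverage):.0%}")
    print(f"Sev-2 MTTR {mttr:.0f} min, KR progress {kr_progress(120, 90, mttr):.0%}")
```

With the constructed data the MTTP KR is already met (58.75 days against a 60-day target), the severity-2 MTTR KR is two-thirds of the way there, and the coverage KR scores 0% because 87.5% is below the 90% starting point; the clamping in kr_progress is what keeps a regression from showing up as negative progress.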
Audit Management: It is a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria.
KR 1 : Increase monitoring time for communication ports that allow remote sessions – TCP 22 (SSH), TCP 23 (telnet), TCP 3389 (RDP), and TCP 20 and 21 (FTP) – from 1 min to 5 mins
KR 2 : Increase the frequency of review of third-party access to the company’s network from every 3 days to every day
KR 3 : Increase the frequency of IT security audits from half yearly to quarterly
Target Date: Q2-2021
Visibility: All Employees
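The first audit KR names the ports that carry remote sessions (TCP 22, 23, 3389, 20 and 21). Monitoring them in practice means tallying accepted connections to those ports from a log source such as the firewall, so that the audit can report how many sessions each service saw and from which addresses. The following is an added example, not code from the blog post, that does that over a handful of constructed firewall log lines; the log format, the addresses and the `REMOTE_SESSION_PORTS` mapping are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Ports named in the audit KR, mapped to the service they carry.
REMOTE_SESSION_PORTS = {22: "SSH", 23: "telnet", 3389: "RDP", 20: "FTP", 21: "FTP"}

# Constructed firewall log lines (not from the blog post): one accepted
# connection per line, with protocol, source, destination and destination port.
SAMPLE_LOG = """\
2021-04-01T09:12:03Z ACCEPT proto=TCP src=10.0.0.5 dst=10.0.1.20 dport=3389
2021-04-01T09:12:09Z ACCEPT proto=TCP src=10.0.0.5 dst=10.0.1.21 dport=443
2021-04-01T09:15:41Z ACCEPT proto=TCP src=203.0.113.7 dst=10.0.1.22 dport=22
2021-04-01T09:16:02Z ACCEPT proto=TCP src=10.0.0.9 dst=10.0.1.30 dport=21
2021-04-01T09:20:17Z ACCEPT proto=TCP src=10.0.0.9 dst=10.0.1.31 dport=23
2021-04-01T09:21:00Z ACCEPT proto=UDP src=10.0.0.9 dst=10.0.1.31 dport=22
2021-04-01T09:25:55Z ACCEPT proto=TCP src=10.0.0.12 dst=10.0.1.22 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ACCEPT proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def remote_session_events(log_text):
    """Parse the log and keep only TCP connections to a remote-session port."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped rather than guessed at
        dport = int(m["dport"])
        # The KR lists TCP ports, so a UDP datagram to port 22 is not a session.
        if m["proto"] != "TCP" or dport not in REMOTE_SESSION_PORTS:
            continue
        events.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                       "dport": dport, "service": REMOTE_SESSION_PORTS[dport]})
    return events


def sessions_by_service(log_text):
    """Number of remote-session connections per service, e.g. {'SSH': 2, 'RDP': 1}."""
    return dict(Counter(e["service"] for e in remote_session_events(log_text)))


def sources_by_service(log_text):
    """Sorted distinct source addresses that opened sessions to each service."""
    seen = defaultdict(set)
    for e in remote_session_events(log_text):
        seen[e["service"]].add(e["src"])
    return {svc: sorted(srcs) for svc, srcs in seen.items()}


if __name__ == "__main__":
    print(sessions_by_service(SAMPLE_LOG))
    print(sources_by_service(SAMPLE_LOG))
```

Running it over the constructed lines reports two SSH sessions (one from outside the 10.0.0.0/8 range used for internal hosts in the sample), and one each for RDP, FTP and telnet; the HTTPS connection and the UDP line are ignored because the KR is about TCP remote-session ports only.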
Cybersecurity: It is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.
KR 1 : Decrease the time taken (MTTD) by the cybersecurity team or security operations center to become aware of a potential security incident (on average) from 10 mins to 5 mins
KR 2 : Decrease the percentage of employee population falling for phishing attempts from 20% to 8%
KR 3 : Reduce the botnet infection rate per month from 200 to 100
Target Date: Q2-2021
Visibility: All Employees
IT Security Training: It is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization.
KR 1 : Increase % of employees in security roles receiving specialized security training (e.g. NIST 800-50) from 50% to 75%
KR 2 : Increase the average security awareness training score from 70% to 80%
KR 3 : Increase the complexity of average password strength for all logins from strong to very strong
Target Date: Q2-2021
Visibility: All Employees
Anti-Spam Management: It refers to the use of any software, hardware or process to block spam from entering a system. The anti-spam software uses a set of protocols to determine unsolicited and unwanted messages and prevent those messages from getting to a user’s inbox.
KR 1 : Decrease the percentage of average incoming emails for a calendar day that were delivered to the instance and marked as spam from 15% to 5%
KR 2 : Maintain the volume of data transferred using the corporate network between 80% and 120% of average daily data volume
KR 3 : Reduce the volume of non-human traffic (NHT) on the website to less than 1%
Target Date: Q2-2021
Visibility: All Employees
Physical security: The purpose of the Physical Security Policy is to establish the rules for granting, controlling, monitoring, and removing physical access to office premises; to identify sensitive areas within the organization; and to define and restrict access to them.
KR 1 : Reduce the number of tailgating incidents from 5 to 0 per month
KR 2 : Improve response efficiency by reducing the average emergency response time from 10 mins to 5 mins
KR 3 : Reduce the time taken to deactivate former employee credentials from 24 hours to 4 hours
Target Date: Q2-2021
Visibility: All Employees
Risk Management: It is the process of identifying, assessing and controlling threats to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.
KR 1 : Reduce network dwell time from 10 mins to 1 min (the mean time an attacker has undetected access to sensitive data without being removed)
KR 2 : Maintain the % of systems with an approved system security plan at 99% or higher
KR 3 : Increase the percentage of mitigated risks from 90% to 100%
Target Date: Q2-2021
Visibility: All Employees
Using the above IT security OKRs as inspiration, IT organizations can start framing their own security OKRs to monitor and track their IT security policies and procedures. Building such OKRs helps teams foresee threats and work out solutions that protect the organization’s security posture. These OKRs help strengthen an organization’s defences with the predictable outcomes that the policies claim to deliver. In general, setting OKRs for IT security policies sharpens goals, builds confidence and proves to be a sound way forward.