This set of Objectives and Key Results (OKRs) is complementary either to testing your current security culture or to beginning to build one from scratch. Note that they will almost certainly need customization for your enterprise. You may use all or some of them, depending on your strategies for the year.
Objective 1: Foster a Culture of Cyber Security
Key Results:
- Achieve voluntary disclosures of potential cyber security issues from at least 0.25% of employees annually.
- Demonstrate public participation from each executive leader in at least 1 security awareness initiative per year.
- Reduce the share of line-level employees who fail three phishing simulations in a year to 0%, and the share of privileged access users and senior leaders who fail two phishing simulations in a year to 0%.
- Achieve a 20% reduction in repeat offenders annually.
- Obtain testimonials annually from at least 25 randomly selected line-level operational employees, with 20 out of 25 able to confidently explain three security expectations of the enterprise and describe how the enterprise ensures compliance with each.
- Perform clean desk audits of each functional area separately on an annual basis, resulting in a violation rate below 1%.
Objective 2: Improve Cross-Functional Collaboration on Security
Key Results:
- Establish monthly cross-functional meetings between IT, security operations, and security governance, with a minimum attendance rate of 80%.
- Develop and implement a collaborative project between IT and security operations to identify and mitigate at least 5 security vulnerabilities per quarter.
- Increase the number of enterprise-wide security discussions to at least 4 per year, focusing on recent security challenges and solutions.
Objective 3: Enhance Visibility and Accountability in Security Behaviors
Key Results:
- Achieve a 25% reduction in behavior analytics policy violations, as reported by the SOC, by the end of the year.
Objective 4: Enhance Secure Coding Practices
Key Results: