FY21-Q2 Security Department OKRs
Create Security Operational Risk Management Program => 90%
Objective (IACV):
- Key Result: Risk Management policy updates including methodology for operational risk and risk ratings => 100%
- Key Result: Completion of annual operational risk assessment => 100%
- Key Result: Implementation and execution of remediation plans for all high and moderate risks => 85%
Implement Complete Product Code Scanning Coverage => 80%
Objective (product):
- Key Result: Applicable Secure products incorporated in all projects => 88%
- Key Result: Complete Twistlock/Anchore implementation => 66%
- Key Result: Create dashboards for Dev teams to review => 88%
Improve Incident Response Metrics and Reporting => 75%
Objective (team):
- Key Result: Clearly defined incident categories and KPIs => 100%
- Key Result: Automated data aggregation from issues and incident pages => 75%
- Key Result: Deployment of Metrics Dashboard => 50%
Retrospection
Good
- Risk Management Program initiated
- Risk Methodology established
- Risk Management Policy published
- Risk Register created and populated for: Security, Infrastructure, IT, and Product orgs
- 2020 Annual Risk Assessment created, communicated to stakeholders, DRIs assigned
- Anchore and Twistlock proof of concept completed and running in the DoD environment
- Enablement of all Secure tools across all major repositories mostly complete
- SIRT team KPIs established
- SIRT team dashboards created in Sisense
- Security Org KPIs and PIs redefined on handbook page
Bad
- 1 OKR was originally not scoped correctly and had to be repurposed weeks into Q2
- Still not officially licensed for Anchore or Twistlock
- AppSec dashboards for dev teams not completed or implemented
- SIEM not yet implemented
Try
- Complete a proper review of quarterly OKRs moving forward to ensure the appropriateness of proposed work
- Carry over the initiative to create AppSec dashboards for dev teams into Q3
- A number of KRs and objectives to carry over to Q3
- Cleanup and prioritization of tasks to date still need to happen
- Need to be more aggressive with security assurance OKRs
- Risk team should be moved earlier into the product/dev process to create a more efficient process of identification
Edited by Johnathan Hunt