How to organize cybersecurity in your company with the help of OKR

Nine out of ten companies experienced cyber attacks in the past year. Also because the workflow is not right. How objective and key results (OKR) can help to set up IT securely.

For almost two weeks nothing went in the Anhalt-Bitterfeld district. No e-mail program worked, no benefits could be paid out, not even the phones went off. Encryption software, so-called ransomware, prevented access to systems and data. In the same month, such an attack hit several companies around the world, in Sweden an entire supermarket chain had to close its stores because the cash register systems no longer worked, in Germany the food chain Tegut was affected.

According to Bitkom the total damage caused by such attacks in Germany last year amounts to 223 billion euros. And these are only the documented cases, the number of unreported cases is likely to be much higher. While large companies and corporations are already investing a lot of resources in the security of their systems, small and medium-sized companies in particular have a lot of catching up to do. Hacker groups have long since recognized this and are targeting them. Because all too often only one person or a small group is responsible for the cybersecurity of these companies, which in turn acts separately from other departments. And this is exactly where the problem lies: although security is essential, it is too often viewed separately from the overall strategy. Because in the end it’s not just about the best firewall or the best defense system. Rather, it is a matter of creating awareness for the everyday threat, the corresponding precautions and options for action throughout the company.

With regard to cybersecurity, companies can often only react, i.e. intervene, if gaps become apparent or an emergency occurs. For teams and employees in the field of cybersecurity, it is a great challenge to adequately protect the increasingly complex application landscape. They are seldom closely interlinked with the corporate strategy and as a result cannot control cybersecurity actively, but mostly only reactively.

In order to become active, it is worth taking a look at the method box: Working with OKR, short for Objectives and Key Results, is a way of getting closer to the topic and breaking down the cybersecurity monster into individual, comprehensible and feasible building blocks. OKR give organizations the opportunity to react very flexibly to situations. Instead of laying out strategy cycles over years, this method allows the individual cycles to be laid out over three or even one month without losing sight of the general goal, the objective. On the contrary: the individual steps make the big goal easier to digest. Tasks are sensibly divided within teams, transparency is increased and greater commitment is also ensured. In this way, the method promotes innovations and also the acceptance of measures within the team. It can also help to close the gap between management and team level, as it promotes exchange as a whole. On a weekly basis, goals are tracked and hurdles are discussed so that readjustments can be made in case of doubt. The entire team knows the most important issues and focuses on achieving the goals. The close-knit control and regular reflection of the goals in the process creates the possibility of reacting and making adjustments at short notice to changing framework conditions. OKR can also be used to check and measure which measures are successful and which are not.

With regard to a company’s security strategy, the same applies to the OKR method: Instead of continuing to work in silos and thus allowing the individual teams and departments to run in parallel, OKR offer the opportunity to close these gaps and control the entire security apparatus in this way to modify significantly. The targeted nature of the measures thus improves cybersecurity in the long term.

But where do you start? The first step must first be to do a maturity check – for example with the assessment tool for the ICT minimum standard of the Swiss Federal Office for National Economic Supply – to find out where the company is. A distinction is made according to different degrees of maturity, which relate to how far the company is in achieving the respective security levels. The different levels of maturity, in turn, can be broken down into key results, which at the end of the day contribute to an annual objective. So if an organization determines that it is currently at maturity level 2, an objective can be to achieve maturity level 3 by a certain point in time. The next step is then to define the specific activities that are necessary to achieve the goal. This is how the key results are created.

This method is particularly suitable in self-organized teams. Managers have the opportunity to fully involve their teams in all processes and at the same time to retain control. Micromanagement is therefore out of place with this method. Rather, it is about giving the individual team members responsibility for their respective tasks and, as a manager, being the connection to the other teams in the company and identifying the problems and challenges that prevent the team from achieving the goals.

But caution is also advised with the OKR method: Organizations are all too happy to use this tool without it making sense. If, for example, standard tasks are translated into OKR all at once, it quickly moves into pure performance management and tracking of individual services. There is also the risk of high complexity due to too many individual and diversified subject areas.

But when it comes to coordinating decentralized teams, bringing people and knowledge together and setting up a fluid security process, OKR can be the right method. Because prevention, reaction and evaluation are elementary for cybersecurity and that in turn for the security of the company itself.