Applying OKR to a Security Learning Plan

I have recently been reading about a management and measurement framework called OKR (Objectives and Key Results). The framework was born at Intel under Andy Grove and has been championed in recent times by the venture capitalist John Doerr. I've been reading his book, "Measure What Matters", and I find it very compelling. The more I read about it, the more I feel that it fits my way of thinking about achieving goals.

Being of the "eat your own dog food" school of thought, I thought I'd try to apply OKR to my own personal goals first and then implement it across my organization. I have a bunch of OKRs for implementing this at we45, and I am chipping away at the Key Results with our various teams.

What is OKR?

Objectives and Key Results is a simple management framework for capturing goals, along with how you go about measuring and achieving them.

It starts with an Objective. An Objective is a high-level statement of direction or aspiration. For example, one of my personal Objectives is:

Become the most competent Kubernetes Security Expert

Obviously, this is a high-level statement of direction. It is:

  1. Aspirational
  2. (hopefully) inspiring
  3. a stretch

Objectives are meant to be high-level and, in some cases, extend across more than one quarter.

Working out how to achieve the Objective is where you frame Key Results. Key Results are the specific, measurable results that lead towards your Objective. For example, my Key Results for the Kubernetes Objective for this quarter are as follows:

  1. Integrate Keycloak OIDC and OAuth (SSO) with Kubernetes access control and implement it for one of our internal products, with documented findings
  2. Implement a single deployment with SPIFFE and Open Policy Agent, with documented findings
  3. Create my own Custom Resource Definition for $THING in Kubernetes, with documentation

It's very important for Key Results to be:

  1. Time-bound
  2. Specific, especially in terms of metrics. For example: increase load times by 20%, or deliver a single working example.
  3. A stretch
  4. Linked to the Objective

Key Results are NOT:

  • Tasks => tasks may arise from your Key Results, but they are not the Key Results themselves
  • Vague => Key Results are meant to be very specific about the deadline and the measure of achievement

At the end of the quarter, I will evaluate my performance against that goal without judgement and see whether I have achieved each Key Result or not. Simple.

The thing I really like about OKR is that you are not stuck with a static view of the goal-setting process. It is a dynamically evolving framework, self-driven and autonomous at heart.