Abhay Bhargav has a really excellent post on Better OKRs for Security through Effective Threat Modeling. I really like how he doesn’t complain about the communication issues between security and management, but offers up a concrete suggestion for improvement.
Key quote: “Effective Threat Modeling by itself can ensure that your OKRs and AppSec Program are not only in great tactical shape, but also help define a strategic roadmap for your AppSec Program.”
I like the post so much that I have only a small amount to add. I think we could benefit by sharing sample OKRs around either threat modeling, the four questions, or smaller deliverables.
I am not a master of the OKR form, but some simple examples might include:
- Increase assurance that we’re making the right security investments by having current threat model documents for 95% of our apps and operational environments. (Where current is some time metric related to velocity) or
- Improve system resilience by revisiting ‘what can go wrong’ for a system that’s led to lots of operational problems.
- Improve defenses by adding one test case for each of STIDE per sprint to existing code for at least 75% of sprint stories.
- Reduce security debt by 10% over Q1 by going back and creating appropriate system models for 5 of the Legacy Deployments.
Ideally, these would be anonymized versions of real OKRs, possibly with history. (For example, “I started by asking for one of each STRIDE test cases, but there was strong pushback because we concentrate our model of repudiation in our support use cases.”)