“But I write cyber security policy for the company. How does this apply to me?” the corporate telecom lawyer asked me. We were in a large room filled with 149 of her colleagues from all over the world. I was on stage, giant screens behind me, teaching Objectives and Key Results. I’d just finished explaining the basics of OKRs. She understood right away how to set objectives. “Ensure organizational security is maintained at the highest levels.” She struggled with the perceived lack of “product” and “customers” in her world. Without those two elements OKRs seemed useless in her context.
“You make cyber security policy. That’s your product,” I said.
“Who do you write the policy for? Who consumes it?” I asked.
“Primarily external vendors who provide services for the company,” she replied.
“So, me,” I smiled. “I’m your target audience. I’m your ‘customer.’”
“And if you write the best cyber security policy? If it’s clear, effective and easy to follow? What do you hope to see me do differently?” I continued.
“Fewer data security breaches. Reduction in security costs. Faster onboarding time for vendors with less time spent by humans supporting that process.” She knew her stuff and responded quickly.
“You just wrote your first OKR,” I smiled again. I then proceeded to recount it to her on the big screens:
Objective: Ensure organizational security is maintained at the highest levels.
Key Result: Reduction of X% of data security breaches by external vendors.
Key Result: Y% drop in security costs due to reduction of breaches.
Key Result: Z% decrease in onboarding time of new vendors
I could see that she understood. The cyber security policy was her best guess at how to get these desired behaviors but it wasn’t the actual goal of her department. The goal was the behavior change.
Everyone makes a product. Everyone has customers. Take them into consideration when setting your goals for 2023.
Happy new year.