“As a SaaS Founder and CTO, one field of particular special interest for me is software security. We are proud to have a few emerging software security companies use OKRs and KPIs on Fitbots. I can attest to the importance of OKRs and KPIs for SaaS companies in 2023.”
- Kashi Ks
Tools like KPIs and OKRs provide a framework for measuring and tracking the effectiveness of security efforts, enabling teams to focus on the most critical areas and make progress toward their goals. By regularly reviewing progress against OKRs and KPIs, teams can identify areas for improvement and make necessary adjustments. This ensures that security efforts are aligned with the overall objectives of the organization and that resources are being used effectively. In today's digital landscape, where security threats are constantly evolving, SaaS companies must stay on top of their security measures. OKRs and KPIs provide a means to do so, by keeping the security team focused on the most important objectives, and by providing a way to evaluate performance against these objectives over time.
According to a study by the Ponemon Institute, the average cost of a data breach for a company is $3.86 million. This highlights the financial impact that a security failure can have on a business. Additionally, a study by Gartner predicts that by 2023, 30% of all companies will use OKRs to measure and track their security performance, up from 20% in 2018. This trend highlights the growing importance of these tools in the field of software security.
Furthermore, OKRs and KPIs are important for SaaS security teams, as they can help identify areas of risk and prioritize resources to mitigate those risks. For instance, setting a KPI for the number of vulnerabilities found and fixed can help the security team to focus on finding and mitigating vulnerabilities as soon as they are discovered. Additionally, OKRs can be used to set and measure progress towards objectives such as reducing the number of successful attacks on the company's systems or increasing the percentage of systems that are compliant with industry standards. To start with, here’s how you can write OKRs for your organization’s security and AppSec programs.
In short, OKRs and KPIs are essential tools for SaaS companies in 2023, as they provide a framework for measuring and tracking the effectiveness of security efforts, enabling teams to focus on the most critical areas and make progress toward their goals. These tools are becoming increasingly important as the costs of data breaches continue to rise and the need to stay ahead of evolving security threats becomes more pressing.
Following are the top 20 KPIs we see being managed by SaaS product security teams along with the levers used to achieve them.
1. Vulnerability Density: Number of vulnerabilities per 1,000 lines of code, measured quarterly. Lever: Regular security audits and code reviews.
2. Incident Response Time: The time taken to identify and resolve a security incident, measured daily. Lever: Regular incident response drills and incident response plans.
3. Security Compliance: Percentage of compliance with industry-specific security regulations, measured monthly. Lever: Regular security audits and compliance assessments.
4. Security Training Completion: Percentage of employees who have completed mandatory security training, measured monthly. Lever: Regular security awareness training and testing.
5. Network Security: Percentage of network traffic that is secure and encrypted, measured daily. Lever: Regular network security assessments and penetration testing.
6. Application Security: Percentage of applications that are free from known vulnerabilities, measured monthly. Lever: Regular application security testing and remediation.
7. Malware Detection: Number of malware instances detected and blocked, measured daily. Lever: Regular malware scans and endpoint protection.
8. Phishing Detection: Number of phishing attempts detected and blocked, measured daily. Lever: Regular phishing simulation tests and employee education.
9. Data Loss Prevention: Number of data loss incidents prevented, measured monthly. Lever: Regular data loss prevention assessments and employee education.
10. Security Incident Rate: Number of security incidents per 1,000 users, measured monthly. Lever: Regular security incident response and incident reporting.
11. Penetration Testing Pass Rate: Percentage of successful penetration tests, measured quarterly. Lever: Regular penetration testing and remediation.
12. Security Automation: Percentage of security processes that are automated, measured quarterly. Lever: Implementation of security automation tools and technologies.
13. Security Team Utilization: Percentage of the security team's time spent on proactive security measures, measured monthly. Lever: Regular security team training and skill development.
14. Cloud Security: Percentage of cloud infrastructure that is secured, measured monthly. Lever: Regular cloud security assessments and remediation.
15. Identity and Access Management: Percentage of users who have appropriate access to resources, measured monthly. Lever: Regular identity and access management assessments and remediation.
16. Security Governance: Percentage of security policies and procedures that are up to date, measured quarterly. Lever: Regular security governance review and updates.
17. Security Metrics: Number of security metrics being tracked and reported, measured quarterly. Lever: Regular security metric tracking and reporting.
18. Security Incident Severity: Average severity of security incidents, measured monthly. Lever: Regular incident response and incident reporting.
19. Security Budget: Percentage of budget allocated to security, measured annually. Lever: Regular security budget planning and reviews.
20. Third-Party Risk Management: Percentage of third-party relationships that are securely managed, measured quarterly. Lever: Regular third-party security assessments and contracts review.
Trust and compliance are the top priorities for CTOs and CSOs in 2023 in order to win business and drive growth. The following example represents an OKR set by the security team.
Objective: Improve software security in order to drive trust among customers and reduce organizational breach risk
KR: Reduce the vulnerability density by 30% in the next quarter
KR: Reduce the incident response time by 50% in the next quarter
KR: Achieve compliance with industry-specific security regulations within the next quarter
KR: Increase the security training completion rate to 90% in the next quarter
KR: Block 90% of network traffic that is not secure and encrypted in the next quarter
KR: Increase the percentage of applications that are free from known vulnerabilities to 90% in the next quarter
KR: Block 95% of malware instances in the next quarter
KR: Block 90% of phishing attempts in the next quarter
KR: Prevent 90% of data loss incidents in the next quarter
KR: Reduce the security incident rate by 50% in the next quarter
KR: Achieve a penetration testing pass rate of 95% in the next quarter
KR: Automate 80% of security processes in the next quarter
At Fitbots we are obsessed with OKRs, KPIs, and strategy execution. Beyond helping you figure out what to measure, we strongly believe that actions drive progress. Fitbots software is specially tuned to help you drive actions with both OKRs and KPIs, no matter how you choose to run your business.
Kashi is the Co-founder and CTO of Fitbots. Kashi has coached over 700 teams on OKRs, with a focus on helping founders and teams achieve more with OKRs. His niche is the future of work, bringing technology to life.