Sales teams flash big revenue numbers. Product teams show spiking engagement. How can security teams show their impact through metrics? If you ask for investment - bigger teams and better tools - you should be able to show returns. Saying “trust us, we’re experts” without the data to back it up leads to low-impact projects that other teams ignore. Security objectives and key results (OKRs) make it clear whether your team is on the right track. Effective security OKRs drive trust outside of the team and focus within it. Ineffective security OKRs are drafted with good intentions, but recede into the background soon after. I've discovered some principles that I think help define security objectives that matter. Security objectives should be... - Aligned to broader company objectives - Consensus-driven with diverse perspectives - Collaborative with other company functions Security key results should be... - Decidable using metrics that are actively tracked - calculated automatically and viewable by anyone at any time - Flexible enough to adapt to new information about how the metric aligns with an objective - Challenging and inspirational to the team - Accountable and used to drive team learning Good security OKRs require effort to establish but can have a huge leverage by influencing up, down, and across the organization. Like the rest of a security program, they are grown over time. Establishing a process for building effective security OKRs and iterating regularly will help your team achieve its mission.