It is increasing fundamental, in my opinion, wherever possible to work for goals. But what does it mean and how can it also be applied in the context of SAP security systems?
What does the acronym OKR mean and why is it different from MBO, for example?
What does OKR stand for?
This acronym stands for Objectives & Key Results. As often happens with the translation of an acronym, one probably fails to grasp its meaning and application.
However, it is possible to imagine this as a method of setting "key" goals and outcomes that allow one to control, measure and achieve the strategic or personal goals defined in the company.
Why is it important to think in terms of goals?
It is not always and in every situation possible, however, in many contexts it is. It allows each of us, in my opinion, to try to identify small goals (more or less easy to achieve) that lead us to get a result.
I believe it is fundamental that we always think objectively and not subjectively in setting these goals, reasoning by small key accomplishments.
In the context of SAP security system a few examples might be as follows:
- Securing the SAP system(s)
- Providing training
- Apply the principles of Segregation Of Duties
These examples, here, are perhaps too general. As we know, in the first case, the word SAP Security, now is a small "world" within which there are many facets ( Attack Surface) that can/should be addressed.
So it is better to go into some detail by trying to modify this approach and defining, for example, key outcomes or sub-goals.
- Reducing to zero the number of users with SAP_ALL in the production system
- Remove critical authorizations to non-administrative personnel
- Define a matrix of corporate access risks
In the examples above, a specific outcome is precisely identified. That may be part of a larger goal such as "Securing an SAP system" but with a certain specific action or sequence of actions.
Making the result objective is therefore a key first point, when defining the strategy related to the goals.
But how many goals are needed?
As often happens, it is easy to get carried away at first. Sometimes thinking that little is mediocre prompts us to define an extensive list. However, in such cases it is not so easy, then to do everything. One runs the risk of either failing to do anything or doing it poorly.
Therefore, it is better to start with a few goals, three/four, clearly defined. To us and to our referents (colleagues, superiors etcc). An ongoing monitoring process will then help us understand how things are going. In this case, a tool that allows us to keep track of updates could clearly be useful.
So is it better to reason by MBO or OKR?
These are two strategies with goals that have commonalities but also divergences evidently. Management by objectives (MBOs) are different in nature and purpose, but they have existed in different realities for a bit longer than OKRs.
I believe that in the context of cybersecurity, it may be more relevant to reason by the OKR method, for what reasons?
- Because they are assessed more frequently (monthly, quarterly), whereas MBOs tend to be annual
- MBOs are tied to a reward, while OKRs are not. This difference can lead to obtaining a de facto reward but without delivering a real benefit
- MBOs tend to be confidential while OKRs are public. I think it is useful for everyone to know what the goals are from an overall improvement perspective
- I perceive MBOs as "I've completed my own "little" task" (whether greater or lesser) while OKRs as the spirit of true innovation
This article was inspired by the book "OKR Revolution" by Jonh Doerr. Would you like to deepen the topic? Purchase here.
Topics: SAP Security, OKR