Services / Defense Strategy

Security Program Development

Achieve your defense targets with a strong security program foundation.

What is a Security Program?

Drive your Security Objectives

The security program is what drives a companies security objectives. High-quality programs primarily comprise of objectives that are linked to the strategic context and targets of the underlying business. They enable the business by combating threats ahead of the curve and making sure the right defense capabilities are in place at the right time. In simple terms: It gets you from A to B.

The Challenge

Defining the Right Objectives

Identifying the right objectives for a security program can be quite a challenge and many companies get caught up in over prioritizing initiatives or investments that have little strategic value. Top objectives address shortcomings on the defense side that effectively are must-win-battles to support the businesses short and long term targets.

Designing For Execution

In addition developing actionable objectives, running a successful security program requires a systematic and structured management approach that is designed for execution. This entails lightweight project management models, a framework for prioritisation, delineated responsibility and an approach to cut through operational complexity.

Obtaining Sponsorship & Buy-In

Once designed and developed, it is critical for the senior leadership team to take ownership of the program and jointly commit to objectives, priority, resources and the execution process. Achieving targets becomes unified effort that requires support from numerous stakeholders in the organization.

Our Unique Approach

OKR based Security Program

CISOCON develops security programs based on OKR. The acronym stands for Objectives and Key Results and is a very popular method used by the most successful technology companies worldwide to manage goals and excite teams to deliver their best work in pursuit of a shared purpose.

Elements of the OKR Model

Objectives describe the goals or outcomes that are set to be achieved during the period. They aim at maximum impact and are usually in hierarchical alignment, so that lower layer operational objectives contribute to the achievement of top layer strategic objectives.

Key Results

Key results are metrics with a distinct starting and target value. They quantify and measure the operational progress that has been achieved towards an objective.


Initiatives describe the the actual work that drives and influence key results. They are specific tasks, projects or similar activities linked to an objective.

Benefits of using OKR
Business Alignment

Clear-cut security objectives ensure that the security program is aligned with where the business is heading. Purpose and direction for any given activity are clearly stated and transparent to everyone contributing to the program.

Focused Execution

OKR, specifically the mapping between initiatives, key results and their parent objectives allow a focused execution on the work that has most impact - something that is easily lost in a space with overwhelming workload.


Effective project management requires work not just to be impactful, but measurable at the same time. Key results are metrics with discrete units, creating maximum transparency on operational progress and providing comfort to executive stakeholders.

Time Bound Iterations

OKR programs always run for a time bound period, ranging from one quarter to one year at max. Short and strict time frames enable effective review cycles to focus on what works and change course where required.

Delivery Process


Designing security programs is at the core of what we do. Our delivery process is simple and effective:

Designing the Engagement

The first step is to build a contextual frame around the engagement. This entails a breakdown of the business and organization, identification of all stakeholders, drivers & objectives, expected timeframe as well as the work that has already been done.

Understanding the Status Quo

In order to design and outline the target point, the current defense status must first be understood and examined as a baseline. The objective of the phase is not to dive into maximum depth of every security dimension, but rather to gauge what degree of hygiene maturity is in place and which defense capabilities exist in various critical fields.

Outlining the Target Point

The target point for the security program breaks into two distinct scopes: content and time horizon. Content entails a set of multi-layered strategic and operational defense objectives (technological, processual, organizational). Time sets a boundary for when these objectives need to be achieved to adequately support the business.

Developing OKR based Security Program

Based on all previously gathered insights about the business environment, current status quo and targets, an OKR based program roadmap can be developed. The outcome of this process will be a detailed, highly structured and pre-prioritized aggregation of all security objectives relevant for the upcoming period.

Presentation & Alignment

Lastly, the developed Security Program will be validated and adjusted through a phase of presentation and discussion with all stakeholders.

Our Services

We've created the following services for you.

Services / Defense Strategy

Professional Security Program Development

Full OKR based program development in alignment with business objectives.

Services / Defense Organization

Program Review & Revision

Review and strategic adjustments of your existing security program.