Role Playbook
SaaS
200-500 employees
CISO · Head of Security
Every quarter you're either compliant or you're not. Every audit you either pass or you don't. That's the CISO OKR trap at 200-500 SaaS — and yet your KRs depend on Engineering shipping fixes you can't write yourself.
Critical CVEs sit in Eng backlogCVSS 9.4 vuln logged Tuesday. Eng prioritizes feature work. Two weeks pass. Now your 14-day SLA is breached and audit findings are mounting.
Audit prep is a 60-day quarterly fire drillQ3 starts: "let's get ready for SOC 2." Q3 ends: 4 weeks of chasing screenshots, evidence, and Eng team commits. Pass barely, then the cycle repeats.
Enterprise deals stall on security review$800K deal in legal. Customer security questionnaire takes 6 weeks. Sales blames you. You're filling out the same questionnaire Marketing said you already had.
Phishing simulation finds 18% click rateMarketing says employees are smart. Q3 phishing test: 18% clicked. Compliance says retraining; Engineering says inbox-volume problem. You own the number.
Eng deprioritizes critical-CVE patches
→
Audit findings land on you
IT delays access reviews
→
Compliance posture decays
VPs skip phishing-training rollouts
→
Click-rate metrics blow up
The job isn't writing the SOC 2 evidence pack. It's making security work auditable in Eng's sprint — not in the audit retro.
THE SCORECARD
Three CISO OKRs that defend the seat at 200-500 SaaS.
You don't write the SAST integration. You don't chase audit evidence. You don't rotate credentials. You own the three bets that turn the seat from quarterly fire drill into continuous operating cadence — CVE SLA, audit posture, build-time discipline. Three objectives below.
| Objective | Key Result | Benchmark / Threshold | Target |
|---|
| Critical vulnerabilities never sit open past SLA — across every production service O1 · Outcome state. Auditors and customers ask one question: are critical CVEs open past SLA? You either are, or you aren't. |
100% of CVSS 9.0+ critical vulnerabilities remediated within 14 days, no exceptions14 days because beyond that, exploit windows compound and audit findings become unavoidable; 100% because exception-driven SLAs become aspirational |
60-80% typical Threshold | 100% |
| 100% of CVSS 7.0-8.9 high-severity vulnerabilities remediated within 30 days30 days because high-severity ships on customer infrastructure; longer cycles compound risk surface |
50-70% typical Threshold | 100% |
| SBOM coverage on all production services ≥ 95%, refreshed weekly95% because below 90% you can't trace dependencies on a critical CVE within hours; weekly because new vulnerabilities surface daily |
40-60% typical Threshold | ≥ 95% |
| Audit readiness holds continuously — not as a quarterly fire drill O2 · Outcome state. Compliance is operational, not theatrical. Auditors find what monitoring already surfaced. |
SOC 2 Type II audit-readiness score ≥ 90%, measured monthly via continuous-controls platform90% because below that, surprise findings become likely; monthly because quarterly checks miss control drift |
60-75% mid-cycle Threshold | ≥ 90% |
| Zero open Tier-1 audit findings older than 30 days30 days because beyond that, findings become repeat findings, which trigger material weakness flags |
3-8 typical Threshold | 0 |
| Security catches vulnerabilities at build-time — not at release-time or post-incident O3 · Outcome state. Findings caught in CI/CD are 50× cheaper than post-release. Discipline lives in the SDLC, not in the audit retro. |
100% of production releases include automated SAST + DAST + SCA scans in CI/CD with blocking thresholds100% because partial coverage means inconsistent enforcement; blocking because non-blocking scans become advisory and ignored |
~40-60% typical Threshold | 100% |
| Phishing-simulation failure rate < 5% sustained over 4 quarters; 100% remediation training within 7 days5% means awareness is structurally working; 7-day training because longer means employees forget the failure context |
12-22% failure typical Threshold | < 5% |
How to start in week 1 of the quarter
Don't migrate the SIEM. Don't run the org-wide phishing simulation. Do these five things:
→ Pull the current CVE backlog. Bucket by CVSS severity. Count how many critical (9.0+) and high (7.0-8.9) are open past SLA. That's your O1 baseline.
→ Score current audit-readiness via your GRC platform (or manual spot-check on top 20 controls if no platform). The gap to 90% is your O2 baseline; the path to it is the 30-day actions.
→ Audit current CI/CD pipelines: which production services have SAST + DAST + SCA running with blocking thresholds? Which run scans non-blocking or skip them? That's your O3 baseline.
→ Get the CTO and VP Eng in a 60-minute meeting. Walk through the CVE-SLA breach data + secure-SDLC gaps. Land an explicit Eng-side commitment to security tickets in sprint planning, not optional.
→ Build the security-questionnaire library: pull last 4 enterprise deals' completed questionnaires, normalize answers, store centrally. Time-to-respond drops from 6 weeks to days.
Why O1 is the seat-defining objective
O2 is what the auditor watches. O3 is what your team builds toward. O1 is what kills the seat fastest if it slips. A breach traced to a critical CVE that sat open past SLA ends careers and triggers regulatory inquiries. When O1 holds, audits become confirmation.
STRATEGIC BETS
The three bets inside every CISO OKR stack — and the dozen your team runs without you.
Your security engineering lead runs the SAST/DAST tooling. Your GRC analyst runs evidence collection. Your IAM admin runs identity hygiene. You don't. Your job is the three bets that turn vulnerability remediation into a tracked SLA, audit posture into a continuous KR, and security review into a build-time gate.
Strategy 1 — Replace CVE-backlog negotiation with tracked Eng-side remediation SLA
→ O1
1.1
CVE-SLA matrix signed by CTO + VP Eng + CISO at FY start: 14d for CVSS 9.0+, 30d for 7.0-8.9, 60d for 4.0-6.9 — tracked at Eng-manager level
CTO + VP Eng
1.2
SBOM pipeline: every production service has automated SBOM generation in CI/CD; weekly diff against vulnerability feeds (NVD, GitHub Advisory)
Security Eng + Eng
1.3
Sprint allocation rule: critical CVEs auto-flow into next sprint with non-negotiable priority; high-severity gets 25% of security-allocated capacity
VP Eng + Eng managers
1.4
Quarterly CVE-trend review: which services accumulate the most vulnerabilities? structural fix vs. patch-and-move-on
Internal
Strategy 2 — Replace 60-day audit-prep fire drills with continuous controls monitoring
→ O2
2.1
Continuous-controls platform (Vanta, Drata, Secureframe) configured with 100% of SOC 2 controls automated where possible; manual evidence collected weekly, not at audit time
GRC analyst
2.2
Audit-readiness score reviewed monthly with CTO + VP Eng + CFO; below-90 triggers root-cause review, not a panic project
CFO + CTO
2.3
Internal mock audit quarterly: catches 80% of issues before external auditor finds them; findings remediated within 30 days, no exceptions
External vendor
2.4
Audit-finding root-cause discipline: every finding traced to process or control gap, not patched and moved on
Internal
Strategy 3 — Move security from release-time blocker to build-time enforcer
→ O3
3.1
SAST + DAST + SCA all running in CI/CD with blocking thresholds — non-blocking scans become blocking by FY-end
CTO + Security Eng
3.2
Pre-release security review SLA: ≤2 business days p90; CISO-team capacity sized to meet it without bottleneck
Security Eng + Eng managers
3.3
Security-questionnaire library: top-200 enterprise questions pre-answered, owned by Marketing + Security jointly; refreshed quarterly
CMO + CRO
3.4
Phishing program: monthly simulation, mandatory 7-day training on failure, manager visibility on team-level failure rate
CHRO + IT
ENFORCEMENT LAYER
Enforcement for CISO OKRs — the cadence layer above your security tools.
Snyk scans dependencies. Vanta tracks SOC 2 evidence. CrowdStrike detects endpoints. Each runs in one lane. None enforces whether Eng remediated within SLA, whether audit-readiness drift triggered review, or whether the questionnaire library actually got refreshed. That's the cadence layer above your stack.
How this works in practice
→ Your team enters KR values weekly — CVEs open by age, audit-readiness score, phishing results, SDLC coverage
→ Each becomes a tracked KR with an owner
→ ShiftFocus runs the cadence and fires triggers when KRs bend
We don't pull from Snyk or Vanta. We make the security KRs your team already maintains catch process breaches before they become production breaches.
Two triggers define daily pain: Trigger 6 (Dependency SLA Breach) when Engineering misses a CVE-remediation SLA, and Trigger 7 (Projected Miss) when audit-readiness trajectory projects to miss the next SOC 2 audit window.
The two that fire hardest at the CISO layer
Trigger 6 · Dependency SLA Breach — when Engineering misses a CVE-remediation SLA
⚡ Fires whenA critical (CVSS 9.0+) CVE has been open ≥ 12 days with no PR merged, or a high-severity (CVSS 7.0-8.9) CVE has been open ≥ 25 days. Threshold
▎ Why this matters
Every CVE that ages past SLA expands exploit window AND becomes an audit finding. When Eng deprioritizes security tickets, the cost lands on you — but the cause is upstream. Trigger 6 makes the dependency visible, attributes it correctly, and forces the conversation before SLA breach, not after.
▎ Why ShiftFocus catches it
Snyk shows the CVE. Jira shows the ticket. Neither links them to the CISO's SLA KR. ShiftFocus runs critical-CVE remediation as a tracked KR with Eng-side dependency — and missing the SLA fires a trigger that attributes upstream, not to security for "not pushing hard enough."
▎ Example scenario
CVSS 9.4 vuln logged Monday week 1 in core API service. Day 12: still no PR merged. Trigger 6 fires to VP Eng + Eng manager. Tuesday's exec meeting opens with "CVE-2024-XXXX has 2 days left on 14-day SLA — need a sprint commit by Friday" — not your audit firefight 8 weeks later.
Trigger 7 · Projected Miss — when audit-readiness trajectory projects to miss the next audit window
⚡ Fires whenAudit-readiness score trends to project below 85% by next SOC 2 / ISO 27001 audit window, OR open Tier-1 findings count + age trends to result in repeat findings at next audit. Threshold
▎ Why this matters
Audit failures and material weaknesses don't surface at audit time — they surface in the trajectory months earlier. Trigger 7 catches the trend bending wrong before audit time, so the recovery window is months, not weeks.
▎ Why ShiftFocus catches it
Vanta and Drata show current readiness score. Neither projects forward based on trajectory. ShiftFocus runs audit-readiness as a KR with a target audit-time score — and trajectory analysis fires when the trend won't reach target.
▎ Example scenario
Q3 month 2: audit-readiness drifted from 92% to 87% over 60 days. Trajectory projects 82% at audit time (Q4). Trigger 7 fires. Root-cause review identifies 4 controls drifting (access reviews stale, vendor-risk reviews backed up, vulnerability KR slipping). Recovery plan deployed in Q3 month 3 — not Q4 day 5 when the auditor asks.
The other 4 that also fire on your KRs
Trigger 1 · Missed Cadence
⚡ WhenWeekly CVE-backlog review skipped, OR monthly audit-readiness check skipped, OR quarterly pen test not scheduled.
▎ Example scenario
CVE review skipped 3 weeks. Trigger fires to Security Eng lead.
Trigger 2 · Velocity Drop
⚡ WhenPre-release security-review cycle stretching past 2-day p90, OR pen-test remediation velocity slowing.
▎ Example scenario
Q3 review cycle: 4-day p90 vs. 2-day target. Trigger fires — capacity review.
Trigger 3 · Momentum Decay
⚡ WhenPhishing failure rate trending up, OR CVE backlog count trending up week-over-week.
▎ Example scenario
Phishing: 4% → 6% → 9% over 3 quarterly tests. Trigger fires before threshold breach.
Trigger 4 · KPI Drift
⚡ WhenSBOM coverage drops below 90%, OR phishing failure rate exceeds 8%, OR Tier-1 audit findings count exceeds 5 open.
▎ Example scenario
Mid-quarter: 7 Tier-1 findings open. Trigger fires — root-cause review with GRC team.
Why this works alongside your existing security stack
Snyk scans deps. Vanta tracks evidence. CrowdStrike covers endpoints. Each does its job. ShiftFocus is the cadence layer above them — where critical-CVE SLA, audit-readiness trajectory, and secure-SDLC KRs run on one weekly review, every Eng commit to security becomes a tracked SLA dependency, and trajectory bending fires before audit-time. Keep your stack. Add the cadence layer that makes security continuous instead of audit-driven.
ESCALATION DESIGN
The CISO escalation chain — 5 levels, all on a 48-hour clock.
Below: a single critical-CVE remediation breach (CVSS 9.4 vulnerability past 14-day SLA in production service) threaded through the ladder.
L1
Auto-Nudge — to Eng owner of affected service
Day 12 of CVE: trigger fires. Eng manager + assigned engineer get Slack + email: 14-day SLA in 2 days, PR required.
Immediate
L2
Peer Flag — VP Eng + CISO see it
Day 14: SLA breached. Visible in VP Eng and CISO dashboards. Resolution conversation happens at the Eng-management layer.
+48h
L3
CTO Review — direct conversation with VP Eng
Day 16: still unresolved. CTO directly asks VP Eng for status and re-commit. Conversation is CTO-to-VP-Eng, not CISO-to-Eng.
+48h
L4
Pattern Brief — recurring breaches surface
Q3 audit: 5 critical CVE SLAs breached this quarter. Pattern goes to CTO + VP Eng + CISO + CEO — sprint-prioritization problem, not security-team problem.
Week 8
L5
Intervention — operating-cadence review
Quarter close. SOC 2 audit-readiness dropped from 92% to 84% across the quarter. Full Eng + Security + CFO + CEO in the room. Decision: dedicate Eng capacity to security-debt, restructure sprint planning, or accept the structural risk and re-baseline audit timing.
Quarter-end
What this kills
The failure mode where you spend Q3 chasing Eng managers on critical CVE tickets, present a clean compliance dashboard Monday that's 8 points off true readiness, and absorb audit findings at QBR. Trigger 6 fires the moment SLA approaches breach — at the Eng manager, not your desk.
EXECUTION INTELLIGENCE
How the 5 ShiftFocus metrics read on your CISO KRs.
ShiftFocus runs five health metrics on every KR — same five whether the KR is "100% of CVSS 9.0+ remediated within 14d" or "Audit-readiness ≥ 90%" or "Phishing failure < 5%." Here's what each tells you on a CISO KR.
What this looks like at week 6 of Q3
$40M ARR SaaS, 320 employees, 5-person security team. CISO has three OKRs running mid-quarter:
What the security gap actually costs
The primary case is operating quality. Dollar leakage varies wildly by ARR and breach exposure — but four costs reliably stack the same year:
→ Audit-prep fire drills — 3 FTEs × 60 days × every quarter that compliance runs as a project
→ Enterprise deals stalled on security review — questionnaires take weeks, deals cool
→ Critical-CVE exploit-window exposure — modeled expected loss from each aged CVE
→ Repeat audit findings — material weakness flag risk on the second occurrence
Each costs more than the cadence investment that prevents it. Breach-cost components per IBM 2024 Cost of a Data Breach Report.
The case to make to your CTO and CEO
Convert "are we secure?" into "of 5 critical CVEs that breached SLA this quarter, 4 trace to Eng sprint deprioritization, 1 to a vendor patch dependency; here's the sprint-allocation fix." The seat-defining moment is when the CTO sees CVE backlog as an Eng-process problem, not a security complaint.
▶ Pilot-verifiable
See where your security KRs actually break — and which upstream function caused it.
Connect your security tools, ticketing system, and GRC platform. We'll audit the last 4 quarters for CVE-SLA breach patterns, audit-readiness drift, and Eng-side prioritization patterns — and show you which functions' missed commits caused which audit findings, week by week.