Now that cybersecurity has become a regular topic of discussion in the C-suite and the boardroom, the next challenge is for top leadership and board directors to have engaging conversations about the organization’s management and governance of cyber risk and to decide where future efforts should be directed.
Making Better Cyber Risk Choices
Luckily, business executives can look to other disciplines to find advice on how to make better decisions. A recent Harvard Business Review (HBR) article titled “A Checklist for Making Faster, Better Decisions” outlined a checklist-based technique to consistently make good choices. One of the keys to making better decisions is to consider more than one alternative instead of looking at each as a should-we-or-shouldn’t-we choice.
The article pointed out that “most business decisions are made under the stress of high uncertainty, so we often rely on gut feelings and intuition to reduce our mental discomfort.” Most readers would likely characterize cybersecurity and cyber risk decisions as fitting this description.
The checklist recommended that decision-makers complete the following process when reviewing their options and narrowing their choices:
- Write five company goals or priorities that the choice might impact to avoid rationalization after the fact.
- Write three or more realistic alternatives. Looking at other possible choices is key to improving decisions.
- Write about the biggest unknown related to the decision.
- Write the expected impact that the decision will have one year from now.
- Limit stakeholder involvement to a team of between two and six people.
- Write down the decision that was made, why it was made and the level of support across the stakeholders to aid in the review of the decision in the future.
- Be sure to review this decision one to two months from now while there might still be time to make corrections.
The benefits of this approach are worth considering. HBR reported that research shows looking at more than one alternative — as opposed to performing a binary yes-or-no decision — increased the “number of good business decisions sixfold.”
Critical and Engaging Conversations
The checklist above provides a good start to making effective decisions by first considering multiple alternatives, considering the impact — both immediate and long-term — and recording the arguments generated during decision-making for later review. But what about the conversations happening during the decision-making process itself? The dynamics of the team as it considers and debates options is also very important.
Another HBR article, “How to Handle the Naysayer on Your Team,” pointed to the value and the pitfalls of criticism. According to HBR, “Opposition plays a crucial role in helping teams assess the quality of ideas, differentiate between different approaches, limit unproductive conversation and ultimately make high-quality decisions.” Put another way, “criticism is imperative for innovation.”
Of course, criticism can spin out of control and ultimately have a profoundly negative impact. But criticism and opposition — especially in the heated context of the management and governance of cyber risk — is too valuable to ignore; just ask any of the CISOs, CIOs, CFOs and CEOs who have been fired or stepped down following a data breach.
The article pointed out ways to channel and construct criticism to derive the highest benefits from it. Among its recommendations are to make it a point to explicitly ask for opposition, to do so in a controlled and inclusive manner such as by prompting each stakeholder in turn and to avoid resisting the opposition without giving proper consideration. Individuals involved in the process must also evaluate their own visceral response to such criticism, thank those opposed and provide them with feedback, and realize that having this kind of critical conversation isn’t a sign of poor unity in the group.
The stakes are high. Decision-makers, whether in the boardroom or the C-suite, should use all available tricks in the book to ensure that they make informed decisions after considering all options, including opposing views.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato