April 27, 2016 By Christophe Veltsos 3 min read

Now that cybersecurity has become a regular topic of discussion in the C-suite and the boardroom, the next challenge is for top leadership and board directors to have engaging conversations about the organization’s management and governance of cyber risk and to decide where future efforts should be directed.

Making Better Cyber Risk Choices

Luckily, business executives can look to other disciplines to find advice on how to make better decisions. A recent Harvard Business Review (HBR) article titled “A Checklist for Making Faster, Better Decisions” outlined a checklist-based technique to consistently make good choices. One of the keys to making better decisions is to consider more than one alternative instead of looking at each as a should-we-or-shouldn’t-we choice.

The article pointed out that “most business decisions are made under the stress of high uncertainty, so we often rely on gut feelings and intuition to reduce our mental discomfort.” Most readers would likely characterize cybersecurity and cyber risk decisions as fitting this description.

The checklist recommended that decision-makers complete the following process when reviewing their options and narrowing their choices:

  1. Write five company goals or priorities that the choice might impact to avoid rationalization after the fact.
  2. Write three or more realistic alternatives. Looking at other possible choices is key to improving decisions.
  3. Write about the biggest unknown related to the decision.
  4. Write the expected impact that the decision will have one year from now.
  5. Limit stakeholder involvement to a team of between two and six people.
  6. Write down the decision that was made, why it was made and the level of support across the stakeholders to aid in the review of the decision in the future.
  7. Be sure to review this decision one to two months from now while there might still be time to make corrections.

The benefits of this approach are worth considering. HBR reported that research shows looking at more than one alternative — as opposed to performing a binary yes-or-no decision — increased the “number of good business decisions sixfold.”

Critical and Engaging Conversations

The checklist above provides a good start to making effective decisions by first considering multiple alternatives, considering the impact — both immediate and long-term — and recording the arguments generated during decision-making for later review. But what about the conversations happening during the decision-making process itself? The dynamics of the team as it considers and debates options is also very important.

Another HBR article, “How to Handle the Naysayer on Your Team,” pointed to the value and the pitfalls of criticism. According to HBR, “Opposition plays a crucial role in helping teams assess the quality of ideas, differentiate between different approaches, limit unproductive conversation and ultimately make high-quality decisions.” Put another way, “criticism is imperative for innovation.”

Of course, criticism can spin out of control and ultimately have a profoundly negative impact. But criticism and opposition — especially in the heated context of the management and governance of cyber risk — is too valuable to ignore; just ask any of the CISOs, CIOs, CFOs and CEOs who have been fired or stepped down following a data breach.

The article pointed out ways to channel and construct criticism to derive the highest benefits from it. Among its recommendations are to make it a point to explicitly ask for opposition, to do so in a controlled and inclusive manner such as by prompting each stakeholder in turn and to avoid resisting the opposition without giving proper consideration. Individuals involved in the process must also evaluate their own visceral response to such criticism, thank those opposed and provide them with feedback, and realize that having this kind of critical conversation isn’t a sign of poor unity in the group.

The stakes are high. Decision-makers, whether in the boardroom or the C-suite, should use all available tricks in the book to ensure that they make informed decisions after considering all options, including opposing views.

More from Risk Management

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today