Now that cybersecurity has become a regular topic of discussion in the C-suite and the boardroom, the next challenge is for top leadership and board directors to have engaging conversations about the organization’s management and governance of cyber risk and to decide where future efforts should be directed.

Making Better Cyber Risk Choices

Luckily, business executives can look to other disciplines to find advice on how to make better decisions. A recent Harvard Business Review (HBR) article titled “A Checklist for Making Faster, Better Decisions” outlined a checklist-based technique to consistently make good choices. One of the keys to making better decisions is to consider more than one alternative instead of looking at each as a should-we-or-shouldn’t-we choice.

The article pointed out that “most business decisions are made under the stress of high uncertainty, so we often rely on gut feelings and intuition to reduce our mental discomfort.” Most readers would likely characterize cybersecurity and cyber risk decisions as fitting this description.

The checklist recommended that decision-makers complete the following process when reviewing their options and narrowing their choices:

  1. Write five company goals or priorities that the choice might impact to avoid rationalization after the fact.
  2. Write three or more realistic alternatives. Looking at other possible choices is key to improving decisions.
  3. Write about the biggest unknown related to the decision.
  4. Write the expected impact that the decision will have one year from now.
  5. Limit stakeholder involvement to a team of between two and six people.
  6. Write down the decision that was made, why it was made and the level of support across the stakeholders to aid in the review of the decision in the future.
  7. Be sure to review this decision one to two months from now while there might still be time to make corrections.

The benefits of this approach are worth considering. HBR reported that research shows looking at more than one alternative — as opposed to performing a binary yes-or-no decision — increased the “number of good business decisions sixfold.”

Critical and Engaging Conversations

The checklist above provides a good start to making effective decisions by first considering multiple alternatives, considering the impact — both immediate and long-term — and recording the arguments generated during decision-making for later review. But what about the conversations happening during the decision-making process itself? The dynamics of the team as it considers and debates options is also very important.

Another HBR article, “How to Handle the Naysayer on Your Team,” pointed to the value and the pitfalls of criticism. According to HBR, “Opposition plays a crucial role in helping teams assess the quality of ideas, differentiate between different approaches, limit unproductive conversation and ultimately make high-quality decisions.” Put another way, “criticism is imperative for innovation.”

Of course, criticism can spin out of control and ultimately have a profoundly negative impact. But criticism and opposition — especially in the heated context of the management and governance of cyber risk — is too valuable to ignore; just ask any of the CISOs, CIOs, CFOs and CEOs who have been fired or stepped down following a data breach.

The article pointed out ways to channel and construct criticism to derive the highest benefits from it. Among its recommendations are to make it a point to explicitly ask for opposition, to do so in a controlled and inclusive manner such as by prompting each stakeholder in turn and to avoid resisting the opposition without giving proper consideration. Individuals involved in the process must also evaluate their own visceral response to such criticism, thank those opposed and provide them with feedback, and realize that having this kind of critical conversation isn’t a sign of poor unity in the group.

The stakes are high. Decision-makers, whether in the boardroom or the C-suite, should use all available tricks in the book to ensure that they make informed decisions after considering all options, including opposing views.

More from CISO

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Reporting Healthcare Cyber Incidents Under New CIRCIA Rules

Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes,…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…