Now that cybersecurity has become a regular topic of discussion in the C-suite and the boardroom, the next challenge is for top leadership and board directors to have engaging conversations about the organization’s management and governance of cyber risk and to decide where future efforts should be directed.

Making Better Cyber Risk Choices

Luckily, business executives can look to other disciplines to find advice on how to make better decisions. A recent Harvard Business Review (HBR) article titled “A Checklist for Making Faster, Better Decisions” outlined a checklist-based technique to consistently make good choices. One of the keys to making better decisions is to consider more than one alternative instead of looking at each as a should-we-or-shouldn’t-we choice.

The article pointed out that “most business decisions are made under the stress of high uncertainty, so we often rely on gut feelings and intuition to reduce our mental discomfort.” Most readers would likely characterize cybersecurity and cyber risk decisions as fitting this description.

The checklist recommended that decision-makers complete the following process when reviewing their options and narrowing their choices:

  1. Write five company goals or priorities that the choice might impact to avoid rationalization after the fact.
  2. Write three or more realistic alternatives. Looking at other possible choices is key to improving decisions.
  3. Write about the biggest unknown related to the decision.
  4. Write the expected impact that the decision will have one year from now.
  5. Limit stakeholder involvement to a team of between two and six people.
  6. Write down the decision that was made, why it was made and the level of support across the stakeholders to aid in the review of the decision in the future.
  7. Be sure to review this decision one to two months from now while there might still be time to make corrections.

The benefits of this approach are worth considering. HBR reported that research shows looking at more than one alternative — as opposed to performing a binary yes-or-no decision — increased the “number of good business decisions sixfold.”

Critical and Engaging Conversations

The checklist above provides a good start to making effective decisions by first considering multiple alternatives, considering the impact — both immediate and long-term — and recording the arguments generated during decision-making for later review. But what about the conversations happening during the decision-making process itself? The dynamics of the team as it considers and debates options is also very important.

Another HBR article, “How to Handle the Naysayer on Your Team,” pointed to the value and the pitfalls of criticism. According to HBR, “Opposition plays a crucial role in helping teams assess the quality of ideas, differentiate between different approaches, limit unproductive conversation and ultimately make high-quality decisions.” Put another way, “criticism is imperative for innovation.”

Of course, criticism can spin out of control and ultimately have a profoundly negative impact. But criticism and opposition — especially in the heated context of the management and governance of cyber risk — is too valuable to ignore; just ask any of the CISOs, CIOs, CFOs and CEOs who have been fired or stepped down following a data breach.

The article pointed out ways to channel and construct criticism to derive the highest benefits from it. Among its recommendations are to make it a point to explicitly ask for opposition, to do so in a controlled and inclusive manner such as by prompting each stakeholder in turn and to avoid resisting the opposition without giving proper consideration. Individuals involved in the process must also evaluate their own visceral response to such criticism, thank those opposed and provide them with feedback, and realize that having this kind of critical conversation isn’t a sign of poor unity in the group.

The stakes are high. Decision-makers, whether in the boardroom or the C-suite, should use all available tricks in the book to ensure that they make informed decisions after considering all options, including opposing views.

More from Risk Management

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging.We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically.For this reason, 75% of organizations seek to…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…

Why consumer drones represent a special cybersecurity risk

3 min read - Cybersecurity staff at an East Coast financial services company last summer detected unusual activity on its internal Atlassian Confluence page originating inside the company’s network. The MAC address used locally belonged to an employee known to be currently using the same MAC address remotely, according to a security specialist named Greg Linares, who had secondhand information about the attack. So, the team used a Fluke AirCheck Wi-Fi Tester device to identify the device logged in, which led the team to…