Threatonomics

Aligning Strategic Objectives for Resilience

by Richard Seiersen , Cyber Resilience Strategic Advisor
Published

Can a company achieve cyber resilience in the face of cyber threats and potential losses?

Yes, but to get there, you must align your objectives.

TL;DR – The objective of cyber resilience is to thrive in the face of cyber incidents. To get there, organizational leaders must first frame and align their internal goals as a team. This eliminates acting at cross purposes and fosters competitive creativity.

Avoiding the Games People Play

We are all familiar with the game tug-o-war. Each team works to achieve an objective that is diametrically opposed to the other team. It represents the perfect example of a zero-sum game because the only outcome for either team is 1 or -1. There isn’t even an accrual of points, just win or lose. While competitive situations are naturally arranged in this zero sum way, organizations that foster toxic internal tug-o-wars are destined to eventually collapse. Businesses rarely achieve resilience against external threats while fostering internal strife.

Another all too common reality that commonly frustrates attempts to develop resilience in an organization is working at cross purposes. It may be even more insidious than tug-o-war. Why? Because the organizational members, who like to think they are working toward the same objectives, might be pulling the organization in an unintended direction. It’s not that anyone is intentionally working to achieve diametrically opposed objectives; rather, they are working at unintentionally misaligned objectives.

When I was about seven years old, my father needed to take down a tree in our yard that had died after being struck by lightning. He wanted the tree to be felled between two smaller trees on one side of it and our utility shed on the other without, obviously, crushing either.

He enlisted the help of a neighbor and his older son to manage this delicate operation. They tied two ropes to the tree about 20 feet up the trunk. Then they pulled the ropes at an acute angle so that neither one would be in the way of the falling tree as my father cut through the trunk with his chainsaw. They intended to create a net force that would pull the tree precisely into the narrow corridor required to avoid an undesirable outcome but, as you might imagine, they miscalculated the distribution of force they each contributed. Their intentions were misaligned with the reality of their efforts. Oops!

Aligning Objectives to Minimize Cross Purposes

There’s no doubt that most security and risk leaders, like yourself, have a set of objectives they are working toward. Maybe they’re based on the NIST Cybersecurity Framework.

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

By achieving these functional objectives, you ultimately intend to support the objectives of the business. However, without understanding where your efforts to achieve these actually lead, you might not be acting in alignment with the other important objectives. That’s tactical thinking, not strategic. That sound you hear is “…the noise before the tree crushes your shed.”

Each one of these objectives may have one or more specific technical KPIs associated with them. You know what they are, and you can easily articulate to yourself which controls and systems can achieve them and why. However, if you present these KPIs as criteria for why they’re important to the organization, almost no one in the C-suite will understand them. While acknowledging the importance of your function, they will simply view your request as one of many priorities competing for a limited budget. The result is that you will likely receive a fraction of the budget you think you need. This is the budgetary equivalent of working at cross purposes.

Empathize with the Money People

To bring your objectives into alignment with the business, you need to empathize with these “Money People” who weigh competing priorities for your organization’s budget. You need to think and speak to them on their terms so that you both can mutually align your respective objectives. This is how you will avoid “pulling the rope” at cross purposes.

Maximizing Shareholder Value

What are the Money People’s objectives? Relating the Money People’s  objectives in the following map helps to clarify what many of them are thinking about in the course of executing their responsibilities, which, if not met, can result in their being fired, fined, or jailed for neglecting to satisfy their fiduciary duty of care.

In short, to maximize the shareholder value, they will want to

  1. protect their plans for revenue growth,
  2. minimize operating costs without sacrificing quality of service (if they’re smart),
  3. achieve capital efficiencies by investing in strategies and projects that yield risk-adjusted returns greater than 1, and
  4. guard the treasury from shocks to its committed operating obligations and reserves.

But how do you know what they prioritize? You can’t just guess. You have to go ask. Or better yet, have a conversation with the Money People about what their decision criteria are. You will need to understand the value at risk in terms of what business disruption means to the organization; diminished reputation, liabilities, cost to repair all damages, and the ability to achieve intended strategic business purpose. To reach this alignment, you must  clarify and explain how your objectives relate to those fundamental business objectives. You will have to build the ladder of causation to avoid the possibility of working at cross purposes.

Reframe Your Objectives to Change the Game You Play

Eliminating working at cross purposes by aligning objectives is just the first step toward cyber resilience. By re-examining and testing what objectives an organization really aspires to, especially if those aspirations are conceived within unnecessary constraints, you can increase the odds of attaining higher levels of value.

Security executives may not think of themselves as baseball managers, but let’s consider an example from Richard Seiersen’s latest article, “Moneyballing Cyber Resilience.  Stick with me. If the Oakland A’s had the same budget as the New York Yankees, they would compete approximately at parity with the Yankees. They would do so, however, based on the same fallacious assumption that baseball players with “the look” (which included certain displays of athleticism) is what made baseball teams competitive. Of course, we now know that the budget of the New York Yankees was an overpriced budget because of that fallacious assumption. The Oakland A’s were competing with non-effectual controls because they played within three self-imposed constraints:

  • a wrong causal model of the world;
  • a false idea about what their budget had to be to participate effectively in the real world;
  • an uninformed understanding of what they could actually achieve with their current budget.

Any of these sound familiar to your organization?

What the A’s originally thought of as the “controlling constraint” propelled them to re-examine and reframe their objectives once they acknowledged how much they hated losing. This then gave them the ability to work less at cross purposes and look for arbitrage opportunities. When they found the arbitrage—selling off overvalued players (assets) to buy less expensive players with better stats more aligned to winning KPIs—they were able to pursue a strategy that was entirely consistent with their budget. They went from being impoverished to acting efficiently with their capital. That yielded the dividends they sought.

This is what starting by framing your efforts with values, preferences, and objectives provides: it eliminates constrained thinking to allow you to imagine the world you want without your current imposed constraints or policies. Thinking this way will generally create more value for you than starting with a given set of constrained alternatives or tactics, especially those represented by checklists and benchmarks. This happens because the expanded set of alternatives for action you conceive will derive from your own organizational values, not those of others.

The objective of a cyber resilient strategy is to thrive in the face of cyber threats and potential losses. To get there, organizations must first intentionally align their internal goals and objectives, not just because it eliminates unintentionally acting at cross purposes (it does) but because it fosters valuable creativity. Values-driven creativity broadens the scope of allowable decisions and provides the motivation to find competitive advantages in previously unrecognized spaces.

You might also like

Five Predictions on the State of Cyber Claims in 2024

Unravel the complexities of cyber risk with the 2023 Mid-Year Claims Report by Resilience. Dive into our analysis and predictions for the cyber insurance industry in 2024, including the pivotal role of AI and regulatory changes.

Knowing Your Risk Surface: A Risk-Focused Approach to Incident Response

After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches to their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the […]

Top Three Trends on Cyber Resilience from The World Economic Forum

With generative AI dominating the conversation at the World Economic Forum’s annual meeting in Davos this year – a massive 32 sessions in total – it’s easy to overlook another topic that was the focus of WEF’s 2024 Global Cybersecurity Outlook: Cyber Resilience.  The term has taken on a new importance in 2024 as enterprise […]

Do you Need Human Brains to make AI Useful in Cybersecurity?

As the world advances with data processing and artificial intelligence (AI) capabilities at a mind-boggling pace, we might feel as if humans are becoming obsolete. This is certainly the question of an endless series of articles that have clogged our inboxes since the release of ChatGPT publicly in late 2022. Maybe this development is a […]

Mastering Cyber Resilience

Cyber Resilience 101, 202, and accompanying Cyber Resilience Workshops are designed to teach brokers the fundamentals of proactive cyber risk management

Best of Threatonomics Year-End Review

As 2023 comes to an end, we are looking back on our top five most popular blog posts that helped shape our understanding of what it means to be cyber-resilient. 1. Moneyballing Cyber Resilience  Chief Cyber Resilience Officer Richard Seiersen wrote “Moneyballing Cyber Resilience” as a follow-up to  his first webinar, “Superforecasting.” The book, Moneyball, […]