Threatonomics

Aligning Strategic Objectives for Resilience

by Nikhil Chawla
Published

Can a company achieve cyber resilience in the face of cyber threats and potential losses?

Yes, but to get there, you must align your objectives.

TL;DR – The objective of cyber resilience is to thrive in the face of cyber incidents. To get there, organizational leaders must first frame and align their internal goals as a team. This eliminates acting at cross purposes and fosters competitive creativity.

Avoiding the Games People Play

We are all familiar with the game tug-o-war. Each team works to achieve an objective that is diametrically opposed to the other team. It represents the perfect example of a zero-sum game because the only outcome for either team is 1 or -1. There isn’t even an accrual of points, just win or lose. While competitive situations are naturally arranged in this zero sum way, organizations that foster toxic internal tug-o-wars are destined to eventually collapse. Businesses rarely achieve resilience against external threats while fostering internal strife.

Another all too common reality that commonly frustrates attempts to develop resilience in an organization is working at cross purposes. It may be even more insidious than tug-o-war. Why? Because the organizational members, who like to think they are working toward the same objectives, might be pulling the organization in an unintended direction. It’s not that anyone is intentionally working to achieve diametrically opposed objectives; rather, they are working at unintentionally misaligned objectives.

When I was about seven years old, my father needed to take down a tree in our yard that had died after being struck by lightning. He wanted the tree to be felled between two smaller trees on one side of it and our utility shed on the other without, obviously, crushing either.

He enlisted the help of a neighbor and his older son to manage this delicate operation. They tied two ropes to the tree about 20 feet up the trunk. Then they pulled the ropes at an acute angle so that neither one would be in the way of the falling tree as my father cut through the trunk with his chainsaw. They intended to create a net force that would pull the tree precisely into the narrow corridor required to avoid an undesirable outcome but, as you might imagine, they miscalculated the distribution of force they each contributed. Their intentions were misaligned with the reality of their efforts. Oops!

Aligning Objectives to Minimize Cross Purposes

There’s no doubt that most security and risk leaders, like yourself, have a set of objectives they are working toward. Maybe they’re based on the NIST Cybersecurity Framework.

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

By achieving these functional objectives, you ultimately intend to support the objectives of the business. However, without understanding where your efforts to achieve these actually lead, you might not be acting in alignment with the other important objectives. That’s tactical thinking, not strategic. That sound you hear is “…the noise before the tree crushes your shed.”

Each one of these objectives may have one or more specific technical KPIs associated with them. You know what they are, and you can easily articulate to yourself which controls and systems can achieve them and why. However, if you present these KPIs as criteria for why they’re important to the organization, almost no one in the C-suite will understand them. While acknowledging the importance of your function, they will simply view your request as one of many priorities competing for a limited budget. The result is that you will likely receive a fraction of the budget you think you need. This is the budgetary equivalent of working at cross purposes.

Empathize with the Money People

To bring your objectives into alignment with the business, you need to empathize with these “Money People” who weigh competing priorities for your organization’s budget. You need to think and speak to them on their terms so that you both can mutually align your respective objectives. This is how you will avoid “pulling the rope” at cross purposes.

Maximizing Shareholder Value

What are the Money People’s objectives? Relating the Money People’s  objectives in the following map helps to clarify what many of them are thinking about in the course of executing their responsibilities, which, if not met, can result in their being fired, fined, or jailed for neglecting to satisfy their fiduciary duty of care.

In short, to maximize the shareholder value, they will want to

  1. protect their plans for revenue growth,
  2. minimize operating costs without sacrificing quality of service (if they’re smart),
  3. achieve capital efficiencies by investing in strategies and projects that yield risk-adjusted returns greater than 1, and
  4. guard the treasury from shocks to its committed operating obligations and reserves.

But how do you know what they prioritize? You can’t just guess. You have to go ask. Or better yet, have a conversation with the Money People about what their decision criteria are. You will need to understand the value at risk in terms of what business disruption means to the organization; diminished reputation, liabilities, cost to repair all damages, and the ability to achieve intended strategic business purpose. To reach this alignment, you must  clarify and explain how your objectives relate to those fundamental business objectives. You will have to build the ladder of causation to avoid the possibility of working at cross purposes.

Reframe Your Objectives to Change the Game You Play

Eliminating working at cross purposes by aligning objectives is just the first step toward cyber resilience. By re-examining and testing what objectives an organization really aspires to, especially if those aspirations are conceived within unnecessary constraints, you can increase the odds of attaining higher levels of value.

Security executives may not think of themselves as baseball managers, but let’s consider an example from Richard Seiersen’s latest article, “Moneyballing Cyber Resilience.  Stick with me. If the Oakland A’s had the same budget as the New York Yankees, they would compete approximately at parity with the Yankees. They would do so, however, based on the same fallacious assumption that baseball players with “the look” (which included certain displays of athleticism) is what made baseball teams competitive. Of course, we now know that the budget of the New York Yankees was an overpriced budget because of that fallacious assumption. The Oakland A’s were competing with non-effectual controls because they played within three self-imposed constraints:

  • a wrong causal model of the world;
  • a false idea about what their budget had to be to participate effectively in the real world;
  • an uninformed understanding of what they could actually achieve with their current budget.

Any of these sound familiar to your organization?

What the A’s originally thought of as the “controlling constraint” propelled them to re-examine and reframe their objectives once they acknowledged how much they hated losing. This then gave them the ability to work less at cross purposes and look for arbitrage opportunities. When they found the arbitrage—selling off overvalued players (assets) to buy less expensive players with better stats more aligned to winning KPIs—they were able to pursue a strategy that was entirely consistent with their budget. They went from being impoverished to acting efficiently with their capital. That yielded the dividends they sought.

This is what starting by framing your efforts with values, preferences, and objectives provides: it eliminates constrained thinking to allow you to imagine the world you want without your current imposed constraints or policies. Thinking this way will generally create more value for you than starting with a given set of constrained alternatives or tactics, especially those represented by checklists and benchmarks. This happens because the expanded set of alternatives for action you conceive will derive from your own organizational values, not those of others.

The objective of a cyber resilient strategy is to thrive in the face of cyber threats and potential losses. To get there, organizations must first intentionally align their internal goals and objectives, not just because it eliminates unintentionally acting at cross purposes (it does) but because it fosters valuable creativity. Values-driven creativity broadens the scope of allowable decisions and provides the motivation to find competitive advantages in previously unrecognized spaces.

About the Author
Nikhil Chawla

You might also like

Breaking Lemonade: Understanding Value at Risk

I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to […]

Would you fall for a live deepfake?

The Office of Senate Security revealed last week that the head of the Senate Foreign Relations Committee was targeted in a deep fake video call. An unknown person, claiming to be the former Ukrainian Minister of Foreign Affairs, Dmytro Kuleba, lured the Senator onto a Zoom call. The attack was thwarted when the Senator and […]

Artificial Intelligence for Cyber Resilience

AI tools are shifting the calculus for cyber defense by enhancing key areas such as vulnerability mapping, breach detection, incident response, and penetration testing. This integration could help an organization bolster its cyber resilience against an ever-evolving threat landscape. AI tools could automate the discovery and monitoring of vulnerabilities, providing real-time updates of an organization’s […]

cyber resilience framework

AI and Misuse

Welcome to part two in our series on AI and cyber risk. Be sure to read the first installment “What you need to know: Artificial Intelligence at the Heart of Cyber,” here. Key takeaways Background In February 2024, OpenAI – in collaboration with Microsoft— tracked adversaries from Russia, North Korea, Iran, and China, leveraging their […]

cyber resilience framework

Cybersecurity Incidents & Trends in Canada

Executive Summary Emerging cyber threats increasingly target Canadian organizations, government agencies, and individuals, with recent attacks revealing sophisticated tactics by threat actors. Threat actors delivered the Formbook infostealer to companies via emails that posed as job candidates. Meanwhile, the Chameleon Trojan attacked Canadian financial institutions and a restaurant chain by masquerading as legitimate apps. Cybercriminals […]

Digital Risk: Enterprises Need More Than Cyber Insurance

What you need to know: Artificial Intelligence at the Heart of Cyber

As AI technologies become more embedded in cyber strategies, they enhance the capabilities of threat actors while also offering innovative defenses to organizations [1]. AI tools can amplify adversaries’ traditional Techniques, Tools, and Procedures (TTPs) by automating the generation of sophisticated threats such as polymorphic malware — which can dynamically alter its code to evade […]