Threatonomics

Aligning Strategic Objectives for Resilience

by Nikhil Chawla

Can a company achieve cyber resilience in the face of cyber threats and potential losses?

Yes, but to get there, you must align your objectives.

TL;DR – The objective of cyber resilience is to thrive in the face of cyber incidents. To get there, organizational leaders must first frame and align their internal goals as a team. This eliminates acting at cross purposes and fosters competitive creativity.

Avoiding the Games People Play

We are all familiar with the game tug-o-war. Each team works to achieve an objective that is diametrically opposed to the other team’s. It is the perfect example of a zero-sum game because the only outcome for either team is 1 or -1. There isn’t even an accrual of points, just win or lose. While competitive situations are naturally arranged in this zero-sum way, organizations that foster toxic internal tug-o-wars are destined to eventually collapse. Businesses rarely achieve resilience against external threats while fostering internal strife.

Another all too common reality that frustrates attempts to develop resilience in an organization is working at cross purposes. It may be even more insidious than tug-o-war. Why? Because the organizational members, who like to think they are working toward the same objectives, might be pulling the organization in an unintended direction. It’s not that anyone is intentionally working to achieve diametrically opposed objectives; rather, they are working toward unintentionally misaligned objectives.

When I was about seven years old, my father needed to take down a tree in our yard that had died after being struck by lightning. He wanted the tree to be felled between two smaller trees on one side of it and our utility shed on the other without, obviously, crushing either.

He enlisted the help of a neighbor and his older son to manage this delicate operation. They tied two ropes to the tree about 20 feet up the trunk. Then they pulled the ropes at an acute angle so that neither one would be in the way of the falling tree as my father cut through the trunk with his chainsaw. They intended to create a net force that would pull the tree precisely into the narrow corridor required to avoid an undesirable outcome but, as you might imagine, they miscalculated the distribution of force they each contributed. Their intentions were misaligned with the reality of their efforts. Oops!

Aligning Objectives to Minimize Cross Purposes

There’s no doubt that most security and risk leaders, like yourself, have a set of objectives they are working toward. Maybe they’re based on the NIST Cybersecurity Framework.

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

By achieving these functional objectives, you ultimately intend to support the objectives of the business. However, without understanding where your efforts to achieve these actually lead, you might not be acting in alignment with the other important objectives. That’s tactical thinking, not strategic. That sound you hear is “…the noise before the tree crushes your shed.”

Each one of these objectives may have one or more specific technical KPIs associated with it. You know what they are, and you can easily articulate to yourself which controls and systems can achieve them and why. However, if you present these KPIs as the criteria for why they’re important to the organization, almost no one in the C-suite will understand them. While acknowledging the importance of your function, they will simply view your request as one of many priorities competing for a limited budget. The result is that you will likely receive a fraction of the budget you think you need. This is the budgetary equivalent of working at cross purposes.

Empathize with the Money People

To bring your objectives into alignment with the business, you need to empathize with these “Money People” who weigh competing priorities for your organization’s budget. You need to think and speak to them on their terms so that you both can mutually align your respective objectives. This is how you will avoid “pulling the rope” at cross purposes.

Maximizing Shareholder Value

What are the Money People’s objectives? Relating the Money People’s objectives in the following map helps to clarify what many of them are thinking about in the course of executing their responsibilities. If those responsibilities are not met, they can be fired, fined, or jailed for neglecting their fiduciary duty of care.

In short, to maximize the shareholder value, they will want to

  1. protect their plans for revenue growth,
  2. minimize operating costs without sacrificing quality of service (if they’re smart),
  3. achieve capital efficiencies by investing in strategies and projects that yield risk-adjusted returns greater than 1, and
  4. guard the treasury from shocks to its committed operating obligations and reserves.

But how do you know what they prioritize? You can’t just guess. You have to go ask. Or better yet, have a conversation with the Money People about what their decision criteria are. You will need to understand the value at risk in terms of what business disruption means to the organization: diminished reputation, liabilities, the cost to repair all damages, and the ability to achieve the intended strategic business purpose. To reach this alignment, you must clarify and explain how your objectives relate to those fundamental business objectives. You will have to build the ladder of causation to avoid the possibility of working at cross purposes.

Reframe Your Objectives to Change the Game You Play

Eliminating working at cross purposes by aligning objectives is just the first step toward cyber resilience. By re-examining and testing what objectives an organization really aspires to, especially if those aspirations are conceived within unnecessary constraints, you can increase the odds of attaining higher levels of value.

Security executives may not think of themselves as baseball managers, but let’s consider an example from Richard Seiersen’s latest article, “Moneyballing Cyber Resilience.” Stick with me. If the Oakland A’s had the same budget as the New York Yankees, they would compete approximately at parity with the Yankees. They would do so, however, based on the same fallacious assumption that baseball players with “the look” (which included certain displays of athleticism) were what made baseball teams competitive. Of course, we now know that the New York Yankees’ budget was overpriced because of that fallacious assumption. The Oakland A’s were competing with ineffectual controls because they played within three self-imposed constraints:

  • a wrong causal model of the world;
  • a false idea about what their budget had to be to participate effectively in the real world;
  • an uninformed understanding of what they could actually achieve with their current budget.

Any of these sound familiar to your organization?

What the A’s originally thought of as the “controlling constraint” propelled them to re-examine and reframe their objectives once they acknowledged how much they hated losing. This then gave them the ability to work less at cross purposes and look for arbitrage opportunities. When they found the arbitrage—selling off overvalued players (assets) to buy less expensive players with better stats more aligned to winning KPIs—they were able to pursue a strategy that was entirely consistent with their budget. They went from being impoverished to acting efficiently with their capital. That yielded the dividends they sought.

This is what starting by framing your efforts with values, preferences, and objectives provides: it eliminates constrained thinking to allow you to imagine the world you want without your current imposed constraints or policies. Thinking this way will generally create more value for you than starting with a given set of constrained alternatives or tactics, especially those represented by checklists and benchmarks. This happens because the expanded set of alternatives for action you conceive will derive from your own organizational values, not those of others.

The objective of a cyber resilient strategy is to thrive in the face of cyber threats and potential losses. To get there, organizations must first intentionally align their internal goals and objectives, not just because it eliminates unintentionally acting at cross purposes (it does) but because it fosters valuable creativity. Values-driven creativity broadens the scope of allowable decisions and provides the motivation to find competitive advantages in previously unrecognized spaces.
