I’m sure we’ve all been in meetings (or discussions) where
the person who called the meeting had made up his or her mind before the
meeting even began. These meetings
typically progress as follows:
- Meeting organizer makes initial statements, points, and/or assertions
- Some of these may appear incorrect or unrealistic to some meeting attendees
- Initial feedback is provided by meeting attendees
- Meeting organizer becomes insulted or defensive and may become dismissive or, worse yet, confrontational
- Meeting participants cease providing feedback
- Meeting organizer interprets the lack of feedback as agreement or "victory"
- The meeting concludes with the outcome that the meeting organizer had pre-determined

These types of encounters can be frustrating
experiences. Aside from the wasted
investment in time, there is another tragedy here. The meeting organizer’s behavior not only
shuts down and demoralizes the other meeting attendees, but it may in fact have
dire consequences.

Information security is a tough business. Decisions often need to be made quickly and
under intense pressure. Further, the
consequences of an incorrect decision can be enormous. For example, ending an incident response
without fully containing and remediating the issue can lead to embarrassment,
theft of intellectual property, monetary loss, and other undesired outcomes.

With the stakes so high, I would argue that an incorrect
decision is worse than a delayed decision, largely due to the potential for
cascading consequences. Given this, how
can an organization minimize its potential for error during the process of
making critical decisions? There are
likely many approaches to this question, but one of them that I have found to
be the most effective involves creating an environment that embraces feedback
and values diversity of opinion.

An accurate decision requires accurate data points upon
which to make that decision. This is
felt acutely in the information security realm where accurate data points come
from a variety of sources and can take a frustratingly long time to
assemble. It is most often the case that
the decision maker does not personally have insight into all of the data points
required to make the decision or decisions at hand. Because of this, the decision maker needs to
foster an environment where feedback is embraced and accepted openly, and one where
diversity of opinion is valued. This
entails creating an environment that is the exact opposite of the sequence of
events that was listed at the beginning of this post.

Decision makers who listen to their subject matter experts openly,
attentively, and without prejudice benefit from more accurate and unbiased
information. This requires a decision
maker who is willing to listen, and one who is willing to accept that he or she
may not be particularly in touch or in tune with the details and intricacies
concerned. In short, security decision
makers should not only accept feedback and differing opinions – they should
treasure them. It’s really the only way
to make the correct decision in a demanding environment.