I’m sure we’ve all been in meetings (or discussions) where the person who called the meeting had made up his or her mind before the meeting even began. These meetings typically progress as follows:
- Meeting organizer makes initial statements, points, and/or assertions
- Some of these may appear incorrect or unrealistic to some meeting attendees
- Initial feedback is provided by meeting attendees
- Meeting organizer becomes insulted or defensive and may become dismissive or, worse yet, confrontational
- Meeting participants cease providing feedback
- Meeting organizer interprets the lack of feedback as agreement or "victory"
- The meeting concludes with the outcome that the meeting organizer had pre-determined
These types of encounters are frustrating experiences. Aside from the wasted investment in time, there is another cost here. The meeting organizer's behavior not only shuts down and demoralizes the other attendees; the decision it produces may have dire consequences.
Information security is a tough business. Decisions often need to be made quickly and under intense pressure. Further, the consequences of an incorrect decision can be enormous. For example, ending an incident response without fully containing and remediating the issue can lead to embarrassment, theft of intellectual property, monetary loss, and other undesired outcomes.
With the stakes so high, I would argue that an incorrect decision is worse than a delayed decision, largely because of the potential for cascading consequences: a premature "all clear" on an incident, for example, leaves the attacker in place while everyone stops looking. Given this, how can an organization minimize its potential for error when making critical decisions? There are likely many approaches to this question, but the one I have found most effective is creating an environment that embraces feedback and values diversity of opinion.
An accurate decision requires accurate data points on which to base it. This is felt acutely in information security, where the relevant data points come from a variety of sources (logs, forensic artifacts, threat intelligence, the people who operate the affected systems) and can take a frustratingly long time to assemble. The decision maker most often does not personally have insight into all of the data points required for the decision or decisions at hand. Because of this, the decision maker needs to foster an environment where feedback is embraced and accepted openly, and where diversity of opinion is valued. In other words, an environment that is the exact opposite of the sequence of events listed at the beginning of this post.
Decision makers who listen to their subject matter experts openly, attentively, and without prejudice benefit from more accurate and less biased information. This requires a decision maker who is willing to listen, and who is willing to accept that he or she may not be in touch with the details and intricacies involved. In short, security decision makers should not only accept feedback and differing opinions, they should treasure them. It is really the only way to make the correct decision in a demanding environment.