In an ornate boardroom, a group of executives gathered at a large round table for their annual strategic planning meeting. Morgan, the CEO, was surrounded by Lana, the VP of Sales; Susan, the CISO; Smith, the COO; and Barbara, the Chief Compliance Officer. There was much to get done in the next twelve months, so they were passionately debating how best to invest their limited budget to achieve their goals and to address various sources of risk.
After a morning of going over the numbers and weighing their options, the leaders had reached an impasse.
“We need to expand our territory,” the VP of Sales insisted. “We must invest in horses! If our knights continue using coconuts to get around, we’ll just fall further behind.”
The CISO interrupted, offering a different opinion, “I disagree, Lana. There will be nothing to expand if our defenses are breached. We should invest in upgrading the walls and building a moat! We have to protect our critical assets.”
Not sitting idly by, the COO jumped in, “You are forgetting that we actually need to run this place. We need additional blacksmiths and blade sharpeners – not to mention the cobblestone repairs I requested last time. Just last week, an entire donkey fell in the pothole down on Oak Street.”
“Remember, the Emperor expects us to conduct annual inspections,” the Compliance Officer stated emphatically. “We need to keep our production up, our staff well trained, and our supplies in top shape. You remember the last time we failed an audit? Heads rolled. Literally.”
The CEO pursed her lips and looked around pensively, “Barbara is quite right, we don’t want to see that happen again and I’d rather not lose another compliance head if we can help it. Each of you makes a strong case; however, we only have so much gold, and we need to spend it on the right things at the right time. Let’s break for lunch and continue after we’ve eaten.”
It’s not easy running Camelot, Inc. Important strategic interests compete for attention and funding. The executives need to manage risks and take advantage of opportunities. Slicing up the funding pie is a strategic choice affecting the company’s market posture, and any success or failure would be on CEO Morgan’s shoulders.
As the executives adjourned to the dining hall, the VP of Sales and the CISO were engaged in a spirited discussion about their requested projects. “At least my staff have healthy disagreements,” the CEO thought to herself. “The last thing I need is infighting.” The other team members chatted amiably, strolling past their leader as she turned to look out a large window at the lands beyond the castle wall.
“Coming to lunch, Morgan?” asked Smith, the COO.
“Oh, yes. I need the break. I’ll be there in a moment,” Morgan replied. The COO nodded and headed down the hallway while the CEO returned to her thoughts.
Investing in security seems like a safe choice. There are attacks reported every day, and I don’t want to be in the headlines like some other CEOs. On the other hand, fortune favors the bold, and if we don’t expand our territory, organic growth will be hard to come by. Splitting the pot with half-measures seems like a recipe for failure, or at least mediocrity, which I won’t accept.
Morgan sighed, turned and walked down the hall. At least lunch would prove to be a welcome respite. Investment is always a risk – how can the money work in the best interest of Camelot?
Arriving at the dining hall, Morgan was greeted with the din of lively conversation and cutlery as staff ate their mid-day meal and relaxed from the morning’s work. The CEO found an available chair and joined a table. As she sat down to eat, she could hear her CISO discussing a local news story.
“…and so the guy broke in and grabbed what he thought was an expensive vase from the front room. Turns out it was a fake. Which makes sense – nobody puts their most valuable stuff out in the open in the front room. The guards caught him and turned him out on his ear.”
Conversation continued around the table, and the meal wound to a close. Slowly, executives and staff began returning to their meeting rooms, reluctantly leaving the relaxed atmosphere of the dining hall to return to the hard work of planning.
“Alright, let’s get back to it,” Morgan said as she called the meeting back to order.
“From what I’ve heard, compliance and operations don’t have any major projects for next year. We need to keep up the status quo and maybe make some modest investments – especially the Oak Street repairs. We’ll keep funding in those areas relatively flat.”
The Operations and Compliance officers reluctantly nodded their heads in agreement.
Morgan continued, “Now, it’s a matter of determining our strategy. We can’t adequately fund significant upgrades to the castle wall and to our knights. Do we risk spending on horses with the expectation that expansion yields a return? Is the threat landscape such that failure to upgrade the walls will lead to catastrophic damage?”
“You’ve seen the projections with and without the upgrades,” the VP of Sales said. “While the upgrades show modest growth initially, they position us well against Loimbard, who most certainly want to encroach on our territory. The three- to five-year outlook based on expansion is for significant growth.”
“And if Loimbard chooses to go on the offense, then what, Lana? And they’re not the only ones – we’ve got bandits in the forest, and I hear the Vikings are on the move,” the CISO said. “Not only do we need repairs; a significant upgrade would protect us from anything that comes our way. The moat would provide siege defense, PLUS it comes with a free supply of crocodiles, Lana. Crocodiles.”
Barbara, the Compliance Officer, was skeptical, “What are the chances we see a major attack, Susan? Sure, anything could happen, and while I do love the idea of crocodiles, the knights won’t get very far riding them.”
Stepping in, Morgan tried to break the impasse, “We seem to be a bit stuck here and not making any progress. Lana has provided a sales assessment, and the three-to-five-year strategy seems sound. I haven’t seen anything backing up the likelihood of success, though. And we all understand the impact of a major attack, but I’m still not convinced about the threat landscape. It never hurts to shore up our defenses, but we also need to use our money wisely and ensure growth.”
The CEO stood up resolutely. She knew this was a knotty issue that required additional work.
“We’re not making a decision today. Instead, we’re going to spend the rest of the afternoon going through what I need from you to resolve this. We’ll define worst- and best-case scenarios for market growth with and without the horses. I need to more clearly see the upside and risks of this investment.
“In terms of security, Susan, I’m going to look to you to lead a risk assessment. I need to know how vulnerable we are to attack, get a better handle on threats, and, most importantly, the likelihood of loss.”
The staff got to work and spent the afternoon going through their risk and opportunity inventories. Several use cases were drawn up, and the staff debated how much money they would need to spend to make each successful. When they were satisfied with their work, they agreed that the lists were final, correctly prioritized and ready for the next step.
Morgan smiled, “This is really good work. You haven’t made this decision any easier, but we now have a much clearer understanding of our choices. We’re not quite done, though.”
The staff was visibly discouraged. It was getting late, and they were all tired from a long day’s work.
“Don’t worry – I have no plans to keep everyone much longer. I do have some homework for Lana and Susan, though. Two things: the first is to get me real numbers on these lists. ‘High’ isn’t good enough for likelihood, impact, or growth. Is high greater than seventy-five percent likelihood? Ninety? Give me the impact in gold or concrete terms so we can really make good choices. The second is a bit different – and all of you can help with this one – bring me your best ideas on how we can create synergies with these investments. If I spend on security, I want to help Operations and even Sales. Can our investment in horses improve our security or compliance posture? I’m not asking us to blow up what’s on the table, just expand our view of what’s possible.”
Clasping her hands together and smiling, the CEO nodded and dismissed the team, thanking them for their hard work and progress. The executive staff rose, heading their separate ways for the night. Lana, the VP of Sales, already knew that she had a date with her spreadsheets and was pulling together the numbers in her head. Susan, on the other hand, needed to think, and that meant a visit with the CISO’s friend Lucinda, the owner of the castle’s inn and casino.
Epilogue – Cybersecurity and Risk
Cybersecurity doesn’t exist in a silo. Every organization is limited by a budget that must be strategically allocated to meet business objectives. Business units advocate for budget dollars based on their own strategic lenses, and all modern enterprises must include cybersecurity as part of that boardroom discussion. The cybersecurity risk must be weighed against other business risks and opportunities. Failure to manage cyber risk will likely end in a data breach. Forward-thinking organizations will look holistically at their business and develop a clear vision and strategy when it comes to managing risk, including sales, operations, legal, and cyber risk.
Next time on Plights of the Round Table…Lessons from the Casino: Taking a Gamble or Making an Investment?