Decisions, Decisions, Decisions, And Decisions
The HR Guru JP Elliott is back at it with a recently published piece on what he calls "decision leadership." His argument: the best HR leaders don't just execute decisions, they improve the quality of the decisions themselves by asking better questions, framing decisions more precisely, surfacing trade-offs that would otherwise stay hidden, and bringing a clear point of view. He frames the capability as Ask, Frame, Advise.
This framework applies even more powerfully in cybersecurity. With credit to JP for the concept, we want to translate it into cybersecurity because the gap he describes between leaders who support decisions and leaders who shape them is at least as wide and the consequences are at least as significant.
This post is written to two audiences. For executives who hire and resource cybersecurity leadership: this is what your organization should expect, and what you lose when you don't get it. For cybersecurity leaders moving toward senior roles: these are the capabilities the role increasingly demands.
The bilingual demand on cybersecurity leaders
Cybersecurity leaders are translators by necessity. They face downward into the technical reality of threats, controls, and operations. They face upward into the executive reality of risk, governance, and strategic decisions. The downward language is what most CISOs were trained in. (The technical baseline is real and necessary; nothing here is a critique of technical leadership.)
The upward language is the language of risk management, translating operational reality into the categories boards and executives use to make strategic decisions. This language determines whether cybersecurity gets a seat at the strategic table or arrives after the strategic decisions have been made. And it is the language most cybersecurity development programs have not seriously taught.
Decision leadership is precisely this upward language applied to the strategic moments where decisions are being made. This piece is about that upward dimension — the dimension on which most cybersecurity leaders are weakest, and on which the strategic positioning of cybersecurity most depends.
The pattern that determines whether cybersecurity is strategic
Across organizations, the pattern is consistent. The technically excellent CISO is invited into strategic conversations after the strategic decisions have been made — the acquisition target chosen, the product launch committed, the vendor selected. By the time the CISO is in the room, the decision space has narrowed to implementation. The strategic moment happened somewhere else, with someone else, without security in the conversation.
Organizations whose CISOs operate this way will have cybersecurity programs that are reactive by design, regardless of how well-resourced the function is. Organizations whose CISOs are in the room before strategic decisions are finalized will have cybersecurity programs that compound with the rest of the business. The difference is decision leadership — fluency in the upward language — and it shows up in four organizational capabilities.
Four capabilities organizations should expect
1. The capability to ask the questions that change the direction of a conversation. Organizations should expect their cybersecurity leaders to ask the questions no one else is asking — questions that surface what the executive team is actually deciding rather than what they think they're deciding. Cybersecurity-specific examples worth practicing:
- What risk are we accepting if we move forward as proposed?
- Who in this room owns the consequence if this control fails?
- Whose security exposure are we asking to absorb this decision?
- What would have to be true for this to fail?
A cybersecurity leader who consistently asks questions like these is doing strategic work no one else in the room can do, because no one else has the visibility to know which questions matter. A cybersecurity leader who never asks them has accepted the supportive role and has limited value as a thought partner. For cybersecurity leaders developing this capability: the art of the question is closer to consulting and executive coaching than to technical work, and worth investing in directly.
2. The capability to frame decisions so the real choice is visible. A team may think it's deciding whether to expedite a product launch. The real decision may be whether the organization is willing to ship without the security review the launch process normally requires — a different decision with different implications. Cybersecurity leaders are often the only executives who can name the real decision, because they are the only ones who see the cross-organizational pattern: which controls are accumulating exceptions, which suppliers are stressed, which business units are operating beyond their security capacity. The skill to develop is articulating cybersecurity issues in the language of business decisions without losing the technical accuracy that makes the framing credible.
3. The capability to surface trade-offs before the decision is final. Cybersecurity decisions are often asymmetric in ways other functional decisions are not. A small efficiency gain is weighed against a tail risk that, if it materializes, can be catastrophic. Most business decisions don't have this shape, so executives lack intuitions for reasoning about them well — and most decision-makers, being risk-averse, may over-weight the tail. The cybersecurity leader's job is to make the asymmetry legible by making the distribution of outcomes visible: "If this works as planned, we save X. If it fails as expected, the cost is Y. In the worst credible case, Z. Here's how the probabilities compare." This requires being comfortable with quantification under uncertainty, accepting that ranges with caveats are more useful than precision with false confidence.
4. The capability to bring a recommendation, not just an analysis. Organizations should expect cybersecurity leaders to walk into high-stakes conversations with a clear point of view and, when the situation calls for it, a specific recommendation. A cybersecurity leader who only presents data and options is signaling that they don't have a view worth defending. Senior business leaders need cybersecurity leaders who can say "here's how I see our options, here's what I'd recommend, and here's what I'd be watching to know whether the recommendation is working." The recommendation may turn out to be wrong; that is acceptable and recoverable. What is not recoverable is being known as the leader who never had a position, because that reputation, once established, removes you from the strategic conversations where the position would have mattered.
What this means
The four capabilities are what determine whether cybersecurity is a strategic function or an operational one in your organization. They affect how you should hire cybersecurity leaders (selecting for executive presence and judgment under uncertainty alongside technical credentials), how you should develop them (investing in upward-language capabilities, not just technical ones), and how you should evaluate them (on the cybersecurity outcomes the organization achieves, not just on operational metrics inside the security function).
For cybersecurity leaders moving into senior roles, the four capabilities are the development agenda. The technical baseline is necessary and most senior leaders already have it. The upward-language capabilities are what differentiate the leaders who shape strategic decisions from the leaders who execute them.
JP Elliott's framework is the right lens for what cybersecurity leadership now requires. The translation work (adapting Ask, Frame, Advise to the technical-downward and risk-management-upward demands of cybersecurity) is what Pythia Cyber helps organizations do.
Ask us how you can build cybersecurity leadership that shapes decisions rather than just supporting them.
(image credit: Elen so, CC BY-SA 3.0 <https://creativecommons.org/licenses/by-sa/3.0>, via Wikimedia Commons)