Boardroom Dynamics: Group Support for the Board’s Involvement in a Smart Security Decision-making Process

Decision making during business meetings is an elusive phenomenon¹ for a couple of reasons. Business meetings have been defined as “…a gathering where people speak up, say nothing, and then all disagree.”² In general, the main objectives of meetings are to facilitate and enable decision makers in exchanging knowledge, discussing complex topics and monitoring large projects, and this all happens under pressure and amid uncertainties.³

Within the domain of information security, boards become more exposed due to expanded regulations, an escalating external threat environment and the complexity of IT on which organizations increasingly rely. All these factors drive increased focus from boards and executive management and the requirement for information security to integrate more widely into the business. This seems a challenge, since information security is perceived as a complex, IT-only subject and decisions are made in IT silos under pressure.⁴ The result is an unbalanced engagement of the relevant participants and, potentially, poor decision making. This poses a risk to organizations.

These pressures and uncertainties often result in:

• Cost to the business in man-hours due to prolonged decision making
• Business risk due to delayed actions as complexity causes paralysis
• Increased risk of making bad decisions due to complexity

The impact of these three factors on the future of organizations can be dramatic for the organization and its leaders. In contrast, getting these decisions correct and making them in a timely manner can provide a tremendous strategic advantage and secure the future of a business. This can be referred to as business information security (BIS). This article addresses the major takeaways of efficient meeting facilitation and decision making based on practical and academic insights. Focusing on boards and executive management, including the chief information security officer (CISO) and the chief risk officer (CRO), to increase efficiency in meetings and engage important stakeholders at all levels helps gain a mutual level of knowledge and meaning to increase impact and BIS effectiveness.

From IT Security to Business Information Security

Security is still seen as a technology-specific topic, not a wider business issue,^{5, 6} undeservedly, because the scope of information security is much broader than just IT.^{7, 8} In particular, this can be a challenge for mid-sized organizations.^{9, 10, 11} The lack of knowledge on information security can be addressed by adopting an appropriate framework; however, successful adoption requires strong engagement with multiple parties involved in business processes throughout the decision-making process.^{12, 13, 14}

The information security and risk management domains are largely managed by professionals who are well educated in IT, security or other related topics. They often receive only limited training in business management principles and, therefore, it can be challenging to find a fruitful balance between content and process.¹⁵ As a result, most meetings are managed based on the content instead of the process and, therefore, are derailed. This can result in meeting outcomes that fall far short of the desired objectives.¹⁶

Meetings without a steering process may lead to participant disappointment.¹⁷ To avoid this disappointment and increase the effect of collaborating toward predefined targets, meeting software can be employed to help facilitate goals achievement. According to a longitudinal study on 900 meetings, a 56 percent savings in man-hours can be achieved with the use of this technology and an experienced facilitator.¹⁸ Given that the average manager spends 25-80 percent of his/her time in meetings, the companywide savings are easily calculated, and the quality of the decision-making process enhanced.¹⁹

Thus, information security requires a business-oriented approach that involves multiple parties at all levels.

Introduction of Group Support Systems

Group support systems (GSS) facilitates the effective collection, organization, evaluation, cross-impact analysis and reporting of data²⁰ with the assistance of a group moderator. GSS can help to resolve subjective dilemmas among participants such as culture, attitudes or hierarchic relations. Because GSS support anonymous participation in meetings, individuals are more willing to be open and transparent. This enables ideas to be judged based on the content rather than origin. It also addresses the differences between introverted and extroverted participants, an issue that is seldom discussed, but is a dominant factor in meeting effectiveness as it impacts both process and content and, therefore, the eventual outcomes. The role of the facilitator is to acknowledge these different participants’ characteristics prior to and during the meeting.

GSS require the establishment of a predefined agenda for the meeting and prompt the facilitator to analyze in advance the topic, the group composition, and differences in participants’ issues and interests. This enables the facilitation of the meeting to align to the desired outcomes. The role of the facilitator is to make sure everybody has a voice in the meeting and to stimulate a free-flowing discussion throughout the processes displayed in figure 1. The facilitator must help members share their experiences, elicit the views of all participants, keep group members on track and capture responses.²¹

This calls for the facilitator to possess certain core competencies, including:

• Generating new data from the participants, thus creating awareness and transferring knowledge
• Testing assumptions
• Sharing relevant information (knowledge) with the participants
• Using specific examples and agreeing on the meaning of important terms
• Explaining reasoning and intent
• Focusing on professional, not personal, opinions
• Combining advocacy with inquiries
• Jointly designing next steps and ways to test disagreements
• Discussing “undiscussable” issues (barriers)
• Ranking outcomes (parameters or intervention candidates)
• Comparing outcomes and discussing variables (double-loop learning)²²

The acceleration of the meeting is achieved by the collective and simultaneous discussion, so the size of the group does not negatively influence the meeting’s duration. On the contrary, larger groups can influence the quality of the meeting and decision-making process.²³ The results of the meetings are directly processed and, therefore, visible on the participants’ screens, which enables double-loop learning.²⁴ The data are directly reported in an understandable and attractive format.

Everybody Has a Voice

GSS, which have made a tremendous contribution to knowledge sharing over the last 15 years,²⁵ are often used to diverge or to converge individual standpoints in the decision-making process. The use of GSS is highly efficient, effective and user friendly.^{26, 27} The Dutch Police Academy conducted 45 GSS sessions from 2005 to 2011, in which 763 employees of the Dutch police participated²⁸ in intelligence gathering for cold cases.²⁹ This large-scale longitudinal GSS research showed the potential of GSS as a facilitating system and methodology for capturing data and knowledge sharing, and reusing previous collected knowledge that was initially implicit and was made explicit through group discussion and thinking.³⁰

During sessions in which the authors have facilitated, the early engagement of senior management is addressed by the participants as a prerequisite to improve the maturity of BIS.³¹ Discussion is targeted to the specific underlying problems with which BIS is coping.

The first is a sense of urgency within the boardroom. The second is ad hoc approaches to solving problems. GSS can bridge this gap in two ways:

1. By making the problem explicit based on theoretical constructs and concepts thereby creating a sense of urgency on the magnitude of the problem
2. By establishing awareness and a mutual level of knowledge among those involved with the problem (object and subject) to stimulate group dialog and facilitate socialization,³² thinking,³³ discussions³⁴ and using the decision-making process for strategic planning,³⁵ e.g., improving the maturity of BIS³⁶

Figure 1 displays the flow of the GSS process of decision making.

Thus, technology and proper meeting facilitation can help with common pressures and uncertainties, such as the absence of “evidence trailing.” Collecting, storing and “trailing” during the decision-making process the information about who made which decision based upon what evidence may seem rather complex, but it does not have to be, since contemporary technology can facilitate it. GSS technology can record and store the entire meeting, from brainstorming to the final decisions.

In the absence of efficient process facilitation, meetings lack balanced engagement of all participants and the “law of decibel”³⁷—in which the person dominating the meeting with his/her opinion can influence the opinion of the group—may quickly take over. Meetings then become subjective and chaotic, and may lead to participants’ frustration and impaired decision making. Managing the process of the meeting is as important as the content, if not more so, in avoiding this outcome.³⁸ This is especially the case with projects that are complex and require a certain level of technical knowledge and a longer time slot.

GSS in Business Information Security

Scientific research at Antwerp University (Belgium) and Radboud University (Nijmegen, The Netherlands) has found that the use of GSS software enables complex and knowledge-intensive decision-making processes to be carried out faster and more efficiently than what is commonly experienced in business. For example, in the areas of risk management and information security, GSS makes it easier and swifter to arrive at an informed decision—a primary desire within the information security industry. A use case performed in the health care industry revealed that GSS and proper facilitation assisted the CISO with engaging management and prioritizing risk and security management activities.

Cybersecurity in the Boardroom

It is evident that boardroom involvement in cybersecurity initiatives is essential; this is not a new realization.⁴⁰ Involvement is more than just appointing a chief information officer (CIO) or IT department to deal with it. Sincere involvement in and commitment to common business management processes, such as meetings are required, especially since knowledge management becomes the focal point in meetings about information security. Making the right decisions depends on the active generation, capture and sharing of knowledge during meetings at the top levels of the organization, especially during meetings that have the objective of formulating viewpoints on items that justify the entire decision-making process. In boardrooms, this becomes increasingly important because the individual board member needs to form his/her own meaning and opinion on a certain topic in order to make a valuable and justified decision.⁴¹

The aforementioned university research indicates that using GSS can make meetings about prioritizing information security practices very productive.

“This paper describes the application of Group Support Systems (GSS) in the field of Business Information Security Governance (BISG). The focus is on longitudinal small team collaboration—for instance within Boards of Directors (BoD), Management Teams and groups of experts—with large amounts of items…It shows how GSS can play a facilitating role in small team collaboration to process and assess large amounts of data in order to make qualified decisions.”⁴²

There is an increasing demand to evaluate, direct and monitor (EDM)⁴³ cybersecurity initiatives at the board level to create broader understanding of this complex topic. The complexity, as well as the huge number of topics related to the information security domain, increases the necessity to create transparency about the basic level of knowledge that is required within boards and how to maintain and further develop it.⁴⁴ This is necessary so board members have a clear level of understanding of what they need to know.

An example of topics on the agenda of a board session on cybersecurity is displayed in figure 2. This is a screenshot of the GSS agenda. In this example, the board members participate in a session to assess the asset values and score the vulnerabilities these assets pose. The outcome is a set of critical assets on which they can prioritize their investments in cybersecurity initiatives. This provides the CISO, for one, with clear direction.⁴⁵

Information Security as an Integrated Business Practice

Information security is increasingly becoming an integrated business practice instead of just IT. Information security academic literature emphasizes the necessity to govern information security at the level of the board of directors (BoD) and to execute it (i.e., plan, build, run and monitor) at the management level. GSS is a powerful and novel instrument to discuss and prioritize complex items such as information security practices. The distilled core practices (figure 3) for BoDs, derived via GSS, present a core set of carefully selected and prioritized information security governance practices and thereby reveal the power of GSS in knowledge sharing and decision-making processes. These strategy elements, based upon SPRM, are successfully applied by numerous organizations. These 10 practices function as a frame of reference for BoDs and management teams to gain knowledge consensus and facilitate the decision-making process in order to improve the maturity level of business information security.^{46, 47}

In addition to use within academic environments, GSS has proven itself in practice. For example, hundreds of sessions at the Boeing aircraft corporation with 654 participants in 82 GSS sessions, IBM with 441 participants in 55 GSS sessions, Nationale Nederlanden with 414 participants in 41 GSS sessions, where knowledge management and thorough decision making on safety and security are crucial, have successfully used GSS.⁴⁸

From Strategy to Operations

A potential use for GSS in relation to BIS could be for organizations to apply a cyberthreat perspective to the analysis and prioritization of BIS strategy. The strategic forces model appears to be suitable for use in GSS to assess the strategic cybersecurity forces in a group.^{49, 50} Examples of forces can be cybercriminals, states and terrorists. Discussing these forces and prioritizing the necessary measurements and investments of improvement⁵¹ can be done via GSS. For example, translating the threat actors (which can be perceived as forces) identified by the National Cyber Security Centre in The Netherlands (figure 4) to effective measures that protect critical assets no longer comes from theoretical books but from the collective brain of the group.⁵²

Conclusion

By making use of knowledge facilitation technologies such as GSS, in combination with an experienced facilitator, board members can prioritize more effectively and meetings can become more pleasant and efficient. The list of 10 core practices noted in figure 3 enables boards to set strategic directives and collect viewpoints and voices of all parties within the business, in addition to IT. GSS can support bringing more insights into these viewpoints, eliciting the right level of urgency and collecting the evidence during the meeting. This substantiates a smart decision-making process.⁵³

By achieving a mutual level of knowledge, directors and managers are able to strip away the jargon of the security professionals and focus on the essence. This better prepares them to take the heat once they are exposed to an escalated threat. Proven technology and theory such as double-loop learning provide managers with more understanding so they can fully take responsibility and ownership and, as a result, perceive information security as an integrated business practice instead of an ad hoc practice.

References

• Gordon, L.; M. Loeb; “The Economics of Information Security Investment,” ACM Transactions on Information and System Security, vol. 5, no. 4, 2002, p. 438-457.
• Gordon L. L. M.; T. Sohail; “Market Value of Voluntary Disclosures Concerning Information Security,” MIS Quarterly, vol. 34, no. 3, 2010
• Solms, B.; “Corporate Governance and Information Security,” Computers and Security, vol. 20, 2001, p. 215-218
• Gordon, L.; M. Loeb; “The Economics of Information Security Investments,” ACM Transactions on Information and System Security, vol. 5, no. 4. 2002, p. 438-457
• Day, G.; “Cybersecurity for Small Businesses,” 23 October 2009, small business.uk.reuters.com.
• Calder, A.; Implementing Information Security Based on ISO 27001/ISO 27002, Zaltbommel: Van Haren Publishing, 2009
• ITGI, “Aligning COBIT 4.1, ITIL V3, ISO/IEC 27002 for Business Benefit,” IT Governance Institute and OGC, United Kingdom, 2008
• Von Solms, B.; R. Von Solms; “The 10 Deadly Sins of Information Security Management,” Computers & Security, South Africa, 2004.
• Sveena, F.; J. Torresa; J. Sarriegia; “Blind Information Security Strategy,” International Journal of Critical Infrastructure Protection, vol. 2, 2009, p. 95-109
• Pfeffer, J. S. R.; The Knowing Doing Gap: How Smart Companies Turn Knowledge into Action, Harvard Business School Press, USA, 2001
• Meyer, B.; R. De Wit; Strategy Synthesis: Resolving Strategy Paradoxes to Create Competitive Advantage, Thomson, UK, 2005
• De Haes, S.; W. Van Grembergen; “Practices in IT Governance and Business/IT Alignment,” ISACA Journal, vol. 2, 2008
• De Haes, S.; W. Van Grembergen; Enterprise Governance of IT: Achieving Strategic Alignment and Value, Springer, USA, 2009
• ISACA, COBIT 5 for Information Security, ISACA, USA, 2012
• ISACA, Controls and Assurance in the Cloud: Using COBIT 5, ISACA, USA, 2014

Endnotes

¹ Elsayed-Elkhouly, S.; H. Lazarus; “Why Is a Third of Your Time Wasted in Meetings?” Journal of Management Development, vol. 16, no. 9, 1997, p. 672
² Kayser, T.; Mining Group Gold, Third Edition: How to Cash in on the Collaborative Brain Power of a Team for Innovation and Results, McGraw-Hill Education, USA, 2010
³ Riabacke, A.; “Managerial Decision Making Under Risk and Uncertainty,” IAENG International Journal of Computer Science, vol. 32-4, 2012
⁴ Hu, Q.; T. Dinev; P. Hart; D. Cooke; “Managing Employee Compliance With Information Security Policies: The Critical Role of Top Management and Organizational Culture,” Decision Science, vol. 43, no. 4, 2012, p. 615-660
⁵ Solms, V.; “From Information Security to Business Security,” Computer and Security, Elsevier, South Africa, 2005
⁶ ISACA, An Introduction to the Business Model for Information Security, USA, 2009
⁷ Op cit, Solms
⁸ Bobbert, Y.; Maturing Business Information Security, Utrecht: IBISA, 2010
⁹ Kluge, D.; S. Sambasivam; “Formal Information Security Standards in German Medium Enterprises,” Conisar, 2008
¹⁰ Sanchez, L.; A. Santos-Olmo; E. Fernandez-Medina; M. Piattine; “Security Culture in Small and Medium-Size Enterprises,” Communications in Computer and Information Science, vol. 110, 2010, p. 315-324
¹¹ W. Flores, W.; E. Antonsen; M. Ekstedt; “Information Security Knowledge Sharing in Organizations: Investigating the Effect of Behavioral Information Security Governance and National Culture,” Computers and Security, vol. 43, 2014, p. 90-110
¹² Siponen, M.; R. Willison; “Information Security Management Standards: Problems and Solutions,” Information and Management, vol. 46, 2009, p. 267-270
¹³ da Veiga, A.; N. Martins; “Improving the Information Security Culture Through Monitoring and Implementation Actions Illustrated Through a Case Study,” Computers and Security, vol. 49, 2014, p. 162-176
¹⁴ Straub, D.; R. Welke; “Coping With Systems Risk: Security Planning Models for Management Decision Making,” MIS Quarterly, vol. 22, no. 4, 1998, p. 441-469
¹⁵ Miranda S.; R. Bostrom; “Meeting Facilitation: Process Versus Content Interventions,” Proceedings of 30^th Hawaii International Conference on System Sciences, Institute of Electrical and Electronics Engineers, 1997
¹⁶ Pai, J.; “An Empirical Study of the Relationship Between Knowledge Sharing and IS/IT Strategic Planning (ISSP),” Management Decision, vol. 44, 2006, p. 105-22
¹⁷ Romano, N.; J. F. Nunamaker; “Meeting Analysis: Findings From Research and Practice,” Proceedings of 34^th Hawaii International Conference on System Sciences, Institute of Electrical and Electronics Engineers, 2001
¹⁸ Ibid.
¹⁹ Op cit, Elsayed-Elkhouly and Lazarus
²⁰ Vreede, G.; J. Boonstra; F. Niederman; “What Is Effective GSS Facilitation? A Qualitative Inquiry Into Participants’ Perceptions,” Proceedings of 35^th Hawaii International Conference on System Sciences, Institute of Electrical and Electronics Engineers, 2002
²¹ Newby, R.; G. Soutbar; J. Watson; “Comparing Traditional Focus Groups With a Group Support Systems (GSS) Approach for Use in SME Research,” International Small Business Journal, vol. 21, no. 4, 2003, p. 421-433
²² Hengst, M.; M. Adkins; S. van Keeken; A. Lim; “Which Facilitation Functions are Most Challenging: A Global Survey of Facilitators,” Proceedings of the Group Decision and Negotiation Conference, 2005
²³ Dennis, A. R.; J. S. Valacich; J. F. Nunamaker; “An Experimental Investigation of the Effects of Group Size in an Electronic Meeting Environment,” IEEE Transactions on Systems, Man, and Cybernetics, vol. 20, no. 5, 1990, p. 1049-1057
²⁴ Double-loop learning entails the modification of goals or decision-making rules in light of experience. The first loop uses the goals or decision-making rules, the second loop enables their modification, hence double loop. Double-loop learning recognizes that the way a problem is defined and solved can be a source of the problem.
²⁵ Kolfschoten, G.; J. Nunamaker; “Collaboration Support Technology: Patterns of Successful Collaboration Support Based on Three Decades of GSS Research,” Collaboration Science, Technologies, Processes and Applications, Advances In Management Information Systems, no. 3, 2014
²⁶ Kolfschoten, G; J. B. F. Mulder; H. Proper; “De fata morgana van Group Support Systemen,” Informatie, vol. 4, no. 5, 2016, p. 10-14
²⁷ Fjermestad, J.; S. Hiltz; “Group Support Systems: A Descriptive Evaluation of Case and Field Studies,” Journal of Management Information Systems, vol. 17, no. 3, 2001, p. 115-159
²⁸ Snel, A.; J. B. F. Mulder; A. Van der Niet; “Group Support System,” Opsporing Belicht, Politieacademie, Vols. Lectoraat Criminaliteitsbeheersing & Recherchekunde, 2011
²⁹ Mulder, J. B. F.; et al, “New Applications of Group Support Systems, Group Decision and Negotiation,” University of Vienna, Austria, 2005
³⁰ Op cit, Sanchez, Santos-Olmo, Fernandez-Medina, Piattine
³¹ Bobbert, Y.; J. B. F. Mulder; “Governance Practices and Critical Success Factors Suitable for Business Information Security,” Proceedings of International Conference on Computational Intelligence, Communication Systems and Networks, Institute of Electrical and Electronics Engineers, 2015
³² Nonaka, I.; “A Dynamic Theory of Organizational Knowledge Creation,” Organization Science, vol. 5, no. 1, 1994, p. 14-37
³³ Lebek, B.; J. Uffen; M. Neumann; B. Hohler; M. Breitner; “Information Security Awareness and Behavior: A Theory-based Literature Review,” Management Research Review, vol. 12, no. 37, 2014, p. 1049–1092
³⁴ Rutkowski, A.; B. van de Walle; G. van den Eede; “The Effect of Group Support Systems on the Emergence of Unique Information in a Risk Management Process: A Field Study,” Proceedings of 39^th Hawaii International Conference on System Sciences, Institute of Electrical and Electronics Engineers, 2006
³⁵ Op cit, Pai
³⁶ Op cit, Solms
³⁷ Murray Turoff refers to this “decibel law” as the Asch Effect. Solomon Asch studied if and how individuals yielded to or defied a majority group and the effect of such influences on beliefs and opinions.
³⁸ Altier, W. J.; “Process Expertise—A Critical Managing Fundamental,” Business Horizons, vol. 36, 1993, p. 10-15
³⁹ Op cit, Pai
⁴⁰ Op cit, Hu, Dinev, Hart and Cooke
⁴¹ Op cit, Miranda and Bostrom
⁴² Bobbert, Y.; J. B. F. Mulder; “Group Support Systems Research in the Field of Business Information Security: A Practitioners View,” Proceedings of 46^th Hawaii International Conference on System Science, Institute of Electrical and Electronics Engineers, 2013
⁴³ EDM refers to the COBIT 5 for Information Security Governance Process, Evaluate, Direct and Monitor.
⁴⁴ Op cit, Miranda and Bostrom
⁴⁵ Gordon, L.; M. Loeb; “You May Be Fighting the Wrong Security Battles,” The Wall Street Journal, 26 September 2011
⁴⁶ SPRM refers to the strategic elements, to establish a competative advantage, from De Wit and Meyer. This distinction is applied by numerous studies at Antwerp Management school by Steven De Haes and Wim van Grembergen and later on integrated into COBIT 5 for Information Security and its derivatives for assurance and cloud.
⁴⁷ Op cit, Bobbert and Mulder
⁴⁸ de Vreede, G.; D. Vogel; G. Kolfschoten; J. Wien; “Fifteen Years of GSS in the Field: A Comparison Across Time and National Boundaries,” Proceedings of the 36^th Hawaii International Conference on System Sciences, Institute of Electrical and Electronics Engineers, 2002
⁴⁹ Porter, M.; “How Competitive Forces Shape Strategy,” Harvard Business Review, March 1979
⁵⁰ Bobbert, Y.; “Porter’s Elements for a Business Information Security Strategy,” ISACA Journal, vol. 1, 2015, http://h04.v6pu.com/resources/isaca-journal/past-issues
⁵¹ Bobbert, Y; A. Niet; “Cybersecurity in the Boardroom,” Oracle Innovation in Government Day, Erasmus University, Rotterdam, The Netherlands, 2015
⁵² Turoff, M.; S. Hiltz; H. Cho; Z. Li; Y. Wang; “Social Decision Support Systems,” Proceedings of 35^th Hawaii International Conference on System Sciences, Institute of Electrical and Electronics Engineers, 2002
⁵³ Pfeffer, J. S. R.; R. I. Sutton; “Evidence-based Management,” Harvard Business Review, January 2006