Boardspan Library

What Do Masks and Cyber-Attacks Have in Common?

by Abby Adlerman

Change is good: it’s what drives most of business success. We accept that, with change, we will encounter unknowns that can be both favorable and challenging. Preempting downside while making change is a critical aspect of risk management.

Yet “humans are tuned to making decisions around stability,” according to Dr. Gaurav Suri, a computational neuroscientist at San Francisco State University. So, in moments of change – when things are less stable, by definition – we find ourselves assuming some level of risk that we’re simply not wired to manage well.

While risk management is often discussed in my board circles, I took this particular learning from a National Public Radio program about how individuals can safely circumnavigate their worlds while Covid is raging. On All Things Considered, Dr. Leana Wen, an emergency physician and public health academic, spoke about developing a “risk budget”. Building on that, Dr. Suri, whose work focuses on human decision making, discussed calculating risk, noting that it is especially hard to do in times of fluctuation. I would add – it’s even harder to do in moments of full-on turmoil.

Dr. Suri’s comments helped me come to an important realization: the worst time to make decisions about risk is when you’re in the thick of things, with complex positive and negative possibilities. The stress and the stakes are both too high.

To address this conundrum, Dr. Suri suggests that ahead of time you “accept there is risk, and you will have a better chance of making an informed choice. That allows this value-maximizing, utility-maximizing part of our decision making to come to the fore.”

In this pandemic, we use our intuition and good judgment before putting ourselves in harm’s way to determine our risk exposure and mitigate where possible: being vaccinated and boosted, wearing a mask indoors, and picking which events to attend. In our business lives, we need to ask ourselves similar questions about risk and do the same calculus. What could go wrong, how big a deal is it, and what can I do to preempt that problem without compromising my objectives? Of course, averting the fallout of a possible cyber-attack is considerably more complex than deciding whether and when to go to the supermarket. Nonetheless, the act of considering the risks of our actions (or inactions) and then making a plan to mitigate those risks starts at the same place. Three basic questions will get you going:

  • What risks are we facing?
  • How bad will it hurt us?
  • What can we do to prevent the pain or minimize the fallout?

Inarguably, risk management is an extremely complex science and art. Professionals dedicate their careers to the subject and even then, there are no guarantees that someone will get it right. Still, with proper thought processes, analytics, and planned decision making, especially in moments of calm and stability, boards can get considerably ahead of the challenges rather than waiting until something hits the fan.

Then take risk management to the next level by cataloging your greatest exposures, namely the most painful potential outcomes that have the greatest likelihood of happening. Shining a light on these vulnerabilities is the best way to assure that your organization has a mitigation plan for them. While many management teams will have conducted a similar exercise at the enterprise level, boards need to go through a high-level process of their own to provide independence, objectivity, and true oversight. It’s not about doubting the veracity of management’s risk management program but about bolstering it with an informed yet less-partial perspective.

Remember, the greatest risk you’ll ever take is ignoring risk now. Stay safe, friends.


Abby Adlerman is CEO and Founder of Boardspan. The author thanks Mary Louise Kelly for conducting an insightful interview and NPR for publishing it in written form. All quotes are fully credited to them and Dr. Suri.
