Why would anyone reject win-win? Because honestly, it never turns out to be win-win. That’s just a cliche for one party to compromise in order to to come to an agreement.
Turns out that by rejecting win-win you open the doors for so much more opportunity to be successful. And anyone who has read Jim Camp’s book Start with No is familiar with his (negative) views on win-win.
The alternative requires that that you start with a mission and purpose and stay true to it. You can’t and won’t compromise if doing so will endanger your mission and purpose. Jim Camp was talking about negotiations, but this can be applied to every interaction we have in our lives. In fact, many interactions we have with co-workers, bosses, vendors, family members and friends are actually negotiations.
And this also applies to how we manage cyber risk. Your mission and purpose should be to align and prioritize your team’s activities to reduce business risk and enable the business to prosper. Anything else runs contrary to your stated mission and purpose.
Even more:
A clear mission and purpose produces vision. That vision helps you prioritize your time and budget. When you interact with others, your job is to share your vision and help the other party to create their own vision which should align with yours. When you do that, you don’t need win-win. You’re already on the same page with a shared vision.
Applying this concept to your cyber strategy you need to ensure your team is properly prepared and has the tools, processes and training to perform their tasks when called upon. Your vision takes shape as you create your incident response plan, run training exercises, create playbooks, and in how you choose the vendors you partner with.