Interests vs Position in Negotiations — Scenario 10 — Security Crisis Management
Practical example of how Security and Management can separate position from interest during a security crisis in order to make coordinated and effective decisions.
Security crises require quick and coordinated decisions; when it is unclear who has the final say or how to communicate, tensions between containing risk and protecting the business increase. Separating position and interest helps create playbooks with authority and aligned communication.
Below: context, objectives, blocker, positions and interests, and practical proposals to move forward.
Scenario 10 — Security Crisis Management between Security and Management
Conflict: a critical vulnerability was detected; Security requests partial shutdown and containment; Management fears commercial and reputational impact from stopping services.
Context
A critical vulnerability was detected; the Security team recommends shutting down/stopping services partially to contain the intrusion and perform forensics; Management is concerned about impact on sales and reputation.
Objectives
Security: mitigate the threat, protect data, and perform forensic analysis. Management: minimize commercial and reputational impact, maintain customer trust and critical operations.
Blocker
Centralized decision-making and unclear authority: no consensus on who has the authority to stop services, nor coordinated public communication protocols.
Scenario detail and practical reminder
Practical note: Stopping services protects the systems technically but can harm revenue and trust; not stopping can expand the intrusion scope. Clear playbooks and defined authorities prevent chaotic decisions and allow controlled communication.
- Summary context: Critical vulnerability detected that may require active containment.
- Risk for Security: greater intrusion or data loss if not acted upon quickly and decisively.
- Risk for Management: commercial losses, reputational impact, and unhappy customers if service is stopped without control or communication is poor.
Interests and positions
Security
Position: Shut down/partially stop services to contain the vulnerability.
Interests: Protect assets and data, limit intrusion scope, and preserve technical integrity.
Management
Position: Keep services active and control public communication to avoid business damage.
Interests: Minimize commercial and reputational impact, maintain operations and customer trust.
Difference between position and interest in this case
The position is the immediate action (shutdown vs keep service). The interest is technically protecting assets versus maintaining business continuity and reputation.
Identifying interests allows agreeing on playbooks, clear decision roles, and a coordinated communication plan that balances technical mitigation and commercial impact mitigation.
- Examples of interest-based solutions (not just positions):
  - Incident Response Playbook (IRP): predefined procedures that determine when and how to execute partial shutdowns, with operational checklists and technical thresholds.
  - Delegated authority and crisis committee: define roles (CSO, CTO, COO, CCO) and a clear RACI for urgent decisions and external communication.
  - Coordinated communication: pre-approved public and private communication templates (clients, partners, press) to activate with the incident.
  - Parallel mitigations: containment plans that reduce impact (rate limiting, traffic segmentation, degraded mode) instead of total shutdown.
  - Business continuity plan: identify critical services to maintain and temporary alternative routes to minimize losses.
- Immediate practical action: Convene a response committee within 1–3 hours with:
  - Quick risk assessment and mitigation options (impact and estimated time).
  - Operational decision with clear authority (apply playbook/IRP or authorize alternative measures).
  - Communication plan (internal, critical clients, press) with designated spokespersons.
  - Temporary measures to maintain critical operations (segmentation, degraded mode, limiting non-critical functions).
  - Record and post-mortem: timeline of actions, decisions, and lessons to update playbook after the incident.
Quick recommendations
- Define a clear playbook/IRP with technical thresholds and decision roles to avoid paralyzing debates during the crisis.
- Appoint delegated authority for immediate decisions and a crisis committee for strategic decisions and communication.
- Prioritize mitigations that reduce technical damage without completely paralyzing the business (degraded mode, segmentation).
- Have pre-approved communication templates and trained spokespersons to reduce reputational risk.
- Document everything and conduct a post-mortem with concrete actions to update playbooks and responsibilities.