The wrong type of loop

| 1 Comment
| More

We all know that information security management only works if we "close the loop", i.e. that telling people to do things does not work unless you check they are actually doing it. The problem is that for far too long we have been using the wrong type of loop.

It started with ISO 27000 committee bureaucrats, who fell in love with the old-fashioned Deming loop of "Plan, Do, Check, Act". This was long after leading US military strategists had fashioned the more relevant (to security) Boyd (OODA) loop of "Observe, Orient, Decide, Act".

Now you might think these two loops sound similar. But you would be wrong. In practice, applying the Deming cycle is painfully slow. It typically translates to an annual budget-driven cycle. Deming himself also preferred the word "study" to check", which suggests that we don't spend enough time on it.

But OODA is all about speed. It's about highly competitive dog fights. It was inspired by the challenges in air combat in Vietnam. The trick is to design your environment to go faster than your opponent. And that's exactly what we need to survive in a hostile environment where competitors are aiming to exploit our intellectual property, i.e. the modern business world. 

So let's ditch PDCA and embrace OODA. It's an entirely different philosophy, and one that we all need to adopt.

Enhanced by Zemanta

1 Comment

I personally don't think the approaches are mutually exclusive.

ISO 27001 is focussed on the security management system itself, rather than the day-to-day security operation.

So it makes sense to have a slowly-changing continuously improving management system, while being highly responsive in the day-to-day operation where speed can be of the essence. That way you don't keep changing the reporting structures and measurements, allowing them to be compared with earlier ones, while still recognising that the threats move quickly.

(I guess a cynical organisation might be able to claim ISO 27001 certification if they had a perfect security management process, that accurately detected and measured their incompetence at actually doing security.)

Leave a comment

About this Entry

This page contains a single entry by David Lacey published on December 22, 2015 3:36 PM.

In praise of the Digital Catapult was the previous entry in this blog.

Find recent content on the main index or look in the archives to find all content.



-- Advertisement --