My blog posting on OODA loops prompted a response from Andrew Yeomans, pointing out that Deming loops and Boyd loops are not mutually exclusive, i.e. you can have a slow moving management system supporting a fast-moving operational cycle. Would that this were true.
Andrew is technically correct. The problem is that you cannot easily divorce the security management system from the countermeasures themselves. ISO 27000 entwines them in a seamless programme of activities, requirements and countermeasures.
One or two operational measures, such as security operations centres and intrusion prevention, do operate in real time. But in general the pace of change and the application of new controls can be slowed to a snail's pace by risk assessments, committees, business cases and budget cycles.
A good question is why we actually need management systems at all, especially if they introduce delay or distraction. Management systems were the invention of quality experts and auditors, and they tend to embody their aspirations. If you don't employ such people in your organisation (and many SMEs don't) then it's not logical to implement a management system.
Management systems are an option to enforce greater discipline and control over business and functional operations. If your organisation is small or rapidly changing, they may serve to hinder more than help you.
And it's not logical to introduce heavy governance measures for a single function or subject area unless they are generally practised across the organisation. Why would you demand a steering committee or a set of KPIs for security management if they are not required for more important business operations?