The wrong type of loop

We all know that information security management only works if we “close the loop”, i.e. that telling people to do things does not work unless you check they are actually doing it. The problem is that for far too long we have been using the wrong type of loop.

It started with ISO 27000 committee bureaucrats, who fell in love with the old-fashioned Deming loop of “Plan, Do, Check, Act”. This was long after leading US military strategists had fashioned the more relevant (to security) Boyd (OODA) loop of “Observe, Orient, Decide, Act”.

Now you might think these two loops sound similar. But you would be wrong. In practice, applying the Deming cycle is painfully slow. It typically translates to an annual budget-driven cycle. Deming himself also preferred the word “study” to “check”, which suggests that we don’t spend enough time on it.

But OODA is all about speed. It’s about highly competitive dog fights. It was inspired by the challenges in air combat in Vietnam. The trick is to design your environment to go faster than your opponent. And that’s exactly what we need to survive in a hostile environment where competitors are aiming to exploit our intellectual property, i.e. the modern business world. 

So let’s ditch PDCA and embrace OODA. It’s an entirely different philosophy, and one that we all need to adopt.

1 comment

I personally don't think the approaches are mutually exclusive. ISO 27001 is focussed on the security management system itself, rather than the day-to-day security operation. So it makes sense to have a slowly-changing continuously improving management system, while being highly responsive in the day-to-day operation where speed can be of the essence. That way you don't keep changing the reporting structures and measurements, allowing them to be compared with earlier ones, while still recognising that the threats move quickly. (I guess a cynical organisation might be able to claim ISO 27001 certification if they had a perfect security management process, that accurately detected and measured their incompetence at actually doing security.)