Who knew that a battle strategy devised for fighter pilots could be repurposed to protect supply chains from cyber threats and other security risks?
John Boyd was a U.S. Air Force fighter pilot and military theorist who greatly influenced the development of both aircraft and battle tactics. He is best known today for formulating the OODA Loop, a decision cycle that draws on human thought processes to fashion a system for responding to a given situation — in its original incarnation, an attack by an enemy pilot.
Standing for Observe, Orient, Decide and Act, the OODA Loop has since been applied to business, medicine, law enforcement, litigation and any number of other instances in which one confronts an antagonist or uncertain scenario.
Now, the OODA Loop is being touted as an approach to mitigating supply-chain risk, especially cyber threats.
The idea can be found in “Innovations in Third Party Continuous Monitoring,” a white paper by the Shared Assessments Program, a consortium for third-party risk management.
According to Shared Assessments, third-party involvement was the leading factor behind an increase in the cost of a data breach in 2017. (Such incursions can come from unexpected directions; recall the theft of payment-card data from Target Corp. in November of 2013, affecting up to 110 million customers, where the attackers' point of entry was network credentials stolen from a heating and air-conditioning contractor.)
It’s no surprise, therefore, that cybersecurity experts should view their mission in military terms, and draw on the wisdom of a former fighter pilot. One of Boyd’s earliest applications of OODA Loop principles came out of the Korean War, leading to the conclusion that American planes were besting the enemy because their bubble-shaped canopies afforded pilots a wider field of view, enabling them to make decisions more quickly.
Obviously, the stakes are much lower when the OODA Loop is applied to the world of business. But the growing cost of cyber breaches, including reputational damage and lost customers, is high enough to justify its use by risk managers.
At first glance, the routine set forth by Boyd might seem blindingly obvious. “Humans use that process every day. They make lots of observations, such as when they’re crossing the street,” says Bob Maley, consultant and senior leader of information security with The Santa Fe Group, which acts as managing agent of the Shared Assessments Program.
Upon closer examination, however, the OODA Loop can be of value in helping companies formulate strategies for minimizing and avoiding supply-chain risks. It allows organizations to “improve situational awareness, increase risk management program ROI, and reduce compliance costs,” according to the Shared Assessments Program.
More specifically, the group says, the routine can help a company to devise plans in line with its “risk appetite,” prioritize the use of experts who can recognize and act against threats, and draw up a corporate “playbook” for response by less-experienced individuals.
Third-party oversight is more than a case of vetting partners at the beginning of a relationship, notes Charlie Miller, senior vice president with The Santa Fe Group. It incorporates onboarding, contracting and ongoing monitoring. “You want to make sure that you have controls protecting the critical assets of the outsourcer,” he says.
The notion of continuous monitoring, including a system of alerts in the event of a threat or actual breach, “was nascent two years ago,” adds Miller. “But it’s becoming more robust as we go forward.”
Cybersecurity experts tend to be overly tactical in their approach, says Maley. That orientation can lead to a series of “point-in-time” responses that never add up to a broader picture of cyber threats. (That broader picture is, for risk managers, the equivalent of Boyd's bubble canopy.)
“The OODA Loop process helps open people’s minds to understanding that tactical solutions are just feeding into an overarching strategy,” Maley says.
For example, third-party risk management often confronts a series of business “silos,” whereby various functions inside and outside the organization fail to communicate on a regular basis. As a result, different units might not all be using the same group of preferred (and properly vetted) suppliers.
In applying the principles of the OODA Loop, companies collect observations from all parts of the supply chain. Take the use of call centers, for which many companies rely on multiple service providers. Do they fully understand the kinds of customer data to which those vendors have access? Have they envisioned the fallout if one of those centers becomes compromised? (At that point, risk managers are moving from “observe” to “orient.”)
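To make the call-center scenario concrete, the following is an added illustration (it is not code from the article or from the Shared Assessments white paper). It inverts each business unit's vendor list into a per-vendor view so that a supplier used by several silos becomes visible (observe), looks up what customer data each vendor can reach and whether it was ever vetted (orient), and applies a pre-agreed playbook so a responder can pick an action without convening governance for every case (decide and act). Every vendor name, business unit, data class and playbook rule below is constructed sample data, and the escalation threshold is an assumption chosen for the example.

```python
"""OODA-style reconciliation of third-party vendors across business units.

Added illustration, not from the article or the white paper it discusses.
All vendors, units, data classes and playbook rules are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# --- Constructed sample inventory -------------------------------------------
VETTED_SUPPLIERS: Set[str] = {"acme-callcenter", "northwind-bpo"}

# Observe: which business units actually use which call-center vendors.
UNIT_VENDORS: Dict[str, List[str]] = {
    "retail-support": ["acme-callcenter", "quickcalls-inc"],
    "wholesale-support": ["northwind-bpo"],
    "returns": ["quickcalls-inc"],
}

# Orient: what customer data each vendor can reach, and how sensitive it is.
VENDOR_DATA_ACCESS: Dict[str, Set[str]] = {
    "acme-callcenter": {"contact", "order-history"},
    "northwind-bpo": {"contact"},
    "quickcalls-inc": {"contact", "payment-card"},
}
DATA_SENSITIVITY: Dict[str, int] = {"contact": 1, "order-history": 2, "payment-card": 3}
ESCALATION_THRESHOLD = 3  # assumed: sensitivity at which a responder must involve governance


@dataclass
class Orientation:
    vendor: str
    units: List[str]
    vetted: bool
    data_classes: Set[str]
    max_sensitivity: int


@dataclass
class Decision:
    vendor: str
    action: str
    escalate: bool


def observe(unit_vendors: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert the per-unit view into a per-vendor view so silos become visible."""
    by_vendor: Dict[str, List[str]] = {}
    for unit, vendors in sorted(unit_vendors.items()):
        for vendor in vendors:
            by_vendor.setdefault(vendor, []).append(unit)
    return by_vendor


def orient(by_vendor: Dict[str, List[str]], vetted: Set[str],
           access: Dict[str, Set[str]], sensitivity: Dict[str, int]) -> List[Orientation]:
    """Attach vetting status and data exposure to every vendor actually in use."""
    out: List[Orientation] = []
    for vendor, units in by_vendor.items():
        classes = access.get(vendor, set())
        # A vendor missing from the access inventory is an unknown: treat it as worst case.
        max_sens = max((sensitivity[c] for c in classes), default=max(sensitivity.values()))
        out.append(Orientation(vendor, units, vendor in vetted, classes, max_sens))
    return out


def decide(o: Orientation, threshold: int = ESCALATION_THRESHOLD) -> Decision:
    """Playbook: pre-agreed actions so a responder need not convene governance each time."""
    if not o.vetted and o.max_sensitivity >= threshold:
        return Decision(o.vendor, "suspend data feed and open incident", escalate=True)
    if not o.vetted:
        return Decision(o.vendor, "start vendor assessment and onboarding", escalate=False)
    if o.max_sensitivity >= threshold:
        return Decision(o.vendor, "confirm contractual controls; keep on continuous monitoring", escalate=False)
    return Decision(o.vendor, "routine monitoring", escalate=False)


def run_ooda_cycle(unit_vendors: Dict[str, List[str]] = UNIT_VENDORS,
                   vetted: Set[str] = VETTED_SUPPLIERS,
                   access: Dict[str, Set[str]] = VENDOR_DATA_ACCESS,
                   sensitivity: Dict[str, int] = DATA_SENSITIVITY) -> List[Decision]:
    """Observe -> orient -> decide; 'act' here is handing the decisions to the caller."""
    return [decide(o) for o in orient(observe(unit_vendors), vetted, access, sensitivity)]


def unvetted_vendors(unit_vendors: Dict[str, List[str]] = UNIT_VENDORS,
                     vetted: Set[str] = VETTED_SUPPLIERS) -> Dict[str, List[str]]:
    """Vendors in use that never passed vetting, with the units that use them."""
    return {v: u for v, u in observe(unit_vendors).items() if v not in vetted}


if __name__ == "__main__":
    for d in run_ooda_cycle():
        flag = "ESCALATE" if d.escalate else "responder"
        print(f"{d.vendor:18} {flag:9} {d.action}")
```

In the sample data the vendor that two units adopted independently is also the one that was never vetted and that holds payment-card data, so it is the only item the playbook escalates; the vetted vendors stay with the responder. A real inventory would be fed from procurement and access-review systems rather than literals, but the shape of the loop is the same.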
That’s valuable guidance for any company, but is it necessary to invoke a buzzword like “OODA Loop” to describe a model of thinking and reacting that’s just part of human nature?
“People for centuries have been using this decision-making process without knowing it’s called the OODA Loop,” acknowledges Maley. Still, applying a term that emerged from the experience of combat to the everyday business world can help to impress executives with the urgency of shoring up their cybersecurity programs. And it can serve as a path forward for rapid action in the face of a threat.
“The intention is to give those on the ground who are observing the risk the tools and playbooks that can help them make decisions without having to engage the entire governance structure,” explains Miller. “To the extent that decisions and actions are becoming integrated into their playbooks, mindsets and quickness to respond, that’s the benefit.”