Industrial Age Processes in the Information Age?

By Rob Carey, CSC Cybersecurity

One of the many issues we face today is the rapid pace of change. Every few months new smart phones emerge with new capabilities, new social media channels appear, computing takes another step in speed and flexibility and, of course, the cybersecurity threat evolves, continually ahead of those charged with protecting information and networks.

A specific challenge is the inability of organizations (both government and industry) to make decisions as quickly as these threats evolve. Most modern organizations operate with Industrial Age processes that are grossly inadequate in the Information Age.

But what is the root cause? I offer that neither changing technology nor our ability to innovate is the issue; instead it’s an organization’s old Industrial Age decision processes (necessary to take actions) that are the cause. Both business and government lack agility in cybersecurity decision-making and investments.

Most decision-making and investment processes that we use were defined 50+ years ago, and require laborious, time-consuming steps. In comparison, today’s bad guys use the Internet as a vast real-time command-and-control network. They require no approval time for their actions, whereas we, their targets, lack any ability to respond operationally or strategically at Net-speed.

How long do we take to determine we must shore up our network defenses? Weeks? Months? Quarters? Fiscal years? Our Cyber OODA (Observe, Orient, Decide, Act) loop needs to shorten dramatically.

Military strategist and Air Force Colonel John Boyd developed the OODA decision cycle and applied the concept to the combat operations process to illustrate the importance of decision agility in air warfare, both at the tactical and strategic level. When I was a young engineer at the Naval Sea Systems Command, I was introduced to the Shewhart Cycle (Plan, Do, Check, Act), which also illustrates how decision agility can improve control and processes.

How can these two Industrial Age strategies help us frame a path ahead on Information Age thinking? The advent of the ubiquitous Internet has laid waste to traditional decision making and management processes. Within cybersecurity, one unpatched application or server can mean instant compromise and result in a network’s virtual destruction.

There are many cases in point — Sony Pictures, Target and several places in the U.S. Federal Government — where malicious attacks succeeded in achieving some or all of their objectives. Yet today’s security continues to be challenged by an inability to obtain a quick decision — an end state that is heavily influenced by an organization’s cumbersome and inefficient decision-making processes.

Operationally, network and security operations centers are better and faster at responding, but their parent organizations still lack the ability to make decisions fast enough to stay ahead of threats. All too often, organizations find themselves deciding how to best clean up the aftermath of the attack, which began (on average) eight months before they discovered it.

Moving from a risk management approach to an effects management approach, such as either of the two mentioned above, requires fundamental shifts in decision cycle times. If we are ever going to get ahead of cyberthreats, we will have to make this move.



Robert Carey, CSC Global Cybersecurity Public Sector vice president, is responsible for delivering and managing cybersecurity offerings and managed services to the public sector. Before joining CSC, Carey spent 31 years in the public sector, most recently as U.S. Department of Defense Principal Deputy Chief Information Officer.

Comments

  1. The problem with using “OODA” loop here is that it was designed for a direct engagement. The author seems to advocate OODA loop for both direct engagement and the larger view of defense.

    As such, there is no provision for assessment; comprehending what’s occurred and providing some longer term planning/guidance. Without that, this is just a react-to-contact exercise that cannot be won.

