When you work in technology, you have to be familiar with the industry alphabet soup that comes with the job—it seems there’s an acronym for everything. But during a recent CompTIA Volley podcast, guest Chris Cochran, co-founder of Hacker Valley Media and Advisory CISO at Huntress, introduced us to a new one: the OODA loop. While it sounds like a type of cereal, it’s actually a highly effective decision-making process originally created by a military strategist to inform fighter pilots dealing with high-risk combat scenarios.
The OODA loop (observe, orient, decide, act) correlates nicely with MSPs engaging in their own cyber wars against bad actors. But what exactly does it mean, and how can you leverage this concept to improve your security posture?
What Does OODA Loop Mean?
According to Cochran, the OODA loop is a four-step approach to decision-making that focuses on filtering available information, putting it in context and quickly making the most appropriate decision while also understanding that changes can be made as more data becomes available.
Here’s how it breaks down:
- Observe: Gather data
- Orient: Analyze the data
- Decide: Come up with a plan
- Act: Execute that plan
The “loop” keeps this process continually relevant. It helps you reflect on the results of your decisions and keep improving them as you gather new data, until you achieve optimal outcomes.
Of course, since the OODA loop was designed for combat operations, the emphasis has been on quick decision-making, which lends itself to incident response. But MSPs can also apply this concept in their cybersecurity strategy and risk analysis.
How To Apply the OODA Loop to Cybersecurity
You can apply the OODA loop to many different areas of cybersecurity—including tactical plays like patching and more strategic plays like risk analysis.
Step 1: Observe
Whether you’re working in the weeds or at a higher level, the first step is gathering data. To do this, you need to fully understand the problem, the environment and applicable factors. During incident response, it’s essential to make sure you’re filtering out any irrelevant data to improve your reaction time. A more strategic approach allows you the time to document your organization’s current state and observe what’s happening in the world. Are companies in your industry being targeted? Are your competitors changing the market? How do these factors affect your risk appetite?
Step 2: Orient
In this phase, you’ll take a look at all the information and data you’ve gathered and consider the next steps. This step gives you situational awareness and allows you to marinate in what’s happening. Again, in an incident response scenario, you should compare your baseline data to what you’re seeing and flag unusual activity to understand the root problem. In a risk analysis scenario, you can consider the decisions that could be made and make a case for them before choosing a course of action.
Step 3: Decide
Making a decision is arguably the most difficult, and most important, part of the OODA loop. When responding to a breach, your plan should be timely and flexible. You need to be able to act quickly and pivot accordingly in response to your attacker’s actions. In a more strategic scenario, the decision phase takes all the potential outcomes into consideration during meetings or discussions focused on creating a cybersecurity roadmap for your company. You’ll be deciding where to invest, where to mitigate and how to protect your “crown jewel,” according to Cochran.
Step 4: Act
The final step is executing your plan. When in crisis mode, your goal is to get to this step as soon as possible. And while time is of the essence during a breach, make sure your team is documenting their workflows—and the results—to help build out your playbooks for future use. This reporting is also critical to organizations using the OODA loop to build out a risk analysis. Once you’ve put your decisions to work, it’s essential to measure the effectiveness, the cost, the workload, etc. Then, put that new data back into the OODA loop and rinse and repeat.
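The four steps above, as one incident-response pass over failed-login events. This is an added example, not code from the article or from Cochran; the sample events, baseline values, 3x threshold and action names are all constructed assumptions.

```python
from collections import Counter

# Constructed sample events (not from the article): (host, event_type, user)
EVENTS = [
    ("ws-01", "login_failure", "alice"),
    ("ws-01", "heartbeat", "-"),
    ("srv-db", "login_failure", "admin"),
    ("srv-db", "login_failure", "admin"),
    ("srv-db", "login_failure", "admin"),
    ("srv-db", "login_failure", "root"),
    ("ws-02", "heartbeat", "-"),
    ("srv-db", "login_failure", "admin"),
]
BASELINE = {"ws-01": 2, "srv-db": 1}   # assumed normal failures per interval
RELEVANT = {"login_failure"}           # event types that matter for this incident

def observe(events):
    """Observe: gather data, filtering out irrelevant event types."""
    return [e for e in events if e[1] in RELEVANT]

def orient(observed, baseline, factor=3):
    """Orient: compare counts to the baseline and flag unusual hosts."""
    counts = Counter(host for host, _, _ in observed)
    return {h: n for h, n in counts.items() if n > factor * baseline.get(h, 1)}

def decide(anomalies):
    """Decide: pick a response per flagged host (hypothetical action names)."""
    return [("isolate_host" if n >= 10 else "lock_accounts_and_review", h)
            for h, n in sorted(anomalies.items())]

def act(plan, playbook_log):
    """Act: record each action taken so the results can feed future playbooks."""
    for action, host in plan:
        playbook_log.append({"host": host, "action": action,
                             "result": "pending review"})
    return playbook_log

def ooda_pass(events, baseline, playbook_log):
    """One trip around the loop; call again as new events arrive."""
    anomalies = orient(observe(events), baseline)
    act(decide(anomalies), playbook_log)
    return anomalies

if __name__ == "__main__":
    log = []
    print(ooda_pass(EVENTS, BASELINE, log))
    print(log)
```

Calling `ooda_pass` again with the next interval's events and the same `playbook_log` is the "rinse and repeat" step: the log accumulates the documented actions while the baseline can be adjusted from measured results.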
Is the OODA Loop Right for Your Company?
Only you can determine whether the OODA loop process will benefit your organization. If decision-making has been a problem in the past, implementing the OODA loop can help you create less friction, bring more transparency and situational awareness, and emphasize preparation as a key to success.