The OODA Loop Guide to How To Manage Cyber Risk as a Board Director

While cybersecurity has been a focus of many highly functioning corporate boardrooms, the growing cyber threat and systemic risks facing corporations today are making it an even more critical topic. Any director seeking to add value to corporate stakeholders should have an appreciation for this growing risk. And with the US Securities and Exchange Commission (SEC) having published regulations requiring publicly traded corporations to document their risk mitigation measures and name who on the board is a cybersecurity lead, we expect all boards will be revisiting the optimal ways to manage cyber risk.

Corporate Directors should not wait for final rules from the SEC to start gap analysis on how the corporation is managing cyber risk. Some steps that can be taken right away:

• We have found that most boards are already talking with management about how to make sure there is clarity on current corporate processes and procedures for incident response and for cyber risk mitigation governance. Many can also benefit from a gap assessment to assess the difference between best practices and current corporate practices.
• We recommend all directors seek to understand their role in mitigating cyber risk, even if cyber risk mitigation is assigned to a cyber or audit committee. External advisors can rapidly evaluate board expertise relevant to the cybersecurity qualifications (including those about to be required by the SEC) and can recommend additional training for the full board or the board designated cyber expert.
• Every business is different. The threat to your business needs to be contextualized to be mitigated. Although we provide tips on how to do that based on business size here, new threats means new contemplation of what this means for your business is required. For most large complex organizations this will probably mean convening a strategy session with key leaders from across the organization where the new nature of the threat can be discussed. which leads to the next key recommendation, this needs to be treated as a business issue not just a security issue.
• Ensure planning involves business leadership, not just IT and Security. Cyber attacks against the nation’s infrastructure and against infrastructures of other nations where your business or suppliers operate are issues for all leaders, not just cybersecurity and technology leaders. Leaders should examine topics of business resiliency and disaster response with an attitude towards long term business survival vice short term operations and should strongly support actions that will enable improved overall business resilience.
• Many boards will decide to form cybersecurity committees so a few designated board members can work issues with management outside of board meetings. This is an emerging best practice.
• Boards should consider their role in monitoring execution, especially on actions requiring people to think differently. The cyber threat is so different it may be cause for actions many organizations never planned for. For example, organizations may need to rapidly learn to use new “out of band” secure communication systems for executive communications and for communications with staff and all employees. Organizations may need to learn to revert to manual paper copy interactions with suppliers, banks and other stakeholders. Boards may need to meet and exercise governance without access to online data of any sort. All of these are ways that businesses used to operate, but many skills in good governance without technology may have atrophied. Now may be the time to exercise them.
• We most strongly recommend that corporate directors take action to keep informed of emerging cybersecurity, geopolitical and technological developments that contribute to systemic risks. A foundational way to track these key topics is by leveraging the analysis of OODA by signing up for the OODA Daily Pulse and by applying to join the OODA Network.
• Directors seeking a deeper understanding of the nature of cyber risk and best practices in corporate governance can leverage OODA Board Cyber Advisory Services. Our advisory team is comprised of only senior executives who have deep domain expertise combined with executive management functions such as serving on Boards of Directors or managing cyber risk as CEOs, CTOs, and CISOs. We help bridge the gap between Boards and their internal security management teams.
• Additionally, directors seeking insights into the nature of cyber risk and best practices for executives in mitigating risk can leverage the extensive research and reporting of the OODA Loop (reviewing the research reports below can help familiarize you with content before it is needed).

Following is a reference for corporate directors and other executives seeking to explore the impact of cyber risk on the value creation and fiduciary responsibilities of a board of directors.  The reference is organized into the following sections:

• Decision Intelligence and Leadership
• Governmental Cyber Policy and Regulations
• Red Teaming
• Executive Protection
• Scenario Planning/Foresight Strategy
• Cyber Incident Advisories and Mitigation Efforts
• The Future of Cyber Risk
• The Human Factor
• Cybersecurity Innovation and the Emergence of Exponential Technologies
  • Zero Trust Architecture and Strategy
  • Artificial Intelligence and Machine Learning
  • Quantum Science and Quantum Security
  • The Future of Space

Decision Intelligence and Leadership

The evolving responsibilities of board members to cybersecurity and cyber risk were highlighted as a theme in the OODA Almanac 2023 and informed production of our 2024 and 2025 Almanacs. Each provide context that can help board members navigate the complexities of business in an age of continuous innovation and disruption.

Seeking Security Alpha:  In cybersecurity, it has long been assumed that the attacker has the advantage and that defenders must deploy a disproportionate amount of resources (time, money, etc.) to even try and maintain some parity.  In the financial industry, there is a term called “seeking alpha” for those investment managers looking to exceed standard performance on a risk-adjusted basis. Recent work by the New York Cyber Task Force implies that CISOs can seek security alpha as well – that is spend a dollar on defense that causes an attacker to spend a disproportionate amount on offense.  In seeking security alpha you should be deploying strategies and solutions that increase the cost to the attacker and provide you with maximum security return on investment for the threats and risks your organization faces.

Every Director of Every Corporate Board Should Read What Larry Fink Writes:  Odds are very high that any publicly traded company has institutional investors. That is just the way the world works these days. Among America’s largest companies, 72% of their ownership is by institutional investors (the big ones being BlackRock, Vanguard, UBS Group, Fidelity, Statestreet, and Morgan Stanley). These and many other institutional investors also invest in smaller publicly traded companies. Since by law and court, precedent Boards work for their shareholders, every director in every publicly traded firm should care about what these big institutional investors think. The biggest and most influential of all is BlackRock with $9.5 trillion under management.  So when BlackRock CEO Larry Fink takes time to put his views into writing, we should all pay attention.

Cybersecurity Whack-a-Mole In the Boardroom:  Rod Hackman is an experienced business leader whose early career included managing US Navy shipboard nuclear reactors, a position which required him to interview with and work under the famous Admiral Rickover. We found Rod’s insights on how the board of directors should approach cybersecurity to be insightful and in some ways reminiscent of leadership lessons from Admiral Rickover, who long taught that responsibility for critical issues can never truly be delegated.

Four Urgent Actions For The C-Suite To Prepare For High-End Cyberattacks:   We recommend leaders consider the following four strategic actions:

• Understand what is new about the threat
• Contextualize the threat to your business
• Ensure planning involves business leadership, not just IT and Security
• Monitor execution, especially on actions requiring people to think differently

First Federal CISO Greg Touhill on Advanced Cybersecurity by Design:  Touhill is currently the director of the Carnegie Mellon University Software Engineering Institute’s CERT Division. In this capacity, he leads one of the most highly regarded organizations in the cybersecurity community. The CERT is a diverse group of researchers, software engineers, security analysts, and digital intelligence specialists who work together to research vulnerabilities, contribute to long-term changes, and develop cutting-edge information and training to improve the practice of cybersecurity.

11 Habits of Highly Effective CISOs:  Over the past 25 years, I’ve consulted for hundreds of executives on cybersecurity issues including direct support to dozens of CISOs working to effectively manage cyber risk in a wide variety of organizations.  With this post, I’ve attempted to capture some of the best practices from the most effective CISOs I know. In future articles, we’ll look at each of the 10 habits in greater detail, including direct input from the CISO community.

A Global CISO’s Ten Rules for Success:  Neal Pollard is an OODA Network member and is the Global CISO at UBS.  He recently posted his 10 rules for being a successful CISO on LinkedIn and gave us permission to share them here.  It is one of the best top 10 lists we’ve seen.

OODA Network Interview: Neal Pollard:  This post is based on an interview with  Neal Pollard. It is part of our series of interviews of OODA Network members. Our objective with these interviews is to provide actionable information of interest to the community, including insights that can help with your own career progression. We also really like highlighting some of the great people that make our continued research and reporting possible.

Mark Weatherford on the relationship between CISOs and corporate leadership:  Mark Weatherford is an icon in the cybersecurity field. He is widely known as a mission-focused leader who builds teams and gets hard things done. His career included success in the US Navy as a cryptologist, leadership, and management in a major defense integrator, CISO for two states (Colorado and California), CISO of the nation’s regulatory organization for our power grid (the NERC), head of security efforts for the newly formed DHS, and operational CISO roles and advisory board positions for several US corporations.

The Five Modes of HACKthink:   HACKthink is the name I use with to describe applying a hacker’s mindset to solving complex problems or finding innovative solutions.  It is derived from the original endearing definition of a hacker, which implies someone who likes to tinker and take things apart to figure out how they work and to make them better.  As a white hat hacker for over 25 years, I’ve applied HACKthink to a great many information security and technology problems, but have also used the same approach to thinking to solve hard problems in other domains.  In addition to HACKthink being used as an overall methodology for decision-making, risk reduction, and opportunity development – there are five unique sub-modes that can provide value as stand-alone elements. After all, problems are just opportunities with different risk profiles.

Mental Models For Leadership In The Modern Age:    This is part of a series providing insights aimed at corporate strategists seeking competitive advantage through better and more accurate decision-making. The full series is available in our special section on Decision Intelligence.  Members are also invited to discuss this topic at the OODA Member Forum.  This post reviews the mental models we recommend all business and government decision-makers master, focused on those models which can help improve your ability to make decisions and drive optimal business outcomes.

Governmental Cyber Policy and Regulations

What Corporate Directors Need To Know About SEC Cybersecurity Rules:  For over a decade the Security and Exchange Commission (SEC) has been working with corporations and their many stakeholders to seek ways to appropriately influence corporate governance around cybersecurity. The SEC is now on the verge of issuing binding regulations for all publicly traded corporations. Our assessment of these regulations is that they hold the potential of transforming corporate governance in ways not seen since the passing of the 2002 Sarbanes Oxley legislation.

CISA Granted Subpoena Power as Cyber Incident Reporting Bill Signed into Law:  The Senate unanimously passed the Strengthening American Cybersecurity Act, which was actually various bills made into one piece of legislation.  A vital piece of the consolidated legislation was a cyber incident reporting bill, mandating critical infrastructure owners notify the Homeland Security Department within 72 hours of a hack and 24 hours if the organization made a ransomware payment.

FTC Expectations For Corporate Board-Level Oversight of Cybersecurity:  The Federal Trade Commission (FTC) has published expectations for corporate board level oversight of cybersecurity. They advise every member of every board: “Don’t underestimate your role in data security oversight.”

Can We Rethink Critical Infrastructure Cybersecurity?  The United States has developed several strategies and roadmaps during different presidential administrations to address critical infrastructure security including but not limited to: Executive Order 14028 on Improving the Nation’s Cybersecurity, a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, a National Infrastructure Protection Plan, Presidential Policy Directive 21, and NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The most current effort to safeguard these infrastructures is in Congress where a bill seeks to amend the annual defense policy legislation that incorporates cyber security for the nation’s “most vital infrastructure.”  It is clear that the highest levels of government acknowledge the need to ensure that these vital sectors do not suffer a catastrophic or debilitating cyber attack.

Log4Shell Update from CISA Director Easterly and DHS CISA JCDC Company Updates:  Following is a ‘big picture’ update of CISA press releases, global incidents, and impacts to assess more of the strategic challenge ahead with the Log4Shell vulnerability and the potential for executables within your systems.

Red Teaming

CISA Releases Red Team Assessment on Critical Infrastructure:  The Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment (RTA) at the request of a large critical infrastructure organization with multiple geographically separated sites. The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs). Multifactor authentication (MFA) prompts prevented the team from achieving access to one SBS, and the team was unable to complete its viable plan to compromise a second SBSs within the assessment period.

10 Red Teaming Lessons Learned Over 20 Years:  I’ve been a red teamer for twenty years now, perhaps even longer, but I didn’t know what to call it until 1995 when I started working with the Department of Defense. I’ve also been fortunate to participate in or lead hundreds of red teams within many divergent disciplines ranging from strategic and tactical cyber to physical security threats like infectious diseases or nuclear power plant targeting to more abstract items like Joint Operating Concepts.  I often get asked what lessons I’ve learned over the past twenty years, so I started putting together this list of 10 lessons learned over 20 years of red teaming a few years ago. Given that I’ve officially hit the twenty-year mark, I figured it was time to hit the publish button. While many of these feel like concepts, vice lessons learned, I hope the reader finds them thought-provoking as they formulate and execute red teams of their own. As always, feedback and comments are welcome.

Executive Protection

OODA Releases a Traveling Executive’s Guide to Cybersecurity: One of the most frequent questions we are asked by global executives and their security teams is how to protect their information and technology systems while traveling abroad.  With this in mind, we built this reference with an eye toward serving the OODA members who travel abroad for business, especially those who will operate in a nation that is not a Western-style liberal democracy.  Of course, these tips also apply to individuals traveling abroad for non-business purposes or who just want to improve their overall individual security posture.

For Executive Protection, Physical and Cyber Security Have Fully Converged:  Corporate and private security teams have well-established procedures and practices for protecting the safety and security of their executives and clients which can include high net-worth families and celebrities.  This can include tried and true measures like bodyguards, physical security measures around facilities and homes, secured vehicles with trained drivers, and a whole suite of protective monitoring technologies such as cameras, sensors, alarm systems, and panic buttons.  In the cyber domain, security teams are less practiced in personnel protection and often focus their efforts on protecting work systems and credentials.  In today’s hyper-connected world, physical and cyber security have fully converged and must be looked at as one unified security effort.  Consider the following ways in which cybersecurity can impact the physical security of an at-risk executive.

Scenario Planning/Foresight Strategy

Scenario Planning for Global Computer Chip Supply Chain Disruption: Results of an OODA Stratigame:  This report is the outcome of our first OODA wargame, which we have branded as a Stratigame (Strategic Game), focusing on the global computer chip supply chain issues.  Over 25 members of the OODA Network of Experts participated in this Stratigame where the OODA research team developed four scenarios and then led a structured discussion in which experts provided unique insights into potential impacts of these scenarios, adjacent risks, and opportunities, and recommended actions that would allow us to avoid the negative impacts of a particular scenario or nudge us into a more favorable scenario.

With the U.S. Delegation in Asia, We Revisit our OODA Stratigame Insights about Taiwan:  We thought the best version of OODA Loop ‘coverage’ of the recent trip by Pelosi et. al. to Taiwan is to return to our Fall 2021 Stratigame. The objective here is a “cheat sheet” of questions the OODA Loop readership should bring to bear in their analysis of the impact of the visit – a list of alternative, more sophisticated framing of the issues at hand.  Our analysis is neither prescriptive nor predictive but offers a framing of the issues which achieves better and more informed questions and insights about the impact of this geopolitical maelstrom.

“The Worst-Case Scenario is the Least Probable” and Other Cognitive Biases: Global Drought, Catastrophic Monsoons and Floods and “Zombie Ice”:  It is also our responsibility to position some negative metrics and trends as part of our overall sensemaking on behalf of the membership.  And we consider even our own aversion to bad news part of our research discipline as well, and we have mechanisms to break through it and achieve something resembling a stoic, balanced stance on most information we are handling at any given time. OODA Network Member Dr. Lisa Porter describes” a risk-based approach that recognizes I am always making a tradeoff.  And to do it with my eyes open.”  We think that captures what we are trying to provide here on a daily basis.  We also use scenario planning to tell the story of the future as we are seeing it – to influence risk strategies and decision-making processes for our member organizations.  So, with that:  Are you sitting down?  Because I have some bad news, along with a mental model through which to analyze its implications.

Cyber Incident Advisories and Mitigation Efforts

OODA has specific expertise in Board Cybersecurity including supporting the nexus between technical cybersecurity and corporate governance risk management and looks forward to supporting a wide range of companies by either placing a cybersecurity expert directly on the board or working as a consultant to the board to help guide their strategic initiatives and ensure they are exercising due care in managing cyber risks.