Harnessing Entropy: Innovating Third-Party Risk Management in the Age of Disruption
Introduction
Why write this? The inspiration for this thought leadership emerged from a poignant observation shared on LinkedIn by Clinton D. Pope, which resonated deeply with my experiences creating and running the Third-Party Risk Management (TPRM) program. The post highlighted two critical thoughts: (1) the inherent design of systems shaping their outcomes and (2) the inevitable increase of entropy over time. These concepts struck a chord with me, aligning with my observations of escalating third-party breaches despite significant investment in people, process, and tools to better manage the risks our third parties pose to our business or organization. My experience and expertise in the field have led me to realize that traditional TPRM approaches
Overview of Third-Party Risk Management (TPRM)
Third-Party Risk Management (TPRM) is a crucial aspect of business operations, particularly in our digitally interconnected world. It involves identifying, analyzing, and mitigating risks from third-party entities such as vendors, suppliers, and service providers, whether physical or digital. TPRM becomes even more critical in cybersecurity, as third parties often have access to sensitive data or systems, creating potential vulnerabilities and causing significant operational impact. Traditional TPRM strategies have primarily focused on compliance and standard risk assessment methodologies and tend to look backward instead of forward. However, with the increasing sophistication of cyber threats and the evolving digital landscape
The Notion of Stability in TPRM Best Practices
In the realm of Third-Party Risk Management (TPRM), stability has often been synonymous with relying on established protocols, particularly standardized questionnaires. These questionnaires, typically comprehensive (and sometimes overly so), aim to gauge a third party's compliance with security and data protection standards and contractual obligations. However, the over-reliance on such static evaluation tools can lead to a form of rigidity in the risk management process. This rigidity is problematic for several reasons.
Introducing the Concept of Entropy and Boyd's "Destruction and Creation" - aka "the third-party phoenix"
The concept of entropy, originating from thermodynamics and extending into information theory, is pivotal in understanding the evolving challenges in Third-Party Risk Management (TPRM). Entropy, in its most basic form, represents a measure of disorder or randomness within a system and the tendency for disorder to increase over time. In the context of cybersecurity and TPRM, entropy can be viewed as the unpredictability and complexity inherent in managing risks associated with third parties. As cyber threats become more sophisticated and transformative, the entropy in these systems increases, making the risk landscape more unpredictable and challenging to navigate.
John Boyd's seminal work "Destruction and Creation" provides further insight into dealing with such complex systems. Boyd's paper discusses the concept of breaking down existing structures (destruction) and reassembling them in new, innovative ways (creation).
This process is not merely about dismantling for the sake of change but is a strategic method for understanding and adapting to a constantly evolving environment. Boyd's philosophy encourages a continuous cycle of analysis and synthesis, where existing models and assumptions are regularly questioned and reevaluated in the face of new information.
In the TPRM context, this approach suggests that traditional, static methods are no longer sufficient, if they ever were. The increasing entropy in cyber-related risks necessitates an adaptive approach. Boyd's methodology of destruction and creation can be applied to TPRM strategies, urging professionals to regularly deconstruct their current risk models and adapt them to incorporate new threats and vulnerabilities. This approach aligns with the need for TPRM strategies to be flexible and adaptable, allowing for a more proactive stance in identifying and mitigating risks posed by third parties.
This perspective on entropy and Boyd's philosophies challenges the traditional notion of stability in TPRM. It underscores the need for a shift towards a more fluid and responsive risk management model, one that can evolve as quickly as the threats it aims to mitigate.
Exploring How Entropy and Boyd’s Ideas Enhance Adaptability and Effectiveness in TPRM
This paper posits a transformative approach to Third-Party Risk Management (TPRM), pivoting on the integration of entropy and the strategic concepts articulated in John Boyd's "Destruction and Creation." The thesis hinges on the premise that the conventional, static methodologies in TPRM are increasingly inadequate in the face of a rapidly evolving digital threat landscape. By embracing the concepts of entropy and chaos — the inherent disorder and unpredictability in systems — and Boyd's framework, TPRM strategies can be reinvigorated to become more adaptive, responsive, and effective.
The essence of this approach lies in recognizing that traditional TPRM methods, while providing a sense of stability and order, may mask emerging risks and vulnerabilities. In a landscape where cyber threats are characterized by fluidity and unpredictability, a static model is akin to preparing for yesterday's battles. In this context, entropy serves as a reminder of the constant state of flux in cyber threats and the need for TPRM strategies to be equally agile and fluid.
Boyd's ideas, particularly the OODA loop (Observe, Orient, Decide, Act), provide a framework for this adaptive approach. In the realm of TPRM, this translates to a continuous cycle of observing the evolving risk landscape, orienting strategies to address these changes, deciding on the best course of action, and acting promptly. It's about creating a TPRM process that is not only reactive but also anticipatory in nature.
Furthermore, Boyd's concept of 'Destruction and Creation' encourages periodic reevaluation and adjustment of existing TPRM people, process, and technology. This process involves breaking down current risk models and practices to their fundamental components and reassembling them in innovative ways that better address the current threat environment. It's about fostering a culture of continuous improvement and strategic innovation in TPRM, moving away from a rigid, one-size-fits-all approach to a more tailored and agile methodology.
In summary, this paper advocates for a paradigm shift in the way third-party risk is assessed and managed, guided by the principles of entropy and Boyd's strategic theories. This shift aims to enhance the adaptability and effectiveness of TPRM strategies, ensuring they are robust enough to handle the complexity and unpredictability of modern cyber threats while being flexible enough to evolve with them.
Understanding Entropy and Its Implications
Definition and Explanation of Entropy in Thermodynamics and Information Theory
Entropy in Thermodynamics: In thermodynamics, entropy is a fundamental concept that measures the level of disorder or randomness in a system. Originally formulated in the context of heat and temperature, entropy quantifies the number of ways a system can be arranged, where higher entropy denotes a greater degree of disorder. This concept was first introduced by Rudolf Clausius in the mid-19th century, and it's a cornerstone of the second law of thermodynamics, which states that the entropy of an isolated system tends to increase over time.
In practical terms, energy systems naturally progress from an ordered state to a more disordered one unless external work is done to maintain or reduce the entropy. For example, a melting ice cube in a glass of water demonstrates increasing entropy as it transitions from the ordered structure of a solid to the more disordered state of a liquid. In TPRM, this concept can be paralleled to how cyber threats evolve; without constant vigilance and adaptation, the 'order' of a secure system naturally tends to degrade, leading to increased vulnerability and risk.
Entropy in Information Theory: Entropy, in the context of information theory, as developed by Claude Shannon in the 1940s, represents the degree of uncertainty or unpredictability in a data set. It is a measure of the amount of information that is missing before receiving the data. Higher entropy indicates a higher level of unpredictability or more information content. This concept is crucial in understanding and managing information in various domains, including cybersecurity.
In information theory, entropy is used to quantify the efficiency of a data compression algorithm or the level of unpredictability in a message. For instance, a string of random letters has higher entropy than a string with repeated or predictable patterns. In the context of TPRM, this version of entropy suggests that the more unpredictable and varied the information about third-party risks, the more robust and dynamic the risk management strategy needs to be. It underscores the necessity of having an effective and comprehensive approach to monitor and manage third-party risks, as relying on predictable, static methods might leave significant gaps in security.
Understanding entropy in both thermodynamics and information theory provides a valuable framework for TPRM. It highlights the importance of expecting and preparing for change and disorder in both the physical and information realms. In TPRM, this translates to an ongoing need to adapt and evolve risk management strategies to counter the inherently unpredictable nature of cyber threats effectively.
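As an added illustration (not code from the article), the Python below computes Shannon entropy for the random-versus-repeated string case described above and then applies the same measure to a constructed, hypothetical vendor questionnaire portfolio, flagging questions whose identical answers carry zero bits of information about any vendor's posture. The vendor names and control questions are invented sample data.

```python
"""Shannon entropy applied to third-party questionnaire data.

Added illustration, not code from the article. The vendor portfolio below is
constructed sample data (hypothetical vendor names and control questions).
"""
import math
from collections import Counter


def shannon_entropy(symbols):
    """Shannon entropy H = -sum(p(x) * log2 p(x)) of a sequence, in bits per symbol.

    Equally likely distinct symbols give the maximum (log2 of the alphabet
    size); a single repeated symbol gives 0 bits.
    """
    symbols = list(symbols)
    if not symbols:
        return 0.0
    total = len(symbols)
    h = -sum((n / total) * math.log2(n / total) for n in Counter(symbols).values())
    return 0.0 if h == 0 else h  # normalise the -0.0 produced by the single-symbol case


# Constructed portfolio: vendor -> {control question -> questionnaire answer}.
SAMPLE_PORTFOLIO = {
    "vendor-a": {"encrypts_data_at_rest": "yes", "mfa_for_admins": "yes", "provides_sbom": "yes"},
    "vendor-b": {"encrypts_data_at_rest": "yes", "mfa_for_admins": "yes", "provides_sbom": "no"},
    "vendor-c": {"encrypts_data_at_rest": "yes", "mfa_for_admins": "no", "provides_sbom": "no"},
    "vendor-d": {"encrypts_data_at_rest": "yes", "mfa_for_admins": "no", "provides_sbom": "no"},
}


def answer_entropy_by_question(portfolio):
    """Entropy (bits) of the answer distribution for each question across all vendors."""
    questions = sorted({q for answers in portfolio.values() for q in answers})
    return {
        q: shannon_entropy(a[q] for a in portfolio.values() if q in a)
        for q in questions
    }


def uninformative_questions(portfolio, min_bits=0.0):
    """Questions whose answers carry at most `min_bits` of information.

    A question every vendor answers identically has 0 bits of entropy: it cannot
    distinguish one vendor's posture from another's, so it tells the assessor
    nothing, however reassuring the uniform "yes" column looks.
    """
    return sorted(q for q, h in answer_entropy_by_question(portfolio).items() if h <= min_bits)


if __name__ == "__main__":
    # Strings matching the article's illustration: random-looking vs. repeated patterns.
    for s in ("qzkwyblt", "abababab", "aaaaaaaa"):
        print(f"{s}: {shannon_entropy(s):.3f} bits/symbol")
    for q, h in answer_entropy_by_question(SAMPLE_PORTFOLIO).items():
        print(f"{q}: {h:.3f} bits")
    print("uninformative questions:", uninformative_questions(SAMPLE_PORTFOLIO))
```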
As my good friend Matthew Klejwa said, “Entropy is a most difficult concept,” and he has a Master's in Physics. He recommends this video to help understand it: The Most Misunderstood Concept in Physics
The Relevance of Entropy in Dynamic Systems and Decision-Making
Entropy's relevance in dynamic systems, particularly in decision-making in TPRM, is profound and multifaceted. Dynamic systems are characterized by constant change, interaction, and complexity, much like the environments in which TPRM operates. In this context, as Shannon shows, entropy serves as a crucial measure of the unpredictability and disorder inherent in these systems.
In TPRM, organizations must navigate an intricate web of relationships and dependencies. Each third-party entity an organization interacts with can introduce varying degrees of risk. Entropy here represents the unpredictability associated with these external entities. As the number of third-party relationships grows, so does the complexity and entropy of the system, making the risk landscape more challenging to predict and manage.
Entropy directly impacts decision-making processes. In high entropy environments, where there is a greater degree of uncertainty and less predictability, decision-makers must be adept at managing and responding to unforeseen changes. This necessitates a flexible and agile approach to TPRM, where decisions are made based on the most current and comprehensive information available, and strategies are continually adapted to the evolving risk landscape.
The concept of entropy in information theory also plays a role in decision-making. In TPRM, there is often a significant amount of information asymmetry, where the organization does not have complete information about the third-party’s security posture. High entropy in this context indicates a higher level of uncertainty regarding the third-party's risk profile. Effective risk assessment in such scenarios requires strategies that can accommodate this lack of information and still make informed decisions.
The increasing entropy in cyber threats implies that what was once a secure system can become vulnerable over time as new threats emerge and old defenses become obsolete. This dynamic nature of threats requires TPRM strategies to be inherently adaptable and forward-looking, constantly evolving to identify and mitigate new risks as they arise.
Understanding entropy in dynamic systems encourages a shift from a reactive to a proactive stance in TPRM. Instead of merely responding to incidents and known vulnerabilities, continuous monitoring, anticipating potential risks, and preparing for them are needed. This approach involves not just dealing with present risks but also predicting and preparing for future challenges.
Recognizing the role of entropy in dynamic systems is crucial for effective decision-making in TPRM. It compels organizations to adopt more agile, informed, and anticipatory risk management practices, acknowledging that change is the only constant in a world of increasing complexity and unpredictability.
The Paradox of Low Entropy (Orderliness) Leading to Increased Systemic Risk
The paradox of low entropy, or high orderliness, leading to increased systemic risk is a nuanced and somewhat counterintuitive concept, particularly relevant in the context of Third-Party Risk Management (TPRM). This paradox arises from the assumption that a highly ordered system, characterized by stability and predictability, would naturally be less risky. However, in the dynamic and complex realm of cybersecurity and TPRM, this is not always the case.
TPRM systems with low entropy are often highly structured and rely on predictable, standardized risk assessment frameworks, like the use of questionnaires and checklists. While these methods provide a sense of control and order, they can also lead to a rigid and inflexible approach to risk management. Such systems might not be adept at identifying or responding to novel or evolving threats that fall outside their predefined parameters.
Low entropy in TPRM often results in homogeneity of security practices across different third parties. This uniformity, while seemingly efficient, can make the entire network more susceptible to systemic risks. If all entities in a system use similar security protocols, the compromise of one could expose vulnerabilities in others, akin to a domino effect, or what some describe as cascading risk.
A system with low entropy tends to underestimate the possibility and impact of emerging threats. The predictable nature of such systems can create blind spots, where unforeseen risks are not accounted for until they materialize. This lag in recognition and response can be particularly detrimental in the rapidly evolving cyber threat landscape.
Another risk of a low-entropy TPRM system is the potential for complacency. When a system operates smoothly within its set parameters, there is often little perceived need for change or innovation. This can lead to stagnation and a lack of preparedness for when the risk landscape inevitably shifts.
Decision-making in a low-entropy environment can become overly reliant on past data and trends, which may not indicate future threats. This reliance can lead to a false sense of security, where the absence of apparent risk is mistaken for the absence of any risk, neglecting the need for proactive measures and vigilance.
While a low-entropy, orderly TPRM system offers predictability and a sense of control, it paradoxically may increase systemic risk by not being sufficiently adaptable and responsive to new, unforeseen challenges. This paradox highlights the need for a balanced approach in TPRM, where stability is complemented by flexibility, and orderliness is tempered with an openness to change and innovation.
Overview of "Destruction and Creation"
Summary of key concepts
John Boyd's paper, "Destruction and Creation," emphasizes the cognitive process of dynamically adapting to a changing environment. It advocates for breaking down established concepts and reassembling them in innovative ways to create new understanding. This process of continuous deconstruction and reconstruction of mental models is crucial for effective strategy and decision-making, particularly in complex fields like risk management. Boyd's philosophy underlines the importance of not being rigidly anchored to existing frameworks but being agile and responsive to new information and changing circumstances. This approach is particularly relevant in the rapidly evolving field of Third-Party Risk Management (TPRM), where static strategies may fail to address emerging challenges effectively.
The process of breaking down and reassembling ideas
In the paper, the process of breaking down and reassembling ideas is a key concept. It involves deconstructing existing mental models and frameworks to understand their underlying assumptions and components. This 'destruction' phase is not just about dismantling; it's a critical analysis to identify what elements of the current understanding are still relevant and which are outdated or inadequate. The 'creation' phase involves reassembling these components, often along with new information and insights, to form a new, more relevant model. This dynamic process of continuous analysis and synthesis is vital for adapting to and understanding complex, changing environments like those encountered in Third-Party Risk Management.
Application of Boyd’s Philosophy to Strategic Thinking and Innovation
John Boyd's philosophy, as outlined in "Destruction and Creation," significantly impacts strategic thinking and innovation, particularly in complex areas like Third-Party Risk Management (TPRM). This philosophy advocates for a continuous cycle of breaking down existing models and assumptions (destruction) and reassembling them with new insights (creation). This approach fosters adaptability in strategic thinking, allowing for rapid response to changing environments. It encourages a departure from rigid, traditional strategies, promoting innovation by integrating diverse perspectives and new information. In TPRM, this means continuously updating risk models and strategies to address emerging threats, ensuring that risk management remains effective and relevant. Boyd's approach underlines the importance of flexibility and a willingness to challenge and evolve established practices in the face of new challenges.
Stability vs. Adaptability in TPRM
Analysis of traditional TPRM practices and their inherent stability
Traditional TPRM practices are characterized by their inherent stability, which stems from established procedures and standardized methodologies. These practices typically involve comprehensive questionnaires, regular audits, and reliance on certifications to assess the security posture of third parties. While such practices provide a structured and methodical approach to risk assessment, they often lack flexibility. This rigidity can be a significant drawback in the rapidly changing landscape of cyber threats, where new risks emerge constantly. Traditional TPRM, in its quest for stability and control, may not be agile enough to adapt to these evolving threats, potentially leaving organizations vulnerable to unforeseen risks. The stability in traditional TPRM practices, therefore, while beneficial for consistency and predictability, can be a double-edged sword in the face of dynamic cyber challenges.
Risks associated with overly stable, predictable TPRM strategies
Each of these risks highlights the necessity for TPRM strategies to be dynamic, adaptable, and forward-looking, capable of evolving alongside the changing cyber threat landscape.
Hypothetical examples of failures in rigid TPRM systems
These examples illustrate how a lack of flexibility and adaptiveness in TPRM systems can lead to significant oversights and vulnerabilities.
Applying Entropy and Boyd’s Theories to TPRM
Introducing controlled entropy into TPRM for enhanced unpredictability and resilience
Introducing controlled entropy into TPRM involves strategically incorporating unpredictability and flexibility elements to enhance risk management systems' resilience. This concept, inspired by entropy in thermodynamics and information theory, suggests that a certain degree of disorder can be beneficial in complex systems like TPRM.
In summary, controlled entropy in TPRM is about deliberately introducing variability and adaptability into the system. This approach aligns with Boyd's philosophy of constant adaptation and reevaluation, ensuring that TPRM strategies remain effective and resilient in the face of an ever-changing cyber threat landscape.
The process of 'destructive creation' in reevaluating and evolving TPRM practices
The process of 'destructive creation' in reevaluating and evolving TPRM practices, a concept derived from Boyd's work, involves a radical reassessment and restructuring of existing risk management frameworks. This approach requires breaking down current TPRM practices to their core components, critically examining their effectiveness, and then innovatively reassembling them to suit the current threat environment better.
In essence, the 'destructive creation' process in TPRM is about continuously challenging and reinventing existing risk management practices to better align with the complex and ever-evolving nature of cyber threats. This dynamic approach ensures that TPRM strategies remain effective, relevant, and resilient.
Balancing order and chaos for effective risk management
Balancing order and chaos in risk management, especially in TPRM, involves maintaining a delicate equilibrium between structured, predictable strategies and adaptable, innovative approaches. This balance is key to effective risk management.
Balancing order and chaos in TPRM is about creating a dynamic and responsive risk management system that leverages the strengths of both structured and flexible approaches. This balance ensures that the risk management strategies are both reliable and adaptable to the ever-changing cyber threat landscape.
Conclusion
In conclusion, this paper underscores the criticality of incorporating the principles of entropy and John Boyd's theories into Third-Party Risk Management (TPRM). It highlights how entropy, representing the inherent unpredictability of cyber threats, necessitates a more dynamic and adaptable approach to TPRM. Boyd's concepts of continuous adaptation and strategic reevaluation further reinforce this need. By integrating these ideas, the paper advocates for a transformative TPRM strategy that is not only responsive to current threats but also agile and forward-thinking, ready to adapt to the ever-evolving digital landscape. This integration is pivotal for the evolution and effectiveness of TPRM practices, ensuring that organizations can manage risks in a robust and proactive manner.
The future
The future of Third-Party Risk Management (TPRM) in an ever-evolving threat landscape is poised for significant transformation. As cyber threats become increasingly sophisticated and unpredictable, TPRM must evolve from static, compliance-focused models to more dynamic, adaptive frameworks. This shift will involve integrating real-time threat intelligence, employing advanced analytics, and fostering a culture of continuous innovation and agility. Future TPRM strategies will need to be proactive, leveraging technologies such as AI and machine learning for predictive risk analysis. This evolution is essential for organizations to effectively manage and mitigate the risks associated with an increasingly interconnected and digital business environment.
Final Thoughts
In the final analysis, achieving a balance between stability and adaptability in risk management is essential. Stability provides a reliable foundation and consistent approach, necessary for any effective risk management system. However, in the face of an ever-changing cyber threat landscape, adaptability becomes equally crucial. This balance ensures that while the core principles and methodologies of risk management remain sound and dependable, they are also flexible and dynamic enough to accommodate and respond to new and unforeseen threats. The future of risk management lies in this equilibrium, where steadfastness meets agility, ensuring robust and resilient strategies in an unpredictable digital world.
Reference Material
Thanks, Bob Maley, lots of good thoughts here. I highly recommend Thomas Kuhn’s book, “The Structure of Scientific Revolutions.” It had a large influence on Boyd. Entropy is often defined as a quantity of unusable energy. And likewise in Boydian terms entropy can be defined as a quantity of unusable concepts or patterns. Thus the need to differentiate or disassemble concepts and patterns into constituent parts, so they can be reassembled in novel, innovative ways, so they can be used, effectively reducing entropy. Boyd described two drivers or regulators… entropy and goal-seeking. Entropy naturally increases over time, triggering our goal-seeking (survival on our own terms) behavior, which results in this sine wave of constant adaptation to maintain an acceptable range of entropy.