23 May 2015

Memorial Day 2015: The Risk of Service is Understood...

It is Memorial Day weekend in the U.S. and on this final Monday of May 2015, we reflect on this past year.

In order to put it all in context, we looked back 24 months to our 2013 blog post here.  It was only a few weeks since a colleague from Team Rubicon had ended his battle at home, after several tours of duty with AFSOC.  Neil had joined the ranks of those fallen heroes who survive deployment tagging and tracking the enemy in the Hindu Kush.  He was one of the 22 that day in early May who could not defeat the legacy of demons that he fought each night as he fell deep asleep.

Memorial Day 2015, we honor Neil in Section 60 at Arlington National Cemetery, and all those other military members who have defended our freedoms for 238 years.  Simultaneously, we do the same for the "Stars" on the wall in Langley, Va. for the officers who have done the same.

Whether you are on the front lines or inside the wire at the FOB.  Whether you are in Tampa, FL, Stuttgart, Germany or Arlington, VA.  Whether you are on your beat cruising the streets of a major metro USA city.  Whether you are watching a monitor at IAD, LAX or DFW.  Whether you are deep in analysis of Internet malware metadata or reviewing the latest GEOINT from a UAS.  We are all the same in the mission that gets each one of us out of bed each day: our country's "Operational Risk Management (ORM)."

The Operational Risk Management mission of the U.S. Homeland is vast and encompasses a spectrum of activity, both passive and kinetic.  Digital and physical.  It requires manpower and resources far beyond the capital that many developed countries of the world could, to this day, comprehend.  There are only a few places across the globe where a normal citizen would say that the mission and the capital expenditures are worth every dollar and every drop of blood.

Memorial Day in the United States is exactly this:
Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3].
So this weekend, as we walk among the headstones and reflect on our colleagues who gave their service and their own lives, we will stand proud.  We understand the risks.  We know why we serve.  In the spotlight or in the shadows.  The tradition and the mission continue...

17 May 2015

Feeling Vulnerable: The Risk of the Unknown...

There are Operational Risk Management (ORM) professionals down range today.  They operate in the shadows continuously in some facet of the OODA Loop.  Whatever the specific mission may be, and from almost any Lat/Long on the planet, these professionals are paid to "Think-Outside-The-Box", as the cliché says.  What is it that these ORM professionals fear the most?  Feeling vulnerable.

You may have had this feeling in your life at some point.  Whether those early days in high school when the jocks are ganging up on the geeks in between classes or in that special relationship with the opposite sex.  What about all those days, weeks or years when you were aspiring to get that next great job in the organizational hierarchy?

Were you ever politically vulnerable?  When you have the feeling that you are vulnerable, that could have several implications.  Psychologically and physically.  The question has to be asked.  As a person, what is vulnerable?  Your Ego.  Emotions.  Relationship.  Finances.  Health.  Career.  Reputation.  Or even your life, or the lives of people you are charged with to keep safe and secure?

Feeling vulnerable is not what humans like to have swirling around in their heads when they go to sleep at night or wake up in the morning.  As Operational Risk Management (ORM) professionals, our job is to experience all of those feelings on a select and continuous basis.  We do this so that we know what impact these feelings will have on us, our family, friends, neighbors and co-workers.  How will each and all of us behave under each of these special circumstances of vulnerability?

Why do we want to experience and record the behavior of individuals, systems and even the unexpected event from mother nature?  So that we can be more predictive and ever more resilient.  This improves our self-confidence and our ability to become more adaptive.  In life and in our chosen vocations; in our local town or state, in the nation or continent in which we live.  The Operational Risk Management (ORM) professional is forever learning and testing, in order to survive another day.

When the sounds and smells of your particular battlefield have dissipated, or the feelings of the intravenous (IV) needles taped to the inside of your forearm are gone, your vulnerabilities are changing. When the touch of your loved one on your shoulder makes you cry, you realize that you too are now on your way to surviving another day.  Together.


10 May 2015

Metadata: Evidence of Terrorism vs. Crime...

What are the enterprise risks when metadata is legally defined as property?  Operational Risk Management (ORM) professionals are on high alert these days.  The court systems within the EU, and now the United States, are building new cases and establishing new arguments.

As a steward of data and providing oversight on the transparency of how information is tagged, sorted, stored and archived, the ORM professional is right in the middle of the debate.  Metadata relevance is known to those who have been practicing the science and art of digital forensics for years.

Does your organization issue corporate devices for use in the workplace or on the job?  What transparency was provided when the digital device was issued on the use and ownership of the data associated with the device?  How many pages is the "Acceptable Use Policy" at your organization?

These policies on Mobile Device Management (MDM) or Bring Your Own Device (BYOD) are not new, yet they are still evolving.  This is because technology innovation is so far ahead of current legal precedent and court rulings.  The law will always catch up to technology, and now the law is getting to an important milestone.

This however does not change how our adversaries are operating.  The current debate over the relevance of data, or over who owns the metadata on our mobile devices, will not change the appetite of those who seek the data or exploit systems to cause failure or destruction.  If all of the laws in our land would stop crime or malicious intent in its tracks, then we could eliminate the entire legal enforcement structure.

The General Counsel and the outside legal teams at your organization are already working to reduce the risk of adverse litigation by employees, partners and customers.  The Chief Privacy Officers (CPO) and Chief Information Security Officers (CISO) are working 24/7 in tandem to operate legally and to ensure the confidentiality, integrity and assurance of metadata across the globe.  Unfortunately they operate in an environment that involves humans, using digital devices.

The legal frameworks are quickly responding to the rising digital crime rate across the globe.  They are wary of the "Asymmetric Warfare" being waged by nation states.  Plaintiff lawyers are now preparing their new privacy and data breach cases on a weekly basis.  Organizations are seeking avenues of "Safe Harbor" by using certain products inside their infrastructure.  Yet will this all stem the tide of the weapons the adversaries are deploying to perpetuate their business or espionage models?

This brings us to a prediction.  We predict the rise of metadata evidence that proves that organizations are the victims of cyber-terrorism, not cyber-crime.  Terrorism, not fraud.  And now the courts and the jury pools will decide what metadata is evidence and what the definition of "Terrorism" is in the cyber realm.  Marketing is a powerful engine to influence buyers.  Buyer beware:
"Last week, the Department of Homeland Security (DHS) certified FireEye under the SAFETY Act, providing their customers protection from lawsuits or claims alleging that the products failed to prevent an act of cyber-terrorism.
The news of the certification was reported by FireEye in a press release, and stipulates that FireEye’s Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform are the two products now on the SAFETY Act approved technologies list."
"The core of this is something we’ve been debating for a while: the definition of terrorism, and whether or not it can apply to cyber-stuffs. The end result looks like a legal get-out-of-jail-free card for businesses that use FireEye, but for that to actually happen, it seems like we’d need a computer-related incident or breach to actually be declared an official 'Act of Terrorism' by the US government."

03 May 2015

Human Behavior: Learning in a New Age of Unreason...

The Human Factors in our organizations continue to be a tremendous challenge.  Operational Risk Management (ORM) has a focus on human behavior because it remains an unpredictable catalyst for substantial loss events in the enterprise.

The decision to trust is an art that is quickly becoming more of a science.  The ability of the human being to utilize our God-given senses of sight, hearing, touch, smell and even cognitive intuition is just not enough to protect us within our pervasive and expanding digital ecosystem.

Insider information leaks.  Spear phishing.  Intellectual property theft.  Industrial espionage.  You name the vectors involving a human being and you suddenly realize the size and the magnitude of the digital challenge ahead.  The Board of Directors and Executive Management are consistently reminded by the General Counsel about the "Duty of Care" with employees, partners and allies.

So what does all this have to do with the current state of running your organization?  Believe it when we say that you are not spending enough time, or the correct focus of time, changing human behaviors in your enterprise.  Historically, the plaintiff lawyers, the State Attorneys General or the thousands of international "Black Hat" nation state hackers will make you pay, one way or another.

Your favorite Big Four consulting firm will talk to you all day about errors, omissions and fraud.  The Chief Security Officer (CSO) is operating a sophisticated Security Operations Center (SOC) gathering situational awareness on a 24/7 basis.  So why are we continuously amazed and surprised at our own human behavior and what we are capable of doing?

By now, you have been lectured in depth about having a Layered Defense.  You may have even been told you need an "Active Defense".  Are you still testing new tools and corporate training programs to influence the human behaviors that will ultimately defend or compromise your organization?  Do you recognize the acronym MDM?  Are you as well prepared as you could be for tomorrow's digital work day?  In the cockpit, behind the desktop or navigating at night, across an environmentally austere foreign terrain.

Our upbringing, and how we were raised by our parents, influences each of us individually.  Even the type or the content of what is taught to us by the institutions we attended in our lifetime has some impact.  Who do we trust?  What do we trust?  When do we trust?  Why do we trust?  How do we make our "Trust Decisions"?  Trial and error, alone?

Trial and error to this day is a powerful way to change human behavior.  Yet without the continuous education and training to produce new habits and to reinforce quick and sustained responses, it is futile.  The long term reinforcement of human learning changes behavior, with the right incentives in place.  The correct rewards are necessary for the human being to continue achieving, testing and adjusting to any dynamic environment.  At home, at work or out on the frontier of a new and unfamiliar place.  It is a system.  One that we shall design, engineer and replicate with precision.

So the New Age of Unreason is now our Operational Risk Management (ORM) challenge:
  • First, identify where active learning systems are operating within your organization.  There will be formal systems within your HR or training departments, but where are the informal learning systems located; where are the mentors?  Good and rogue actors will exist.
  • Second, document each of these formal and informal learning systems within the enterprise.
  • Third, catalog the human behaviors that each are influencing to serve your customer and/or to protect the organization.
  • Finally, build an interactive learning systems matrix, so that you have the context you need to redesign, upgrade and fill the gaps as you embark on your new learning mission.
We are reminded of the wisdom of Charles Handy:
"We may not, individually, be able to make the world safer from nuclear war, or to preserve the rain forests better, or to keep the ozone layer intact, but, as I argued in the beginning, it is often the little things of life that matter most, the ways we work and love and play, the ways we relate to people, and the manner in which we spend our days as well as our money.  These things we can affect.  We do not have to accept them as they are.  The Age of Unreason is inevitably going to be something of an exploration, but exploring is at the heart of learning, and of changing and of growing.  This is what I believe, and this is what gives me hope."

25 April 2015

Trust Decisions: Beyond RSA and Our Digital Future...

Trust Decisions are being made every few seconds as we navigate our way across the Internet oceans. After attending the RSA Conference 2015 in San Francisco this past week, there are many unanswered questions for the end users and the industry.  CIOs, CPOs and CISOs across the globe must be in awe of what we have created to try to secure and govern the data flowing through the Internet.

The Operational Risk Management (ORM) landscape at RSA included analytics and forensics, cloud, C-Suite view, data security & privacy, governance risk & compliance, law, mobile security, policy and government and many others.  Walking the North and South Expo Halls at Moscone Center, was an immersion into the complexity and the duplicity of the current state of the information security and privacy ecosystem.

The pursuit of "Digital Trust" is a quest that the human brain is incapable of understanding precisely without the use and aid of our modern computers.  The rulebases are too large and the speed of transactions is too fast for the human brain to process all of the rules simultaneously.  We know why we designed these tools and machines: to augment our human information processing capabilities.

The trust decisions we make to click on a link or download a new app are based upon many factors.  The evolution of the Internet and the trust we have placed in the links across the World Wide Web are now more scrutinized.  The threat of clicking on the wrong link or downloading a malicious file can cost our enterprise hundreds of millions of dollars in losses.

The RSA Conference is more evidence of our continued digital governance failure.  It is also necessary to achieve future progress.  Is it the manifestation of our inability as humans to establish and maintain the trustworthiness of systems and of standards?  The dawn of a new era for making digital "Trust Decisions" is upon us.  How shall we proceed to enable the next generation of the Internet and why?  Over a decade ago, researchers at the USC Information Sciences Institute were on to something:
Traditional trust management solutions [2] do not adequately address dynamic aspects of trust. The pre-configured, coarse and static specification of trust in conventional systems is not consistent with human intuitions of trust [11], an individual’s opinion of another entity that can evolve based on available evidence. Thus, trust relationships evolve over time and require monitoring and reevaluation. The dynamic and temporal nature of VOs (Virtual Organizations) present additional trust management challenges: 
  • temporary, as opposed to long lived, relationships present a major obstacle for trust development, since short term relationships promote “take and run” behavior; 
  • parties may not have pre-existing knowledge about one another, or any prior interactions with one another.
In our massive systems-of-systems and the growing dynamic of virtual environments, "Trust Decisions" are being made at light speed.  The rulebases that are known and the identities and attributions associated with them are constantly changing.
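What the ISI passage contrasts, pre-configured static trust against trust that evolves with evidence and is re-evaluated, can be shown in a few lines.  This is an added example, not code from the original post and not the paper's model: it uses a beta-reputation style score with a forgetting factor, both assumptions of this example, and the partner name, allowlist and sequence of interaction outcomes are constructed.  It shows the three properties the passage calls out: a party with no prior interactions gets no trust by default, a short history earns at most limited trust (so "take and run" pays less), and a run of bad outcomes pulls trust back down where the static rule would keep granting it.

```python
"""Evidence-based, re-evaluated trust versus a static allowlist.

Added example, not code from the original post or from the USC/ISI paper it
quotes. The trust model is a beta-reputation style score with a forgetting
factor (an assumption of this example, not the paper's model): every
interaction outcome is evidence, old evidence decays so trust has to be
re-earned, and a decision needs both a high score and enough evidence behind
it, so a party with no history or only a short history cannot be granted
full trust. The partner name, allowlist and interaction outcomes are constructed.
"""
from dataclasses import dataclass

FORGET = 0.8          # fraction of past evidence kept per new observation
THRESHOLD = 0.75      # minimum expected reliability to act on
MIN_CONFIDENCE = 0.6  # minimum evidence mass before full trust is granted
PSEUDO_COUNT = 2.0    # controls how fast confidence grows with evidence


@dataclass
class TrustRecord:
    positive: float = 0.0   # decayed count of good outcomes
    negative: float = 0.0   # decayed count of bad outcomes

    def observe(self, good: bool) -> None:
        """Fold one interaction outcome into the record, aging older evidence."""
        self.positive *= FORGET
        self.negative *= FORGET
        if good:
            self.positive += 1.0
        else:
            self.negative += 1.0

    def expectation(self) -> float:
        """Expected reliability: (r + 1) / (r + s + 2), i.e. a uniform prior."""
        return (self.positive + 1.0) / (self.positive + self.negative + 2.0)

    def confidence(self) -> float:
        """How much evidence the expectation rests on, in [0, 1)."""
        n = self.positive + self.negative
        return n / (n + PSEUDO_COUNT)


def dynamic_decision(rec: TrustRecord) -> str:
    """Return 'allow', 'limited' (trusted but thinly evidenced) or 'deny'."""
    if rec.expectation() < THRESHOLD:
        return "deny"
    if rec.confidence() < MIN_CONFIDENCE:
        return "limited"
    return "allow"


def static_decision(partner: str, allowlist) -> str:
    """The conventional pre-configured rule: on the list means trusted, forever."""
    return "allow" if partner in allowlist else "deny"


def simulate(outcomes):
    """Re-evaluate after every interaction; return the decision trail."""
    rec = TrustRecord()
    trail = []
    for good in outcomes:
        rec.observe(good)
        trail.append(dynamic_decision(rec))
    return trail


# Constructed scenario: a new virtual-organization partner cooperates five
# times, then defects twice ("take and run").
OUTCOMES = [True, True, True, True, True, False, False]
ALLOWLIST = {"partner-a"}  # constructed static allowlist

if __name__ == "__main__":
    print("no history: dynamic =", dynamic_decision(TrustRecord()),
          "| static =", static_decision("partner-a", ALLOWLIST))
    for step, (good, decision) in enumerate(zip(OUTCOMES, simulate(OUTCOMES)), 1):
        print(f"step {step}: outcome={'good' if good else 'bad':4} "
              f"dynamic={decision:7} static={static_decision('partner-a', ALLOWLIST)}")
```

The trail the constructed outcomes produce is deny, deny, limited, limited, allow, deny, deny: two good interactions are not enough to clear the threshold, the next two clear it but rest on too little evidence for full trust, and two defections after five good turns drop the partner straight back to deny.  The static allowlist says allow at every step, including before any interaction has happened.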

In the next decade and beyond, bringing order to chaos is the ultimate challenge for our industry and our global persistence.  The necessity for nation states to trade and exchange funds in a digital world is paramount.  The barriers to human communication and pervasive language translation are enabled by our digital creativity.  The ability to detect threats and defend ourselves utilizing sophisticated sensors on land and in space, will continue to help preserve our existence.

There are Operational Risk Management (ORM) inventions and new solutions yet undiscovered, that will provide the model and the global standards for making more precise and effective digital trust decisions.  The future is bright...

19 April 2015

Venture Capital: UAS Operational Risk Management...

When technology innovation in the military and clandestine community finally makes its way out to the commercial landscape, venture capital is there to invest.  Operational Risk Management (ORM) is at the center of the strategic capabilities necessary to reach the frontiers of the new markets.  The "Unmanned Aircraft System" (UAS) is now poised to launch new businesses, to address new solutions for identified problems of situational awareness.  18 months ago, The Washington Post highlighted the future of the unmanned aerial vehicle (UAV):
As drones evolve from military to civilian uses, venture capitalists move in
By Olga Kharif, Published: November 1, 2013
Commercial drones will soon populate U.S. airspace, and venture capitalists like Tim Draper are placing their bets. 
Draper, an early investor in Hotmail, Skype and Baidu, is now backing DroneDeploy, a start-up that is building software to direct unmanned aircraft on land mapping and the surveillance of agricultural fields. Draper says he even expects drones to one day bring him dinner. 
“Drones hold the promise of companies anticipating our every need and delivering without human involvement,” Draper, 55, wrote in an e-mail. “Everything from pizza delivery to personal shopping can be handled by drones.” 
Venture investors in the United States poured $40.9 million into drone-related start-ups in the first nine months of this year, more than double the amount for all of 2012, according to data provided to Bloomberg News by PricewaterhouseCoopers and the National Venture Capital Association. Drones are moving from the military, where they’ve been used to spy on and kill suspected terrorists, to a range of civilian activities. 
Congress has directed the Federal Aviation Administration to develop a plan to integrate drones into U.S. airspace by 2015 and to move faster on standards for drones weighing less than 55 pounds.
As new commercial businesses invent new ways to adapt the use of a UAS to replace a pilot inside a cockpit, there are tremendous risks.  Simultaneously there are substantial undiscovered opportunities for business and a new generation of UAS pilots.  The commercial decisions that are made to allow the use of a UAS in a particular air space, for a specific type of task or service, will be questioned and made into political television ads.  As Senators, House Representatives, County Supervisors and City Mayors across the United States welcome the use of new automated platforms, the debate will be fierce.  The decisions evermore difficult.

From a business perspective the Operational Risk Management (ORM) strategy is essentially the same whenever a new product is launched.  Yet this debate will start very differently from the one we had when the Personal Computer or the Cellular Telephone was launched.  Privacy was an afterthought then. Not any longer.

You see, UAS platforms will be information collectors, just as PCs and smartphones are.  So what has changed?  The public has now been more educated on how information can be collected by the businesses who operate these new inventions.  The public better understands how their own personal information may be used to serve advertisements or to optimize a particular information-based service, such as mapping and activity-based intelligence.  They understand how governments may use the information to protect the homeland.

The Venture Capitalist markets for the introduction of UAS technologies have a myriad of Operational Risks, beyond just the privacy debate.  The liability and insurance markets will also be spinning up to address the potential of loss events.  This in itself, will complicate the launch of new products and services to the general public.  So what.  Now turn to the innovations that could be making a difference for mankind.  The marketplace is evidently ready according to this April 14th, 2015 WSJ article:
Chinese consumer drone maker DJI is in talks to raise funding at a valuation as high as $10 billion, according to people familiar with the matter, in what would be a sizable bet by investors that flying robots will overcome looming regulation and safety concerns.
Think about the possibilities.  Think about the ways that a customized UAS could save lives.  Think about how the information collected, with specific sensors may provide new insight.  Think about business decisions beyond those the Venture Capitalists have seen and thought about so far.  The adoption of services, to reduce human intervention and increase efficiency will come first.  But go farther.  Reach beyond these, to unlock how a third dimension of information, perspective, speed and agility may improve our planet.

Think humanitarian.  Think disaster management.  Think ecological. Think about how gaining timely information and applying it to good use changes everything.

12 April 2015

Communications Styles: Leadership of Security Risk Professionals...

When you communicate with fellow Operational Risk Management (ORM) colleagues in your organization, what considerations do you take with regard to the other person's communication style?  During any vital crisis communications exchange under extreme levels of stress, whether it be a team of First Responders or JSOC, there is no time or reason to take this into consideration.  This is because a team of this type has trained together for months, if not years, in exercises that put them to the test of how to effectively communicate in multidimensional crisis scenarios.  They know how to effectively communicate what needs to happen and when, not how.  These crisis teams have practiced to the point where they know exactly what to do when a real incident occurs.

In the halls of corporations across the globe, the likelihood of a crisis occurring on a daily basis is high. The consequences and type of threat are unknown.  Whether it be a key disruption in the supply chain for a vital component for manufacturing your products or the leakage of trade secrets to your competition, the crisis scenario involves multiple inside people.  When you engage in information exchange with your colleagues from HR, to IT and the office of the Chief Security Officer, the personalities and communication styles must be taken into consideration.  Why?

Security Risk professionals in the global enterprise who are part of the Crisis Management Team have been selected for specific reasons.  Maybe it is because of their title or position in the organization.  The Vice-President of Human Resources, Chief Risk Officer, VP of Information Technology, Chief Security Officer (CSO), General Counsel, Chief Privacy Officer and even Chief Executive Officer (CEO) are tasked with the ultimate safety and security of the assets of the institution.  They are called upon in times of crisis to be the face to the public and the heads of leadership during and throughout the time frame of the organizational incident.

In order for the leadership of security risk professionals to be more effective in the face of any incident, communication style is a significant factor.  Deep down below the facade of a person's title and the office they command is the DNA and the personality of the individual.  The way they process information and the way they express themselves in a crisis communications encounter is a vital factor in overall crisis strategy.

How often have you seen the spokesperson from a Fortune 500 company in front of a congressional inquiry, press conference or jury trial answering questions about their organizations or their own behavior?  What kinds of evidence do we have, of the impact of communications and communications style during the heat of a crisis incident?  So we have to go back to the leadership during a crisis.

The leadership of the crisis team, is comprised of people with individual personalities.  In the middle of a crisis, those personal styles of communication will become dominant and take over.  Here are the four communications styles:
  • Analytical
  • Driver
  • Amiable
  • Expressive
In addition, the organizational pulse will be made up of a blend of these individuals and their respective communication proclivities.  What would happen if the whole team was made up of "Drivers" or "Amiables"?  How would the performance of the team be affected by having such an overwhelming number of people who have the same style of communication?

The team will not always have a balanced set of communication styles.  The goal is to assign certain roles or accountability, to the person with the best communications style for the tasks assigned.  Is the CEO always the best person to have as the public spokesperson in the middle of a crisis?  It depends on the type of communications style the CEO possesses and also the amount of media training and experience the individual has already accomplished.  BP five years ago this month is a prime example of this:
On the night of April 20, 2010 — the early morning hours of April 21 in London — the Macondo well erupted below the Deepwater Horizon in the Gulf of Mexico, ripping through the rig, killing 11 people and creating one of the worst environmental catastrophes in United States history. Tony Hayward was having breakfast in a London hotel when he got the news.
By now the events that followed are well known: the desperate efforts to cap the gushing well; the harrowing collapse in BP’s share price; the government inquiries; the multi-billion-dollar cleanup. On July 27, BP said that Mr. Hayward was out. He was replaced by Robert Dudley, the first American chief executive in BP’s history.
What was Tony Hayward's communications style?  What is Robert W. Dudley's?  While the crisis team at BP was in full security risk mode soon after the blow out, it may have been the "Organizational Pulse" that was in need of a change with new leadership.

The "Leadership of Security Risk Professionals" is as much about detecting and understanding your team's communication styles and diversity as it is about practicing together under extreme duress.  Only then will your team know who is the best person to handle some facet of the crisis incident, and only then will the organizational pulse be headed on the right trajectory.

04 April 2015

Intel Analysis: Executive Risk Fusion Center...

How often do you try to prove that a risk hypothesis is true? Is it possible that each piece of evidence you collect, or each piece of information you process, is being used to try to prove that your hypothesis is correct, rather than to test it?

Analysis of executive Operational Risk Intelligence in your corporation is typically being processed within the organizational silos of your enterprise business units. How it is being shared, how often and then how it is being analyzed, compared and used to confirm or refute multiple hypotheses, can make the difference in your corporate business survival.

The ACH methodology developed by Richards J. Heuer, Jr., is a vital component of Operational Risk Management (ORM).  It can be utilized with your internal Executive "Risk Fusion" Center where the Board of Directors, Senior Management and corporate risk directors determine the correct strategic course for the future:
Analysis of Competing Hypotheses (ACH) is a simple model for how to think about a complex problem. It is an analytic process that identifies a complete set of alternative hypotheses, systematically evaluates data that is consistent and inconsistent with each hypothesis, and rejects hypotheses that contain too much inconsistent data. ACH takes you through a process for making well-reasoned, analytical judgments. It is particularly useful for issues that require a careful weighing of alternative explanations of what has happened or is happening. ACH can also be used to provide early warning or help you evaluate alternative scenarios of what might happen in the future. ACH helps you overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult; it helps clarify why analysts are talking past one another and do not understand each other’s interpretation of the data. ACH is grounded in basic insights from cognitive psychology, decision analysis, and the scientific method.
What is the likelihood that the General Manager, Global Security of your enterprise is looking at surveillance information on a rogue employee today to assess workplace threat and to help keep the company safe? Simultaneously, the Chief Information Security Officer (CISO) is analyzing the latest log data from various intrusion systems to determine if the "Advanced Persistent Threat" (APT) has changed its cyber tactics to steal the latest software R & D architecture from the office suite business unit. The Chief Financial Officer (CFO) and Head of Internal Audit are analyzing the latest revenue reports with the Vice-President of Sales & Marketing to determine why the Asia Pacific team has been losing 8 out of 10 business deals in the forecast pipeline.

The likelihood is high. Each is formulating a hypothesis independently of each other and in most cases they will never know that there is a risk related nexus to the entire enterprise. The reason is that your Executive "Risk Fusion" Center does not exist or is unable to analyze competing questions that are being asked about potential areas of concern. So when do you use this approach and the ACH methodology?
Use ACH when the judgment or decision is so important that you can't afford to be wrong. Use it to record and organize relevant evidence prior to making an analytical judgment or decision. Use it to identify and then question assumptions that may be driving your thinking, perhaps without realizing it. Use it when the evidence you are working with may be influenced by denial and deception. Use it when gut feelings are not good enough, and you need a more systematic approach that raises questions you had not thought of. Use it to prevent being surprised by an unforeseen outcome. Use it when an issue is particularly controversial and you want to highlight the precise sources of disagreement. Use it to maintain a record of how and why you reached your conclusion.
The human mind needs modern software analytics, proven cognitive tools and vetted processes of thinking to arrive at the answer. While the answer may not be what you seek, it is the answer to the question, without a doubt. Live with it or discard it. This does not matter. What does matter is that the Executive "Risk Fusion" Center brought together the best of all these operational risk components; whether the human chooses to accept that answer or ignore it could mean our corporate prosperity or peril. What do you think?
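To make the ACH process concrete, here is a small scoring matrix, added as an example and not part of the original post, that records consistent/inconsistent/neutral ratings of evidence against competing hypotheses and ranks hypotheses by weighted inconsistency, as Heuer's method does. The three hypotheses and the evidence items are constructed from the "Risk Fusion" scenario above (rogue employee, APT in the intrusion logs, lost Asia Pacific deals); the ratings and weights are illustrative assumptions.

```python
"""Analysis of Competing Hypotheses (ACH) as a weighted inconsistency matrix.

Added example (not the blog's own code). Hypotheses, evidence and ratings are
constructed from the post's "Risk Fusion" scenario and are assumptions.
"""
from dataclasses import dataclass, field

# Heuer's three cell values: evidence is Consistent with, Inconsistent with,
# or Neutral (not applicable) to a hypothesis.
CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"


@dataclass
class Evidence:
    label: str
    ratings: dict          # hypothesis name -> "C" | "I" | "N"
    weight: float = 1.0    # credibility/relevance of the item, 0..1


@dataclass
class ACHMatrix:
    hypotheses: list
    evidence: list = field(default_factory=list)

    def add(self, label, ratings, weight=1.0):
        """Add one row; every hypothesis must be rated so nothing is skipped."""
        missing = set(self.hypotheses) - set(ratings)
        if missing:
            raise ValueError(f"{label!r} lacks ratings for {sorted(missing)}")
        bad = {v for v in ratings.values()} - {CONSISTENT, INCONSISTENT, NEUTRAL}
        if bad:
            raise ValueError(f"{label!r} has invalid ratings {sorted(bad)}")
        self.evidence.append(Evidence(label, dict(ratings), weight))

    def is_diagnostic(self, ev):
        """Evidence rated the same against every hypothesis cannot help
        choose between them (Heuer's 'diagnosticity'), so it is ignored."""
        return len({ev.ratings[h] for h in self.hypotheses}) > 1

    def non_diagnostic(self):
        return [ev.label for ev in self.evidence if not self.is_diagnostic(ev)]

    def inconsistency_scores(self):
        """Sum the weights of inconsistent evidence per hypothesis. ACH works
        by disproof: the lowest score survives, it is not thereby 'proven'."""
        scores = {h: 0.0 for h in self.hypotheses}
        for ev in self.evidence:
            if not self.is_diagnostic(ev):
                continue
            for h in self.hypotheses:
                if ev.ratings[h] == INCONSISTENT:
                    scores[h] += ev.weight
        return scores

    def ranked(self):
        """Hypotheses from least to most inconsistent evidence."""
        return sorted(self.inconsistency_scores().items(), key=lambda kv: kv[1])

    def reject(self, threshold):
        """Hypotheses carrying too much inconsistent evidence to keep."""
        return [h for h, s in self.inconsistency_scores().items() if s >= threshold]


def fusion_center_example():
    """Constructed matrix for the post's scenario; all ratings are assumptions."""
    m = ACHMatrix(["Insider", "External APT", "Commercial"])
    # Competitor pricing tracks our forecast: fits a leak, not ordinary competition.
    m.add("Competitor undercut forecast pricing on 8 of 10 APAC deals",
          {"Insider": "C", "External APT": "C", "Commercial": "I"}, weight=0.8)
    # Global Security surveillance finding on the rogue employee.
    m.add("Employee pulled APAC pipeline reports outside his role",
          {"Insider": "C", "External APT": "N", "Commercial": "I"}, weight=0.9)
    # CISO finding from the intrusion logs.
    m.add("New command-and-control beacon from office-suite R&D segment",
          {"Insider": "N", "External APT": "C", "Commercial": "N"}, weight=0.7)
    # Pipeline data never lived on the compromised segment.
    m.add("No sales pipeline data stored on the compromised R&D segment",
          {"Insider": "N", "External APT": "I", "Commercial": "N"}, weight=0.7)
    # Consistent with everything, so diagnostically worthless.
    m.add("All three teams report to the same corporate leadership",
          {"Insider": "C", "External APT": "C", "Commercial": "C"})
    # Only APAC is affected; a pure market downturn would show elsewhere too.
    m.add("Win rates in other regions are unchanged",
          {"Insider": "C", "External APT": "N", "Commercial": "I"}, weight=0.6)
    return m


if __name__ == "__main__":
    matrix = fusion_center_example()
    for hypothesis, score in matrix.ranked():
        print(f"{hypothesis:<14} inconsistency={score:.1f}")
    print("ignored as non-diagnostic:", matrix.non_diagnostic())
    print("rejected at threshold 2.0:", matrix.reject(2.0))
```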

29 March 2015

Intellectual Capital: Mentor or Die...

The Operational Risk Management (ORM) associated with the loss of personnel is real. What mechanisms are in place at your organization to ensure that human capital and intellectual capital are being perpetuated? The education of new employees in the processes, systems and core metrics of the business is vital and in many cases an afterthought.

Organizations today that are establishing robust human capital mentorship, education, rotation of duties and continuous training will outlast and surpass the competition at some point. That point could be sooner than you think with Baby Boomer retirement or even an unexpected incident that involves catastrophic loss of life within a unit of your enterprise.

What kind of emphasis do you have on teaching the "Craft" and the "Art" of a profession or set of tasks that are the lifeblood of the business you are in? The apprenticeship model is one that has been lost in the last decade to lean work forces and the outsourcing of tasks that are deemed non-essential to the core operations of the business. Or are they?

Whether the internship model or the summer staff is how you find the right mix of people for your organization, you still must go beyond this to create a sustainable program. Each business unit should then be required to take a percentage of each summer's interns to become apprentices in a business unit or even a section of the public facing organization. There are some leaders at these institutions that realize the risks associated with an aging workforce and the loss of intellectual capital as they retire or go on to another firm for higher pay as a consultant.

Leadership at these enlightened organizations formalizes the ability for units and sections of the business to teach, train, educate and mentor new members of the institution. The understanding that the risk of a loss of personnel is an Operational Risk that can be mitigated through effective human resource capital management and effective staff engagement is the beginning.

Apprenticeship is a system of training a new generation of practitioners of a skill. Apprentices (or in early modern usage "prentices") or protégé

The system of apprenticeship first developed in the later Middle Ages and came to be supervised by craft guilds and town governments. A master craftsman was entitled t (usually a term of seven years), but some would spend time as a journeyman and a significant proportion would never acquire their own workshop.

There are several trades that practice this extensively such as engineering, carpentry, electrical work, plumbing and other vocations. The whole industry surrounding the medical profession has its specific path, including the residency program as a step towards becoming an M.D. The law profession has its own steps for becoming a J.D. and working your way up to being able to handle a case all on your own, from start to finish.

The concept of transferring the intellectual capital to maintain the "craft" or the "art" of the expert craftsman or artisan is fading outside the typical union oriented trade groups. Have you seen an apprenticeship program in the core work roles within an Information Technology department? What about the software development teams? And if you really want to determine where you may be most vulnerable in your organization, look no farther than the office of Business Continuity. Do you even have an office of Business Continuity or Crisis Management? What kind of ongoing recruiting is helping to build the expertise and the art of "Continuity of Operations" or "Disaster Preparedness"?

If you think about the Business Impact Analysis (BIA) of your organization, you identified the core areas that are vital to your own survivability. These are exactly where you need to start investing in the development of a set of programs that will teach skills, perpetuate the intellectual knowledge and keep your enterprise from being devastated by a sudden loss of skilled personnel.

There are numerous examples of organizations that have prospered and established chapters all over the globe to promote their particular brand of mentoring, whether it be a business entrepreneur to business entrepreneur or a scientist to another scientist. These by all means are important to keep the spirit of mentorship alive. But it is not enough.

Think deep and hard about how much your organization is mitigating the risk of a loss of personnel and intellectual capital. What are the programs you have in place to actually teach the craft or art that is at the core of the person's job or role on a daily basis? Who is the co-pilot to the First Officer on your flight today? Can one of the flight attendants fly the plane if both pilots are incapacitated for any reason? You get the message...Intellectual Capital x Skills Development = Survivability:

How do firms like Hewlett-Packard, DuPont, Dow Chemical, IBM, and Texas Instruments routinely convert the ideas of their employees into profits that sustain the corporation? How can buyers and sellers calculate the assets of the acquired firm in a merger or acquisition? How can an organization affect the firm's stock price using the leverage of intellectual assets? Identifying a firm's assets, especially its intellectual assets (the proprietary knowledge expressed as a recipe, formula, trade secret, invention, program, or process), has become critical to a company's overall vision and strategic plan and essential in such transactions as stock offerings or mergers.

In the era of the knowledge-based company, where the firm's genius and future lies in its ideas, a firm's collective know-how has become a measurable commodity, and as much a part of its bottom line as the condition of its cash investments, plant, and equipment. Extracting and measuring the real value of knowledge is essential for any corporate head who knows how high the stakes have become for corporate survival in the information age, where the innovative idea is as good as, if not better than, gold!

The Operational Risk associated with the mentoring, apprenticeship and skills training in your organization, is a factor of your Intellectual Capital equation. What is yours?

22 March 2015

Board Directors Perspective: Data Risk Business Process Reengineering...

The ranks of established Fortune 500 companies have been studied in the latest NYSE Corporate Board Member's Annual Directors Survey.  Spencer Stuart asked several telling questions in the Operational Risk Management (ORM) domain and the results may be enlightening:
Corporate Board Member's 12th Annual Director Survey Delves into How Directors Are Managing Some of Today's Most Pressing Issues for Public Companies While Keeping Their Boards Nimble:

This year we received nearly 500 responses from directors who didn’t mind sharing their opinions and comments on these issues. More than 70% came from those who identified themselves as outside directors, and another 20% said they serve as board chair or lead director. Forty-four percent have served on a board for more than 10 years, and another 33% have served five to 10 years. Just over 30% are at companies whose annual revenues are in the $1.1 billion to $5 billion range.

In fact, 55% of the directors we surveyed don’t believe it’s reasonable to expect that a public company board can ever fully get its arms around all the different aspects of risk in the current corporate environment (Figure 1), particularly the newer forms of technology risk like cyber risk and social media risk.
If you think "Social Media Risk" is NOT on the mind of the Board of Directors these days, then you would be correct:

Figure 2

Has Your Board Put Social Media on the Agenda?

Yes - 35%
No - 65%

The Social Media Risk to the enterprise has yet to be clearly defined to the majority of the Directors these days or they need more education on what the risks really are to the company.

If you think in 2015 a majority of the Board of Directors are still unsure about "Cyber Risk" you would also be correct:

Figure 6

How Confident Are You That Your Board Is Adequately Overseeing Cyber Risk?

Very - 15%
Somewhat - 63%
Not Confident - 23%

The oversight of "Cyber Risk" to the enterprise is still in question by 85% of the Directors.  Why?

To quote Spencer Stuart's Report:
Boards must be ready to oversee a myriad of risks, especially those related to cyber security—and the social media realm—which is unfamiliar territory for some current directors (Figure 6). As a result, forward-thinking boards looking to refresh their ranks will want to add members who have technological and social media experience to guide the board in an arena where it is all too easy to make innocent but often damaging corporate blunders. Boards also value directors who have industry, financial, and regulatory experience, our results show.
Unfamiliar territory for Board Members?  Some current directors who are focused on corporate strategy or mergers and acquisitions would certainly not always have the knowledge or understanding of what the real "Operational Risks" are in the cyber and social media categories.  This makes sense.

What about adding new Board Members who have cyber and social media experience?  The enterprise must certainly pivot and adapt to this changing landscape of risks.  Will adding new Board Members make a difference?  Not likely.

There are some who are now advocating a "Presumption of Data Breach" strategy.  Simply put, what are we doing now, that our enterprise has been breached?  Instead of, what will we do if we ever have a data breach?  This subtle shift in thinking around the Board Room might move the percentage higher from only 15% who are "very confident" in overseeing their enterprise Cyber Risk today.

What if the Board of Directors had a discussion with management each meeting about what they were doing to contain the breach?  You see, the shift in mindset begins a whole new set of dialogue that is proactive and working on an existing business problem that requires remediation but also new thinking.  Unlike the reactive strategy of waiting until the legal and regulatory rules mandate the admission that a breach has actually occurred.

Finally, what if the enterprise were to embark on a Data Risk Business Process Reengineering (BPR) initiative?  You remember the BPR era from the 90's right?  Having a "Presumption of Data Breach" strategy should require the complete reengineering of our Data Enterprise Architecture itself.

Is end-to-end encryption the answer?  No.  Is segmentation of network design the answer?  No.  Are Next-Generation Firewalls the answer?  No.  Is corporate end user education on cyber risks the answer?  No.  Are new rules and legislation the answer?  No.  Is a combination of all of these the answer?  Probably yes.

Data Risk Business Process Reengineering is a topic worthy of discussion at the next Board of Directors Meeting.  Include all the stakeholders.  Allocate the funds and the resources.  Next year the goal will be for 25% of directors to be very confident in the oversight of cyber risk in the Corporate Board Member survey.

In the mean time, the use of encrypted apps will become more pervasive:
Our Privacy Practices, in Brief:

Wickr has to collect some information from you in order to provide our Services to you, but we do so in a highly limited, highly secure way.

We use military-grade encryption. Our encryption is based on 256-bit symmetric AES encryption, RSA 4096 encryption, ECDH521 encryption, transport layer security, and our proprietary algorithm. 
We can't see information you give us. Your information is always disguised with multiple rounds of salted, cryptographic hashing before (if) it is transmitted to our servers. Because of this we don't know — and can't reveal — anything about you or how you use the Wickr App.

Deletion is forever. When you delete a message, or when a message expires, our “secure shredder” technology uses forensic deletion techniques to ensure that your data can never be recovered by us or anyone else.

You own your data. We do not share or sell any data about our users. Period.

15 March 2015

Digital RubiCON: The Fifth Domain...

Operational Risk Management (ORM) is a continuous process in the context of our rapidly expanding corporate environments. What is one example? People traveling to emerging markets to explore new business opportunities or new suppliers that will be connected by high speed Internet connections to the supply chain management system. These boundaries of managing operational risk have not only expanded, they have become invisible.
1. a river in N Italy flowing E into the Adriatic

2. Rubicon, to take a decisive, irrevocable step
This "Digital Rubicon" before us, to take on a more "Active Defense" in navigating the risk across international waters of e-commerce, privacy and legal jurisdictions, will forever shape our future. The decisions made on what constitutes an adversarial attack in the cyber domain will not be as easy as at the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.

The new digital "Rule Sets" are currently being defined not only by nation states but by the "Non-State" actors who dominate a segment of the global digital domains. The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may work even better in the cyber-centric environment. Corporations are increasingly underestimating the magnitude of the risk or the speed at which it is approaching their front or back door steps.

The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and Wikileaks-like incidents has everyone on full alert. As the government has outsourced the jobs that would take too long to execute itself, or in which the private sector is already the expert, operational risks have begun to soar.

As the private sector tasks morph with the requirements of government you perpetuate the gap for effective risk mitigation and spectacular incidents of failure. Whether it is the failure of people, processes, systems or some other clandestine event doesn't matter. The public-private paradox will continue as long as the two seek some form of symbiosis. The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission critical resource within an unpredictable environment.

Once an organization has determined the vital combination of assets it requires to operate on a daily basis, then it can begin its quest for enabling enterprise resiliency. The problem is, most companies still do not understand these complex relationships within the matrix of their business and therefore remain vulnerable. The only path to gaining that resilient outcome is to finally cross that "Digital Rubicon" and realize that you no longer can control it.

The first step in any remediation program is to admit the problem and to accept the fact that it exists. Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust.

"Simply put, Shodan is a search engine. While Google crawls the Internet looking for websites, Shodan is scanning for devices connected to the Internet and recording information about the software running on those devices. What has the press and security professionals worried is that Shodan has revealed wide-scale holes in Internet safety, from somewhat embarrassing privacy oversights to keep-you-up-at-night vulnerabilities in critical infrastructure.

Imagine a building. Now imagine a private detective checking out the building, snooping around the perimeter, noting what security company’s sticker is on the window, what kind of locks are on the doors, what kind of sprinkler system waters the landscaping, what brand of air conditioner is mounted on the roof, what electric company services the smart meter around the back. Now imagine that investigator does the same thing for every office, every home, every school, every factory, power plant, hospital and football stadium and uploads it to a publicly available database. That’s what Shodan does, but with IP addresses. It’s almost like an automated way to digitally case every joint in the world."

07 March 2015

Information Leaks: Risk Of The Data Supply Chain...

There is a well known threat that has been talked about with the Board of Directors behind closed doors for years. This threat is not new to most Operational Risk Management (ORM) professionals, and yet executive management is still in denial that it could happen to us. Have you or someone in your C-Suite ever awakened one morning and wondered how the company's new plans for a merger are now in the published press? What about that new research and development breakthrough that ends up with another company with a similar process being patented a week or a month ahead of you?

What is the threat? Call it competitive intelligence, economic espionage, press leaks, loose lips or advanced persistent threat (APT), it does not really matter. The threat remains from all those people, rivals, industry peers, countries, states, allies and enemies that are working 24 x 7 x 365 to copy your valuable information and use it for their own advantage. What advantage depends on who obtains the valuable information and how they will eventually use it or sell it.

What is even more fascinating to most subject matter experts, is the amount of information that is still created and allowed to be compromised in some way that is false, fake and designed to confuse the adversary. So what is it, that much of executive management still does not understand about all of this? 

It is the "source" of the vulnerability that is leaking or allowing the secret or confidential information to be compromised. To this day they remain naive about the potential source. In many cases this source is not even inside their own company or organization. It is somewhere within the organization's data supply chain, but where is it exactly?

The answer is only possible to narrow down, if you absolutely know where your data and secret or confidential information is collected, transported and stored, in the hands of trusted third parties, outside the four walls of your business. That is the remedial first step. Creating a definitive map of who has custody of your data through some kind of third party agreement. The agreement could be with any number of key business partners in your data supply chain:

  • Banker
  • Venture Capitalist
  • Accountant
  • Attorney
  • Insurer
  • Internet Service Provider
  • Utility
  • Data Telecom Provider
  • Wireless Telecom Provider
  • Payments Processor
  • Document Custodian or Shredder

This short list is a good place to begin your quest for better understanding where the source of your information leak may be. Now think about this list and ask yourself who might have the most robust set of staff, resources and technology savvy people to keep your data safe. Regardless of the service level agreements or engagement letters in place, who is the most vulnerable on this list?

Even more important may be the question of which one of your data supply chain business partners has the least amount of resources, people and state-of-the-art detection systems for the APT, Zeus, and other mechanisms that are exfiltrating your data to another country. When was the last time you asked any of your business partners to walk you into their IT department for a look around with your CIO or CTO?
Believe us when we say that if you get that "Deer in the Headlights" look on your business partner's face, you are in trouble. You can bet that the attackers are not attacking you as much as they are attacking your data supply chain. As an example, if you say in public or in your public filings that your primary outside counsel firm is "Red, White and Blue," you can be assured that your adversaries will take notice.
You see, just because your organization has spent millions or billions on new data centers with the most sophisticated technologies available to counter your cyber adversaries, how can you be sure that your business data supply chain has done the same? There is only one way to do that, and it is in person and on site. You may consider this level of due diligence before handing over your business for the merger and acquisition project or the development of a vital new component for your new patented product. A model "Request for Information" (RFI) on the business partner's controls and capabilities for securing your sensitive, confidential and secret information shall be a first step requirement.

The second step shall be to get an inventory of what systems your data supply chain partner has in place to mitigate the risk of a data breach. At the top of that list, should be the management system that governs all the other hardware and software systems. So even if your business partner says they are using RSA NetWitness or ScoutVision on their corporate networks and Good MDM for their mobile devices, that is not going to be enough.  More from Europol:
A decline of traditional hierarchical criminal groups and networks will be accompanied by the expansion of a virtual criminal underground made up of individual criminal entrepreneurs, which come together on a project-basis and lend their knowledge, experience and expertise as part of a crime-as-a-service business model.
The overarching "Management System" is not about technology. It is not about your favorite eDiscovery or computer forensics guru. It is about the way your business partner trains and educates its people. It is about how those people use relevant business controls to secure your secrets, confidential data and records. Look at their behavior around this topic of "Achieving A Defensible Standard of Care" and you will soon discover whether you have found the most ideal banker, accountant or attorney to entrust with your digital supply chain.

01 March 2015

Irregular Warfare: 21st Century Corporate Battlefield...

The safety and security of your corporate assets are a Board of Directors level issue. The loss events including adversarial litigation for errors, omissions, or just plain ignorance of regulatory compliance are gaining momentum. These Operational Risks associated with human behavior and the daily tasks performed on the job remain a vast vulnerability within the corporate enterprise. Why?

The discipline of effective Operational Risk Management (ORM) requires a tone from the top that speaks to the core issue:

Historically, financial institutions that have experienced security breaches or costly exposure to operational and other kinds of risks have tended to keep these incidents under wraps. The conventional wisdom was that it was bad for the brand and bad for the business to talk about these situations. But times have changed: the developments of the past couple of years in the financial services industry have served to demystify risk management in many ways. At the same time, with e-crimes and other kinds of online security breaches becoming more sophisticated and prevalent, some industry players are calling for more openness and collaboration as a way to try to identify and prevent attacks before they compromise critical customer information.

The growth of more sophisticated attacks on our critical infrastructure, exploits that compromise our "Personal Identifiable Information" (PII) and the risks associated with wrong, invalid or corrupted information will continue to accelerate. The loss events are directly tied to the speed and sophistication of the systems associated with people doing their daily tasks, whether it be a person operating a vehicle with computers on board or sensors designed to collect specific information, the systems are faster and more complex.

Sharing information helps address the threats from transnational non-state actors who are organized and operating with the intent of exploiting vulnerabilities in the fabric of business. Those actors have three places to focus their efforts on your systems and controls:
  • Design
  • Implementation
  • Configuration
If business understands that these are three areas that the attackers are focused on, then perhaps they will realize that resources and manpower must be allocated to these key components of the enterprise defense. If you think about each loss you have incurred over the past year, the odds are that your attacker was able to exploit one of these three attributes. Think about it for a minute.

Even if your design is flawless in theory, over time you may come to find that the wall is not tall enough, the fence not long enough or the door not strong enough. Even if your implementation follows the designer's instructions, you may find that the environment you operate in is too hot, too isolated or overwhelmed with chaos. Even if your configuration today is a one-to-one match for all known exploits, the adversary is watching and monitoring your design and implementation. They are changing their tactics and "Modus Operandi" (MO) to fool you, scare you or to operate in complete stealth mode, until it is too late. This is known as irregular warfare:
When we say irregular warfare, what we're really talking about is a not so new, but newly formalized approach to dealing with challenges. It is a concept and philosophy properly considered in the strategic context that allows us to apply capabilities holistically to achieve desired effects. Its most unique characteristics are the focus on the relevant populations, support to sovereign partners and a linkage to our shared interests. It is a DoD activity not limited to SOF or dependent on a state of war.

Irregular Warfare "the concept" equips us intellectually to deal with a global environment that is characterized by broad ambiguities. These ambiguities are seen in the apolar nature of a world with multiple competitors, both state and non-state. Challenge causations that include crime, extremism and accelerating migration patterns and finally the interdependencies and interconnectivity of economies, communications and media systems and social networks. This is, without question, a highly complex challenge set and we must be a more capable and sophisticated actor ourselves if we expect to protect our national interests.

In order to better understand how to mitigate operational risks in our institutions, you also have to study the complexity of modern warfare. The speed and complexity of new adversaries (fraudsters, hackers, spies, terrorists, vandals, corporate raiders) that exploit your Design, Implementation or Configuration can be applied easily to both your accounting controls and your security measures. Those organizations that learn how to apply modern day irregular warfare to the 21st century corporate battlefield will not only beat the competition, they will minimize their losses.

Operational Risk Management (ORM) discipline is an essential element that begins with the tone at the top and one enlightened CEO.

22 February 2015

Fear: The Elements of Prediction...

"Just as some things must be seen to be believed, some must be believed to be seen." "...so one way to reduce risk is to learn what risk looks like." --Gavin De Becker

These words from his book The Gift of Fear remind us of how many people talk about Operational Risk Management (ORM), mitigation and implementing risk controls and don't have any context. In order to truly understand something, you actually have to come face-to-face with it, experience it and feel it.

For every 100 people in your organization, how many are a risk?  By that we mean, the factors are high that an individual will do something or be the target of an incident that causes irreversible harm to themselves and or the institution during their tenure as an employee.

The actuaries behind the insurance you purchase for different kinds of hazards or incidents in the workplace could give you some answers here. How likely is it that this kind of event occurs in this industry over the course of one year as an example? Certainly the ratios are known, otherwise the insurance product would not exist to protect you.

Predictive Analytics and processing of information to predict what has a high chance of actual occurrence is a whole other matter. In order to be predictive, you have to have actual experience and it has to be so innate that it now becomes more than just an intuition.

Some call it "Self-talk" and others a gut feeling but whatever it is, it got there because of your past experience. If it's more powerful than that, now you may just be experiencing something we all know as "Real Fear". You have to realize that when you get that tingle sensation up the back of your neck, you are way beyond self-talk and into a whole new dimension of emotion.

De Becker's elements of prediction can help us figure out the likelihood of a prediction actually occurring:

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable (though not necessarily identical) to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?
This OPS Risk professional has realized that these 11 elements exist in many of the risk management methodologies and systems experienced over the years. What is remarkable is the degree that we see time and time again, these elements being left out, avoided or just plain not utilized in organizations of all sizes and industry sectors.

It's time that CxOs revisit all of these elements in each of the Operational Risk Management (ORM) systems that are in place in their enterprise. From the front door to the intrusion prevention system, in the HR process from interview to termination and from the training room to the board room.

Predictive Analytics is a science that comes in the form of an art. Make sure you have the people who are masters of the art and experts in implementing the science.

15 February 2015

Risk Leadership: From the Inside Out...

The "Leadership of Security Risk Professionals" continues to be an executive management priority in light of the asymmetric threat spectrum unfolding across the globe.  Operational Risk Management (ORM) provides the umbrella for the diverse and yet interdependent processes that pulse throughout the information-rich enterprise.  As a leader reflects on this dynamic ecosystem, the vulnerability that still remains most prominent is the failure to effectively integrate risk mitigation tasks by the risk professionals themselves.

How often is your Facility Security Officer (FSO) part of the strategic briefings after a Board of Directors meeting?  Explain the amount of information exchange and substance of the daily dialogue between your head of Human Resources (HR) and the Chief Security Officer (CSO).  What new strategies have been developed this week between your outside counsel and General Counsel (GC) that have also been communicated to the Tier II management in the organization?  How do your customers get educated by your Chief Financial Officer (CFO) in concert with the Chief Information Security Officer (CISO)?  What metrics are in place to gauge the risk awareness of new industrial espionage schemes being utilized by Transnational Organized Crime (TOC) syndicates or nation states to prey on Critical Infrastructure owners and operators?

The risk professionals in your organization are operating each day in the fog of unvalidated intel and exploits.  What have you done to update, adapt, renew and change the way you will operate since yesterday?  It is this level of situational awareness and predictive sense-making that is necessary if you aspire to become even more resilient tomorrow.  Knowing what has changed on each other's "Risk Watch" is only one part of the daily real-time analysis.  The most time-sensitive knowledge may be the understanding of the behavioral implications of your people, processes, systems and external events as they unfold before you:
According to counterintelligence presented by the Federal Bureau of Investigation's Insider Threat Program, employees, former employees or contractors -- those who joined the organization with no intent of wrongdoing -- pose the biggest threat. 
These findings a few years ago, which are based on 20 years of espionage case investigations, indicate that contrary to popular belief, when it comes to data loss and spying, the real-world insider threat is not a stereotypical hacker who covertly siphons off sensitive information on internal systems and networks. 
Authorized users with a level of organizational trust, who are doing legitimate activities with malicious intent, pose the biggest threat, according to Patrick Reidy, the FBI's chief information security officer heading up the Insider Threat Program. 
Reidy said the FBI spends about 35% of its response time on these types of incidents. Focusing on education can help minimize these problems; he said these incidents have dropped 7% at the FBI in the past year. 
Insider threats are not numerous, according to Reidy, but in terms of damages they are the most costly. Of more than 1,900 incidents reported during a 10-year period, Reidy said about 19% were malicious insider threats. Based on information from multiple, "open source" data breach reports and data loss surveys, the average cost per incident is $412 thousand, and the average loss per industry is $15 million. In several instances, damages reached more than $1 billion.
The "Speed of the Connected Enterprise" can be your best ally, or your greatest adversary.  How you integrate, explain, orient, exchange and adapt in real-time is now the name of the game.  Leadership of Security Risk Professionals operating each day from the front lines to the back office of your organization requires Operational Risk Management excellence.

Without it, they will continue to operate in the haze of that invisible adversary we call complacency.  Complacent employees, suppliers and customers will remain your greatest vulnerability.  Your effectiveness in leading the Security Risk Professionals operating in your organization, partner businesses and client facilities is continuously at stake.

07 February 2015

Frames of Mind: The Risk of Analytic Convergence...

Are there growing Operational Risks to our national security and private sector enterprises as our intelligence community (IC) continues its path of convergence?

We are using tools and software to automate as much of the collection and the workflow as possible before human "Grey Matter" is applied to the final analysis.  The fact that 80% of the time is spent on collection and searching and only 20% on actual human processing tells us that we have a long way to go.

Getting to the point where we spend even more than half of the time doing actual human analysis is a long way off into the future.  Software systems are getting automated crawlers to pull more relevant OSINT into the "Big Data" bases for unstructured query, yet what about the front-line observer who witnesses an incident?  They must record it through a paper-based report filled in with a #2 pencil, or an electronic form on a PDA with check boxes and categories that best describe the observed event, which risk managers, watch commanders and operations directors need for more effective decision support.

It dawned on us again that perhaps the most vulnerable area of our entire mission is the actual analytical process. We have highlighted the "Analysis of Competing Hypotheses" (ACH) methodology in the past:
Use ACH when the judgment or decision is so important that you can't afford to be wrong. Use it to record and organize relevant evidence prior to making an analytical judgment or decision. Use it to identify and then question assumptions that may be driving your thinking, perhaps without realizing it. Use it when the evidence you are working with may be influenced by denial and deception. Use it when gut feelings are not good enough, and you need a more systematic approach that raises questions you had not thought of. Use it to prevent being surprised by an unforeseen outcome. Use it when an issue is particularly controversial and you want to highlight the precise sources of disagreement. Use it to maintain a record of how and why you reached your conclusion.
To our own demise, how much time are we spending teaching people how to create .csv files and Excel spreadsheets so they can be imported into a link analysis chart or tool?  Getting correct, clean and accurate data into the tool is very important.  Once the intel analysts take over and start the Who, What, When, Where exercises to gain a visual picture of the incidents, actors and the cues and clues associated with the "Modus Operandi" (MO), people start to get way too excited about the possible outcomes.  That is when it's time to stop, assess and use ACH.
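The ACH discipline described above, reduced to a scored matrix, as an added example that is not code from this blog or from any ACH tool. It keeps the method's central rule, that only evidence inconsistent with a hypothesis counts against it, weights each item by source credibility, flags evidence that is consistent with every hypothesis (and therefore proves nothing), and checks which single items the leading hypothesis depends on, which is where denial and deception would bite. The data-loss incident, the three hypotheses and all evidence ratings are constructed for illustration.

```python
"""Analysis of Competing Hypotheses (ACH) as a scored matrix.

Added example for this post; it is not code from the blog or from any ACH
tool. The incident, hypotheses, evidence and ratings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# How consistent an evidence item is with a hypothesis. ACH scores what
# DISCONFIRMS a hypothesis: consistent evidence contributes nothing, because
# most evidence is consistent with several hypotheses at once.
INCONSISTENCY = {"CC": 0.0, "C": 0.0, "N": 0.0, "I": 1.0, "II": 2.0}

# Constructed hypotheses for a data-loss incident.
HYPS = {
    "H1": "malicious insider exfiltration",
    "H2": "external actor using stolen credentials",
    "H3": "misconfigured sync job",
}


@dataclass
class Evidence:
    label: str
    text: str
    credibility: float        # 0..1 confidence in the source; deception lowers it
    ratings: Dict[str, str]   # hypothesis key -> CC / C / N / I / II


# Constructed evidence; the ratings are an analyst's judgement, not ground truth.
EVIDENCE = [
    Evidence("E1", "2 GB pushed from the employee's workstation to a personal cloud account at 02:00",
             0.9, {"H1": "C", "H2": "C", "H3": "N"}),
    Evidence("E2", "badge log places the employee off site at 02:00",
             0.8, {"H1": "I", "H2": "C", "H3": "N"}),
    Evidence("E3", "VPN session from a country the employee has never used, 30 minutes earlier",
             0.7, {"H1": "I", "H2": "CC", "H3": "II"}),
    Evidence("E4", "the files belong to the employee's own project",
             1.0, {"H1": "C", "H2": "C", "H3": "C"}),
    Evidence("E5", "provider records register the cloud account to the employee",
             1.0, {"H1": "CC", "H2": "I", "H3": "I"}),
]


def scores(hyps: List[str], evidence: List[Evidence]) -> Dict[str, float]:
    """Credibility-weighted inconsistency per hypothesis; lower is better."""
    out = {h: 0.0 for h in hyps}
    for ev in evidence:
        for h in hyps:
            out[h] += INCONSISTENCY[ev.ratings[h]] * ev.credibility
    return out


def rank(hyps: List[str], evidence: List[Evidence]) -> List[Tuple[str, float]]:
    """Hypotheses ordered from least to most inconsistent with the evidence."""
    return sorted(scores(hyps, evidence).items(), key=lambda kv: (kv[1], kv[0]))


def is_diagnostic(hyps: List[str], ev: Evidence) -> bool:
    """Evidence rated the same against every hypothesis discriminates nothing."""
    return len({ev.ratings[h] for h in hyps}) > 1


def pivotal_evidence(hyps: List[str], evidence: List[Evidence]) -> List[str]:
    """Items whose removal (e.g. if later shown to be deception) changes the leader."""
    leader = rank(hyps, evidence)[0][0]
    return [ev.label for i, ev in enumerate(evidence)
            if rank(hyps, evidence[:i] + evidence[i + 1:])[0][0] != leader]


def render(hyps: List[str], evidence: List[Evidence]) -> str:
    """The ACH matrix as text, with the column totals analysts compare."""
    rows = ["{:<4}{:>6}  ".format("", "cred") + "".join(f"{h:>5}" for h in hyps)]
    for ev in evidence:
        flag = "" if is_diagnostic(hyps, ev) else "  (non-diagnostic)"
        rows.append(f"{ev.label:<4}{ev.credibility:>6.1f}  "
                    + "".join(f"{ev.ratings[h]:>5}" for h in hyps) + flag)
    totals = scores(hyps, evidence)
    rows.append("{:<4}{:>6}  ".format("sum", "") + "".join(f"{totals[h]:>5.1f}" for h in hyps))
    return "\n".join(rows)


if __name__ == "__main__":
    hyps = list(HYPS)
    print(render(hyps, EVIDENCE))
    print("ranking:", rank(hyps, EVIDENCE))
    print("decision hinges on:", pivotal_evidence(hyps, EVIDENCE))
```

With these constructed ratings the stolen-credential hypothesis leads, but the ranking flips to the insider hypothesis if either the badge record (E2) or the foreign VPN session (E3) is removed; those are exactly the two items an analyst should go back and validate before anyone gets excited about an outcome. E4 is consistent with all three hypotheses and is flagged as non-diagnostic, which is the trap ACH is designed to expose.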

Utilizing an analytic process that incorporates tools and other aids to the human decision maker to increase accuracy is only prudent if you have the time to ensure a decision without error.  In the absence of time, human intelligence is the only answer.  We should not underestimate the "Theory of Multiple Intelligences" put forth by Howard Gardner in his book Frames of Mind.

As you read this book from 1983 and begin to apply the history of what we have learned about human cognition, and then use this in the context of an analytic process for intelligence communities, suddenly the current state of the IC and its attempt to reform itself seems crystal clear.  What if we organized the competencies of intelligence organizations more closely around the multiple intelligences that Gardner has been researching for multiple decades?

The people selected, trained and leveraged for their "Grey Matter" would be more closely aligned with what we know about the brain and the way that humans have evolved from a biological perspective in their cognitive capacities. Is it possible that we have the wrong people working in the wrong Intel agencies and the wrong roles?
  • Linguistic Intelligence
  • Musical Intelligence
  • Logical-Mathematical Intelligence
  • Spatial Intelligence
  • Bodily-Kinesthetic Intelligence
  • Personal Intelligence
Is it possible to develop an analytic process that puts the right people in the right sequence of the process so that the outcomes are closer to what we really are seeking?

The answer may lie on one of these pages. They may be the best place to start in order to understand what each of our IC entities is all about at this point in the intelligence analysis and outcomes evolution.

01 February 2015

Think Tank: Leadership of Security Risk Professionals...

"Leadership of Security Risk Professionals" is in the operational risk management think tank.  A program is being designed for corporations and other organizations that are raising the bar in their personnel skills, risk knowledge and corporate stewardship of their respective silos of enterprise security risk.

If you think about the typical organization, which has dozens of risk managers spread across Legal, Human Resources, Finance, Information Technology and Facilities/Real Estate, they all have their own individual silos and risk landscapes.  The challenge is to develop a strategic leadership program for these people and the respective skill sets they should all possess, to provide effective Operational Risk Management in the modern-day dynamic enterprise.

This strategic program developed to address "Leadership of Security Risk Professionals" (LSRP) shall have several key modules:
  • Behavioral Indicators
  • Organizational Factors
  • Personal Factors
  • Information Communication Technology (ICT)
  • Situational Awareness
  • Continuity of Operations
  • Incident Command
  • Crisis Response
Wrapped around all of these educational modules shall be practical exercises, realistic scenarios and hands-on testing in a simulated environment.  All delivered within the secure facility of an off-site location, where everyone eats, sleeps and learns together over the course of 2.5 days.  The think tank outcomes so far have expressed a desire to also include a hands-on layer.  This will be devoted to counterintelligence awareness building and the active pursuit of economic espionage, trade secrets and intellectual property theft.

The LSRP program is currently being architected and will be formally launched in early 2015.  In the meantime, we would like to know what you would like to see included, in terms of skills learned and practiced.  What are the sub-topics that you think the program should not leave out, or that should not be overdone?  The global nature of business environments and the pervasive use of ICT for traditional core office functions are now blending with social media.  Now the risks become even more diverse and ever more dynamic.

The convergence of thinking by security risk professionals in an organization is paramount to effective enterprise stewardship.  Does the HR recruiter and the Chief Security Officer think the same about what are red flags in the background check of a new potential candidate?  Does the IT admin think about the same red flags that the finance auditor loses sleep over every night?  Probably not.

The point is that the myriad security risk professionals inside the organization have their own focus on the red flags in their respective domains, not on those in all the other domains inside the same company.  This is a key metric for the outcomes of the LSRP educational and skills-based program.

We look forward to your ideas, thoughts and comments about "Leadership of Security Risk Professionals" in the weeks and months ahead.

25 January 2015

Insider Threat: Trusted Systems of the Future...

In the Defense Industrial Base in particular, corporate executives are on edge these days, anticipating the next game changing crisis phone call from the General Counsel.  The conversation is one that every CxO expects to have at some point in their career, yet the pace of multi-million dollar incidents is rapidly increasing.  The origin typically begins somewhere within the Operational Risk Management (ORM) landscape including People, Processes, Systems or External events.

The Board of Directors are evaluating the current funding levels for Operational Risk Management programs.  The focus on "Insider Threat" is a renewed area of scrutiny in light of the number of intellectual property thefts and national security classified information leaks.  This means increased funding potential for programs of Defensive Counterintelligence.  Next we shall look at the strategic challenges involving Homeland Security, Domestic Intelligence and Technological Innovation.

You may have heard that Corporate Security and Operational Risk Officers are consistently using the acronym M.I.C.E. to describe the motivations of rogue insider employees.  Money, Ideology, Compromise and Ego are the main categories with which human behavior can be associated once it is realized that an incident has occurred.

The "Why" question is asked early on by the General Counsel and the Chief Risk Officer (CRO), to try and understand the motivation by the employee.

One challenge is the current ecosystem of Homeland Security in the United States.  Consistently oriented toward protection against catastrophic threats to the homeland in general and not to an individual company, much of the Homeland Security Intelligence (HSI) mechanism is myopic and not predictive.  The laws associated with U.S. persons and the current state of employee protections are a white paper in themselves.  However, scrutiny of the laws associated with theft of intellectual property and corporate trade secrets is gaining momentum.

The challenges of "Domestic Intelligence" and "Technological Innovation" are now on a collision course in the courts.  Previous legal decisions such as United States v. Jones, 132 S. Ct. 945, 565 U.S. ___ (2012), a Supreme Court case, set an example.  As interpretations of the constitutional rights of U.S. citizens are decided, and metadata collected through technology innovations and offered as legal evidence is deemed to violate those rights, the challenges for domestic intelligence applications become more apparent.  This includes law enforcement and internal corporate security programs within private sector enterprises.


There are three competing perspectives within the enterprise organization that present a continuous cultural tug-of-war:
  • Human Resources
  • Privacy & Legal Governance
  • Security & Risk Management
In a recent break-out session of a private-industry-focused "Information Sharing Initiative" workshop, the comments were heard by all of us present.  A Chief Security Officer in the room came right out and admitted that his team does everything it can to avoid interaction with personnel from the Human Resources department.  This "Elephant-in-the-Room" topic is one that most corporate officers need to get out on the table.  A Human Resources department tasked with protecting the privacy and integrity of employees' personal data typically clashes with those charged with securing the assets of the organization.

Even though the U.S. does not have anything close to the EU Data Protection Directive, the legal precedents are being played out in the courts.  In the U.S., workplace privacy is a rapidly evolving spectrum of technology, metadata and big data analytics:
Employees typically must relinquish some of their privacy while at the workplace, but how much they must do so can be a contentious issue. The debate rages on as to whether it is moral, ethical and legal for employers to monitor the actions of their employees. Employers believe that monitoring is necessary both to discourage illicit activity and to limit liability. Although, with this problem of monitoring of employees, many are experiencing a negative effect on emotional and physical stress including fatigue and lack of motivation within the workplace.

The "Insider Threat" and Defensive Counterintelligence strategies are up against the employee privacy and data governance legal battles in the U.S.  However, there is a way forward to design the future architecture for this particular Operational Risk Management domain, beyond more legally detailed "Acceptable Use Agreements".

Just as any agreement on standards or rules takes a process and a dedicated architecture, so will this arena of human behavior, technology innovations and vital digital information assets.  Effective and transparent "Trust Decisions", embedded in the architecture so that the agreed-upon rulesets can be applied, are the ultimate goal.  Once humans have confidence in a mechanism for making these Trust Decisions consistently and with integrity, the presence of prudent risk management will then be realized.

The private sector will lead this effort in collaboration with government, yet it will design its own protocols and rulesets to plug into new federal standards.  The application of continuous monitoring of threats within the private sector workplace will evolve quickly by using these new frameworks and new tools.  Trust Decisions will be made in milliseconds, as systems execute the rules that have been coded into software and the latest big data analytics logic.
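An added example of what "rules coded into software" with transparent Trust Decisions can look like, and of one way to defuse the HR-versus-Security tug-of-war described a few paragraphs earlier. It is not code from this blog, from ISE.gov or from any product. The ruleset is data that the governance process agrees on in advance; every rule declares which attributes it reads, the evaluator refuses any rule that reaches outside the attribute set HR, Legal and Security approved, and each decision records the rule, its version and a hash of the ruleset in force so the decision can be explained afterwards. The attribute list, the three rules and the events are constructed and the policy itself is illustrative only.

```python
"""Rule-based "Trust Decision" evaluator with a transparent audit record.

Added example of the architecture the post argues for (rulesets agreed in
advance, executed consistently, explainable afterwards). It is not code from
the blog, ISE.gov or any product; the attribute list, rules and events are
constructed and the policy is illustrative only.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Attributes that HR, Legal and Security agreed may feed automated decisions.
# A rule cannot read anything outside this set, so the privacy boundary is
# enforced in code rather than by goodwill between departments.
APPROVED_ATTRIBUTES = {"resource_class", "destination_type", "volume_mb",
                       "hour_utc", "device_managed"}


@dataclass
class Rule:
    rule_id: str
    version: int
    needs: Set[str]                      # attributes this rule reads
    predicate: Callable[[dict], bool]    # evaluated on the minimised view only
    outcome: str                         # allow / deny / review
    rationale: str                       # what a reviewer sees afterwards


@dataclass
class Decision:
    outcome: str
    rule_id: Optional[str]
    version: Optional[int]
    ruleset_hash: str          # ties the decision to the exact ruleset in force
    attributes_used: List[str]
    rationale: str


def ruleset_hash(rules: List[Rule]) -> str:
    """Stable fingerprint of the ruleset (ids, versions, outcomes, inputs, text)."""
    ident = [[r.rule_id, r.version, r.outcome, sorted(r.needs), r.rationale] for r in rules]
    return hashlib.sha256(json.dumps(ident, sort_keys=True).encode()).hexdigest()[:16]


def unapproved_reads(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map of rule id -> attributes it wants that were never approved."""
    return {r.rule_id: sorted(r.needs - APPROVED_ATTRIBUTES)
            for r in rules if r.needs - APPROVED_ATTRIBUTES}


def decide(rules: List[Rule], event: Dict[str, object], default: str = "review") -> Decision:
    """First matching rule wins; rule order is part of the agreed ruleset.

    A rule whose inputs are missing abstains rather than guessing. If nothing
    matches, the event goes to a human reviewer instead of being silently allowed.
    """
    bad = unapproved_reads(rules)
    if bad:
        raise ValueError(f"ruleset reads unapproved attributes: {bad}")
    h = ruleset_hash(rules)
    for r in rules:
        view = {k: event[k] for k in r.needs if k in event}   # minimised view
        if len(view) < len(r.needs):
            continue
        if r.predicate(view):
            return Decision(r.outcome, r.rule_id, r.version, h, sorted(r.needs), r.rationale)
    return Decision(default, None, None, h, [], "no rule matched; routed to human review")


# Constructed ruleset, ordered by severity.
RULES = [
    Rule("R1", 2, {"resource_class", "destination_type"},
         lambda v: v["resource_class"] == "trade_secret" and v["destination_type"] == "personal_cloud",
         "deny", "trade-secret material may not be sent to personal cloud storage"),
    Rule("R2", 1, {"volume_mb", "hour_utc"},
         lambda v: v["volume_mb"] > 500 and (v["hour_utc"] < 6 or v["hour_utc"] > 22),
         "review", "bulk transfer outside working hours needs a second look"),
    Rule("R3", 1, {"device_managed", "destination_type"},
         lambda v: v["device_managed"] and v["destination_type"] == "corporate_share",
         "allow", "managed device writing to a corporate share"),
]

# Constructed events. EVENT_A carries an attribute HR holds but no rule may
# read; it never appears in any rule's view or in the audit record.
EVENT_A = {"resource_class": "trade_secret", "destination_type": "personal_cloud",
           "volume_mb": 2048, "hour_utc": 2, "device_managed": True, "on_medical_leave": True}
EVENT_B = {"resource_class": "internal", "destination_type": "corporate_share",
           "volume_mb": 900, "hour_utc": 23, "device_managed": True}
EVENT_C = {"resource_class": "internal", "destination_type": "corporate_share",
           "volume_mb": 10, "hour_utc": 14, "device_managed": True}
EVENT_D = {"resource_class": "internal", "destination_type": "usb"}   # inputs missing


if __name__ == "__main__":
    for name, ev in [("A", EVENT_A), ("B", EVENT_B), ("C", EVENT_C), ("D", EVENT_D)]:
        print(name, decide(RULES, ev))
```

The design choice worth noting is that the privacy control sits in the evaluator, not in the rules: a rule author who wants to consult an HR-only attribute cannot simply write it into a predicate, because the declared input set is checked against the approved list before any event is evaluated, and the audit record shows exactly which attributes each decision consumed. The "abstain when inputs are missing" behaviour is the other deliberate choice; a rule that cannot be evaluated should not be allowed to fail open.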

We recommend that the private sector continue to establish a consortium of cross-sector companies to interface with the new ISE.gov framework entitled "The Data Aggregation Reference Architecture."
The need for greater interoperability is clear. To protect national interests, intelligence and law enforcement agencies must be able to collect, accurately aggregate, and share real-time analytical information about people, places, and events in a manner that also protects privacy, civil rights, and civil liberties. The President’s National Strategy for Information Sharing and Safeguarding (NSISS) recognizes this as a priority national security issue, and speaks directly to this challenge. The Data Aggregation Reference Architecture (DARA) is in direct response to NSISS Priority Objective 10, “Develop a reference architecture to support a consistent approach to data discovery and entity resolution and data correlation across disparate datasets.” The DARA provides a reference architecture that can enable rapid information sharing, particularly for correlated data, but also for raw data, by providing a framework for interoperability between systems, applications and organizations.
These private sector companies need to standardize across sectors, just as the government is embarking on the mission to improve this across agencies.  You see, the blind spots that the government has discovered in sharing information across its own departments and agencies are no different in private industry.  The failure of Energy companies to share information with other Energy companies, or the same within the Financial Services industry ISAC model, is not new.  However, the speed and integrity of future "Trust Decisions" on Insider Threats will always depend on the timeliness and quality of the data.

The international agreements on ISO standards have a long history.  Quality and Environmental standards are most common.  The 21st century has delivered us privacy and information security "management system" standards established and agreed upon internationally.  The standards and rulesets integrated with government shall have interoperability with the private sector.  The private sector shall collaborate with government on the architecture for information sharing.  The future state outcomes will enhance our trust in the management systems that have been designed from the ground up to execute the rules.  A good example from ISO follows:
Cloud computing is quite possibly the hottest, most discussed and often misunderstood topic in IT today. This revolutionary concept has reached unexpected heights in the last decade and is recognized by governments and private-sector organizations as major game-changing technology.

In the January/February 2015 ISOfocus issue, we address some of the basic questions surrounding cloud computing (including the savings and business utility the technology can offer). We also explore security concerns of the cloud services industry and how these are addressed by ISO/IEC 27018, the first International Standard on safeguarding personal data in the cloud.

The future of the "Insider Threat" solutions will not be designed by just one company or one government.  Just as Internet standards have evolved to support billions of IP-addressable devices, using data science and machine learning, so too will the private sector discover the way forward on transparency and data governance.  What are the odds that an "Insider Actor" hired at company "A" may then move to Company "B" once and if they determine the controls and processes are too difficult or will catch them in their unauthorized activities?

The safety, security and privacy of our organizations in concert with an international community is imperative.  People must believe in the integrity of the "Trust Decisions" being made each second by the Internet devices they hold in their hands and simultaneously by the organizations they devote their working lives to each day.