22 March 2015

Board Directors Perspective: Data Risk Business Process Reengineering...

The ranks of established Fortune 500 companies have been studied in the latest NYSE Corporate Board Member's Annual Directors Survey.  Spencer Stuart asked several telling questions in the Operational Risk Management (ORM) domain and the results may be enlightening:
Corporate Board Member's 12th Annual Director Survey Delves into How Directors Are Managing Some of Today's Most Pressing Issues for Public Companies While Keeping Their Boards Nimble:

This year we received nearly 500 responses from directors who didn’t mind sharing their opinions and comments on these issues. More than 70% came from those who identified themselves as outside directors, and another 20% said they serve as board chair or lead director. Forty-four percent have served on a board for more than 10 years, and another 33% have served five to 10 years. Just over 30% are at companies whose annual revenues are in the $1.1 billion to $5 billion range.

In fact, 55% of the directors we surveyed don’t believe it’s reasonable to expect that a public company board can ever fully get its arms around all the different aspects of risk in the current corporate environment (Figure 1), particularly the newer forms of technology risk like cyber risk and social media risk.
If you think "Social Media Risk" is NOT on the mind of the Board of Directors these days, then you would be correct:

Figure 2

Has Your Board Put Social Media on the Agenda?

Yes - 35%
No - 65%

Either the Social Media Risk to the enterprise has yet to be clearly defined for the majority of directors, or they need more education on what the risks to the company really are.

If you think in 2015 a majority of the Board of Directors are still unsure about "Cyber Risk" you would also be correct:

Figure 6

How Confident Are You That Your Board Is Adequately Overseeing Cyber Risk?

Very - 15%
Somewhat - 63%
Not Confident - 23%

The oversight of "Cyber Risk" to the enterprise is still in question for 85% of directors, those who are anything less than "very confident".  Why?

To quote Spencer Stuart's Report:
Boards must be ready to oversee a myriad of risks, especially those related to cyber security—and the social media realm—which is unfamiliar territory for some current directors (Figure 6). As a result, forward-thinking boards looking to refresh their ranks will want to add members who have technological and social media experience to guide the board in an arena where it is all too easy to make innocent but often damaging corporate blunders. Boards also value directors who have industry, financial, and regulatory experience, our results show.
Unfamiliar territory for Board Members?  Some current directors who are focused on corporate strategy or mergers and acquisitions would certainly not always have the knowledge or understanding of what the real "Operational Risks" are in the cyber and social media categories.  This makes sense.

What about adding new Board Members who have cyber and social media experience?  The enterprise must certainly pivot and adapt to this changing landscape of risks.  Will adding new Board Members make a difference?  Not likely.

There are some who are now advocating a "Presumption of Data Breach" strategy.  Simply put, the question becomes "what are we doing now that our enterprise has been breached?" instead of "what will we do if we ever have a data breach?"  This subtle shift in thinking around the Board Room might move the percentage higher from only 15% who are "very confident" in overseeing their enterprise Cyber Risk today.

What if the Board of Directors had a discussion with management at each meeting about what they were doing to contain the breach?  The shift in mindset begins a whole new dialogue: one that is proactive and works on an existing business problem that requires remediation and new thinking, unlike the reactive strategy of waiting until the legal and regulatory rules mandate the admission that a breach has actually occurred.

Finally, what if the enterprise were to embark on a Data Risk Business Process Reengineering (BPR) initiative?  You remember the BPR era of the '90s, right?  A "Presumption of Data Breach" strategy should require the complete reengineering of our Data Enterprise Architecture itself.

Is end-to-end encryption the answer?  No.  Is segmentation of the network design the answer?  No.  Are Next-Generation Firewalls the answer?  No.  Is corporate end-user education on cyber risks the answer?  No.  Are new rules and legislation the answer?  No.  Is a combination of all of these the answer?  Probably yes.

Data Risk Business Process Reengineering is a topic worthy of discussion at the next Board of Directors Meeting.  Include all the stakeholders.  Allocate the funds and the resources.  Next year the goal will be for 25% of directors to be very confident in the oversight of cyber risk in the Corporate Board Member survey.

In the meantime, the use of encrypted apps will become more pervasive:
Our Privacy Practices, in Brief:

Wickr has to collect some information from you in order to provide our Services to you, but we do so in a highly limited, highly secure way.

We use military-grade encryption. Our encryption is based on 256-bit symmetric AES encryption, RSA 4096 encryption, ECDH521 encryption, transport layer security, and our proprietary algorithm. 
We can't see information you give us. Your information is always disguised with multiple rounds of salted, cryptographic hashing before (if) it is transmitted to our servers. Because of this we don't know — and can't reveal — anything about you or how you use the Wickr App.

Deletion is forever. When you delete a message, or when a message expires, our “secure shredder” technology uses forensic deletion techniques to ensure that your data can never be recovered by us or anyone else.

You own your data. We do not share or sell any data about our users. Period.

15 March 2015

Digital RubiCON: The Fifth Domain...

Operational Risk Management (ORM) is a continuous process in the context of our rapidly expanding corporate environments. What is one example? People traveling to emerging markets to explore new business opportunities or new suppliers that will be connected by high-speed Internet connections to the supply chain management system. The boundaries of managing operational risk have not only expanded, they have become invisible.

Rubicon:
1. a river in N Italy flowing E into the Adriatic
2. Rubicon, to take a decisive, irrevocable step

This "Digital Rubicon" before us, taking on a more "Active Defense" in navigating the risk across the international waters of e-commerce, privacy and legal jurisdictions, will forever shape our future. The decisions on what constitutes an adversarial attack in the cyber domain will not be as easy as they were at the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.

The new digital "Rule Sets" are currently being defined not only by nation states but by the "Non-State" actors who dominate a segment of the global digital domains. The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may work even better in the cyber-centric environment. Corporations are increasingly underestimating the magnitude of the risk and the speed at which it is approaching their front or back door steps.

The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" tug-of-war over information sharing, leaks to the public press and Wikileaks-like incidents has everyone on full alert. As the government has outsourced the jobs that would take it too long to execute, or in which the private sector is already the expert, operational risks have begun to soar.

As private sector tasks morph with the requirements of government, the gap for effective risk mitigation widens and spectacular incidents of failure are perpetuated. Whether it is the failure of people, processes, systems or some other clandestine event does not matter. The public-private paradox will continue as long as the two seek some form of symbiosis. The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission-critical resource within an unpredictable environment.

Once an organization has determined the vital combination of assets it requires to operate on a daily basis, it can begin its quest for enterprise resiliency. The problem is that most companies still do not understand these complex relationships within the matrix of their business, and therefore remain vulnerable. The only path to that resilient outcome is to finally cross that "Digital Rubicon" and realize that you can no longer control it.

The first step in any remediation program is to admit the problem and accept the fact that it exists. Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust.

"Simply put, Shodan is a search engine. While Google crawls the Internet looking for websites, Shodan is scanning for devices connected to the Internet and recording information about the software running on those devices. What has the press and security professionals worried is that Shodan has revealed wide-scale holes in Internet safety, from somewhat embarrassing privacy oversights to keep-you-up-at-night vulnerabilities in critical infrastructure.

Imagine a building. Now imagine a private detective checking out the building, snooping around the perimeter, noting what security company’s sticker is on the window, what kind of locks are on the doors, what kind of sprinkler system waters the landscaping, what brand of air conditioner is mounted on the roof, what electric company services the smart meter around the back. Now imagine that investigator does the same thing for every office, every home, every school, every factory, power plant, hospital and football stadium and uploads it to a publicly available database. That’s what Shodan does, but with IP addresses. It’s almost like an automated way to digitally case every joint in the world."

07 March 2015

Information Leaks: Risk Of The Data Supply Chain...

There is a well-known threat that has been discussed with the Board of Directors behind closed doors for years. This threat is not new to most Operational Risk Management (ORM) professionals, and yet executive management is still in denial that it could happen to us. Have you, or someone in your C-Suite, ever awakened one morning and wondered how the company's new plans for a merger are now in the published press? What about that new research and development breakthrough that ends up with another company patenting a similar process a week or a month ahead of you?

What is the threat? Call it competitive intelligence, economic espionage, press leaks, loose lips or advanced persistent threat (APT), it does not really matter. The threat remains from all those people, rivals, industry peers, countries, states, allies and enemies that are working 24 x 7 x 365 to copy your valuable information and use it for their own advantage. What advantage depends on who obtains the valuable information and how they will eventually use it or sell it.

What is even more fascinating to most subject matter experts is the amount of information that is still created and allowed to be compromised that is false, fake and designed to confuse the adversary. So what is it that much of executive management still does not understand about all of this?

It is the "source" of the vulnerability that is leaking, or allowing the secret or confidential information to be compromised. To this day they remain naive about the potential source. In many cases this source is not even inside their own company or organization; it is somewhere within the organization's data supply chain. But where, exactly?

The answer can only be narrowed down if you know exactly where your data and secret or confidential information is collected, transported and stored in the hands of trusted third parties outside the four walls of your business. That is the remedial first step: creating a definitive map of who has custody of your data through some kind of third-party agreement. The agreement could be with any number of key business partners in your data supply chain:

  • Banker
  • Venture Capitalist
  • Accountant
  • Attorney
  • Insurer
  • Internet Service Provider
  • Utility
  • Data Telecom Provider
  • Wireless Telecom Provider
  • Payments Processor
  • Document Custodian or Shredder

This short list is a good place to begin your quest for better understanding where the source of your information leak may be. Now think about this list and ask yourself who might have the most robust set of staff, resources and technology savvy people to keep your data safe. Regardless of the service level agreements or engagement letters in place, who is the most vulnerable on this list?

Even more important may be the question of which of your data supply chain business partners has the fewest resources, people and state-of-the-art detection systems for the APT, Zeus and other mechanisms that are exfiltrating your data to another country. When was the last time you asked any of your business partners to walk you into their IT department for a look around with your CIO or CTO?

Believe us when we say that if you get that "Deer in the Headlights" look on your business partner's face, you are in trouble. You can bet that the attackers are not attacking you as much as they are attacking your data supply chain. As an example, if you say in public or in your public filings that your primary outside counsel firm is "Red, White and Blue," you can be assured that your adversaries will take notice.

Just because your organization has spent millions or billions on new data centers with the most sophisticated technologies available to counter your cyber adversaries, how can you be sure that your business data supply chain has done the same? There is only one way to do that, and it is in person and on site. Consider this level of due diligence before handing over your business for the merger and acquisition project or the development of a vital new component for your new patented product. A model "Request for Information" (RFI) on the business partner's controls and capabilities for securing your sensitive, confidential and secret information shall be a first-step requirement.

The second step shall be to get an inventory of what systems your data supply chain partner has in place to mitigate the risk of a data breach. At the top of that list should be the management system that governs all the other hardware and software systems. So even if your business partner says they are using RSA NetWitness or ScoutVision on their corporate networks and Good MDM for their mobile devices, that is not going to be enough.  More from Europol:

A decline of traditional hierarchical criminal groups and networks will be accompanied by the expansion of a virtual criminal underground made up of individual criminal entrepreneurs, which come together on a project-basis and lend their knowledge, experience and expertise as part of a crime-as-a-service business model.

The overarching "Management System" is not about technology. It is not about your favorite eDiscovery or computer forensics guru. It is about the way your business partner trains and educates its people. It is about how those people use relevant business controls to secure your secrets, confidential data and records. Look at their behavior around the topic of "Achieving a Defensible Standard of Care" and you will soon discover whether you have found the most ideal banker, accountant or attorney to entrust with your digital supply chain.

01 March 2015

Irregular Warfare: 21st Century Corporate Battlefield...

The safety and security of your corporate assets is a Board of Directors-level issue. Loss events, including adversarial litigation for errors, omissions or just plain ignorance of regulatory compliance, are gaining momentum. These Operational Risks, associated with human behavior and the daily tasks performed on the job, remain a vast vulnerability within the corporate enterprise. Why?

The discipline of effective Operational Risk Management (ORM) requires a tone from the top that speaks to the core issue:

Historically, financial institutions that have experienced security breaches or costly exposure to operational and other kinds of risks have tended to keep these incidents under wraps. The conventional wisdom was that it was bad for the brand and bad for the business to talk about these situations. But times have changed -- the developments of the past couple of years in the financial services industry have served to demystify risk management in many ways. At the same time, with e-crimes and other kinds of online security breaches becoming more sophisticated and prevalent, some industry players are calling for more openness and collaboration as a way to try to identify and prevent attacks before they compromise critical customer information.

The growth of more sophisticated attacks on our critical infrastructure, exploits that compromise our "Personally Identifiable Information" (PII), and the risks associated with wrong, invalid or corrupted information will continue to accelerate. The loss events are directly tied to the speed and sophistication of the systems people use in their daily tasks: whether it is a person operating a vehicle with computers on board or sensors designed to collect specific information, the systems are faster and more complex.

Information sharing is needed to address the threats from transnational non-state actors who are organized and operating with the intent of exploiting vulnerabilities in the fabric of business. Those actors have three places to focus their efforts on your systems and controls:
  • Design
  • Implementation
  • Configuration
If business understands that these are three areas that the attackers are focused on, then perhaps they will realize that resources and manpower must be allocated to these key components of the enterprise defense. If you think about each loss you have incurred over the past year, the odds are that your attacker was able to exploit one of these three attributes. Think about it for a minute.

Even if your design is flawless in theory, over time you may find that the wall is not tall enough, the fence not long enough or the door not strong enough. Even if your implementation follows the designer's instructions, you may find that the environment you operate in is too hot, too isolated or overwhelmed with chaos. Even if your configuration today is a one-to-one match for all known exploits, the adversary is watching and monitoring your design and implementation. They are changing their tactics and "Modus Operandi" (MO) to fool you, scare you or operate in complete stealth mode until it is too late. This is known as irregular warfare:
When we say irregular warfare, what we're really talking about is a not so new, but newly formalized approach to dealing with challenges. It is a concept and philosophy properly considered in the strategic context that allows us to apply capabilities holistically to achieve desired effects. Its most unique characteristics are the focus on the relevant populations, support to sovereign partners and a linkage to our shared interests. It is a DoD activity not limited to SOF or dependent on a state of war.

Irregular Warfare "the concept" equips us intellectually to deal with a global environment that is characterized by broad ambiguities. These ambiguities are seen in the apolar nature of a world with multiple competitors; both state and non-state. Challenge causations that include crime, extremism and accelerating migration patterns and finally the interdependencies and interconnectivity of economies, communications and media systems and social networks. This is, without question, a highly complex challenge set and we must be a more capable and sophisticated actor ourselves if we expect to protect our national interests.

In order to better understand how to mitigate operational risks in our institutions, you also have to study the complexity of modern warfare. The speed and complexity of new adversaries (fraudsters, hackers, spies, terrorists, vandals, corporate raiders) that exploit your Design, Implementation or Configuration apply equally to your accounting controls and your security measures. Those organizations that learn how to apply modern-day irregular warfare to the 21st century corporate battlefield will not only beat the competition, they will minimize their losses.

Operational Risk Management (ORM) discipline is an essential element that begins with the tone at the top and one enlightened CEO.

22 February 2015

Fear: The Elements of Prediction...

"Just as some things must be seen to be believed, some must be believed to be seen." "...so one way to reduce risk is to learn what risk looks like." --Gavin De Becker

These words from his book The Gift of Fear remind us how many people talk about Operational Risk Management (ORM), mitigation and implementing risk controls without any context. In order to truly understand something, you actually have to come face-to-face with it, experience it and feel it.

For every 100 people in your organization, how many are a risk?  By that we mean: the likelihood is high that an individual will do something, or be the target of an incident, that causes irreversible harm to themselves and/or the institution during their tenure as an employee.

The actuaries behind the insurance you purchase for different kinds of hazards or incidents in the workplace could give you some answers here. How likely is it that this kind of event occurs in this industry over the course of one year as an example? Certainly the ratios are known, otherwise the insurance product would not exist to protect you.

Predictive Analytics and processing of information to predict what has a high chance of actual occurrence is a whole other matter. In order to be predictive, you have to have actual experience and it has to be so innate that it now becomes more than just an intuition.

Some call it "Self-talk" and others a gut feeling but whatever it is, it got there because of your past experience. If it's more powerful than that, now you may just be experiencing something we all know as "Real Fear". You have to realize that when you get that tingle sensation up the back of your neck, you are way beyond self-talk and into a whole new dimension of emotion.

De Becker's elements of prediction can help us figure out the likelihood that a predicted outcome will actually occur:

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable, though not necessarily identical, to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?
This OPS Risk professional has realized that these 11 elements exist in many of the risk management methodologies and systems experienced over the years. What is remarkable is the degree to which, time and time again, we see these elements left out, avoided or just plain not utilized in organizations of all sizes and industry sectors.

It's time that CxOs revisit all of these elements in each of the Operational Risk Management (ORM) systems in place in their enterprise: from the front door to the intrusion prevention system, in the HR process from interview to termination, and from the training room to the board room.

Predictive Analytics is a science that comes in the form of an art. Make sure you have the people who are masters of the art and experts in implementing the science.

15 February 2015

Risk Leadership: From the Inside Out...

The "Leadership of Security Risk Professionals" continues to be an executive management priority in light of the asymmetric threat spectrum unfolding across the globe.  Operational Risk Management (ORM) provides the umbrella for the diverse and yet interdependent processes that pulse throughout the information rich enterprise.  As a leader reflects on this dynamic ecosystem, the vulnerability that still remains most prominent is the failure to effectively integrate risk mitigation tasks by the risk professionals themselves.

How often is your Facility Security Officer (FSO) part of the strategic briefings after a Board of Directors meeting?  Explain the amount of information exchange and the substance of the daily dialogue between your head of Human Resources (HR) and the Chief Security Officer (CSO).  What new strategies have been developed this week between your outside counsel and General Counsel (GC) that have also been communicated to the Tier II management in the organization?  How do your customers get educated by your Chief Financial Officer (CFO) in concert with the Chief Information Security Officer (CISO)?  What metrics are in place to gauge the risk awareness of new industrial espionage schemes being utilized by Transnational Organized Crime (TOC) syndicates or nation states to prey on Critical Infrastructure owners and operators?

The risk professionals in your organization operate each day in the fog of unvalidated intel and exploits. What have you done to update, adapt, renew and change the way you operate since yesterday?  It is this level of situational awareness and predictive sense-making that is necessary if you aspire to become even more resilient tomorrow.  Knowing what has changed on each other's "Risk Watch" is only one part of the daily real-time analysis.  The most time-sensitive knowledge may be the understanding of the behavioral implications of your people, processes, systems and external events as they unfold before you:
According to counterintelligence presented by the Federal Bureau of Investigation's Insider Threat Program, employees, former employees or contractors -- those who joined the organization with no intent of wrongdoing -- pose the biggest threat. 
These findings a few years ago, which are based on 20 years of espionage case investigations, indicate that contrary to popular belief, when it comes to data loss and spying, the real-world insider threat is not a stereotypical hacker who covertly siphons off sensitive information on internal systems and networks. 
Authorized users with a level of organizational trust, who are doing legitimate activities with malicious intent, pose the biggest threat, according to Patrick Reidy, the FBI's chief information security officer heading up the Insider Threat Program. 
Reidy said the FBI spends about 35% of its response time on these types of incidents. Focusing on education can help minimize these problems; he said these incidents have dropped 7% at the FBI in the past year. 
Insider threats are not numerous, according to Reidy, but in terms of damages they are the most costly. Of more than 1,900 incidents reported during a 10-year period, Reidy said about 19% were malicious insider threats. Based on information from multiple, "open source" data breach reports and data loss surveys, the average cost per incident is $412 thousand, and the average loss per industry is $15 million. In several instances, damages reached more than $1 billion.
The "Speed of the Connected Enterprise" can be your best ally or your greatest adversary.  How you integrate, explain, orient, exchange and adapt in real time is now the name of the game.  Leadership of the Security Risk Professionals operating each day from the front lines to the back office of your organization requires Operational Risk Management excellence.

Without it, they will continue to operate in the haze of that invisible adversary we call complacency.  Complacent employees, suppliers and customers will remain your loftiest vulnerability.  The effectiveness of your leadership of the Security Risk Professionals operating in your organization, partner businesses and client facilities is continuously at stake.

07 February 2015

Frames of Mind: The Risk of Analytic Convergence...

Are there growing Operational Risks to our national security and private sector enterprises as our intelligence community (IC) continues its path of convergence?

We are using the tools and software to automate as much of the collection and the work flow as possible before the human "Grey Matter" is necessary to the final analysis. The fact that 80% of the time is spent on collection/searching and 20% on actual human processing, tells us that we have a long way to go.

Getting to the point where we spend even more than half of the time on actual human analysis is a long way off into the future. Software systems are getting automated crawlers to pull more relevant OSINT into the "Big Data" bases for unstructured query, yet what about the front-line observer who witnesses an incident? They must process it by filling in a paper-based report with a #2 pencil, or an electronic form on a PDA, checking boxes and selecting the categories that best describe the observed event that risk managers, watch commanders and operations directors need for more effective decision support.

It dawned on us again that perhaps the most vulnerable area of our entire mission is the actual analytical process. We have highlighted the "Analysis of Competing Hypotheses" (ACH) methodology in the past:
Use ACH when the judgment or decision is so important that you can't afford to be wrong. Use it to record and organize relevant evidence prior to making an analytical judgment or decision. Use it to identify and then question assumptions that may be driving your thinking, perhaps without realizing it. Use it when the evidence you are working with may be influenced by denial and deception. Use it when gut feelings are not good enough, and you need a more systematic approach that raises questions you had not thought of. Use it to prevent being surprised by an unforeseen outcome. Use it when an issue is particularly controversial and you want to highlight the precise sources of disagreement. Use it to maintain a record of how and why you reached your conclusion.
To our own demise, how much time are we spending teaching people how to create .csv files and Excel spreadsheets so they can be imported into a link analysis chart or tool? Getting correct, clean and accurate data into the tool is very important. Once the intel analysts take over and start the Who, What, When, Where exercises to gain a visual picture of the incidents, actors, and the cues and clues associated with the "Modus Operandi" (MO), people start to get way too excited about the possible outcomes. That is when it is time to stop, assess and use ACH.
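As an added illustration (not code from the original post), the ACH matrix method in miniature, carried one step beyond the quoted description: hypotheses about a constructed information-leak incident are rated against evidence, ranked by least weighted inconsistency (ACH eliminates hypotheses rather than confirming them), and a sensitivity pass reports which evidence items the conclusion hinges on. The incident, hypotheses, evidence and credibility weights are all constructed.

```python
"""Analysis of Competing Hypotheses (ACH) matrix for an information-leak review.

Added example, not from the original post. Each evidence item is rated against
every hypothesis as consistent (C), inconsistent (I) or not applicable (N), and
weighted by an analyst-assigned credibility. The hypothesis with the fewest
weighted inconsistencies leads; the sensitivity pass shows which evidence items
(and therefore which assumptions) the ranking depends on.
"""
from dataclasses import dataclass, replace

CONSISTENT, INCONSISTENT, NOT_APPLICABLE = "C", "I", "N"


@dataclass(frozen=True)
class Evidence:
    label: str
    description: str
    credibility: int  # analyst's assumption: 1 (weak) .. 3 (strong)
    ratings: dict     # hypothesis id -> "C" / "I" / "N"


class ACHMatrix:
    def __init__(self, hypotheses, evidence):
        self.hypotheses = dict(hypotheses)
        self.evidence = list(evidence)
        for ev in self.evidence:  # every cell of the matrix must be filled in
            missing = set(self.hypotheses) - set(ev.ratings)
            if missing:
                raise ValueError(f"{ev.label} has no rating for {sorted(missing)}")

    def inconsistency_scores(self, exclude=()):
        """Weighted count of inconsistent evidence per hypothesis; lower is better."""
        scores = {h: 0 for h in self.hypotheses}
        for ev in self.evidence:
            if ev.label in exclude:
                continue
            for h, rating in ev.ratings.items():
                if rating == INCONSISTENT:
                    scores[h] += ev.credibility
        return scores

    def leading(self, exclude=()):
        """Hypotheses with the fewest inconsistencies (a tie returns several)."""
        scores = self.inconsistency_scores(exclude)
        best = min(scores.values())
        return sorted(h for h, s in scores.items() if s == best)

    def diagnostic_evidence(self):
        """Evidence that discriminates: not rated the same for every hypothesis."""
        return [ev.label for ev in self.evidence if len(set(ev.ratings.values())) > 1]

    def sensitivity(self):
        """Linchpin evidence: items whose removal changes the leading hypothesis set."""
        baseline = self.leading()
        return [ev.label for ev in self.evidence
                if self.leading(exclude={ev.label}) != baseline]

    def with_credibility(self, label, credibility):
        """Re-weight one evidence item (questioning an assumption) in a new matrix."""
        evidence = [replace(ev, credibility=credibility) if ev.label == label else ev
                    for ev in self.evidence]
        return ACHMatrix(self.hypotheses, evidence)


# Constructed incident: a draft merger plan appeared in the press.
HYPOTHESES = {
    "H1": "A malicious insider exfiltrated the draft merger plan",
    "H2": "The draft was compromised at outside counsel (data supply chain)",
    "H3": "An authorized party disclosed the draft accidentally",
}

EVIDENCE = [  # constructed sample evidence and ratings
    Evidence("E1", "DLP logs show no copy of the draft leaving the corporate network", 2,
             {"H1": "I", "H2": "C", "H3": "C"}),
    Evidence("E2", "Outside counsel's IT reports no security incident in its ticket system", 3,
             {"H1": "N", "H2": "I", "H3": "N"}),
    Evidence("E3", "Press report quotes figures present only in the version sent to counsel", 3,
             {"H1": "I", "H2": "C", "H3": "C"}),
    Evidence("E4", "Mail and filing records show no misaddressed message or public filing", 2,
             {"H1": "C", "H2": "C", "H3": "I"}),
    Evidence("E5", "One employee opened the draft outside business hours", 1,
             {"H1": "C", "H2": "N", "H3": "N"}),
    Evidence("E6", "The draft was marked confidential in the document management system", 1,
             {"H1": "C", "H2": "C", "H3": "C"}),
]


def leak_matrix():
    return ACHMatrix(HYPOTHESES, EVIDENCE)


if __name__ == "__main__":
    m = leak_matrix()
    print("inconsistency scores:", m.inconsistency_scores())
    print("leading:", m.leading())
    print("diagnostic evidence:", m.diagnostic_evidence())
    print("conclusion hinges on:", m.sensitivity())
    # Questioning the assumption that a partner's self-report deserves full weight:
    print("leading if E2 is weak:", m.with_credibility("E2", 1).leading())
```

With the constructed weights the accidental-disclosure hypothesis leads, but the sensitivity pass shows that ranking rests on the partner's self-report (E2); down-weighting that single item flips the leading hypothesis to the data supply chain.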

Utilizing an analytic process that incorporates tools and other aids to the human decision maker to increase accuracy is only prudent if you have the time to ensure a decision without error. In the absence of time, human intelligence is the only answer. We should not underestimate the "Theory of Multiple Intelligences" put forth by Howard Gardner in his book Frames of Mind.

As you read this book from 1983, begin to apply the history of what we have learned about human cognition, and then use this in the context of an analytic process for intelligence communities, the current state of the IC and its attempt to reform itself suddenly seems crystal clear. What if we organized the competencies of intelligence organizations more closely around the multiple intelligences that Gardner has been researching for decades?

The people selected, trained and leveraged for their "Grey Matter" would be more closely aligned with what we know about the brain and the way that humans have evolved from a biological perspective in their cognitive capacities. Is it possible that we have the wrong people working in the wrong Intel agencies and the wrong roles?
  • Linguistic Intelligence
  • Musical Intelligence
  • Logical-Mathematical Intelligence
  • Spatial Intelligence
  • Bodily-Kinesthetic Intelligence
  • Personal Intelligence
Is it possible to develop an analytic process that puts the right people in the right sequence of the process so that the outcomes are closer to what we really are seeking?

The answer may lie on one of these pages. They may be the best place to start in order to understand what each of our IC entities is all about at this point in the intelligence analysis and outcomes evolution.

01 February 2015

Think Tank: Leadership of Security Risk Professionals...

"Leadership of Security Risk Professionals" is in the operational risk management think tank: a program being designed for corporations and other organizations that are raising the bar in their personnel skills, risk knowledge and corporate stewardship of their respective silos of enterprise security risk.

If you think about the typical organization that has dozens of risk managers spread across Legal, Human Resources, Finance, Information Technology and Facilities/Real Estate, they all have their own individual silos and risk landscapes.  The challenge is to develop a strategic leadership program for these people, and the respective skill sets they all should possess, to provide effective Operational Risk Management in our modern, dynamic enterprise.

This strategic program developed to address "Leadership of Security Risk Professionals" (LSRP) shall have several key modules:
  • Behavioral Indicators
  • Organizational Factors
  • Personal Factors
  • Information Communication Technology (ICT)
  • Situational Awareness
  • Continuity of Operations
  • Incident Command
  • Crisis Response
Wrapped around all of these educational modules shall be practical exercises, realistic scenarios and hands-on testing in a simulated environment.  All delivered within the secure facility of an off-site location, where everyone eats, sleeps and learns together over the course of 2.5 days.  The think tank outcomes so far have expressed a desire to also include a hands-on layer.  This will be devoted to counterintelligence awareness building and the active pursuit of economic espionage, trade secret and intellectual property theft.

The LSRP program is currently being architected and will be formally launched in early 2015.  In the meantime, we would like to know what you would like to see included, in terms of skills learned and practiced.  What are the sub-topics that you think the program should not leave out, or that should not be overdone?  The global nature of business environments and the pervasive use of ICT for traditional core office functions are now blending with social media, and the risks become even more diverse and more dynamic.

The convergence of thinking by security risk professionals in an organization is paramount to effective enterprise stewardship.  Does the HR recruiter and the Chief Security Officer think the same about what are red flags in the background check of a new potential candidate?  Does the IT admin think about the same red flags that the finance auditor loses sleep over every night?  Probably not.

The point is that the myriad security risk professionals inside the organization each focus on the red flags in their own domain, not on those of all the others inside the same company. Closing that gap is a key metric for the outcomes of the LSRP educational and skills-based program.

We look forward to your ideas, thoughts and comments about "Leadership of Security Risk Professionals" in the weeks and months ahead.

25 January 2015

Insider Threat: Trusted Systems of the Future...

In the Defense Industrial Base in particular, corporate executives are on edge these days, anticipating the next game changing crisis phone call from the General Counsel.  The conversation is one that every CxO expects to have at some point in their career, yet the pace of multi-million dollar incidents is rapidly increasing.  The origin typically begins somewhere within the Operational Risk Management (ORM) landscape including People, Processes, Systems or External events.


The Board of Directors is evaluating the current funding levels for Operational Risk Management programs.  The focus on "Insider Threat" is a renewed area of scrutiny in light of the number of intellectual property thefts and national security classified information leaks.  This means increased funding potential for programs of Defensive Counterintelligence.  Next we shall look at the strategic challenges involving Homeland Security, Domestic Intelligence and Technological Innovation.


You may have heard that Corporate Security and Operational Risk Officers consistently use the acronym M.I.C.E. to describe the motivations of rogue insider employees. Money, Ideology, Compromise and Ego are the main categories that human behavior can be associated with, once it is realized that an incident has occurred.

The "Why" question is asked early on by the General Counsel and the Chief Risk Officer (CRO), to try and understand the motivation by the employee.

One challenge is the current ecosystem of Homeland Security in the United States. Consistently oriented toward protection against catastrophic threats to the homeland in general, and not to an individual company, much of the Homeland Security Intelligence (HSI) mechanism is myopic and not predictive.  The laws associated with U.S. persons and the current state of employee protections is a white paper in itself. However, the scrutiny of laws associated with the theft of intellectual property and corporate trade secrets is gaining momentum.

The challenges of "Domestic Intelligence" and the intersection with "Technological Innovation" are now on a collision course in the courts.  A previous legal decision, United States v. Jones, 132 S. Ct. 945, 565 U.S. ___ (2012), is a Supreme Court case that sets an example.  As interpretations of the constitutional rights of U.S. citizens are decided, and metadata collected from technology innovations as legal evidence is deemed to violate those rights, the challenges for domestic intelligence applications become more apparent.  This includes law enforcement and internal corporate security programs within private sector enterprises.


There are three competing perspectives within the enterprise organization that present a continuous cultural tug-of-war:
  • Human Resources
  • Privacy & Legal Governance
  • Security & Risk Management
In a recent breakout session of a private industry focused "Information Sharing Initiative" workshop, the comments were heard by all of us present.  A Chief Security Officer in the room came right out and admitted that his team does everything it can to avoid interaction with personnel from the Human Resources department.  This "Elephant-in-the-Room" topic is one that most corporate officers need to get out on the table.  A Human Resources department tasked with protecting the privacy and integrity of employees' personal data typically clashes with those charged with securing the assets of the organization.

Even though the U.S. does not have anything close to the EU Data Protection Directive, the legal precedents are being played out in the courts.  In the U.S., workplace privacy is a rapidly evolving spectrum of technology, metadata and big data analytics:
Employees typically must relinquish some of their privacy while at the workplace, but how much they must do so can be a contentious issue. The debate rages on as to whether it is moral, ethical and legal for employers to monitor the actions of their employees. Employers believe that monitoring is necessary both to discourage illicit activity and to limit liability. Although, with this problem of monitoring of employees, many are experiencing a negative effect on emotional and physical stress including fatigue and lack of motivation within the workplace.

The "Insider Threat" and Defensive Counterintelligence strategies are up against the employee privacy and data governance legal battles in the U.S.  However, there is a way forward to design the future architecture for this particular Operational Risk Management domain, beyond more legally detailed "Acceptable Use Agreements".

Just as any agreement on standards or rules takes a process and a dedicated architecture, so will this arena of human behavior, technology innovations and vital digital information assets.  The ultimate goal is effective and transparent "Trust Decisions" embedded in the architecture, so that the agreed-upon rulesets can be applied.  Once humans have confidence in a mechanism for making these Trust Decisions consistently and with integrity, prudent risk management will be realized.

The private sector will lead this effort in collaboration with government, yet it will design its own protocols and rulesets to plug in to new federal standards.  The application of continuous monitoring of threats within the private sector workplace will evolve quickly by using these new frameworks and new tools.  Trust Decisions will be made in milliseconds, as systems execute the rules that have been coded into software and the latest big data analytics logic.

We recommend that the private sector continue to establish a consortium of cross-sector companies to interface with the new ISE.gov framework entitled "The Data Aggregation Reference Architecture."
The need for greater interoperability is clear. To protect national interests, intelligence and law enforcement agencies must be able to collect, accurately aggregate, and share real-time analytical information about people, places, and events in a manner that also protects privacy, civil rights, and civil liberties. The President’s National Strategy for Information Sharing and Safeguarding (NSISS) recognizes this as a priority national security issue, and speaks directly to this challenge. The Data Aggregation Reference Architecture (DARA) is in direct response to NSISS Priority Objective 10, “Develop a reference architecture to support a consistent approach to data discovery and entity resolution and data correlation across disparate datasets.” The DARA provides a reference architecture that can enable rapid information sharing, particularly for correlated data, but also for raw data, by providing a framework for interoperability between systems, applications and organizations.
These private sector companies need to standardize across sectors, just as the government is embarking on the mission to improve this across agencies.  You see, the blind spots that the government has discovered in sharing information across its own departments and agencies are no different in private industry.  The failure of Energy companies to share information with other Energy companies, or the same within the Financial Services industry ISAC model, is not new.  However, the speed and integrity of future "Trust Decisions" on Insider Threats will always depend on the timeliness and quality of the data.

International agreements on ISO standards have a long history.  Quality and Environmental standards are the most common.  The 21st century has delivered us privacy and information security "management system" standards established and agreed upon internationally.  The standards and rulesets integrated with government shall have interoperability with the private sector, and the private sector shall collaborate with government on the architecture for information sharing.  The future state outcomes will enhance our trust in management systems that have been designed from the ground up to execute the rules.  A good example from ISO follows:
Cloud computing is quite possibly the hottest, most discussed and often misunderstood topic in IT today. This revolutionary concept has reached unexpected heights in the last decade and is recognized by governments and private-sector organizations as major game-changing technology.

In the January/February 2015 ISOfocus issue, we address some of the basic questions surrounding cloud computing (including the savings and business utility the technology can offer). We also explore security concerns of the cloud services industry and how these are addressed by ISO/IEC 27018, the first International Standard on safeguarding personal data in the cloud.

The future of "Insider Threat" solutions will not be designed by just one company or one government.  Just as Internet standards have evolved to support billions of IP addressable devices using data science and machine learning, so too will the private sector discover the way forward on transparency and data governance.  What are the odds that an "Insider Actor" hired at company "A" will then move to company "B" once, and if, they determine the controls and processes are too difficult or will catch them in their unauthorized activities?

The safety, security and privacy of our organizations in concert with an international community is imperative.  People must believe in the integrity of the "Trust Decisions" being made each second by the Internet devices they hold in their hands and simultaneously by the organizations they devote their working lives to each day.

18 January 2015

Blackhat: Corporate Counterintelligence Capability...

If you are an Operational Risk Management (ORM) professional you should invest time to see the latest movie on Information Security this weekend.  Michael Mann's latest production is entitled "Blackhat" and it has a few lessons learned including several stark reminders of the current state of industrial asymmetric warfare.

While you may laugh at some of the scenes, there are some effective learning points along the way.  Even better, consider inviting one of your corporate executives to the movie with you.  They could walk away with a better understanding of the active cybercrime and cyberterrorism syndicates that have global operations.

The motivations for these continuous cyber attacks can in most cases be described in one word: "Greed".  The human factors associated with greed become more exemplified in the digital Internet of Things (IoT) domain year over year.  So what do Wired Magazine and Cade Metz have to say about this latest hacker movie?
For Parisa Tabriz, who sits at the center of the info-sec universe as the head of Google’s Chrome security team, it’s a Hollywood moment that rings remarkably true. “It’s not flashy, but it’s something that real criminals have tried—and highlights the fundamental security problems with foreign USB devices.” 
Tabriz will also tell you that such accuracy—not to mention the subtlety of the scene with the coffee-stained papers—is unusual for a movie set in the world of information security. And she’s hardly alone in thinking so. Last week, Tabriz helped arrange an early screening of Blackhat in San Francisco for 200-odd security specialists from Google, Facebook, Apple, Tesla, Twitter, Square, Cisco, and other parts of Silicon Valley’s close-knit security community, and their response to the film was shockingly, well, positive. 
Judging from the screening Q&A—and the pointed ways this audience reacted during the screening—you could certainly argue Blackhat is the best hacking movie ever made.
Hollywood, California is getting closer to understanding how to reach a broad audience who are interested in the commercial cyber thriller.  The cyber themed movies have been around for years including "Sneakers" with Robert Redford in 1992.  So what has changed, after all of these attempts to help illustrate the spectrum of Operational Risks impacting the corporate enterprise?  Sabotage on critical infrastructure is ever more present.  So what has remained the same?

Still to this day there remains a tremendous amount of complacency about the risk of "Insider Threat." To illustrate this further, what are some of the common factors in all espionage incidents in the U.S. since 1950?
  • More than 1/3 of those who committed espionage had no security clearance. 
  • Twice as many “insiders” volunteered as were recruited. 
  • 1/3 of those who committed espionage were naturalized U.S. citizens. 
  • Most recent spies acted alone. 
  • Nearly 85% passed information before being caught. 
  • Out of the 11 most recent cases, 90% used computers while conducting espionage and 2/3 used the Internet to initiate malicious contact.
What can a corporation do in an environment of competing resources for talent, new tools and an increasing focus on consumer privacy?  Having an effective counterintelligence program within your organization is paramount to preserving your intellectual property and the integrity of the U.S. industrial supply chain.  So where should you start?

Begin your organization's awareness building with a robust program on cyber security:
Welcome to the InfraGard Awareness Security Awareness Course - We all have a role to play in protecting ourselves and the nation from the impact of cybercrime and identity theft, and that role can begin in the workplace. 
The better you are at protecting your own workplace from cybercrime and identity theft, the fewer opportunities criminals, petty thieves, and even terrorists will have to exploit security vulnerabilities for their own purposes.
  1. "What technologies do you want to protect from your competitors (e.g., R&D, supply chain, pricing and customer service information, contracts, production and maintenance records, etc.)  Do you believe you are adequately protecting them?  Can you rank these items by level of importance?  
  2. What information or technology (including expertise in manufacturing, production, or operations) are foreign competitors lacking that keeps them from being competitive?  Identify the various applications (both military and commercial) of your product or service.
  3. Do you have a reporting program in place to track how and where your critical/emerging technologies are being targeted by domestic and foreign adversaries?  If so, what trends have you seen?"
  • Source:  FBI SPIN:  15-001
The genesis of any mature insider threat program begins with the strategic development of a robust counterintelligence capability within your Operational Risk Management (ORM) framework.  The future of your organization and the safety and economic security of the entire nation are at stake.

11 January 2015

Legal Risk: Forensic Analysis of Supply Chain...

Corporate environments where a dedicated Chief Information Security Officer (CISO) works alongside the General Counsel (GC) to tackle Operational Risk Management (ORM) continue to face a significant challenge.  The introduction of court-certified tools for forensic analysis of information on both desktop and mobile devices, including phones, tablets and anything with storage capability (USB jump drives), has created an executive level debate.  "What" information will we perform forensic analysis on, "why" and "when" will we do it?

The "Why" question is the most obvious.  Like the analysis of DNA, the zeros and ones (0's and 1's) that make up the digital fingerprints (user names, passwords), blood type (e-mail, SMS) and other behavioral evidence are important to associate the identity of the person(s) using a certain digital device. In addition, the ability to track the whereabouts of a particular digital device via GPS metadata or IP address can provide additional context and evidence to be considered in the forensic examination.

The "What" information is in many cases preceded by the "When" and has much to do with the policy in place within the corporate environment.  A modern "Acceptable Use Policy" may spell out that any device can be examined at any time if it is a corporate-issued and owned product.  Personal devices allowed in the workplace may be subject to a completely different set of policy doctrine that falls under state and federal statutes.

The "When" question could be answered on a continuous basis, or tied to a particular event such as an employee who has given notice to leave the organization.  The event could also be the result of an alarm or alert that the Information Security team receives from an automated system within the corporate network.  So, back to the challenges faced by the CISO vs. the GC on the Operational Risk Management process and addressing all of these issues: is it handled in a legally sound manner that also achieves a "Defensible Standard of Care?"

Now imagine all of this going on within the confines of a small-to-medium sized enterprise (SME) that is oblivious to it. These organizations are typically defined as under 1000 employees, yet can be defined further by the type of business and industry.  Now imagine that this particular SME is operating within the Defense Industrial Base and is in the professional services supply chain of the top three U.S. government contractors, who are bidding on the next generation bomber for the U.S. Air Force.  What do we mean by supply chain?  This particular SME is one of the outside counsel for Lockheed Martin, Boeing or Northrop. Yes, this law firm is in the information supply chain, working on legal matters associated with a top tier defense contractor.

If you are the GC and CISO at LM, Boeing or Northrop, what controls and policies do you have in place, or service level agreements (SLA), that spell out the process to forensically examine the mobile devices of the lawyers and associates of your outside counsel? When?  Why?  The public disclosure of law firms and their associates being the target of nation-state espionage is several years old.  When was the last time, as a GC or CISO, you had a closed door summit with the information supply chain of law firms working for your Defense Industrial Base (DIB) corporation in the U.S.?  If you are an SME law firm working in the supply chain of the DIB, what, why and when are you using Forensic Analysis with all of your Partners, Associates, Paralegals and other people in your legal ecosystem?

Operational Risk Management (ORM) spans every department and every employee.  It requires prudent application of forensic analysis as a vital component of a comprehensive counterintelligence program.  And remember the why.  Spear phishing of law firms has been a major warning since 2009, and over six years later it is still growing because it remains so effective.

05 January 2015

2015: Risk of Trust Decisions 25 Years Later...

Operational Risk Management (ORM) in 2015 will encompass a higher degree of focus on the corporate enterprise privacy debate.  The "Privacy vs. Security" battlefield has been gaining momentum, as a result of the rapid pace of data breaches and massive corporate data espionage.

General Counsel in collaboration with outside law firms are developing new legal strategies for data loss incidents. "Incident Attribution" and proving harm by nation states is going to be a new defense, as the sophistication of malware payloads approaches the intent of "Stuxnet."

"Trust Decisions" are being made at light speed by a system-of-systems to operate the global banking and e-commerce infrastructure.  Connected globally by billions of computing machines, each of these digitally enabled humans is making dozens if not hundreds of digital trust decisions on a daily basis. Those trust decisions incorporate a number of rulesets known and unknown to the decision maker. The potential legal consequences of the wrong privacy policy or a gap in compliance can cost your enterprise millions of dollars:
In 2007, a class action lawsuit was filed in the United States District Court of the Northern District of California against Facebook on behalf of 3.6 million users of Facebook concerning its “Beacon” program. KamberLaw represented the plaintiffs in this action and Cooley LLP represented Facebook. This suit was settled in 2009 and was granted final approval by the Hon. Richard Seeborg in March 2010. As part of the settlement, the parties created the Foundation (the Digital Trust Foundation) “the purpose of which shall be to fund projects and initiatives that promote the cause of online privacy, safety, and security.” The case settled for $9.5 million, with the Foundation receiving approximately $6.7 million after attorney’s fees, payments to plaintiffs, and administrative costs. There were four objectors to the settlement, two of whom appealed the approval to the Ninth Circuit Court of Appeals and subsequently the Supreme Court. But ultimately, in November 2013, the appeals were rejected and the Foundation was funded. The Foundation will distribute more than $6 million and will close its doors once all of the grants have been distributed and completed.
In this particular legal case of Facebook, the $6,000,000 in fees to further educate youth, understand socioeconomic status and privacy, assess digital abuse and enhance privacy technologies will not solve the problem at hand.  This brings us back to "Trust Decisions."

Jeffrey Ritter believes in "Building Digital Trust" and he captures the essence of where the future solutions to help solve the global privacy problem will be found:
I discovered that, to build digital trust, I had to first stop and learn how humans achieve trust itself. In doing so, I figured out that trust is not an emotion; trust is an outcome of a complicated calculus that each of us performs countless times each day as we interact with the world around us. Trust is a decision process. The process is based on catalogs of rules we assemble and the information we gather with which to evaluate whether our assembled rules are being satisfied by the person, the tool, the system, or the information we are deciding whether to trust.
A "Trust Decision" by a machine involves the interpretation of a ruleset (a database of rules) that is established for a set of semiconductors and microprocessors to execute.  In most cases the initial ruleset was written in code by a human. The software code written for the machine to execute will therefore have flaws.  It will be capable of failure, errors or omissions. These instructions query other rulesets (laws, policies, historical precedent) that assist the human in making trust decisions.  This is just one of the reasons for the existence of data breaches.
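As an added example (not from the original post and not Ritter's work), the following Python models a machine "Trust Decision" as the evaluation of a small rule catalog against a session context. The rule names, the sample inputs and the 8-hour MFA window are all constructed assumptions. It demonstrates the point above: the rules are code, code fails, and a rule that crashes on a missing input has to count as unsatisfied. The `fail_open` switch shows the flawed alternative, where a rule that never actually ran is silently ignored and trust is granted anyway.

```python
"""Trust decision as ruleset evaluation, with fail-closed error handling.

Added example, not code from the original post. A session is trusted only if
every rule in the catalog evaluates to True. A rule that raises (missing key,
malformed timestamp) is recorded as an error and treated as unsatisfied unless
the caller deliberately selects the flawed fail-open behaviour. All rule names
and input data are constructed for illustration.
"""
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

Rule = Tuple[str, Callable[[dict], bool]]

# Fixed "now" so the example is reproducible offline (constructed).
NOW = datetime(2015, 1, 5, 12, 0, tzinfo=timezone.utc)
MFA_MAX_AGE_SECONDS = 8 * 3600   # assumed policy: MFA must be fresher than 8 hours


def rule_catalog(now: datetime) -> List[Rule]:
    """The 'catalog of rules' a session must satisfy before it is trusted."""
    return [
        ("device_enrolled",
         lambda c: c["device"]["enrolled"] is True),
        ("cert_not_expired",
         lambda c: datetime.fromisoformat(c["device"]["cert_expires"]) > now),
        ("mfa_recent",
         lambda c: (now - datetime.fromisoformat(c["session"]["mfa_at"])).total_seconds()
                   < MFA_MAX_AGE_SECONDS),
        ("ip_not_blocklisted",
         lambda c: c["session"]["src_ip"] not in c["blocklist"]),
    ]


def decide_trust(context: dict, rules: List[Rule],
                 fail_open: bool = False) -> Tuple[bool, Dict[str, str]]:
    """Evaluate every rule and return (trusted, per-rule outcome).

    fail_open=False (correct): an errored rule is unsatisfied, trust is denied.
    fail_open=True  (the flaw): errored rules are ignored, so a missing input
    can grant trust on the strength of a check that never ran.
    """
    outcomes: Dict[str, str] = {}
    for name, check in rules:
        try:
            outcomes[name] = "pass" if check(context) else "fail"
        except (KeyError, TypeError, ValueError) as exc:
            outcomes[name] = f"error: {type(exc).__name__}"
    if fail_open:
        trusted = all(v != "fail" for v in outcomes.values())
    else:
        trusted = all(v == "pass" for v in outcomes.values())
    return trusted, outcomes


# Constructed sample contexts (RFC 5737 documentation addresses).
GOOD_CONTEXT = {
    "device": {"enrolled": True, "cert_expires": "2015-06-01T00:00:00+00:00"},
    "session": {"mfa_at": "2015-01-05T09:30:00+00:00", "src_ip": "203.0.113.7"},
    "blocklist": {"198.51.100.9"},
}
# Same session, but the MFA timestamp never reached the decision point.
BROKEN_CONTEXT = {
    "device": {"enrolled": True, "cert_expires": "2015-06-01T00:00:00+00:00"},
    "session": {"src_ip": "203.0.113.7"},
    "blocklist": {"198.51.100.9"},
}


if __name__ == "__main__":
    rules = rule_catalog(NOW)
    for label, ctx in (("good", GOOD_CONTEXT), ("broken", BROKEN_CONTEXT)):
        trusted, outcomes = decide_trust(ctx, rules)
        print(f"{label}: trusted={trusted} {outcomes}")
    print("broken, fail-open:", decide_trust(BROKEN_CONTEXT, rules, fail_open=True)[0])
```

The per-rule outcome map is returned alongside the verdict so that the reason for a denial can be logged and audited; a trust mechanism that only answers yes or no gives the humans relying on it nothing to check when it is wrong.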

2015 and beyond will be an opportunity to further define and debate our "Trust Decisions."  The years and decades ahead will be full of asymmetric warfare that is fought by criminal syndicates for hire and implemented by rogue nation states themselves.  All accomplished using this invention we call the "Internet," the same "Zeros and Ones" ecosystem we built to connect our billions of man-made machines.

A recent visit to the Computer History Museum in Mountain View, CA is a reminder about how far we have come and yet how much we are still in our infancy.  The Internet history timeline begins in 1962:
This Internet Timeline begins in 1962, before the word ‘Internet’ is invented. The world’s 10,000 computers are primitive, although they cost hundreds of thousands of dollars. They have only a few thousand words of magnetic core memory, and programming them is far from easy.

Domestically, data communication over the phone lines is an AT&T monopoly. The ‘Picturephone’ of 1939, shown again at the New York World’s Fair in 1964, is still AT&T’s answer to the future of worldwide communications.

But the four-year old Advanced Research Projects Agency (ARPA) of the U.S. Department of Defense, a future-oriented funder of ‘high-risk, high-gain’ research, lays the groundwork for what becomes the ARPANET and, much later, the Internet.
By 1992, when this timeline ends,
  • the Internet has one million hosts
  • the ARPANET has ceased to exist
  • computers are nine orders of magnitude faster
  • network bandwidth is twenty million times greater
We are now arriving at the 25th anniversary of Tim Berners-Lee's first proposal for the World Wide Web.  Little did Tim know that it would become the core focus for Operational Risk Management (ORM) in our digital enterprises in the year 2015.

21 December 2014

2014 Reflections: Operational Risk Management Forecast...

As 2014 comes to a close and we look into the future of 2015 it is time to reflect.  After 1000+ blog posts on the topic and discipline of Operational Risk Management (ORM) it seems like a blur.  To start off this final post for the year, we looked back on our last post in December 2013.  It is amazing to see how accurate many of our forecasts were for 2014.

Here are some of the Operational Risk Management blog posts that had the most page views this past year:

Cyber Domain: International Law of Asymmetric Warfare...

Memorial Day 2014: The Risk of Service is Understood...

Insider Threat: CSO Priorities...

1 WTC: Trust Decisions of Technology, Privacy and Rule of Law...

Veterans Day 2014: Leading the Enterprise to Victory...

Courage: Risk of Physical & Moral Fear...

Now for the ORM forecast.  2015 will provide new opportunity and a positive outlook not seen since 2007.  The global investors are still bullish on the possibilities for long-term growth.  The religious wars will continue to spark new regional conflicts, yet the super powers will continue to find common ground.  Resilience to systemic failures will define what countries emerge, as the next tier of global influence.

At the end of the day, we are all the same.  Love for our family and the constant anxiety of providing a safe, secure and nourishing environment for them to live out their days.  As we close our eyes each night to try to sleep, we plan our next day on managing the "Operational Risks" in our path ahead.

14 December 2014

Intellectual Property: Material Risks Disclosure- Assumption of Breach...

The rules of the game may have changed across the corporate landscape.  Corporations that have been proactive in the management of Operational Risks are making headlines in the published press. There is a race to build new 100,000 sq. ft. data centers around the globe, in order to satisfy the insatiable competitive appetite of bandwidth-hungry enterprises:
Sony Pictures Entertainment is fighting back
The studio behind the “Spider-Man” franchise and “The Social Network” has taken technological countermeasures to disrupt downloads of its most sensitive information, which was exposed when a hacking attack crippled its systems in late November.

The company is using hundreds of computers in Asia to execute what’s known as a denial of service attack on sites where its pilfered data is available, according to two people with direct knowledge of the matter. 
Sony is using Amazon Web Services, the Internet retailer’s cloud computing unit, which operates data centers in Tokyo and Singapore, to carry out the counterattack, one of the sources said. The tactic was once commonly employed by media companies to combat Internet movie and music piracy. 
In one of the most devastating cyber security breaches in recent memory, a hacking group calling itself Guardians of Peace claimed to have stolen just under 100 terabytes of Sony Pictures’ financial information, budgets, payroll data, internal emails and feature films and has slowly leaked portions of it to public file-sharing sites such as PasteBin.
The cyber war has been facilitated by the rise of substantial new digital weapons and the cloud-based compute power to make it all happen.  The question is not who is behind the latest DoS of "PasteBin" as much as when the next Stuxnet-like design will gain favor with a private sector organization.  You see, the use of sophisticated offensive cyber malware is not new.  No different from conventional chemical weapons developed by nation states, the variants and new "Zero Days" ultimately could end up in the hands of militias and for sale on clandestine dark sites on the net.

In the recent book "Countdown to Zero Day" by Kim Zetter, the point is made:
Before Stuxnet, most of America’s military and intelligence cyber-operations focused on stealing or distorting data, or used cyber-tools to help direct U.S. weapons. Stuxnet was envisioned by U.S. officials as a replacement for a conventional weapon. Using a computer virus or worm to gum up the works of something from within would provide an alternative to, say, destroying a nuclear facility from the air. Stuxnet appears to have done that. “Stuxnet stands alone as the only known cyberattack to have caused physical destruction to a system,” Zetter writes.
The physical digital copying, erasure or even encryption of corporate data, which then becomes the focus of an extortion plot, is the Operational Risk Management (ORM) business problem that remains on your Board Room doorstep. The Sony Board of Directors now understands the liability of dealing with a $100 million plus incident, as an adverse material event, spawned from the cyber domain.  The rules of the digital game have changed.  Now what can be done about this particular wake-up call?

Besides getting your outside counsel ramping up for a tremendous cache of billable hours and your Information Governance Teams burning the midnight oil, the future strategy is now evolving.  How many digital files in your corporation contain proprietary Intellectual Property (IP)?  If you don't know the answer, then we recommend that you start counting.  You need to figure out what the value of all this data is, and for good reason.  At the other end of the Operational Risk spectrum are the SEC regulatory issues in the U.S.  Jeffrey Carr explains here:
“Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.” 
The value of your particular organization's Intellectual Property can then be compared against the requirements for your IP on a global basis.  What countries or companies are spinning up Research & Development operations in the same IP space that your organization is operating in?  What U.S. companies are encouraged to relocate a manufacturing plant overseas?  Why is this significant? The correlation is that if there is a rising number of foreign R&D labs focused on your particular category of IP, then you can guess that your company is going to be a substantial target for sustained industrial espionage.  Regulatory burdens exist and yet may not be the greatest risk.
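The "start counting" step above is a data inventory problem: before the value of proprietary IP can be estimated or a material-risk disclosure written, someone has to find out how many files carry it and where they sit. The script below is an added example and not code from this blog; it walks a directory tree, classifies each plain-text file by the most sensitive marking it contains, and reports counts and byte totals per classification. The marker strings (TRADE SECRET, PATENT PENDING, CONFIDENTIAL, INTERNAL USE ONLY) are an assumed labelling convention, and the sample files it scans are constructed inside a temporary directory so it runs offline.

```python
"""First-pass inventory of files carrying proprietary-IP markings.

Added example (not the blog's code).  The marker strings are an assumed
labelling convention; a real inventory would use the organization's own
classification labels and extend the scan to binary formats (office
documents, PDFs) that this plain-text pass deliberately counts as unscanned.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Assumed classification markers, most sensitive first.  A file is counted
# once, under the most sensitive marker it contains.
MARKERS = [
    ("trade_secret", re.compile(r"\bTRADE\s+SECRET\b", re.IGNORECASE)),
    ("patent", re.compile(r"\bPATENT\s+(PENDING|APPLICATION)\b", re.IGNORECASE)),
    ("confidential", re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)),
    ("internal", re.compile(r"\bINTERNAL\s+USE\s+ONLY\b", re.IGNORECASE)),
]

# Only these suffixes are read as text; everything else is reported as unscanned.
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".py", ".c", ".h", ".java", ".go"}


def classify_text(text: str) -> Optional[str]:
    """Return the most sensitive marker label found in `text`, or None."""
    for label, pattern in MARKERS:
        if pattern.search(text):
            return label
    return None


def inventory(root: Path) -> dict:
    """Walk `root`, classify each text file, return counts and byte totals."""
    counts: Counter = Counter()
    bytes_by_label: Counter = Counter()
    unscanned = 0  # files skipped because they are not plain text
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TEXT_SUFFIXES:
                unscanned += 1
                continue
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                unscanned += 1
                continue
            label = classify_text(text)
            if label is None:
                counts["unmarked"] += 1
                continue
            counts[label] += 1
            bytes_by_label[label] += path.stat().st_size
    return {"counts": dict(counts), "bytes": dict(bytes_by_label), "unscanned": unscanned}


def build_sample_tree(root: Path) -> None:
    """Populate `root` with constructed sample files (not real data)."""
    (root / "rnd").mkdir()
    (root / "hr").mkdir()
    (root / "rnd" / "formula.txt").write_text(
        "TRADE SECRET - do not distribute\ncatalyst ratio 3:1\n")
    # Carries two markers; counted once under the more sensitive "patent".
    (root / "rnd" / "filing.md").write_text(
        "Patent pending: novel cooling manifold\nCONFIDENTIAL draft\n")
    (root / "hr" / "handbook.txt").write_text("Internal Use Only\nLeave policy\n")
    (root / "hr" / "lunch.txt").write_text("Pizza on Friday\n")
    (root / "rnd" / "design.bin").write_bytes(b"\x00\x01\x02")  # not plain text


def run_demo() -> dict:
    """Build the sample tree in a temp dir, inventory it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return inventory(root)


if __name__ == "__main__":
    report = run_demo()
    for label, n in sorted(report["counts"].items()):
        print(f"{label:14s} {n:3d} files  {report['bytes'].get(label, 0):6d} bytes")
    print(f"unscanned (non-text) files: {report['unscanned']}")
```

The unscanned count is reported on purpose: a number of files that were never opened is itself a finding, since binary formats are where much design and financial IP actually lives, and an inventory that silently skips them understates the exposure it is meant to size.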

When there is not enough time or money to infiltrate your organization with insider human assets, then the outsourcing of digital theft campaigns will begin, or a combination of insider theft operations in cooperation with outsourcing.  The hackers-for-hire trade is larger than you may know.  How much do you think a nation state would pay for a "Stuxnet" Zero Day on the open market in today's U.S. dollars?  Mid to high six figures?  Not likely.  Seven or eight figures is getting closer.

While the malware designed for the exfiltration of data from Sony Pictures is different from Stuxnet's design to disrupt a specific type of Siemens controller for a certain IR-1 centrifuge, the intent and motive may be quite similar: to disrupt and destroy the capabilities of your adversary.  Now the question for Sony is whether the sabotage attack can be attributed to a nation state, simply a "disgruntled insider," or possibly both.

The complexity and the longevity of the risk is evident.  The magnitude and the impact of the destruction is apparent.  Are you sure you don't have an Insider Threat?  See appendix C here:
This fourth edition of the Common Sense Guide to Mitigating Insider Threats provides the most current recommendations of the CERT® Program (part of Carnegie Mellon University's Software Engineering Institute), based on an expanded database of more than 700 insider threat cases and continued research and analysis. It introduces the topic of insider threats, explains its intended audience and how this guide differs from previous editions, defines insider threats, and outlines current patterns and trends. The guide then describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so. Each practice includes features new to this edition: challenges to implementation, quick wins and high-impact solutions for small and large organizations, and relevant security standards. This edition also focuses on six groups within an organization (human resources, legal, physical security, data owners, information technology, and software engineering) and maps the relevant groups to each practice. The appendices provide a revised list of information security best practices, a new mapping of the guide's practices to established security standards, a new breakdown of the practices by organizational group, and new checklists of activities for each practice.

07 December 2014

Startup Risk: Design of ORM Architecture...

How wonderful it would be to be able to redesign our current work culture and the systems that support it.  Only those new startup companies with the two co-founders sitting around the kitchen table have that real luxury.  When should the Operational Risk Management (ORM) framework for this new business entity be developed and staged for implementation?

All too often when a startup company forms its basis for existence, the focus is 100% on the product solutions and the "Go-to-Market" plan.  It isn't until the firm is leasing its first office space that all of a sudden it becomes a reality.  The Operational Risk Management (ORM) components of the company design have been given back-burner status.  The viability and the longevity of the business model could be in jeopardy.

Six months later, you might have two dozen employees moving into the new open plan office suite. Do the co-founders and senior management realize the business problem before them?  The culture of the organization is already well underway, along with its norms and the rules that will govern it. The employees and contingent contractors are operating almost 24 x 7 at this stage to launch new products and establish market presence campaigns.  How could there be any real serious operational risks to consider at this point?

The implementation of the rule base and the company policies is now a necessary stage of the startup. This is also when the co-founders realize that maybe it is time to start handing over the day-to-day management of the company.  It could even be the time to add the professional CEO and other key executives including the Chief Technology Officer, Chief Financial Officer, General Counsel, Chief Information Officer, Chief Human Capital Officer and the Chief Risk Officer.

The organizational enterprise architecture is now operating in full swing.  These stewards of the new company have a vital and delicate opportunity now.  Will the company build a system-of-systems that is trustworthy?

Will the people interacting within the rule-based environment of the NewCo begin to feel burdened, restricted and even under the magnifying glass?  Or will the new enterprise architecture be so adaptive, so resilient and so capable of predictive behaviors that employees feel free?  They feel innovative and capable of operating just as in the early days of the birth of the company.

The Mission

The mission as a co-founder of a new startup is to ensure the survival of the organization.  We all know the failure rate for new companies.  Just ask Dun & Bradstreet for the statistics or even your local Venture Capitalist who is celebrating failures these days.  So beyond just the survival of the NewCo, is the imperative to establish a cultural and operating environment where people feel encouraged, creative and unencumbered to fulfill their job requirements and goals.

The Take Away

Operational Risks are inherent in any new business endeavor.  The earlier the ORM design begins in the company evolution, the more resilient you will ultimately become.  The framework of the system-of-systems, the look and feel of the cultural environment and the end state visions are all at stake.  Take the time and include the expertise to work on the systems foundation of your new enterprise.

Ensure the survivability of the new products and solutions that are so valuable to our economy and our nation.  Embrace Operational Risk Management early in your startup and allow its presence while it preserves all that you have worked for and dreamed of...

01 December 2014

Courage: Risk of Physical & Moral Fear...

The effective implementation of Operational Risk Management (ORM) requires two types of courage: physical and moral.  What are some examples?  "Physical Courage" is the act by an individual of running into the burning building to save those caught on the upper floors.  "Moral Courage" is the decision to finally expose the multi-year fraud scheme executed by the company controller, who happens to be your boss and a former college classmate.

The courage component is different, yet the same.  The existence of fear in a "physical sense" may be harder to overcome since it will expose you to bodily harm and potential death.  The fear associated with a "moral sense" will impact your reputation or standing in the community that you live in, or the profession you operate within.  For some, this fear could be greater than even the fear of risking one's own life.

Is it possible to learn and improve your skills for both physical and moral courage?  The answer is yes, and it has been a factor of education and training for hundreds of years.  The goal is to ensure that your organization, enterprise, team or community is learning both and creating effective habits.  The bottom line here is continuous and repetitive exercises to deal with the fear of bodily harm or of blowing the whistle on your best friend.
"What are you doing to overcome your fear to save a life?  What are you doing to overcome your fear of reputation loss?  The ratio of learning both and exercising them in the field or when needed inside the institution, enterprise or government is what is at stake."
Once the education and training programs are in place to learn new skills, the fear of action will diminish when the time comes.  Who do you have coming to work each day who has the balanced ability to carry an adult out of the burning building or simultaneously detect a multi-layered accounts payable scheme?

Unfortunately, these are only two examples of a wide spectrum of courage that is required each day. In New York City or the Sahel, from the Board Room to the Break Room, from the Class Room to the Conference Room, both physical and moral courage will be required.  In seconds.  The courageous decision you make may cause bodily harm or the end of a career.  What are you going to do to learn and train to deal with the fear that you will encounter?  What kind of courage will you be called upon to utilize in order to act, to behave correctly and expeditiously?

Operational Risk Management (ORM) is a vital factor in your city, your business and your virtual community.  It spans the spectrum of courage from physical to moral.  The question remains: will you act when the time and moment arises?

23 November 2014

Trust Decisions: The Future State of Risk Management...

Trust Decisions are being made at the speed of light.  The rules of the game are embedded in lines of code written to instruct computers and simultaneously in the rule of law that is printed in Constitutions around the globe.  As the speed of Internet commerce accelerates, the Operational Risk Management (ORM) frameworks will evolve and adapt.  The privacy vs. security evolution is now in full debate as our Critical Infrastructures feel the stress of points of failure.

The future architecture of what is at stake continues to be challenged in so many ways.  Jeffrey Ritter sums this up perfectly:
"Yet, in either direction, freedom vs. surveillance, what are being proposed are nation-state rules. At this point in the Net’s evolution, any national solutions seem almost contradictory to the ambitions of any government to actually be effective in achieving their ambitions. The inherent functionality of the Net is to “route around failure”. Nation-state rules that impose restrictions on the market’s appetite to create economic pricing tiers merely drive commercial activity into other geographic regions. Laws requiring backdoors have the same effect, provoking and encouraging bad actors to find mechanisms that avoid such technology features to be baked into the relevant devices. In a global market where, as one economist observed, there will soon be no further emerging economies, what is the proper role of the nation-states toward the Net? When do new regulations, well-intentioned to provide positive qualities of life, actually become walls that divert the movement of information, funds, and economic activity to other geographic regions?"
As the governance of the Internet continues to be debated, consider the velocity of what is occurring even as broadband and wireless are still so scarce in many locations around the world:
Alibaba Group Holding Limited is a Chinese e-commerce company that provides consumer-to-consumer, business-to-consumer and business-to-business sales services via web portals. It also provides electronic payment services, a shopping search engine and data-centric cloud computing services. 
Alibaba's consumer-to-consumer portal Taobao, similar to eBay.com, features nearly a billion products and is one of the 20 most-visited websites globally. The Group's websites accounted for over 60% of the parcels delivered in China by March 2013, and 80% of the nation's online sales by September 2014. Alipay, an online payment escrow service, accounts for roughly half of all online payment transactions within China.
The "Trust Decisions" being made every day by citizens of the planet Earth using the Internet continue to grow exponentially.  The systems-of-systems are executing the rules given to them and the human element is beginning to diminish.  Why?

Most people believe in some form of risk management, and the truth is that it doesn't work all the time.  It doesn't work because the human being is incapable of processing all of the possible rules of the moment, the game, in any specific scenario, fast enough.  Therefore, failures of people, processes, systems and external events seem to occur randomly.

Is it possible to achieve a state of zero surprise, where all risks are mitigated and humans can achieve an environment of trust that is sustainable?  We think it is.  In the right environment and in a specific scenario, surprise is now "impossible".

"Trust Decisions" occur today at the speed of light and with an accuracy of 99.999%.  Risk Management is our current state and it is destined for extinction.  Trust Decisions, as we will now apply them, become our future state.  With zero surprise.  The truth is that risk management is obsolete and a new digital invention is ready for mankind.