31 January 2016

Risk Culture: The Root Cause of Business Assurance...

There is a scarcity of enlightened organizations who truly understand the root cause of risk in their enterprise. The business assurance they seek and the Operational Risk Management (ORM) outcomes they receive, are in direct proportion to the "Risk Culture Maturity" within the company.  This risk culture maturity, is at the root cause of why certain kinds of risks exist and what ability the organization has to accept, mitigate or transfer that risk.

A risk culture begins and ends with a human ability to communicate effectively with other humans. The human behaviors associated with communicating risk has all to do with the ability of one person to know the truth and to effectively tell the other accurately and effectively what the risk is and how it could impact the business. The trouble is, most organizations fail to spend enough time doing exactly that and doing it with out fear.
"What kind of fear? The fear that by telling your supervisor you might offend them. The fear that by questioning the co-worker about their decision, that you will alienate them. The fear that by uncovering a fellow workers risky behaviors to the rest of the team, that you will jeopardize the overall mission."
The ability or lack of ability by a human to communicate risk factors to each other with the truth and without the fear of judgement or retribution is why you either live or die. This is the reason why your organization continues to flourish or rots from the inside out. You see, the risk management environment in your team, unit, office location or FOB has all to do with communicating the truth in an effective way.

The risk culture problem, is one that continues to rear its ugly head time and time again and exemplifies itself in the published press, or the digital eDiscovery process of modern day litigation. Look back on most any loss event like this and you will see that it could have been addressed or contained, if only humans would have communicated effectively about risk(s) to them personally or to the unit. Whether it be a family, a branch office, partner or entire agency of government.
Companies need to put in place oversight of strategic partners, vendors and service providers to ensure that those support organizations are meeting their own risk standards. A company should share its risk management guiding principles with third-party suppliers or partners to influence their decision-making process. Risks and controls should be a consideration when choosing new partners, and they should be re-evaluated on a regular basis to help avoid the potential of vicarious liability by the poor decisions of an alliance partner.
The organizations that survive and are able to out perform their competition are those that understand this reality. Leadership who magnifies the requirement for people to strip away the fear of judgement, retribution, or long term bias and to communicate the reality of what they truly sense as humans will be superior. The risk culture that is understood, truly, and simultaneously monitors peoples ability to learn from their mistakes will continue to outperform and survive in whatever environment it lives in.

Leadership is charged with the state of their organizational culture. The fundamental risk to any organization, is that leadership does not recognize this and pays little or no attention to maturity of their culture to deal with risk and human factors ecosystem. This begins with the person across the table, by your side in bed or next to you in control of a vehicle, on land in the air or in the ocean.

It doesn't matter who the leader is. The Founder, CEO or Chief Risk Officer. The Branch Manager, Area Supervisor or Vice-President. The Element Leader, Master Chief or C.O.. Mother or Father. Managing the culture of communicating the truth, reality and without judgement begins the process of a risk management entity that will not only survive; it will outperform the perceived opposition.

Enlightened individuals who are multi-dimensional and are comprised of a brain trust of diverse people who have different life experiences. These courageous people must then be engaged in the correct setting and risk culture, with the right combination of business objectives, resources and highly detailed mission outcomes. Only then will the environment they operate in determine who survives the continuous performance evolution.

The root cause of Business Assurance and Resilience is the Risk Culture.

24 January 2016

Adverse Consequences: Enabling Digital Trust of Global Enterprises...

In the World Economic Forum 2016 - Global Risks Report, there are several insights and alarms that Operational Risk Management (ORM) professionals and the Board of Directors are quickly analyzing.  This years Davos, Switzerland Annual Meeting and report has the underlying theme of the "Fourth Industrial Revolution".

Our first insight, is the rise in "Cyber Dependency" that is called out in the "Risk-Trends" Interconnections Map.  It is tied directly to the following technological "Global Risks" ranked by highest impact:
  1. Cyberattacks
  2. Critical Information Infrastructure Breakdown
  3. Adverse Consequences of Technological Advances
  4. Data Fraud or Theft
#1 makes sense in the Upper Right Quadrant of High Impact and High Likelihood.  The alarms however are going off, with #2 and #3 for several reasons.  First, they are in the Upper Left Quadrant of "High Impact" and "Low Likelihood".  Why does this create concern?

The Upper Left Quadrant has risks that some of the most experienced OPS Risk professionals will pay attention to the most.  This is the place that organizations usually ignore with people and resources and where enterprises are caught off guard or blindsided by asymmetric threats.  These are the risks that no one has really exercised for and is not actively developing proactive hypotheses, to address in a real-time crisis.

There are two other risks shared in this same Upper Left Quadrant in 2016:
  • Weapons of Mass Destruction
  • Spread of Infectious Diseases
These are risks that nation states spend hundreds of millions of dollars each year collecting intelligence on and devoting substantial resources to try and keep the likelihood of these occurring, as low as humanly possible.  The impact on humanity is far to great not to devote attention to these, yet the private sector is rarely involved.

Now, let's consider the other two in the same quadrant, slightly less in impact and just a little higher in likelihood.  What does each really mean as a global risk?

"Critical Information Infrastructure Breakdown": "Cyber dependency increases vulnerability to outage of critical information infrastructure (e.g. internet, satellites, etc.) and networks causing widespread disruption.

"Adverse Consequences of Technological Advances"
:   Intended or unintended adverse consequences of technological advances such as artificial intelligence, geo-engineering and synthetic biology causing human, environmental and economic damage. 
  • global risk is an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years.
  • global trend is a long-term pattern that is currently taking place and that could contribute to amplifying global risks and/or altering the relationship between them.
Although organizations may recognize the benefit of cyber technologies for their bottom lines, they may not be fully internalizing cyber security risks and making the appropriate level of investment to enhance operational risk management and strengthen organizational resilience. Particular attention is needed in two areas that are so far under-protected: mobile internet and machine-to-machine connections. It is vital to integrate physical and cyber management, strengthen resilience leadership and organizational and business processes, and leverage supporting technologies. (Page 23 of WEF_GRR16)
The combination of the two aforementioned technological global risks, are almost invisible to the major stakeholders of our vital organizations and governments.  This is because the focus on "Cyberattacks" and "Data Fraud or Theft" has dominated the news cycles.  It makes sense.  However, we must consider this:
As is often the case, however, public-private partnership can be held back by lack of trust and misaligned incentives. Businesses may fear exposing their data and practices to competitors or to law enforcement agencies. And the private sector’s primary interest in rapid recovery and continuity of business operations may not align with the public sector’s primary interest in apprehending and prosecuting perpetrators. In addition, governments need to balance their investments in cyber offensive weapons and efforts to enhance capabilities for cybersecurity and defence. (Page 83 of WEF GRR16)
 Cyber Dependency.  A long-term pattern that is currently taking place that could contribute to amplifying global risks and/or altering the relationship between them.  The underlying root cause of the disruption and the perceived risks are focused on the integrity of "Digital Trust"and the continuity of "Trust Decisions":

  • Machine-to-Machine
  • Person-to-Person
  • Business-to-Business
  • Government-to-Government
  • Country-to-Country

Business Executives and Leaders of Nation States, have one thing in common.  Their employees and their citizens are evermore connected by mobile digital devices.  Their economic engines of banking, finance and trading are dependent upon the confidentiality, integrity and assurance of data.  The abilities and the opportunities by the mass of humanity to continuously leverage their personal digital devices, is simultaneously a global risk.  So what?

You see, the 2016 Global Risks Report is flawed.  It relies on an outdated and soon to be irrelevant set of four Quadrants.  The axis of Impact and Likelihood, are no longer capable of addressing risk management and the human perceptions of both.  On the planet Earth, in the Internet ecosystem of 500 Billion computing machines, lies the answer to our future quest:

Enabling Digital Trust of Global Enterprises...

17 January 2016

Duty of Care: Board of Directors OPS Risk...

The Board Rooms across America are in full tilt mode working hard on risk oversight. The Chairman of the Board (COB), is wrestling with divergent personalities and competing agendas as the organization races towards its next phase of growth.

Operational Risks are being presented from all facets of the business and the Board of Directors has a fiduciary responsibility to address them, without creating new risk in the process. Leadership is in short supply and collaboration among the entire board is dwindling. In terms of Operational Risk Management (ORM), what risk is the most dangerous to the enterprise at this point in time?

The risk that the Chairman of Board has lost their ability to forge trust and a favorable relationship with the Directors themselves becomes a significant threat. The trust and the relationship that a Chairman has with the Board of Directors is paramount. When this is no longer present, and the "Independent Directors" realize they can no longer trust the performance of the Chairman, significant risk factors begin to quickly evolve that puts the entire organization into a vulnerable state.

Once the Independent Directors see and hear or feel that the Chairman has lost credibility and respect from the Board, then it is time to act. The jeopardy of the organization is at stake and each day or week that goes by without action to change leadership, will increase the long term risk to the brand, confidence in the entire leadership and finally the people charged with making the organization compliant with all legal and ethical policies. A failure in people is an Operational Risk that far too often becomes overlooked or just plain ignored, due to the power base that may exist by the Chairman's role.

The Board of Directors are charged with the duties that involve the governance, regulatory, compliance, legal and ethical components of the organization. When any one of these starts to fail, then the faith in the entire leadership of the organization becomes a question mark. How many times do we hear the story that brought down the leaders with the words "Failure to Act"? Today and in the future, “serving on a Board of Directors means living in a fishbowl” according to Chief Justice Myron Steele of the Supreme Court of Delaware:
Once a difficult situation arises with the potential for litigation and its accompanying damage to the company’s reputation, the media will descend on the company, and directors must show 1) that they had a plan in place to deal with such situations in accordance with their oversight or compliance duties, 2) that the plan was reasonable and adequate, and 3) that the plan was followed. It is worth noting here some of the recent trends in corporation litigation. Two major categories of corporate litigation that a director might face include the traditional class actions based on breach of fiduciary duty, and derivative actions which are filed on behalf of the corporation due to wrong doing on the part of the board, either for its actions that resulted in a loss or its failure to act which also resulted in a loss through missed opportunity.
One of the major trends going on these days is to keep the Chairman separate from the CEO or President of the organization. The benefits are great especially if you have a CEO who will allow their ego to accept the other person as an ally and not competition:
In the public company arena, more and more companies are separating the Chairman of the Board position from the CEO. It turns out that this trend has benefits for earlier stage companies too. We believe that all CEOs – regardless of their experience – benefit from having a lead director on the board. In general, it has been our experience that boards (and the board meetings) work better when there is a Chairman in charge other then the CEO.
This strategy in overall Board Governance is a sound one. As a result of the "The Duty of Care" by the Board of Directors, at some stage it may require that the Chairman recommend to the Board that a CEO resign or be fired from running the day to day operations of the organization.

The Board of Directors and their behavior within the Board Room and in the functions outside in public are at stake. The governance of the Board of Directors begins with the Chairman but ends with each individual on the Board itself. If the Independent Board Director remains silent on any legal duty of the Board, they are putting all in jeopardy of a failure of the Duty of Care:
In tort law, a duty of care is a legal obligation imposed on an individual requiring that they adhere to a standard of reasonable care while performing any acts that could foreseeably harm others. It is the first element that must be established to proceed with an action in negligence. The claimant must be able to show a duty of care imposed by law which the defendant has breached. In turn, breaching a duty may subject an individual to liability. The duty of care may be imposed by operation of law between individuals with no current direct relationship (familial or contractual or otherwise), but eventually become related in some manner, as defined by common law (meaning case law).
It is the Chairman of Board who has the responsibility to keep the Independent Directors informed and aware of any persons behavior or actions that could put the entire board at risk. And even more importantly, it is the duty of each Independent Director to insure that they are constantly monitoring for any possible failure of the Duty of Care to their organization and their fellow Board Directors.

10 January 2016

Privacy Engineering: Mobile Standards for Digital Trust...

The landscape for software engineering standards within corporate organizations, is now on the radar of Operational Risk Management (ORM) experts.  What are the privacy and security related engineering design standards, that are being utilized at JP Morgan Chase, Citibank or Paypal for mobile App development?

Effective and standardized "Privacy Engineering" of mobile applications at organizations in Critical Infrastructure sectors such as Finance and Banking is just one example.  It is soon to be a greater focus of the Federal Trade Commission (FTC) and other U.S. regulators.  Why?

"Trust Decisions" are being made by consumers each day, as millions of of mobile banking customers download an application to their Android or iOS smart phones.  The consumer then has immediate exposure to the quality of the software engineering, by the UX/design and developer of the software App.  The standards being utilized by each organization for designing and engineering those Apps with privacy and security, may vary by who developed the application and for what particular operating system.

So what?  U.S. financial institutions software engineering departments and other highly regulated industries will be a continued and concentrated focus by the Federal Trade Commission (FTC).  Standards for privacy software engineering and disclosure of the rules will become even more of a critical factor.  Why?
As a result, to act within the time constraints of deadlines, the presence of fiercer competition, and the looming threat of higher lost-opportunity costs, you have no choice—you must presume the trustworthiness of the information you acquire to make decisions. Deciding now requires you to acquire the information you need from the most accessible source, with zero time to ask the important questions: “Where did this information come from? Who put this report together? Has the data been confirmed to be accurate? Who actually authored the analysis? Does this bank statement reflect all of our deposits?”

Answering these types of questions is inherent to how we make good decisions. You seek information that serves as fuel for your decision. You work hard to validate that the information can be trusted. You calculate toward your decision, constantly evaluating whether the information holds up its reliability. But in today’s 24/7/365, wired decision-making landscape, there is no time to ask those questions. Those controlling the information you need understand that pressure and require you to presume their digital information is trustworthy and reliable for making your decisions. Thus, to gain control of digital information is to succeed in imposing an enormous handicap—removing your ability to challenge its trustworthiness by asking the right questions.  Source:  Achieving Digital Trust by Jeffrey Ritter.
Is it possible to redesign mobile banking Apps, so that all Android or iOS software engineers must adhere to privacy and security engineering standards of practice?  The human-based "Trust Decisions" about whether to trust an application with personal identifiable information (PII) is currently buried in legal disclosures.  The privacy disclosures are written by lawyers, all different and in most cases never read, by the consumer prior to downloading the App.  Opt-in or Opt-out?

The future of mobile App Privacy and Security Trust engineering for consumers will be in the hands of government regulators soon and in concert with other laws associated with information security, such as the GLBA Safeguards Rule.  "Cyber Trust" indicators or other vital warning systems may be in the works.  Buyer Beware is the theme.

For years consumers have been looking at FDA Nutrition Labels and other Federal oriented tools, to provide more visible and rapidly effective disclosure.  Since the human being is making "Trust Decisions" on whether to download a software application to their computing device, they also may desire a method to quickly ascertain if the App is "Trustworthy."

Can they trust the application according to their particular appetite for risk?  What information will be shared with 3rd parties?  How will your information be used and collected while you are using or not using the application?  Here is one example of how a future warning "Privacy Label" may look before a consumer is permitted to download an application to their computing device.

What does the consumer experience today?  As one example, currently when you visit the App Store on an iOS mobile device such as the iPad, and then search for "Chase", the top choice is an App named Chase Mobile.  When you click on the "Get" button, it changes to "Install".  When you click on "Install" it prompts you to Sign In to iTunes Store.  Once you sign-in, the Chase Mobile App downloads to your device, the button then changes to "Open."

When you open the Chase Mobile App, it opens the first screen to "Log On".  There is a small "Privacy" button in the top left corner of the screen, however there is not an easy to understand Privacy Label that is visible before you actually "Log On" to Chase.  In the case of selecting the Privacy button in the upper left corner, it then reveals dozens of pages of legal documents explaining online privacy policy and U.S. consumer privacy notices.  There is however one easier to view grid, under the privacy notice that is helpful in understanding whether Chase shares personal information and whether as a consumer, you can limit this sharing.

The Critical Infrastructure sectors of the U.S. economy, that has a daily interface with consumers through mobile software Apps are now on notice.  Chief Legal Counsels, Chief Information Officers, Chief Privacy Officers and Software Engineering personnel, must address the reality of human behavior and how "Trust Decisions" impact legal risk and the ultimate perception of the corporate brand.

03 January 2016

2016: A New Era of Operational Risk...

As we launch into 2016, Operational Risk Management (ORM) professionals are ready for another challenging year.  The current state of global events that includes uncertain political or economic behavior by nation states and the continuous barrage of certainty with "Internet Asymmetric Warfare," is the new normal.

Reflecting back on 2015, here are the top 5 blog posts by number of page views:

Insider Threat: Trusted Systems of the Future...

Trust Decisions: Beyond RSA and Our Digital Future...

Data Rupture: The Risk of Over-Classification...

Trust Decisions: The Extinction of Risk Management...

InTP: Quality of Design in a New Age of Terror...

There is now anticipation that the world economies are going to continue a meager growth rate, as we enter our 8th year since "The Big Short" in 2008:
When the crash of the U. S. stock market became public knowledge in the fall of 2008, it was already old news. The real crash, the silent crash, had taken place over the previous year, in bizarre feeder markets where the sun doesn’t shine, and the SEC doesn’t dare, or bother, to tread: the bond and real estate derivative markets where geeks invent impenetrable securities to profit from the misery of lower- and middle-class Americans who can’t pay their debts. The smart people who understood what was or might be happening were paralyzed by hope and fear; in any case, they weren’t talking.
From the analysts desktops at "Liberty Crossing" to the Cyber Security Operations Centers (SOC) of dozens of Global 500 private sectors companies, one thing remains certain.  The adversaries are too nimble, unpredictable and ever more so capable of operating on the front lines for months and years in plain sight or even for weeks and months totally undetected.

However, relying on certainty alone and not being simultaneously adaptive or innovative in an accelerating pace of business or Decision Advantage, can get your Board of Directors in real trouble.

In 2016, the dawn of a new Operational Risk Management era shall begin.  In a future state, where people and machines will operate making "Trust Decisions" with greater ease and increasing velocity.  Stay tuned...

27 December 2015

Executive Security: Personal Protection Specialist...

Operational Risk Management (ORM) extends beyond the perimeter with some of your most valuable assets.  The Fortune 500 Chief Executive Officer and their staff team of subject matter experts are continually at risk.  Even if you are the co-founder of a new start-up with that new "Killer App" ready for testing with SOCOM, you may now require several full-time security risk professionals at your side.

In the corporate Protective Security environment, the "Advance Work" being executed by your ORM team will ensure your success or contribute to the embarrassment or injury of your client/principal. Professionals in Protective Security Detail's (PSD) realize that your site or lead advance agent can make or break the entire operational risk strategy, for your proactive and preventive security measures.

Thinking like the DEVGRU attacker and possessing a "Red Cell" mentality, is a valid approach for several aspects of the advance work necessary to ensure an effective "protective envelope". What ends up being the greatest threat to your operation, may be technology itself. Too much reliance on pervasive high tech tools such as "Google Maps" or even the standard-issue Garmin GPS, will create a vulnerability just at the point in time when your principal says, "Let's change the itinerary or the location of the next meeting".  A "15 Minute Map" comprised from a good old fashioned road atlas, can be the low tech tool that saves lives and potential chaos.

21st Century Executive Security and modern day Personal Protection Specialist's (PPS), who understand the value of the "Advance" and apply it effectively, will continue to keep their principal's safe and secure and with a high degree of professional client service. Corporations operating in countries where executives are required to visit critical infrastructure plants, manufacturing facilities or meet with government officials, have been incorporating more protective intelligence and advance work for good reason. The global business environment is increasingly more volatile and subject to rapidly changing political risks and subjective "Rule of Law" in many emerging democracies.

Whether it is weapons in close range or a distance, explosive IED's or kidnapping plots, today's global and mobile executive is ever more at risk.  Effective "Advance Work" is the most important and critical aspect of the security operation.  Site and route surveys, "eyes on" residences, airports and hotels, hospitals, police stations, restaurants and convention centers, are a mandatory component of the advance operations.

Surveillance Detection (SD) remains a vital facet of the advance work, including the ongoing SD as the Protective Security Detail agents run the operation. The Principal is potentially aware of such activity, yet is shielded from any lethal imminent threats as the days agenda unfolds.

What may be more obvious is the PSD's use of "Coopers Colors:":

"By using a well-practiced, concrete, formulaic train of thought, it prevents the hesitation normally experienced when one is under threat of attack or actual attack, and this is the purpose of the code, to prevent unnecessary hesitation, and to apply only that force which is necessary to defend yourself." "The way Jeff Cooper explains it is:"
  • White - relaxed and fairly oblivious of your surroundings, you should only be in this condition if you are at home or another secure setting behind locked doors.
  • Yellow - the state of not only constant awareness, but the constant recognition of possible threats. In this state, you are observant of your surroundings, allowing you to recognize threats if they present themselves.
  • Orange - in this state, you have recognized a potential threat, and are ready to defend yourself against this threat if necessary.
  • Red - you are actively defending yourself or others against a threat that has presented itself to you.
It's not just about general awareness, it's about positively identifying potential and actual threats, as you go about your daily life. It is this threat identification and acquisition process that is so valuable, that reduces your response time to those threats, if they present themselves.

Executive Security and the Personal Protection Specialist (PPS) becomes an even more vital asset in the OPS Risk portfolio, where the Board of Director's has authorized significant premiums for an executive's kidnap and ransom (K&R) insurance. Why?

Like many aspects of our society today regarding information privacy, one only wonders how information gets leaked from the confines of the corporate enterprise. Operational Risks involving people in your organization exist everyday.  Insuring against losses and protecting against personnel loss events is imperative. Utilizing the correct strategy, tools and professional human assets to comprise the entire security envelope including the effective use of Protective Security Details, can make all the difference in your organizations resilience factor.

19 December 2015

Cyber Domain: International Law of Asymmetric Warfare...

The international laws and human understanding of what crosses a "Red Line" are being defined in cyberspace in real-time.  The operations of the Chief Security Officer (CSO) and Chief Information Security Officer (CISO) are now becoming more adaptive.  The Operational Risk Management (ORM) enterprise architecture, will soon call for three standard mission functions:
  • Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.
  • Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect, and respond to network attacks, intrusions, disruptions, or other unauthorized actions that would compromise or cripple defense information systems and networks.
  • Computer Network Exploitation (CNE): Includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.
 Computer Network Defense (CND) has been the norm for many organizations and now, that is no longer enough.  Yet before we can determine why we must  add CNA and CNE, we better understand the breadth and depth of the cyber realm.  The "Over-the-Horizon" view, of the reality of that domain, is rapidly developing into a proactive risk management imperative, for Global 500 organizations.  Why?

The non-state actors are organizing and evolving into what could be coined for the laymen, as a modern day "Cyber al-Qaida."  A "Cyber  Taliban."  Or even a "Cyber 1st Amendment or 4th Amendment cadre of affiliated entities.  These digital non-state actors following a set of ideologies, as opposed to a set of true investigative journalists or independent non-partisan watch dogs, are metastasizing at an exponential rate.

This ideology fueled by cyber activism and directed at a particular organization or country, is on a digital battlefield that spans the globe.  It has long been said that the Internet is nothing more than a mirror, of the good and evil in our physical world.  The existence of cyber warriors who are interested in going beyond the goal of financial crimes to kinetic destruction of critical infrastructure, is a well known fact.

Who are these cyber warriors that identify with a movement or cause, that attack the well being of other humans or destroys the property or economic assets of another organization.  They are the same ideologues that have existed long before the Internet.  The difference is that the reach, speed and ubiquitous nature of the digital medium accelerates the threat and the requirement for an effective counter balance.  Putting actual skill sets aside for a moment, the real differentiator has been on a "White Hat" or ethical warrior focus:
Regarding whether there were different rules of armed conflict for cyberwarfare in dealing with states like Iran, versus terror entities like Hamas or al­-Qaida, he first noted that while there is “no consensus,” the “US, Israel, England and others” argue that “self ­defense” principles justify attacks against terror groups, even if they are not states.  --IDF Col. Sharon Afek-- Article by Yonah Jeremy Bob
The CNA, CND and CNE operations in the digital Global 500, will now employ those individuals who have an ideology that is more directly opposed to the worldview of a "Cyber al-Qaida."  In the long war, the cyber "White Hats" will endure.  The asymmetric warfare of the next decade, will encompass operational risk professionals behind the network, who have a different context.  Why? Because they believe in a ideology far more patriotic than their predecessors.  They are the "Quiet Professionals" who have retired from SOCOM active duty and now span the ranks of the corporate private sector.

The international laws of the cyber domain are in play for our prosperity or our peril.

13 December 2015

Beware of the Cowboy: Risk Driven by Fear...

Beware of the cowboy.  Operational Risk Management (ORM) spans the hazards on the flight deck on the USS Ronald Reagan (CVN 76) or behind enemy lines or even to employee behavior on the front lines of the private sector on Wall Street:
"The recent conviction of Michael Coscia in the Federal District Court in Chicago in the first prosecution for “spoofing” provides more clarity to high-frequency trading firms about how they can operate. The message is to tread carefully when a strategy depends on using orders that will be quickly canceled because the government may claim they are an effort to manipulate the market by fooling others into trading.

Spoofing was made illegal in the Dodd-Frank Act, which prohibits “bidding or offering with the intent to cancel the bid or offer before execution.”
Believe it when we say that people who try to be cowboys in your organization are operating without regard to risk. Now multiply the number of cowboys by the number of people that they surround on their team, who think that this is the way to operate. It doesn't take long to find out that these are the root causes of many of the operational risks in your organization. And it starts out with the basics even in the vast private sector beyond Wall Street:
  • Revenue is not booked according to the rules. Products sit in the warehouse yet revenue ends up on the sales reps commission report because (s)he had a signed order.
  • Assets are not valued correctly. Bank accounts are not validated to make sure they actually exist and accounts receivables are inflated.
These are just two of the many facets of occupational fraud that starts with a few cowboys who have little regard for managing risk and all the incentives to line their pockets with new found cash or bonuses.

From Leadership Lessons of the Navy SEALS

The Cowboy
"Neither of us knows if such a thing has ever been tolerated in modern commando teams. Yes, sometimes you need to charge forward. But, there are simply too many potential casualties and too much political currency resting on commando missions to entrust one to a cowboy. Authorization for an operation depends on the accurate calculation of operational risk. This requires an assessment of proven forces ability to perform a task. All this is contrary to the cowboy philosophy of depending on experimentation, pluck, and luck in order to succeed."
"The problem with being a cowboy is that your bosses won't employ you if they can't trust you, and they can't trust you if they don't know what you'll do. And then you're stuck with the reputation."
        --LT. CMDR. Jon Cannon

You might think that the reason is ego or just plain greed. However, the real motive may not be so clear. More than likely, the motive is fear. And that fear is something that grows until it gets to the point of creating harm, loss and destruction. You have to find the cowboys in your organization and you have to follow the mantra of quality gurus from years past, "Drive out Fear".

06 December 2015

InTP: Quality of Design in a New Age of Terror...

Executive Management and the Board of Directors are waking up today, with a key thought on their minds.  As a result of the horrific act of terrorism in San Bernadino, CA USA this week, how effective are the "Insider Threat" Programs (InTP) that are now being tasked:
The FBI said Friday that it is investigating the San Bernardino, Calif., massacre as an act of terrorism, with officials revealing that the Pakistani woman who teamed with her husband in the slaughter went on Facebook afterward to pledge her allegiance to the leader of the Islamic State.
The husband terrorist was employed by a county government agency in California.  Just as your place of employment has a "Duty of Care" for the safety and security of it's employees, any nexus with home grown violent extremism or terrorism on a government or private sector ecosystem requires a strategic focus.
( U.S. Code Title 22 Chapter 38, Section 2656f(d) defines terrorism as: “Premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.”[18])
The Board of Directors or Under Secretary, in concert with Operational Risk Management (ORM) professionals within the enterprise have a fiduciary responsibility that now has a new spotlight.

The husband terrorist was a U.S. citizen working as an environmental health specialist in San Bernardino County.  He was a devout Sunni Muslim.  He had recently traveled to Saudi Arabia for two weeks, home of the 9/11 hijackers.  When he returned, he was growing a beard and married to a devout Sunni Muslim woman he met online.  Witnesses have stated that his new wife had substantial influence on his religious beliefs.  Was some or all of this a potential "Red Flag" by family members or co-workers?   Could she have been a clandestine agent?

The presence of an "Insider Threat" Program (InTP) is evident in hundreds of top tier Fortune 500 organizations and almost 100% of government contractors who may have "Sensitive Compartmented Information Facilities" (SCIF).  U.S. Executive Order 13587 requires that an organization have an InTP in place.

This still leaves thousands of vulnerable businesses and governments agencies at the state and local levels without the resources, expertise and policy-based programs to effectively administer a lawful and effective InTP or hybrid "Insider Threat" strategy.  It is imperative to assist in the continuous protection of physical and digital organizational assets, including the precious lives of all employees:
As a result, many organizations will be asking senior management about the initial implementation of an InTP or to review the effectiveness of a current InTP that is already in progress, at a Defense Industrial Base (DIB) contractor.  So what?
What does the current InTP in your organization, have to do with the adverse consequences that may occur?  Why could those potential consequences of an InTP that has been designed incorrectly or implemented without control metrics, create substantial risk and liability to the enterprise?  How can you address the Operational Risks associated with an "Insider Threat" Program?

Here are several key design areas, to mitigate the potential likelihood of unintended consequences of a failed InTP design:
  • Staff or employees who utilize the InTP incorrectly with intent or by accident
  • Top management loss of reputation by supporting an aggressive InTP Progam
  • Collision course with formal EEOC Whistle blower protections and processes
  • Friction with internal Human Resources relationships
These are just a few examples of the many areas that should be addressed in the initial design of a high performing InTP.  The problematic cases as a result of low quality design, are building bad PR and new employee lawsuits are gaining attention.  The aggressive actions by management may create a high rate of "False-Positives," that alienates employees, increases privacy violation claims and impacts corporate culture.

The integrity and the credibility of the InTP is paramount, if we are to continue to utilize it as an effective tool in the Operational Risk Management (ORM) strategic plan.  Managing risk on vital enterprise assets requires dedicated people, tested processes and robust systems that will not erode support.

Where are the vital process, training and systems areas that need focus or have the ability to be designed correctly from the start:
  1. Relationships with Management & Employees
  2. Investigation of Incidents and Reports
  3. Management Behavior after an Employee Red Flag
  4. Implications of the Culture of Trust
Organizational behaviors and the "Duty of Care" are in the spotlight again, as a result of the San Bernadino terrorist attack.  The quick reaction by hundreds of companies to implement InTP that have not done so already, will spawn thousands of new litigation examples that have a nexus with security and privacy in the workplace.

In essence, you need to have a specific executive management intervention, that does not over react.  You should have a independent facilitated off-site meeting to better understand what can go wrong, why it happens and what to keep an eye on.  Finally, what you can do about it.

The opportunity now is for you to strategically implement or adjust the InTP within your organization.  Why you do this and how you proceed, is vital to the enterprise risk management of the company.  How you and your employees behave from this point forward, will forever impact the culture of trust in your organization.

Our thoughts and prayers to all of the victims and the families impacted by this act of terrorism in the U.S. Homeland...

29 November 2015

Trustworthiness: Accelerating into our Digital Future...

As the moon descends into the Western horizon this morning, there is growing uncertainty across the globe.  We are heading into the last month of 2015 when much of the world gathers family and friends to celebrate.  Our trustworthiness as people, businesses and countries is continuously in question.

The Operational Risk Management ORM) professionals are working 24 x 7 to continue to do what is humanly possible, to make our communities, businesses, religious and educational institutions and governments more safe and secure.

At the root of many of the disputes, conflicts, suits, feuds or wars is the subject of "Trust".  On a wide spectrum in each relationship, domain or system, the decision to trust is something that many never even think about.  At the most fundamental level, the spectrum could be represented like this:

Zero Trust  >>>>>>  Trust Exists  >>>>>>  Implicit Trust

On this spectrum of trust, the rules, conditions, environment, interactions and experience move our human emotions across and back and forth on the scale from zero trust to implicit.  In the human relations scenario our words, behaviors and actions continuously move our level of trust back and forth on this "Trust Spectrum".

What about computing machines?  How often do you think about the "Spectrum of Trust" when it comes to one computer trusting another computer?  If you are a programmer, data scientist, forensics engineer or even an attorney or doctor, this is something you think about all the time.

Now there is a data revolution, that has been evolving for just a short 20 years since the commercial launch of the Internet.  The birth of the iPhone about five years ago, has now accelerated the small light weight radio transmitters for wireless communications into powerful handheld data computers.

Has your level of trust increased on the spectrum when it comes to what you read or see on your iPhone?  The ubiquitous utilization of tools and sensors such as GPS has transformed the way humans can navigate across our planet, sailing, flying, driving or on foot.  The sensors we trust and the computers that are trusting other computers, is something that we rarely even question.

The computing machines have become a way of life now for those children who are learning how to read, do mathematics and solve puzzles even before their first days in a traditional school.  Their trust in the rules, the sensors and the words and pictures they see, shall forever influence their perceptions of trust.

In the early days of trusted computing there were peer-to-peer services such as Napster and Skype. Today there are emerging new technologies gaining momentum such as blockchain.  In essence, a shared trusted ledger that everyone can inspect.  Even "Open Source" software has gained attention because of the transparency issue.

Your decision to trust and computers making "Trust Decisions" are a series of mathematical calculations.  The formula includes rules, information and is happening at light speed.  They are also happening in our brains and the brain is processing all of what it knows about the rules, data and our contextual understanding.

Computers making "Trust Decisions" are the result of humans inventing the languages and algorithms for the computers to understand each other.  We now must transition our thinking from the simplicity of just risk management, to the formality and trustworthiness of "Trust Decisions".  The discipline of engineering and mathematics is making its way towards those places that were once deemed too "Soft" for pure logic or formality.

Perhaps sometime in the near future, our digital identities, travel history, conversations, messaging, patterns of life and activity-based intelligence, will all be merged into a single digital "persona".  What then?

Will this then be transformed into a new 21st century version of the "FICO Score"?  Will our thinking be forever changed about our spectrum of trust?  What if the new "Trustworthiness Score" was on a scale from zero to 100?  What if the rules, information and calculations of the future determined where you stand at any point in time, in terms of your trustworthiness as a human being?

The time has come for our "Trust Decisions" to accelerate, by the use of trusted computers to assist humans, make more informed decisions, human-to-human and machine-to-machine.

22 November 2015

Velocity: Integrity of Enterprise Architecture...

Operational Risk Management (ORM) is a discipline that requires several elements to remain effective.  Whether you are working on the deck of the USS Gerald R. Ford (CVN-78) or analyzing data from the corporate Security Operations Center (SOC), your tasks continuously rely on achieving "Trust".

At the core of these decision-making roles, are the processing of rapidly changing data on a split second basis.  The sensors or tools we use day-by-day to assist our quest for greater levels of safety and security, are interdependent minute-by-minute, second-by-second, on the trust of data.  It is imperative at the early stages of process and product development, to effectively test and improve these tools and sensors.  Why?

The "Quality Assurance" phase of any process whether in design, assembly, manufacturing or implementation is based upon a foundation of the quality of trust.  You are reading this now on a device connected to an Internetwork, that has layers of business rules and technology rules that are executed according to industry standards.  The process and the rules have been implemented utilizing QFD and Mean-Time-Between-Failure (MTBF).

There are three vital components of building digital trust in this scenario, for the systems in play and the requirements of end users:
  • Authentication
  • Data Integrity
  • Encryption
All three must be present to provide you with the highest level of assurance, that you are working with a trusted system:
  1. How can you be sure that the party you are communicating with, on the other end of the line, is who they claim to be?
  2. How can you be sure that the data has not been altered, deleted or changed in transit?
  3. How can you be sure that no one can intercept and understand the information being transferred?
All three of these vital components must be present all the time, in order to build integrity and assure your level of trust.  They must be consistent and persistent from end-to-end.  In essence, we are protecting against our adversaries from listening in, tampering with the data and impersonating the destination.

Are you operating any vital component of your business operation, where any of these three components are absent?  Are any of the three not persistent, 100% of the time?  If so, then you are in jeopardy of an erosion of trust with your stakeholders and the increased likelihood of an adverse event.  With your customers, your reputation and probably both.

So what?  How does this translate to your role and the work that you are in charge of, within the operations of your enterprise?  The short answer is, "Velocity and Wealth".  You see, the business rules, technology rules and the legal rules are all connected.  Your job, is to make sure that you understand, your organizations unique "Operational Risk Enterprise Architecture" (OREA).

The velocity at which your business process can execute transactions with integrity, versus your competition or adversary, can mean the difference between victory or defeat.  The margin or profit that you are able to gain by successfully executing millions of your transactions, can mean the difference between prosperity or disadvantage.

Is your organization advertising on Internet web sites?  Is the business model for your company, based upon revenue from advertising?  The trustworthiness of your systems operating with the goal of generating ad revenue, are now at stake.  Informationweek DarkReading explains:
'Xindi' Online Ad Fraud Botnet ExposedBillions of dollars in ad revenue overall could be lost to botnet that exploits 'Amnesia' bug.

Online fraudsters have amassed a botnet of millions of infected machines that exploits a security flaw in a digital advertising technology in order to execute phony online ad impressions.

The so-called Xindi botnet was designed to exploit a known vulnerability called Amnesia (CVE-2015-7266) in implementations of the Open RTB Internet advertising protocol. Unlike most online ad fraud attacks, it doesn't use clickjacking-based click fraud, but rather, generates large numbers of phony ad impressions. According to researchers at Pixalate, which published a report today on the botnet, some 6- to 8 million machines at more than 5,000 enterprises are at risk of being used as bots in Xindi.
Jalal Nasir, CEO of Pixalate, says his firm has spotted traffic from the IP addresses of major Fortune 500 firms, government agencies, and universities, associated with Xindi. While it's unclear if the IP addresses are spoofed or legitimate, he says the IP addresses used by Xindi are owned by those organizations, which include Citigroup; General Motors; Lowe's; Marriott; Wells Fargo; California State University's Office of the Chancellor; Columbia University; the University of Maryland; and many other big-name corporations and colleges. 
The Quality Assurance of the Online Advertising enterprise is in jeopardy.  The trustworthiness of e-commerce and the digital business models executing the rules for producing revenue, are now in question.  How effective is your enterprise in understanding the true business problem and then solving it?

"Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, says the more than $6 billion of losses to advertisers is actually on the low end of estimates. He estimates the number may be closer to $10 billion."

"Achieving Digital Trust" and the "Trust Decisions" to create wealth require that we begin with a sound architecture.  It continues with the widely adopted information governance processes and three factors.  Authentication, Data Integrity and Encryption.  The "Advertising Industry" is not the only business segment at risk.  The next time you open that piece of mail with a new credit card that utilizes the EMV chip, you will begin to understand the true business problem.

You are in control of the velocity of the process of change with your current state. The opportunity for the future state of "Trust Decisions" is now coming into the light.  In your country, industry, company and DevOps team.

15 November 2015

Mass Movements: Adapting to the Threat...

As if the act of bombing a Russian Airliner Flight 9268 with 224 crew and tourists returning from a Red Sea vacation is not a clear indicator of ISIS as a mass movement, perhaps this attack on Paris will be:

1.  Stade De France - 9:20PM - Suicide Bomber - 1 Killed
2.  Rue Alibert - 9:25PM - 2 Gunmen by car - 15 Killed
3.  Casa Nostra - Moments Later - Same 2 Gunmen - 5 Killed
4.  La Belle Equipe - 9:36PM - Same 2 Gunmen - 19 Killed
5.  Bataclan - 9:40PM - 3 Gunmen - 2 hours later - Suicide Bombers - 89 Killed
6.  Cafe Comptoir Voltaire - 9:40PM - Suicide Bomber - 1 critically injured

As we say our continued prayers for those lost and consider the consequences of just these two single recent terrorist events, you can try to ask yourself, what now?  How will we address this kind of continuous threat and evil going forward?  Why did this happen?

To begin your understanding as a true Operational Risk Management (ORM) professional, you must start here.  In 1951 a migratory worker and longshoreman, Eric Hoffer wrote a book, The True Believer:  Thoughts on the Nature of Mass Movements:

"The readiness for self-sacrifice is contingent on an imperviousness to the realities of life. He who is free to draw conclusions from his individual experience and observation is not usually hospitable to the idea of martyrdom... All active mass movements strive, therefore, to interpose a fact-proof screen between the faithful and the realities of the world. They do this by claiming that the ultimate and absolute truth is already embodied in their doctrine and that there is no truth or certitude outside it. The facts on which the true believer bases his conclusions must not be derived from his experience or observation but from holy writ."

 There are some who know, that Hoffer understood some things about mass movements that pertain to our current state in 2015.  This set of traits and characteristics is essential understanding by all, if we are to begin to develop a strategy for the future.  To quote Hoffer again:  "However different the holy causes people die for, they perhaps die basically for the same thing."

Our future state requires a strategy that we agree on the correct taxonomy.  Whether the battle is being waged on a nation state having sovereign authority or the private enterprises of non-state actors in Cyberspace, without taxonomy, we will continue to struggle with our strategy.  What is terrorism and what is a crime?

CRIME noun 1. an action or an instance of negligence that is deemed injurious to the public welfare or morals or to the interests of the state and that is legally prohibited.

TERRORISM noun 1. the use of violence and threats to intimidate or coerce, especially for political purposes.
First, the actions that you take and the resources that are necessary to address the evil of terrorism vs. an organized crime wave, are clearly different.

Second, you must understand the source of the elements of a "mass movement."
STRATEGY noun, plural strategies. 1. Also, strategics. the science or art of combining and employing the means of war in planning and directing large military movements and operations
Are you working on a strategy right now to address cybercrime? Are you working on a strategy right now to work on cyberterrorism? Is either of these strategies tied to defeating a mass movement?

You see, the tools, tactics and resources that you are using to implement your strategy, may be all wrong. The future outcomes you seek, may not be possible with the strategy you have in place. Once you have come to this realization, there is an opportunity to adapt. However, you must adapt quickly and you must provide the resources instantly to enable the change.

How would you adapt, if you came to the realization that your quest was with adversaries who have actions such as:
  • Steal / Modify / Delete
  • Read / Copy
  • Bypass / Spoof
  • Authenticate
  • Flood
  • Probe / Scan
How would you adapt, if you came to the realization that your quest was with adversaries who have objectives such as:
  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
How would you adapt, if you came to the realization that your quest was with a Mass Movement?

You now realize that you may have the same problem, that many of our world leaders have today.  It could be time to finally admit, that you must now adapt and it is time to change your strategy.

GODSPEED noun 1. good fortune; success (used as a wish to a person starting on a journey, a new venture, etc.).

08 November 2015

November 11: Serving the United States by the Other 99%...

“As we express our gratitude,
we must never forget that the highest
appreciation is not to utter words,
but to live by them”
-John F. Kennedy-

The United States Veterans Day National Ceremony is held each year on November 11th at Arlington National Cemetery . The ceremony commences precisely at 11:00 a.m. with a wreath laying at the Tomb of the Unknowns and continues inside the Memorial Amphitheater with a parade of colors by veterans' organizations and remarks from dignitaries. The ceremony is intended to honor and thank all who served in the United States Armed Forces. This represents less than 1% of Americans.

How many Soldiers will be on active duty around the globe on Wednesday, November 11 working in their current role, task or assignment, to keep America safe and secure?  So those of us who call the United States their home, may exercise their freedoms and the citizens rights that our nations architects designed for us.

How may Airman will be walking the streets in parades remembering their flights over the Pacific, Vietnam, the Atlantic, Europe, South America, North Africa or the Middle East?  What about all those pilots that have flown at such a high altitude; never to be detected over Russia, North Korea or China?

How many Sailors and Marines will be cruising on, over or under our vast oceans to be present and ready, for our next mission to help others?  How many Submariners will never be detected on their 24 x 7 watch; or with SOF waiting patiently below deck for their next clandestine operation, anywhere in the world?

So on Wednesday, November 11 what will you be doing, John or Mary Citizen, in Anytown U.S.A.?

For some Veterans who experience this day of recognition, it is not easy.  It could be a day that is simultaneously bitter sweet.  There is certainly great pride, yet some within the 1% who are Veterans, look around the country and wonder why the other 99% are not serving their nation, in their full capacity as a U.S. citizen.
Service to your nation doesn't begin or end with a job in the military.  Service to your nation begins for everybody who becomes an American.  What does that mean?
It means that we stand up and believe in the U.S. Constitution.  We defend and negotiate all that it says and what it enables for us to accomplish for ourselves, our families and our fellow believers.  You see, the freedoms and the opportunity to prosper in the United States is there for anybody to grasp.  For anybody to achieve.

To honor and thank those who have served in the Military on Veterans Day, requires so much more:
  • Will you "sleep in" on your day off or volunteer with the local church or non-profit to teach Veterans how to be more effective in the transition to a civilian private sector job?
  • Will you design and code the next iPhone App to locate other Vets in your local town or city to assist each other and your community?
  • Will you meet with local business owners to plan, raise funds and deploy vital programs for families of Veterans?
  • Will you vote to fund and allocate adequate resources for the operations necessary and requested, by those forward deployed on the front lines, in uniform and also in the shadows?
The opportunities to serve our country and all of our Veterans November 11, requires a continuous cycle of thinking beyond just the Soldier, Airman, Sailor or Marine.  It also requires more proof, that a majority of the other 99%, are also serving their country and all that the United States stands for in the world.

So this November 11, 2015 listen to John F. Kennedy...

01 November 2015

Trust Decisions: The Extinction of Risk Management...

Most people believe in some form of risk management and the truth is, that it doesn’t work all the time.  It doesn’t work because the human being is incapable of processing all of the possible rules of the moment, the game, in any specific scenario, fast enough.  Therefore, failures of people, processes, systems and external events seem to occur randomly.
Is it possible to achieve a state of zero surprise?  Where all risks are mitigated and humans can achieve an environment of trust that is sustainable.  We think it is.  In the right environment and in a specific scenario, surprise is now “impossible”.
“Trust Decisions” occur today at the speed of light and with an accuracy of 99.999%.  Risk Management is our current state and it is destined for extinction.  Trust Decisions as we will now apply them, becomes our future state.  With zero surprise.  The truth is, that risk management is obsolete and a new digital invention is ready for mankind.

Operational Risk Management (ORM) professionals can better understand the adversaries they Deter, Detect, Defend and Document each hour, of each day.  The metrics have created new thinking on what is required to increase the odds of achieving the specific mission.  That definition of each "Mission" is now the focus of so many, who are charged with the protection of our nations most critical assets.

You have been reading and hearing all about the Internet of Things (IoT) and the exponential math on the number of devices and the data storage requirements, that will be achieved by the year 2020.  The trust decisions that are being made now in nanoseconds from machine-to-machine, system-to-system, are based upon several levels of programmatic rules.  These rules are unknown to many and in some cases only known to a few.

The wealth being created on a daily basis relies on these "Trust Decisions" to execute and carry-out the rule-sets that we have bestowed upon them.  The question remains for the end user, the organization, the company, the government, the nation state.  What are the rules based exercise that encompasses understanding and knowing the rules, fueled by vast collections of unstructured information and then performing mathematical functions?  At light speed.

Here are the qualities of our future "Trust Decisions:"
  • Rules-based
  • Fueled by Information
  • Mathematical
 So what?  To ask this question at this point is imperative.  So what does this have to do with the future of the Internet?  How will this impact my way of life or my job?  Why is speed, a component of true innovation?

All of these questions and more are answered in the book by Jeffrey Ritter, Achieving Digital Trust- The New Rules for Business at the Speed of Light.  "Achieving Digital Trust delivers to business executives, IT strategists, and innovation leaders something remarkable-a complete tool-kit of new strategies and resources that will change how they make decisions that matter, and how to build digital assets that can be trusted."

The planet Earth has historically provided us early signals of change.  Our scientists are measuring the temperature of oceans and the impact of weather on the ecosystems that sustain life.  No different than the measurements being assessed environmentally, data science is already making forecasts.  The facts and the math don't lie.  IPv6 is now a reality.  The "Cyber Domain" has been recognized across the world as an addition to the other domains to be defended including Air, Land, Sea and Space.  USCYBERCOM has now been established and for vital reasons.

As each human carries that digital device in our pockets, to perhaps utilize to navigate our way to our next destination, we are judging the trustworthiness of the App of choice.  Is Google Maps more trustworthy than another?  As we sit on the train using another App to order that new addition for our home or digital library, the transaction enables logistics, financial and air/ground transportation systems.  Is Amazon more trustworthy than another?

You see, the future domain for dominance in the business and commerce of the globe, is about "Digital Trust".  The innovation and startup ecosystems are all built on the number of people who trust your tool on a daily basis, as the model for success, not always just the quarterly profit.  Trustworthiness is now the new currency for how the valuation of "Enterprise X" will be interpreted by the markets vs. "Enterprise Y".  Think about it.

 The truth is, that risk management is obsolete and a new digital invention is ready for mankind.

25 October 2015

4GW: An Act of Valor in the Private Sector...

Fourth Generation Warfare (4GW) is a stark reality in 2015 and beyond. Are American business interests as prepared as they could be, for the growing Operational Risks in the 21st century?  How many employees do you now have working outside the Homeland?

4GW involves the following key elements:
  • Are complex and long term 
  • Terrorism (tactic) 
  • A non-national or transnational base—highly decentralized 
  • A direct attack on the enemy's culture 
  • Highly sophisticated psychological warfare, especially through media manipulation and lawfare
  • All available pressures are used - political, economic, social and military 
  • Occurs in low intensity conflict, involving actors from all networks 
  • Non-combatants are tactical dilemmas 
  • Lack of hierarchy 
  • Small in size, spread out network of communication and financial support 
  • Use of Insurgency and guerrilla tactics
There are a number of methods that a private sector company can utilize to exercise its own "Business Continuity Plan" in concert with the public sector here in the United States.  Operational Risk Management (ORM) associated with people, process, systems and other potential external events can be shared with local first responders, to establish awareness or alert protocols with your particular organizations incidents. As a private sector business, you should be asking yourself how often your internal incident commanders visit your local fire station or police precinct, to share mutually relevant information. Do you invite these vital community preparedness and response professionals to engage in your own company "Continuity of Operations" and crisis planning and exercises, even if it is just a table top review?

Through public-private collaboration, government and the private sector can:
  • Enhance situational awareness 
  • Improve decision-making 
  • Access more resources and capabilities 
  • Expand reach and access for disaster preparedness and relief communications 
  • Improve coordination 
  • Increase the effectiveness of emergency management efforts 
  • Maintain strong relationships, built on mutual understanding 
  • Create more resilient communities and increase jurisdictional capacity to prevent, protect against, respond to, and recover from major incidents 
Around the country there are certain metro areas that have annual readiness and preparedness exercises because of where they are located. In some cases there are federal laws that mandate these exercises such as seaports. Norfolk, VA, Houston, TX or even the only deep water port between Los Angeles and San Francisco; Port Hueneme, CA have annual tests of their readiness and resources. Each of these seaports are significant assets to our continuous economic well being. They are surrounded by the private sector businesses who supply them with fuel, electric utilities and other critical infrastructure components that play their vital role in these regions.

Beyond the ability for these private sector organizations to engage with local first responders to exercise their continuity planning, is the ability to test new technologies, methods and even research possible ways to improve overall resilience, on a spectrum of new found asymmetric threats. These tests determine our ability to adapt or to utilize new tools in our current 4GW environment. We must remain adaptive during irregular operations by small insurgent groups such as those that have occurred in Mexico, Mumbai, India or the growing real possibility of devastating cyber attacks to our energy and telecommunication sectors.

Why are we encountering these threats on a higher frequency around the globe? You only have to look as far as the foreign published press to find the answer to this question. Or if you haven't got the time to read and translate to your native language what is being said, then make sure you see the movie "Act of Valor" to better understand what lies before us. What follows is from a foreign press article:
"The inability of the majority of the world's countries in the current circumstances to fight globalization's most powerful military machine (primarily the United States) on equal terms has led in recent years to an increase in the number of terrorist acts, armed conflicts, and local wars. Their coalescence into a single antagonistic system is giving rise to a phenomenon designated asymmetric operations by military-political theoreticians (asymmetrical conflicts and even asymmetric wars)."
As a result, we must adapt. The Naval Postgraduate School (NPS) has several educational, training and research centers that are dedicated to the readiness of the military and to the public private partnership mechanism in the United States. The one center that stands out to help us become more adaptive on small conflicts and irregular activities is "The Center for Asymmetric Warfare (NPSCAW)."
The Center for Asymmetric Warfare, or CAW, was established in 1999 as a part of the Naval Air Systems Command to support U.S. military forces, as well as local, state, and federal organizations, in identifying, countering, and controlling the effects of asymmetric warfare in the nation’s Global War on Terrorism. CAW’s initial focus was the development and conduct of multi-agency, multi-jurisdictional homeland security and homeland defense exercise and training programs, in addition to test and evaluation programs for developmental first response technologies. 
Since its inception, CAW has matured into a recognized leader in its field, by providing comprehensive education, training, and exercise programs; technology integration, test, and evaluation programs; and capability assessment and improvement programs to partners across a wide spectrum of jurisdictions. These programs include participation by Department of Defense; local, state, and federal government agencies; private sector and non-governmental organizations; academia; and international government agencies. 
In 2008, CAW was realigned as a satellite division of the Naval Postgraduate School’s National Security Institute, headquartered at Naval Base Ventura County, in Point Mugu, California. Harnessing the capabilities of the four institutes and four schools that comprise NPS, CAW can capitalize on the expertise and experience of a continuously expanding number of alumni, faculty, and students.
The U.S. private sectors proximity to high value targets are many times overlooked. Where on the West coast of the U.S., is the largest concentration of undersea telecom cables coming ashore? You might guess San Francisco or Seattle. Think again. This map will give you an idea what areas of the coastline could be more important to protect and to continuously prepare for, a future attack on these assets. The answer is San Luis Obispo.

As an Operational Risk professional in your private sector organization, make it a priority to get engaged with your local community. Visit your local first responders soon. Reach out to the Regional Fusion Center and other entities designed to facilitate a smooth information sharing process.

This should occur with government and the most valuable assets owned and operated by our private sector constituents. It all comes down to two words. Continuous Vigilance.