27 June 2015

CRO: The Modern Day CISO...

In light of the new clairvoyance in many Board Rooms authorizing management to hire a dedicated CISO, Operational Risk Management (ORM) professionals have to smile.  Some are even laughing out loud.  Why?

Boards of Directors in organizations around the globe are finally waking up to the digital battlefield that has been fought in the information technology trenches since the late 1990s.  Only a very few saw the threat horizon for "Botnet" enabled cyber malware and the sophisticated, complex information operations of nation states.  Those organizations that have had a Chief Information Security Officer (CISO) participating in Senior Management for more than a decade are rare.

So what are the attributes of the ideal CISO?  If the Board of Directors is going to find the best person for the role in their organization, they must have a baseline of requirements for the search.  What do they need to know and what do they need to understand about Information Security?  What is the ratio of skills and knowledge that is balanced between technical, business and operational domains? How do you judge the potential CISO's ability to grasp the vast interdependencies in the enterprise with other business processes?

The modern day CISO has certainly evolved since the early 2000s.  The first-generation CISOs were hired long before the evolution of the latest NIST Framework, Personally Identifiable Information (PII) definitions and the data breach notifications mandated by state and federal agencies.  Now the modern day CISO has all of this as a baseline, yet so much more.  The CISO today needs to really understand Operational Risk Management (ORM), more than ever.

You see, the Board of Directors really needs to understand that the CISO domain within the enterprise does not manage or mitigate risk to information assets alone.  Here are just a few of the categories the modern day CISO must have mastered:
  1. Security policy - management direction
  2. Organization of information security - governance of information security
  3. Asset management - inventory and classification of information assets
  4. Human resources security - security aspects for employees joining, moving and leaving an organization
  5. Physical and environmental security - protection of the computer facilities
  6. Communications and operations management - management of technical security controls in systems and networks
  7. Access control - restriction of access rights to networks, systems, applications, functions and data
  8. Information systems acquisition, development and maintenance - building security into applications
  9. Information security incident management - anticipating and responding appropriately to information security breaches
  10. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
  11. Compliance - ensuring conformance with information security policies, standards, laws and regulations

Operational Risk Management (ORM) touches each of these 11 categories and more.  The CISO who understands the interdependencies of these categories, and how they intersect with the other senior managers in the enterprise, is a key factor.  How do you Plan-Do-Check-Act (P-D-C-A) with the VP of Human Resources?  How do you design an "Acceptable Use Policy" and adapt consumer privacy policies with your General Counsel and the legal staff?  How do you coordinate with the Chief Financial Officer (CFO) or the Chief Security Officer (CSO), who are likely to have been on staff far longer than most of the others?

The modern day CISO, equipped with a substantial understanding and comprehension of Operational Risk Management (ORM), will be able to interface easily with the other senior managers.  They will be able to do this because they have a substantial grasp of enterprise business operations.  They know how to run a business and they know how business is run. They know how to mitigate the risk of loss events within and to the business.  The CISO of the modern day enterprise has the ability to discuss with confidence, the risks associated within every other domain within the enterprise architecture. Why?

It is because the title of the position includes the word "Information."  Yet maybe the title should not include the word "Security," as this could diminish the roles of risk management.  Risk mitigation.  Risk avoidance.  In reality, the CISO should now become the "Chief Risk Officer" (CRO).

Information is a given.  It is the lifeblood of the organization.  Each front line manager or director knows they are responsible for the security of their proprietary or sensitive information.  Yet do they understand the "Why" of a holistic approach to mitigating systemic risks within the entire enterprise? Do they truly understand the necessity for a robust counterintelligence program within their global organization?  Do they even realize that their trade secrets and vital research and development formulas are being sold to the highest bidders, in an electronic marketplace designed for transnational organized crime (TOC)?  Do they know how this ecosystem works and why their organization may be the target?

What about the risks to organizational personnel who travel to places on the globe where OSAC has issued travel warnings or security messages to U.S. citizens?  Does the CISO realize the focus of international business operations and the interdependent third-party supply chain?

The CISO shall now become the CRO.  The CRO shall be the master of Operational Risk Management (ORM).  Information Security is a given for the future state.  The Board of Directors shall be asking the Executive Recruiters to change the overall requirements for their next addition to senior management, if they haven't already.

21 June 2015

IP Theft: The Erosion of Homeland Security...

"Above all, watch with glittering eyes the whole world around you, because the greatest secrets are always hidden in the most unlikely places. Those who don’t believe in magic will never find it." —Roald Dahl

What is the latest headline to get your attention these past few weeks?  As an Operational Risk Management (ORM) professional you have to be amazed and in shock from several of the global loss incidents.  Was it from the Financial, Technology, Energy or Government sector, or just a tragic crime or terrorist event with significant loss of life somewhere?

The people, processes, systems and external events that make up your particular Operational Risk ecosystem are dynamic.  The threats are evolving both in the physical world and even more so in our data-hungry, processor-driven virtual workplace.  You probably can't remember the last time your organization required you to operate the whole day without the use of computer systems; to operate the business in manual mode over a Saturday in an orchestrated, scenario-driven Business Continuity exercise.

If you can't remember, then as a corporate leader or head of a Board of Directors audit committee you are in denial.  The attitude that your organization will never have a data breach or become the victim of a natural disaster such as an earthquake, flood or hurricane is naive.  What about the rogue "Insider" who has perpetrated an act of industrial espionage or a long-term fraud scheme?  The continued theft of Intellectual Property from the United States has been well documented since 2013:

Key Findings

The Impact of International IP Theft on the American Economy: Hundreds of billions of dollars per year.

The annual losses are likely to be comparable to the current annual level of U.S. exports to Asia—over $300 billion. The exact figure is unknowable, but private and governmental studies tend to understate the impacts due to inadequacies in data or scope. The members of the Commission agree with the assessment by the Commander of the United States Cyber Command and Director of the National Security Agency, General Keith Alexander, that the ongoing theft of IP is “the greatest transfer of wealth in history.”

When you really sit down and think about the risk to the Homeland Security of the United States today, this has to be at the top of the list.  The reason is that the "IP Theft" threat is not like ICBMs coming over the horizon suddenly.  This metastasized problem set is eating away at the economic security and the U.S. national security simultaneously.

"While IP theft is not new to the planet, today’s scale of economic impacts—with national security ramifications, international dimensions, significant foreign-state involvement, and inadequacy of legal and policy remedies and deterrents—makes for an unprecedented set of circumstances."

CHAPTER 1: THE NATURE OF THE PROBLEM, The Commission on the Theft of American Intellectual Property

What are the solutions?  The answer is plural because there is no single way to address the magnitude and the severity of the threat.  The security of the U.S. Homeland begins with intelligence.  The degree to which the intelligence gathered, analyzed and shared is capable of being absent of bias is a start.

Homeland Security Intelligence (HSI) is quickly evolving beyond the group think of a catastrophic physical terrorist event.  The focus now is on counterintelligence as much as on counterterrorism, and on all of the interdependent connections to the rest of the world.  As your organization begins its next strategic planning cycle or engages in the thought of a continuity of operations exercise, you should think wider and deeper.  The survival of your business and organization is dependent upon your internal counterintelligence mechanism.

As one example, take a minute to better understand the diversity of languages being spoken within your organization.  Who are the people within the enterprise who have the fluent ability to speak and to translate English to some other foreign language?  How does your enterprise engage with other countries in International business?  The degree to which you have multiple languages being translated, or utilized for business transactions and necessary for daily operations, is both a risk and an opportunity.

The secrets inside your organization are knowable.  The ability to hedge the Operational Risks to Intellectual Property within your enterprise is greater than you may realize.  The interdependency with U.S. Homeland Security is evident.

13 June 2015

4D: A Risk Strategy for Business Survival...

Executive Summary

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits. Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result. They do this to obtain their objective.

Here are four key lessons to create a "4D" risk strategy in your enterprise.

Lesson 1 – Deter

The Mission

Deter the attacker from launching a salvo of new threats to compromise your organization's assets. You first have to understand the value of your corporate assets to determine which are the most valuable in the eyes of your adversary. You must make it increasingly more difficult for these valuable assets to be attacked or you will find yourself under the constant eye of those who wish to create a significant business disruption.

These attackers are individuals who take on these quests or objectives for several key reasons. They include financial gain, political gain, damage or the simple challenge, status or thrill. It’s your job to create deterrence for each one of these objectives.

The Take Away

In order to effectively deter potential risks to your corporate assets, first you have to understand what they are and how valuable they are in the eyes of each kind of attacker. The more valuable the target, the more deterrence it requires.

Lesson 2 – Detect

The Mission

Detect the use of tools by the attackers. These tools are what they use to assess the vulnerabilities within and throughout the organization. These tools include surveillance, physical attack, information exchange, user commands, scripts or programs, autonomous agents, toolkits, distributed tools or data taps. Some are high tech and most are the craft of social engineers.

The attackers are using a combination of these tools and tactics to exploit corporate vulnerabilities in:
  • Design
  • Implementation
  • Configuration

The Take Away

Just about any significant business disruption can be traced back to the fact that the attacker was able to effectively exploit the organization's defenses using a systematic method and the correct tools. Detection of threats begins by detecting the use of tools. Whether it’s the surveillance of an individual or of a facility. Whether it’s the design of the building or the software code for the E-Commerce system. Whether it’s the implementation of security cameras or the firewall. Whether it’s the configuration of the controls for access to the vault or to the ERP system. You have to continuously detect the use of the attacker's tools and their methods to exploit your vulnerabilities.

Lesson 3 – Defend

The Mission

Defend the target from any actions by the attacker's tools. Targets may include a person, facility, account, process, data, component, computer, Intranet network or Internet. Actions against the target are intended to produce the unauthorized result. Some action categories are labeled:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete

The Take Away

In order to understand how to defend your corporate assets, you have to attack them yourself using a continuous combination of tools and tests. Only then will you find out where your single point of failure lies and where the attacker is going to successfully exploit a vulnerability you didn’t know exists.

Lesson 4 – Document

The Mission

Document the normal so you know when and where there is an unauthorized result. In order for the attacker to obtain their objective, the target must produce this unauthorized result. These might include:
  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources

In order to understand that an attack is actually occurring, normal results have to be documented and a historical trend has to be established. What is normal? How do you know what normal looks and feels like? You document, store, record and analyze what normal is. If you have done this for long enough and across the potential targets the attacker is trying to exploit, then you will know the second an unauthorized result takes place.

The Take Away

Documenting the behavior of people, processes, systems and external events is a vital component of a complete strategy for risk mitigation. Understanding what normal "is" begins with effective documentation and analysis. Many organizations begin to document long after it is too late or as a result of a significant business disruption. Documentation remains a challenge for many, and a task that attackers know is likely to be left undone or behind schedule.
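As an added illustration of Lesson 4 (example code written for this page, not from the original post), the script below builds a documented baseline of normal daily event counts from constructed history, then checks one constructed day of log lines against it and labels each deviation with the unauthorized-result category from the list above. The action-to-result mapping, the actor names and all counts are assumptions made for the example.

```python
from collections import namedtuple
from statistics import mean, pstdev

# Assumed mapping from the post's action categories to the unauthorized result
# each most plausibly produces. The mapping is an illustration added here, not
# something the post states.
ACTION_TO_RESULT = {
    "probe": "Increased Access",
    "scan": "Increased Access",
    "authenticate": "Increased Access",
    "bypass": "Increased Access",
    "spoof": "Increased Access",
    "read": "Disclosure of Information",
    "copy": "Disclosure of Information",
    "modify": "Corruption of Information",
    "delete": "Corruption of Information",
    "flood": "Denial of Service",
    "steal": "Theft of Resources",
}

# Constructed history: fourteen days of documented-normal daily event counts
# per (actor, action). In practice these come from your own stored records.
NORMAL_HISTORY = {
    ("alice", "read"): [40, 38, 42, 41, 39, 44, 40, 37, 43, 41, 40, 39, 42, 40],
    ("alice", "copy"): [2, 1, 3, 2, 2, 1, 2, 3, 2, 2, 1, 2, 2, 2],
    ("svc-backup", "copy"): [500, 498, 503, 501, 499, 502, 500,
                             497, 504, 500, 501, 499, 500, 502],
    ("bob", "authenticate"): [3, 2, 4, 3, 3, 2, 3, 4, 3, 2, 3, 3, 4, 3],
    ("bob", "modify"): [10, 12, 9, 11, 10, 13, 10, 9, 11, 12, 10, 11, 10, 10],
}

# Constructed observations for one new day: "date actor action count" per line.
TODAY_LOG = """\
2015-06-13 alice read 41
2015-06-13 alice copy 180
2015-06-13 svc-backup copy 501
2015-06-13 bob authenticate 250
2015-06-13 bob modify 11
2015-06-13 unknown-host flood 9000
"""

Baseline = namedtuple("Baseline", "mean stdev")
Alert = namedtuple("Alert", "actor action observed threshold result reason")


def build_baseline(history):
    """Document the normal: summarise each (actor, action) series as mean/stdev."""
    return {key: Baseline(mean(counts), pstdev(counts))
            for key, counts in history.items()}


def threshold_for(base, k=3.0):
    """Upper bound of normal. A floor of 1 on the spread keeps near-constant
    series (stdev close to 0) from alerting on a change of a single event."""
    return base.mean + k * max(base.stdev, 1.0)


def parse_log(text):
    """Yield (actor, action, count) from the log lines; skip malformed ones."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        _date, actor, action, count = fields
        yield actor, action.lower(), int(count)


def detect(baseline, log_text, k=3.0):
    """Compare today's counts with the documented normal and return alerts."""
    alerts = []
    for actor, action, observed in parse_log(log_text):
        result = ACTION_TO_RESULT.get(action, "Unknown")
        base = baseline.get((actor, action))
        if base is None:
            # No recorded normal at all: without a documented baseline there is
            # nothing to compare against, so the pair is surfaced for review.
            alerts.append(Alert(actor, action, observed, None, result,
                                "no documented normal for this actor/action"))
            continue
        limit = threshold_for(base, k)
        if observed > limit:
            alerts.append(Alert(actor, action, observed, round(limit, 1), result,
                                "observed count exceeds documented normal"))
    return alerts


if __name__ == "__main__":
    for a in detect(build_baseline(NORMAL_HISTORY), TODAY_LOG):
        print(f"{a.actor:12} {a.action:12} observed={a.observed:<6} "
              f"limit={a.threshold} -> {a.result} ({a.reason})")
```

Run as written it flags three of the six constructed lines: alice's copy spike, bob's authentication spike, and the flood from an actor with no recorded normal; the backup service's large but usual copy count stays quiet.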

A "4D" Risk Strategy for Business Survival is only effective if it is operating on a continuous basis. You must create the culture and the due diligence to see that it becomes part of the fabric of the organization internally and with outsourced partners or suppliers. Only then will the attacker realize that this combination to deter, detect, defend and document is alive and growing in your enterprise. This is when attackers become discouraged, afraid, uncertain and ultimately ready for a new and less formidable adversary.

"Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result, to obtain their objective. These "4D" lessons should put you on the way to creating a more survivable business."

07 June 2015

Startup Risk: Design of ORM Architecture...

How wonderful it would be to be able to redesign our current work culture and the systems that support it.  Only those new startup companies with the two co-founders sitting around the kitchen table have that real luxury.  When should the Operational Risk Management (ORM) framework for this new business entity be developed and staged for implementation?

All too often when a startup company forms its basis for existence, the focus is 100% on the product solutions and the "Go-to-Market" plan.  It isn't until the firm is leasing its first office space that all of a sudden it becomes a reality.  The Operational Risk Management (ORM) components of the company design have been given back burner status.  The viability and the longevity of the business model could be in jeopardy.

Six months later, you might have two dozen employees moving into the new open plan office suite. Do the co-founders and senior management realize the business problem before them?  The culture of the organization is well underway and also what the norms are and what the rules will be. The employees and contingent contractors are operating almost 24 x 7 at this stage to launch new products and establish market presence campaigns.  How could there be any real serious operational risks to consider at this point?

The implementation of the rules-base and the company policies are now a necessary stage of the startup. This is also when the co-founders realize that maybe it is time to start handing over the day-to-day management of the company.  It could even be the time to add the professional CEO and other key executives including the Chief Technology Officer, Chief Financial Officer, General Counsel and Chief Information Officer, Chief Human Capital Officer and the Chief Risk Officer.

The organizational enterprise architecture is now operating in full swing.  These stewards of the new company have a vital and delicate opportunity now.  Will the company build a system-of-systems that are trustworthy?

Will the people interacting within the rule-based environment of the NewCo begin to feel burdened, restricted and even under the magnifying glass?  Or will the new enterprise architecture be so adaptive, so resilient and so capable of predictive behaviors that employees feel free?  They feel innovative and capable of operating just as in the early days of the birth of the company.

The Mission

The mission as a co-founder of a new startup is to ensure the survival of the organization.  We all know the failure rate for new companies.  Just ask Dun & Bradstreet for the statistics or even your local Venture Capitalist who is celebrating failures these days.  So beyond just the survival of the NewCo, is the imperative to establish a cultural and operating environment where people feel encouraged, creative and unencumbered to fulfill their job requirements and goals.

The Take Away

Operational Risks are inherent in any new business endeavor.  The earlier the ORM design begins in the company evolution, the more resilient you will ultimately become.  The framework of the system-of-systems, the look and feel of the cultural environment and the end state visions are all at stake.  Take the time and include the expertise to work on the systems foundation of your new enterprise.

Ensure the survivability of the new products and solutions that are so valuable to our economy and our nation.  Embrace Operational Risk Management early in your startup and allow its presence while it preserves all that you have worked for and dreamed of...

31 May 2015

Trust Decisions: Human-to-Human Open Transaction Systems...

"Let us not look back in anger, not forward in fear, but around us in awareness"
-James Thurber-

When you become independent of the core group and the impact of your own bias, a whole new world unfolds before you.  The truth is discovered and the true reality becomes clear.  How often does the Board of Directors convene an emergency meeting as a result of a surprise Operational Risk loss event?

When you start listening to the explanation and you hear words such as "complex" and "3rd parties," this should sound an alert.  From the "Boardroom to the Battlefield," executive management is still flying blind on many fronts.  They have become so risk averse that in many cases the automated machines have taken over group think with their sophisticated high technology sensors.

Trusted sources from a human perspective are still the basis for vital decision support and monetary transactions.  Human-to-human information transfer via a trusted chain of sources is still thriving.  Trust is at the center of systems for significant transfer of information and assets to this day:

Hawala or Hewala (Arabic: حِوالة‎, meaning transfer), also known as hundi, is an informal value transfer system based on the performance and honour of a huge network of money brokers, primarily located in the Middle East, North Africa, the Horn of Africa, and the Indian subcontinent, operating outside of, or parallel to, traditional banking, financial channels, and remittance systems.

Does the Hawala have an emerging digital variant?  Why is the understanding of a blockchain-enabled digital ledger important in this day and age?  The reason becomes more apparent as we study how it works and where it is being utilized and for what purpose:

Example A

Silk Road was an online black market, best known as a platform for selling illegal drugs. As part of the Dark Web,[7] it was operated as a Tor hidden service, such that online users were able to browse it anonymously and securely without potential traffic monitoring. The website was launched in February 2011; development had begun six months prior.[8][9] Initially there were a limited number of new seller accounts available; new sellers had to purchase an account in an auction. Later, a fixed fee was charged for each new seller account.[10][11]

Example B

NEW YORK, May 11, 2015 (GLOBE NEWSWIRE) -- Nasdaq (Nasdaq:NDAQ) today announced plans to leverage blockchain technology as part of an enterprise-wide initiative. Nasdaq will initially leverage the Open Assets Protocol, a colored coin innovation built upon the blockchain. In its first application expected later this year, Nasdaq will launch blockchain-enabled digital ledger technology that will be used to expand and enhance the equity management capabilities offered by its Nasdaq Private Market platform.

Importantly, the creation of a securities distributed ledger function using blockchain technology will provide extensive integrity, auditability, governance and transfer of ownership capabilities.

"Utilizing the blockchain is a natural digital evolution for managing physical securities," said Bob Greifeld, CEO, Nasdaq. "Once you cut the apron strings of need for the physical, the opportunities we can envision blockchain providing stand to benefit not only our clients, but the broader global capital markets."

Whether the "Digital Hawala" continues to thrive in the years ahead will depend on several key market issues.  Transparency, accountability and documentation.  Accurate record keeping.

At the center of this evolving system are two key attributes.  Speed and trust.  That is why you now see the private equity and venture capital community investing in companies such as Ripple Labs:

Ripple Labs (formerly OpenCoin) developed the Ripple protocol. Its team of experienced cryptographers, security experts, distributed network developers, Silicon Valley and Wall Street veterans contributes code to the open-source software and works with financial institutions and payment networks to accelerate the growth of the protocol. The team shepherds a movement to evolve finance so that payment systems are open, secure, constructive and globally inclusive.

"Trust Decisions" are at the heart of the future of trading, decision support and the speed of human knowledge.  The fusion of ancient and modern protocols for global commerce and achieving digital trust are on our door step.  Let your awareness begin...

23 May 2015

Memorial Day 2015: The Risk of Service is Understood...

It is Memorial Day weekend in the U.S. and on this final Monday of May 2015, we reflect on this past year.

In order to put it all in context, we looked back 24 months to our 2013 blog post here.  It was only a few weeks since a fellow colleague from Team Rubicon had ended his battle at home, after several tours of duty with AFSOC.  Neil had joined the ranks of those fallen heroes who survive deployment tagging and tracking the enemy in the Hindu Kush.  He was one of the 22 that day in early May that could not defeat the legacy of demons, that he fought each night as he fell deep asleep.

Memorial Day 2015, we honor Neil in Section 60 at Arlington Memorial Cemetery and all those other military members who have defended our freedoms for 238 years.  Simultaneously, we do the same for the "Stars" on the wall in Langley, Va for the officers who have done the same.

Whether you are on the front lines or inside the wire at the FOB.  Whether you are in Tampa, FL, Stuttgart, Germany or Arlington, VA.  Whether you are on your beat cruising the streets of a major metro USA city.  Whether you are watching a monitor at IAD, LAX or DFW.  Whether you are deep in analysis of Internet malware metadata or reviewing the latest GEOINT from a UAS.  We are all the same in the mission that gets each one of us out of bed each day: our country's "Operational Risk Management (ORM)."

The Operational Risk Management mission of the U.S. Homeland is vast and encompasses a spectrum of activity, both passive and kinetic.  Digital and physical.  It requires manpower and resources far beyond the capital that many developed countries of the world could to this day comprehend.  There are only a few places across the globe, where a normal citizen would say that the mission and the capital expenditures are worth every dollar and every drop of blood.

Memorial Day in the United States is exactly this:

Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3].

So this weekend as we walk among the headstones and reflect on our colleagues who gave their service and their own lives, we will stand proud.  We understand the risks.  We know why we serve.  In the spotlight or in the shadows.  The tradition and the mission continues...

17 May 2015

Feeling Vulnerable: The Risk of the Unknown...

There are Operational Risk Management (ORM) professionals down range today.  They operate in the shadows continuously in some facet of the OODA Loop.  Whatever the specific mission may be and from most any Lat/Long on the planet, these professionals are paid to "Think-Outside-The-Box," as the cliché says.  What is it that these ORM professionals fear the most?  Feeling vulnerable.

You may have had this feeling in your life at some point.  Whether those early days in high school when the jocks are ganging up on the geeks in between classes or in that special relationship with the opposite sex.  What about all those days, weeks or years when you were aspiring to get that next great job in the organizational hierarchy?

Were you ever politically vulnerable?  When you have the feeling that you are vulnerable, that could have several implications.  Psychologically and physically.  The question has to be asked.  As a person, what is vulnerable?  Your Ego.  Emotions.  Relationship.  Finances.  Health.  Career.  Reputation.  Or even your life, or the lives of people you are charged with to keep safe and secure?

Feeling vulnerable is not what humans like to have swirling around in their head when they go to sleep at night or wake up in the morning.  As an Operational Risk Management (ORM) professional, our job is to experience all of those feelings on a select and continuous basis.  We do this so that we know what impact these feelings will have on us, our family, friends, neighbors and co-workers.  How will each and all of us behave, under each of these special circumstances of vulnerability?

Why do we want to experience and record the behavior of individuals, systems and even the unexpected natural event from mother nature?  So that we can be more predictive and ever more resilient.  This improves our self-confidence and our ability to become more adaptive.  In life and in our chosen vocations, in your local town or the federated state.  In the nation or continent we live. The Operational Risk Management (ORM) professional is forever learning and testing, in order to survive another day.

When the sounds and smells of your particular battlefield have dissipated, or the feelings of the intravenous (IV) needles taped to the inside of your forearm are gone, your vulnerabilities are changing. When the touch of your loved one on your shoulder makes you cry, you realize that you too are now on your way to surviving another day.  Together.

10 May 2015

Metadata: Evidence of Terrorism vs. Crime...

What are the enterprise risks when metadata is legally defined as property?  Operational Risk Management (ORM) professionals are on high alert these days.  The court systems within the EU, and now the United States, are building new cases and establishing new arguments.

As a steward of data and providing oversight on the transparency of how information is tagged, sorted, stored and archived, the ORM professional is right in the middle of the debate.  Metadata relevance is known to those who have been practicing the science and art of digital forensics for years.

Does your organization issue corporate devices for use in the workplace or on the job?  What transparency was provided when the digital device was issued on the use and ownership of the data associated with the device?  How many pages is the "Acceptable Use Policy" at your organization?

These policies on Mobile Device Management (MDM) or Bring Your Own Device (BYOD) are not new, yet they are still evolving.  This is because technology innovation is so far ahead of current legal precedent and court rulings.  The law will always catch up to technology, and now the law is getting to an important milestone.

This however does not change how our adversaries are operating.  The current environment over the relevance of data, or who owns the metadata on our mobile devices, will not change the appetite for those who seek the data or exploit systems to cause failure or destruction.  If all of the laws in our land would stop crime or malicious intent in its tracks, then we could eliminate the entire legal enforcement structure.

The General Counsel and the outside legal teams at your organization are already working to reduce the risk of adverse litigation by employees, partners and customers.  The Chief Privacy Officers (CPO) and Chief Information Security Officers (CISO) are working 24/7 in tandem to operate legally and to ensure the confidentiality, integrity and assurance of metadata across the globe.  Unfortunately they operate in an environment that involves humans, using digital devices.

The legal frameworks are quickly responding to the rising digital crime rate across the globe.  They are wary of the "Asymmetric Warfare" being waged by nation states.  Plaintiff lawyers are now preparing their new privacy and data breach cases on a weekly basis.  Organizations are seeking avenues of "Safe Harbor" by using certain products inside their infrastructure.  Yet will all this stem the tide of the weapons the adversaries are deploying to perpetuate their business or espionage models?

This brings us to a prediction.  We predict the rise of metadata evidence that proves that organizations are the victims of cyber-terrorism, not cyber-crime.  Terrorism, not fraud.  Now the courts and the jury pools will decide what metadata is evidence and what the definition of "Terrorism" is in the cyber realm.  Marketing is a powerful engine to influence buyers.  Buyer beware:
"Last week, the Department of Homeland Security (DHS) certified FireEye under the SAFETY Act, providing their customers protection from lawsuits or claims alleging that the products failed to prevent an act of cyber-terrorism.
The news of the certification was reported by FireEye in a press release, and stipulates that FireEye’s Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform are the two products now on the SAFETY Act approved technologies list."
"The core of this is something we’ve been debating for a while: the definition of terrorism, and whether or not it can apply to cyber-stuffs. The end result looks like a legal get-out-of-jail-free card for businesses that use FireEye, but for that to actually happen, it seems like we’d need a computer-related incident or breach to actually be declared an official 'Act of Terrorism' by the US government."

03 May 2015

Human Behavior: Learning in a New Age of Unreason...

The Human Factors in our organizations continue to be a tremendous challenge.  Operational Risk Management (ORM) has a focus on human behavior because it remains an unpredictable catalyst for substantial loss events in the enterprise.

The decision to trust is an art that is quickly becoming more of a science.  The ability of the human being to use our God-given senses of sight, hearing, touch, smell and even cognitive intuition is just not enough to protect us within our pervasive and expanding digital ecosystem.

Insider information leaks.  Spear phishing.  Intellectual property theft.  Industrial espionage.  You name the vectors involving a human being and you suddenly realize the size and the magnitude of the digital challenge ahead.  The Board of Directors and Executive Management are consistently reminded by the General Counsel about the "Duty of Care" with employees, partners and allies.

So what does all this have to do with the current state of running your organization?  Believe it when we say that you are not spending enough time, or the correct focus of time, changing human behaviors in your enterprise.  Historically, the plaintiff lawyers, the State Attorneys General or the thousands of international "Black Hat" nation state hackers will make you pay, one way or another.

Your favorite Big Four consulting firm will talk to you all day about errors, omissions and fraud.  The Chief Security Officer (CSO) is operating a sophisticated Security Operations Center (SOC) gathering situational awareness on a 24/7 basis.  So why are we continuously amazed and surprised at our own human behavior and what we are capable of doing?

By now, you have been lectured in depth about having a Layered Defense.  You may have even been told you need an "Active Defense".  Are you still testing new tools and corporate training programs to influence the human behaviors that will ultimately defend or compromise your organization?  Do you recognize the acronym MDM?  Are you as well prepared as you could be for tomorrow's digital work day?  In the cockpit, behind the desktop or navigating at night, across an environmentally austere foreign terrain.

Our upbringing and how we were raised by our parents influences each of us, individually.  Even the types of content taught to us by the institutions we attended in our lifetime have some impact.  Who do we trust?  What do we trust?  When do we trust?  Why do we trust?  How do we make our "Trust Decisions"?  Trial and error, alone?

Trial and error to this day is a powerful way to change human behavior.  Yet without the continuous education and training to produce new habits and to reinforce quick and sustained responses, it is futile.  The long term reinforcement of human learning changes behavior, with the right incentives in place.  The correct rewards are necessary for the human being to continue achieving, testing and adjusting to any dynamic environment.  At home, at work or out on the frontier of a new and unfamiliar place.  It is a system.  One that we shall design, engineer and replicate with precision.

So the New Age of Unreason is now our Operational Risk Management (ORM) challenge:
  • First, identify where active learning systems are operating within your organization.  There will be formal systems within your HR or training departments, but where are the informal learning systems located; where are the mentors?  Good and rogue actors will exist.
  • Second, document each of these formal and informal learning systems within the enterprise.
  • Third, catalog the human behaviors that each are influencing to serve your customer and/or to protect the organization.
  • Finally, build an interactive learning systems matrix, so that you have the context you need to redesign, upgrade and fill the gaps as you embark on your new learning mission.
We are reminded of the wisdom of Charles Handy:
"We may not, individually, be able to make the world safer from nuclear war, or to preserve the rain forests better, or to keep the ozone layer intact, but, as I argued in the beginning, it is often the little things of life that matter most, the ways we work and love and play, the ways we relate to people, and the manner in which we spend our days as well as our money.  These things we can affect.  We do not have to accept them as they are.  The Age of Unreason is inevitably going to be something of an exploration, but exploring is at the heart of learning, and of changing and of growing.  This is what I believe, and this is what gives me hope."

25 April 2015

Trust Decisions: Beyond RSA and Our Digital Future...

Trust Decisions are being made every few seconds as we navigate our way across the Internet oceans. After attending the RSA Conference 2015 in San Francisco this past week, there are many unanswered questions for the end users and the industry.  CIOs, CPOs and CISOs across the globe must be in awe of what we have created to try to secure and govern the data flowing through the Internet.

The Operational Risk Management (ORM) landscape at RSA included analytics and forensics, cloud, C-Suite view, data security & privacy, governance risk & compliance, law, mobile security, policy and government and many others.  Walking the North and South Expo Halls at Moscone Center, was an immersion into the complexity and the duplicity of the current state of the information security and privacy ecosystem.

The pursuit of "Digital Trust" is a quest that the human brain is incapable of understanding precisely without the use and aid of our modern computers.  The rulebases are too large and the speed of transactions is too fast for the human brain to process all of the rules simultaneously.  We know why we designed these tools and machines: to augment our human information processing capabilities.

The trust decisions we make to click on a link or download a new app are based upon many factors.  The evolution of the Internet and the trust we have placed in the links across the World Wide Web are now more scrutinized.  The threat of clicking on the wrong link or downloading a malicious file can cost our enterprise hundreds of millions of dollars in losses.

The RSA Conference is more evidence of our continued digital governance failure.  It is also necessary to achieve future progress.  Is it the manifestation of our inability as humans to establish and maintain the trustworthiness of systems and of standards?  The dawn of a new era for making digital "Trust Decisions" is upon us.  How shall we proceed to enable the next generation of the Internet and why?  Over a decade ago, researchers at the USC Information Sciences Institute were on to something:
Traditional trust management solutions [2] do not adequately address dynamic aspects of trust. The pre-configured, coarse and static specification of trust in conventional systems is not consistent with human intuitions of trust [11], an individual’s opinion of another entity that can evolve based on available evidence. Thus, trust relationships evolve over time and require monitoring and reevaluation. The dynamic and temporal nature of VOs (Virtual Organizations) present additional trust management challenges: 
  • temporary, as opposed to long lived, relationships present a major obstacle for trust development, since short term relationships promote “take and run” behavior; 
  • parties may not have pre-existing knowledge about one another, or any prior interactions with one another.
In our massive systems-of-systems and the growing dynamic of virtual environments, "Trust Decisions" are being made at light speed.  The rulebases that are known and the identities and attributions associated with them are constantly changing.

In the next decade and beyond, bringing order to chaos is the ultimate challenge for our industry and our global persistence.  The necessity for nation states to trade and exchange funds in a digital world is paramount.  The barriers to human communication and pervasive language translation are enabled by our digital creativity.  The ability to detect threats and defend ourselves utilizing sophisticated sensors on land and in space, will continue to help preserve our existence.

There are Operational Risk Management (ORM) inventions and new solutions yet undiscovered, that will provide the model and the global standards for making more precise and effective digital trust decisions.  The future is bright...

19 April 2015

Venture Capital: UAS Operational Risk Management...

When technology innovation in the military and clandestine community finally makes its way out to the commercial landscape, venture capital is there to invest.  Operational Risk Management (ORM) is at the center of the strategic capabilities necessary to reach the frontiers of the new markets.  The "Unmanned Aircraft System" (UAS) is now poised to launch new businesses to address new solutions for identified problems of situational awareness.  18 months ago, The Washington Post highlighted the future of the unmanned aerial vehicle (UAV):
As drones evolve from military to civilian uses, venture capitalists move in
By Olga Kharif, Published: November 1, 2013
Commercial drones will soon populate U.S. airspace, and venture capitalists like Tim Draper are placing their bets. 
Draper, an early investor in Hotmail, Skype and Baidu, is now backing DroneDeploy, a start-up that is building software to direct unmanned aircraft on land mapping and the surveillance of agricultural fields. Draper says he even expects drones to one day bring him dinner. 
“Drones hold the promise of companies anticipating our every need and delivering without human involvement,” Draper, 55, wrote in an e-mail. “Everything from pizza delivery to personal shopping can be handled by drones.” 
Venture investors in the United States poured $40.9 million into drone-related start-ups in the first nine months of this year, more than double the amount for all of 2012, according to data provided to Bloomberg News by PricewaterhouseCoopers and the National Venture Capital Association. Drones are moving from the military, where they’ve been used to spy on and kill suspected terrorists, to a range of civilian activities. 
Congress has directed the Federal Aviation Administration to develop a plan to integrate drones into U.S. airspace by 2015 and to move faster on standards for drones weighing less than 55 pounds.
As new commercial businesses invent new ways to adapt the use of a UAS to replace a pilot inside a cockpit, there are tremendous risks.  Simultaneously there are substantial undiscovered opportunities for business and a new generation of UAS pilots.  The commercial decisions that are made to allow the use of a UAS in a particular air space, for a specific type of task or service, will be questioned and made into political television ads.  As Senators, House Representatives, County Supervisors and City Mayors across the United States welcome the use of new automated platforms, the debate will be fierce.  The decisions evermore difficult.

From a business perspective the Operational Risk Management (ORM) strategy is essentially the same whenever a new product is launched.  Yet this debate will start out much differently from the one we had when the Personal Computer or the Cellular Telephone was launched.  Privacy was an afterthought then. Not any longer.

You see, UAS platforms will be information collectors, just as PCs and smartphones are.  So what has changed?  The public has now been more educated on how information can be collected by the businesses who operate these new inventions.  The public better understands how their own personal information may be used for purposes to serve advertisements or optimize a particular information-based service, such as mapping and activity-based intelligence.  They understand how governments may use the information to protect the homeland.

The Venture Capitalist markets for the introduction of UAS technologies have a myriad of Operational Risks, beyond just the privacy debate.  The liability and insurance markets will also be spinning up to address the potential of loss events.  This in itself, will complicate the launch of new products and services to the general public.  So what.  Now turn to the innovations that could be making a difference for mankind.  The marketplace is evidently ready according to this April 14th, 2015 WSJ article:
Chinese consumer drone maker DJI is in talks to raise funding at a valuation as high as $10 billion, according to people familiar with the matter, in what would be a sizable bet by investors that flying robots will overcome looming regulation and safety concerns.
Think about the possibilities.  Think about the ways that a customized UAS could save lives.  Think about how the information collected, with specific sensors may provide new insight.  Think about business decisions beyond those the Venture Capitalists have seen and thought about so far.  The adoption of services, to reduce human intervention and increase efficiency will come first.  But go farther.  Reach beyond these, to unlock how a third dimension of information, perspective, speed and agility may improve our planet.

Think humanitarian.  Think disaster management.  Think ecological. Think about how gaining timely information and applying it to good use, it changes everything.

12 April 2015

Communications Styles: Leadership of Security Risk Professionals...

When you communicate with fellow Operational Risk Management (ORM) colleagues in your organization, what considerations do you take with regard to the other person's communication style?  During any vital crisis communications exchange under extreme levels of stress, whether it be a team of First Responders or JSOC, there is no time or reason to take this into consideration.  This is because a team of this type has trained together for months if not years, in exercises that put them to the test of how to effectively communicate in multidimensional crisis scenarios.  They know how to effectively communicate what needs to happen and when, not how.  These crisis teams have practiced to the point where they know exactly what to do when a real incident occurs.

In the halls of corporations across the globe, the likelihood of a crisis occurring on a daily basis is high. The consequences and type of threat are unknown.  Whether it be a key disruption in the supply chain for a vital component for manufacturing your products or the data leakage of trade secrets to your competition, the crisis scenario involves multiple inside people.  When you engage in information exchange with your colleagues from HR, to IT and the office of the Chief Security Officer, the personalities and communications styles must be taken under consideration.  Why?

Security Risk professionals in the global enterprise who are part of the Crisis Management Team have been selected for specific reasons.  Maybe it is because of their title or position in the organization.  The Vice-President of Human Resources, Chief Risk Officer, VP of Information Technology, Chief Security Officer (CSO), General Counsel, Chief Privacy Officer and even Chief Executive Officer (CEO) are tasked with the ultimate safety and security of the assets of the institution.  They are called upon in times of crisis to be the face to the public and the heads of leadership during and throughout the time frame of the organizational incident.

In order for the leadership of security risk professionals to be more effective in the face of any incident, communications style is a significant factor.  Deep down below the facade of a person's title and the office they command is the DNA and the personality of the individual.  The way they process information and the way that the person expresses themselves in a crisis communications encounter is a vital factor in overall crisis strategy.

How often have you seen the spokesperson from a Fortune 500 company in front of a congressional inquiry, press conference or jury trial answering questions about their organization's or their own behavior?  What evidence do we have of the impact of communications and communications style during the heat of a crisis incident?  So we have to go back to the leadership during a crisis.

The leadership of the crisis team is composed of people with individual personalities.  In the middle of a crisis, those personal styles of communication will become dominant and take over.  Here are the four communications styles:
  • Analytical
  • Driver
  • Amiable
  • Expressive
In addition, the organizational pulse of your organization will be made up of a blend of these individuals and their respective communications proclivities.  What would happen if the whole team was made up of "Drivers" or "Amiables"?  How would the performance of the team be affected by having such an overwhelming number of people who have the same style of communication?

The team will not always have a balanced set of communication styles.  The goal is to assign certain roles or accountability, to the person with the best communications style for the tasks assigned.  Is the CEO always the best person to have as the public spokesperson in the middle of a crisis?  It depends on the type of communications style the CEO possesses and also the amount of media training and experience the individual has already accomplished.  BP five years ago this month is a prime example of this:
ON the night of April 20, 2010 — the early morning hours of April 21 in London — the Macondo well erupted below the Deepwater Horizon in the Gulf of Mexico, ripping through the rig, killing 11 people and creating one of the worst environmental catastrophes in United States history. Tony Hayward was having breakfast in a London hotel when he got the news.
By now the events that followed are well known: the desperate efforts to cap the gushing well; the harrowing collapse in BP’s share price; the government inquiries; the multi-billion-dollar cleanup. On July 27, BP said that Mr. Hayward was out. He was replaced by Robert Dudley, the first American chief executive in BP’s history.
What was Tony Hayward's communications style?  What is Robert W. Dudley's?  While the crisis team at BP was in full security risk mode soon after the blow out, it may have been the "Organizational Pulse" that was in need of a change with new leadership.

The "Leadership of Security Risk Professionals" is as much about detecting and understanding your team's communications styles and diversity as it is about practicing together under extreme duress.  Only then will your team know who is the best person to handle some facet of the crisis incident, and only then will the organizational pulse be headed on the right trajectory.

04 April 2015

Intel Analysis: Executive Risk Fusion Center...

How often do you try to prove that a risk hypothesis is true? Is it possible that each piece of evidence that you collect or information you process is used to try to prove that your hypothesis is correct?

Analysis of executive Operational Risk Intelligence in your corporation is typically being processed within the organizational silos of your enterprise business units. How it is being shared, how often and then how it is being analyzed, compared and used to confirm or refute multiple hypotheses, can make the difference in your corporate business survival.

The ACH methodology developed by Richards J. Heuer, Jr., is a vital component of Operational Risk Management (ORM).  It can be utilized with your internal Executive "Risk Fusion" Center where the Board of Directors, Senior Management and corporate risk directors determine the correct strategic course for the future:
Analysis of Competing Hypotheses (ACH) is a simple model for how to think about a complex problem. It is an analytic process that identifies a complete set of alternative hypotheses, systematically evaluates data that is consistent and inconsistent with each hypothesis, and rejects hypotheses that contain too much inconsistent data. ACH takes you through a process for making well-reasoned, analytical judgments. It is particularly useful for issues that require a careful weighing of alternative explanations of what has happened or is happening. ACH can also be used to provide early warning or help you evaluate alternative scenarios of what might happen in the future. ACH helps you overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult; it helps clarify why analysts are talking past one another and do not understand each other’s interpretation of the data. ACH is grounded in basic insights from cognitive psychology, decision analysis, and the scientific method.
What is the likelihood that the General Manager, Global Security of your enterprise is looking at surveillance information on a rogue employee today to assess workplace threat and to help keep the company safe? Simultaneously, the Chief Information Security Officer (CISO) is analyzing the latest log data from various intrusion systems to determine if the "Advanced Persistent Threat" (APT) has changed its cyber tactics to steal the latest software R & D architecture from the office suite business unit. The Chief Financial Officer (CFO) and Head of Internal Audit are analyzing the latest revenue reports with the Vice-President of Sales & Marketing to determine why the Asia Pacific team has been losing 8 out of 10 business deals in the forecast pipeline.

The likelihood is high. Each is formulating a hypothesis independently of each other and in most cases they will never know that there is a risk related nexus to the entire enterprise. The reason is that your Executive "Risk Fusion" Center does not exist or is unable to analyze competing questions that are being asked about potential areas of concern. So when do you use this approach and the ACH methodology?
Use ACH when the judgment or decision is so important that you can't afford to be wrong. Use it to record and organize relevant evidence prior to making an analytical judgment or decision. Use it to identify and then question assumptions that may be driving your thinking, perhaps without realizing it. Use it when the evidence you are working with may be influenced by denial and deception. Use it when gut feelings are not good enough, and you need a more systematic approach that raises questions you had not thought of. Use it to prevent being surprised by an unforeseen outcome. Use it when an issue is particularly controversial and you want to highlight the precise sources of disagreement. Use it to maintain a record of how and why you reached your conclusion.
The human mind needs modern software analytics, proven cognitive tools and vetted processes of thinking to arrive at the answer. While the answer may not be what you seek, it is the answer to the question, without a doubt. Live with it or discard it. This does not matter. What does matter is that the Executive "Risk Fusion" Center brought together the best of all these operational risk components and whether the human chooses to accept it or ignore it could be our corporate prosperity or peril. What do you think?
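As an added illustration (not code from the original post, nor Heuer's own ACH tooling), the following Python script carries the ACH process described above through on a constructed scenario built from the three silos just mentioned: the hypotheses H1 to H3, the evidence items E1 to E6 and their credibility and relevance weights are all assumptions made for the example. It rates each item of evidence against every hypothesis, ranks the hypotheses by weighted inconsistent evidence (the ACH rule, rather than by how much evidence "supports" each one), and flags which evidence is actually diagnostic.

```python
"""Analysis of Competing Hypotheses (ACH) matrix scorer.

Added worked example: not code from the original post or from Richards
Heuer's own ACH tooling.  It implements the core ACH step the post
describes: rate every item of evidence against every hypothesis as
consistent (C), inconsistent (I) or neutral / not applicable (N), weight
the inconsistencies, and rank the hypotheses by how much weighted
inconsistent evidence each one carries.  The hypotheses, evidence and
weights below are constructed for the example.
"""
from dataclasses import dataclass

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"


@dataclass
class Evidence:
    label: str
    credibility: float      # 0.0 .. 1.0: how much we trust the source
    relevance: float        # 0.0 .. 1.0: how directly it bears on the question
    ratings: dict           # hypothesis -> "C" | "I" | "N"

    @property
    def weight(self) -> float:
        return self.credibility * self.relevance

    def is_diagnostic(self) -> bool:
        # Evidence rated the same way against every hypothesis (for example
        # consistent with all of them) cannot discriminate between them and
        # is non-diagnostic in ACH terms, however credible it is.
        return len(set(self.ratings.values())) > 1


def score(hypotheses, evidence):
    """Return {hypothesis: weighted inconsistency score}; lower is better.

    ACH ranks by inconsistency rather than by supporting evidence, because
    supporting evidence is often consistent with several hypotheses at
    once and therefore proves little on its own.
    """
    scores = {h: 0.0 for h in hypotheses}
    for ev in evidence:
        for h in hypotheses:
            if ev.ratings.get(h, NEUTRAL) == INCONSISTENT:
                scores[h] += ev.weight
    return scores


def rank(hypotheses, evidence):
    """Hypotheses ordered from least to most weighted inconsistent evidence."""
    scores = score(hypotheses, evidence)
    return sorted(hypotheses, key=lambda h: scores[h])


def diagnostic_labels(evidence):
    """Labels of the evidence items that help discriminate between hypotheses."""
    return [ev.label for ev in evidence if ev.is_diagnostic()]


def render_matrix(hypotheses, evidence):
    """Plain-text ACH matrix: one row per evidence item, one column per hypothesis."""
    cols = [h.split(":")[0] for h in hypotheses]          # "H1", "H2", ...
    lines = ["evid  weight " + " ".join(f"{c:>3}" for c in cols)]
    for ev in evidence:
        cells = " ".join(f"{ev.ratings.get(h, NEUTRAL):>3}" for h in hypotheses)
        lines.append(f"{ev.label.split()[0]:<5} {ev.weight:6.2f} {cells}")
    return "\n".join(lines)


# Constructed scenario mirroring the three silos in the post (all invented).
H1 = "H1: an insider is leaking deal terms to a competitor"
H2 = "H2: an external intrusion is exfiltrating pipeline and R&D data"
H3 = "H3: the losses are ordinary competitive pricing pressure"
HYPOTHESES = [H1, H2, H3]

EVIDENCE = [
    Evidence("E1 suspect exported CRM pipeline reports outside their role",
             0.8, 0.9, {H1: "C", H2: "N", H3: "I"}),
    Evidence("E2 IDS shows new command-and-control beaconing from the R&D subnet",
             0.7, 0.8, {H1: "N", H2: "C", H3: "I"}),
    Evidence("E3 competitor undercut bids by amounts matching our internal floor prices",
             0.9, 0.9, {H1: "C", H2: "C", H3: "I"}),
    Evidence("E4 losses are confined to Asia Pacific; other regions unchanged",
             0.9, 0.6, {H1: "C", H2: "I", H3: "C"}),
    Evidence("E5 losses began two quarters before the suspect joined the APAC team",
             0.6, 0.8, {H1: "I", H2: "N", H3: "C"}),
    Evidence("E6 analyst reports a new low-cost entrant in the APAC market",
             0.7, 0.5, {H1: "C", H2: "C", H3: "C"}),   # consistent with all: non-diagnostic
]

if __name__ == "__main__":
    print(render_matrix(HYPOTHESES, EVIDENCE))
    for h, s in score(HYPOTHESES, EVIDENCE).items():
        print(f"{s:5.2f}  {h}")
    print("ranking:", [h.split(":")[0] for h in rank(HYPOTHESES, EVIDENCE)])
    print("diagnostic:", [lab.split()[0] for lab in diagnostic_labels(EVIDENCE)])
```

Note what the matrix exposes that each silo on its own would not: E3 and E6 are consistent with more than one hypothesis, so they cannot decide between the insider and the intrusion explanations, while E5 (timing) is the only item that weighs against the insider hypothesis. That is precisely the sort of cross-silo observation a "Risk Fusion" Center exists to surface, and the matrix also records why the team reached its conclusion.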

29 March 2015

Intellectual Capital: Mentor or Die...

The Operational Risk Management (ORM) associated with the loss of personnel is real. What mechanisms are in place at your organization to ensure that human capital and intellectual capital are being perpetuated? The education of new employees on the processes, systems and core metrics of the business is vital and in many cases an afterthought.

Organizations today that are establishing robust human capital mentorship, education, rotation of duties and continuous training will outlast and surpass the competition at some point. That point could be sooner than you think with Baby Boomer retirement or even an unexpected incident that involves catastrophic loss of life within a unit within your enterprise.

What kind of emphasis do you have on teaching the "Craft" and the "Art" of a profession or set of tasks that are the lifeblood of the business you are in? The apprenticeship model is one that has been lost in the last decade to lean work forces and outsourcing tasks that are deemed non essential to the core operations of the business, or are they?

Whether the internship model or the summer staff is how you find the right mix of people for your organization, you still must go beyond this to create a sustainable program. Each business unit should then be required to take a percentage of each summer's interns to become apprentices in a business unit or even a section of the public-facing organization. There are some leaders at these institutions that realize the risks associated with an aging workforce and the loss of intellectual capital as they retire or go on to another firm for higher pay as a consultant.

Leadership at these enlightened organizations formalizes the ability for units and sections of the business to teach, train, educate and mentor new members of the institution. The understanding that the risk of a loss of personnel is an Operational Risk that can be mitigated through effective human resource capital management and effective staff engagement is the beginning.

Apprenticeship is a system of training a new generation of practitioners of a skill. Apprentices (or in early modern usage "prentices") or protégé

The system of apprenticeship first developed in the later Middle Ages and came to be supervised by craft guilds and town governments. A master craftsman was entitled t (usually a term of seven years), but some would spend time as a journeyman and a significant proportion would never acquire their own workshop.

There are several trades that practice this extensively, such as engineering, carpentry, electrical work, plumbing and other vocations. The whole industry surrounding the medical profession has its specific path, including the residency program as a step towards becoming an M.D. The law profession has its own steps for becoming a J.D. and working your way up to being able to handle a case all on your own, from start to finish.

The concept of transferring the intellectual capital to maintain the "craft" or the "art" of the expert craftsmen or artisan is fading outside the typical union oriented trade groups. Have you seen an apprenticeship program in the core work roles within an Information Technology department? What about the software development teams? And if you really want to determine where you may be most vulnerable in your organization, look no farther than the office of Business Continuity. Do you even have an office of Business Continuity or Crisis Management? What kind of ongoing recruiting is helping to build the expertise and the art of "Continuity of Operations" or "Disaster Preparedness"?

The Business Impact Analysis (BIA) of your organization identified the core areas that are vital to your own survivability. These are exactly where you need to start investing in the development of a set of programs that will teach skills, perpetuate the intellectual knowledge and keep your enterprise from being devastated by a sudden loss of skilled personnel.

There are numerous examples of organizations that have prospered and established chapters all over the globe to promote their particular brand of mentoring, whether it be a business entrepreneur to business entrepreneur or a scientist to another scientist. These by all means are important to keep the spirit of mentorship alive. But it is not enough.

Think deep and hard about how much your organization is mitigating the risk of a loss of personnel and intellectual capital. What are the programs you have in place to actually teach the craft or art that is at the core of the person's job or role on a daily basis? Who is the co-pilot to the First Officer on your flight today? Can one of the flight attendants fly the plane if both pilots are incapacitated for any reason? You get the message...Intellectual Capital x Skills Development = Survivability:

How do firms like Hewlett-Packard, DuPont, Dow Chemical, IBM, and Texas Instruments routinely convert the ideas of their employees into profits that sustain the corporation? How can buyers and sellers calculate the assets of the acquired firm in a merger or acquisition? How can an organization affect the firm's stock price using the leverage of intellectual assets? Identifying a firm's assets, especially its intellectual assets (the proprietary knowledge expressed as a recipe, formula, trade secret, invention, program, or process), has become critical to a company's overall vision and strategic plan and essential in such transactions as stock offerings or mergers.

In the era of the knowledge-based company, where the firm's genius and future lies in its ideas, a firm's collective know-how has become a measurable commodity, and as much a part of its bottom line as the condition of its cash investments, plant, and equipment. Extracting and measuring the real value of knowledge is essential for any corporate head who knows how high the stakes have become for corporate survival in the information age, where the innovative idea is as good as, if not better than, gold!

The Operational Risk associated with the mentoring, apprenticeship and skills training in your organization, is a factor of your Intellectual Capital equation. What is yours?

22 March 2015

Board Directors Perspective: Data Risk Business Process Reengineering...

The ranks of established Fortune 500 companies have been studied in the latest NYSE Corporate Board Member's Annual Directors Survey.  Spencer Stuart asked several telling questions in the Operational Risk Management (ORM) domain and the results may be enlightening:
Corporate Board Member's 12th Annual Director Survey Delves into How Directors Are Managing Some of Today's Most Pressing Issues for Public Companies While Keeping Their Boards Nimble:

This year we received nearly 500 responses from directors who didn’t mind sharing their opinions and comments on these issues. More than 70% came from those who identified themselves as outside directors, and another 20% said they serve as board chair or lead director. Forty-four percent have served on a board for more than 10 years, and another 33% have served five to 10 years. Just over 30% are at companies whose annual revenues are in the $1.1 billion to $5 billion range.

In fact, 55% of the directors we surveyed don’t believe it’s reasonable to expect that a public company board can ever fully get its arms around all the different aspects of risk in the current corporate environment (Figure 1), particularly the newer forms of technology risk like cyber risk and social media risk.
If you think "Social Media Risk" is NOT on the mind of most Boards of Directors these days, you would be correct:

Figure 2

Has Your Board Put Social Media on the Agenda?

Yes - 35%
No - 65%

The Social Media Risk to the enterprise has yet to be clearly defined to the majority of the Directors these days or they need more education on what the risks really are to the company.

If you think in 2015 a majority of the Board of Directors are still unsure about "Cyber Risk" you would also be correct:

Figure 6

How Confident Are You That Your Board Is Adequately Overseeing Cyber Risk?

Very - 15%
Somewhat - 63%
Not Confident - 23%

Roughly 85% of the Directors surveyed are something less than "very confident" in their board's oversight of "Cyber Risk" to the enterprise.  Why?

To quote Spencer Stuart's Report:
Boards must be ready to oversee a myriad of risks, especially those related to cyber security—and the social media realm—which is unfamiliar territory for some current directors (Figure 6). As a result, forward-thinking boards looking to refresh their ranks will want to add members who have technological and social media experience to guide the board in an arena where it is all too easy to make innocent but often damaging corporate blunders. Boards also value directors who have industry, financial, and regulatory experience, our results show.
Unfamiliar territory for Board Members?  Some current directors who are focused on corporate strategy or mergers and acquisitions would certainly not always have the knowledge or understanding of what the real "Operational Risks" are in the cyber and social media categories.  This makes sense.

What about adding new Board Members who have cyber and social media experience?  The enterprise must certainly pivot and adapt to this changing landscape of risks.  Will adding new Board Members make a difference?  Not likely.

There are some who are now advocating a "Presumption of Data Breach" strategy.  Simply put: what are we doing now, given that our enterprise has already been breached?  Instead of: what will we do if we ever have a data breach?  This subtle shift in thinking around the Board Room might move the percentage higher than the 15% who are "very confident" in overseeing their enterprise Cyber Risk today.

What if the Board of Directors had a discussion with management each meeting about what they were doing to contain the breach?  You see, the shift in mindset begins a whole new set of dialogue that is proactive and working on an existing business problem that requires remediation but also new thinking.  Unlike the reactive strategy of waiting until the legal and regulatory rules mandate the admission that a breach has actually occurred.

Finally, what if the enterprise were to embark on a Data Risk Business Process Reengineering (BPR) initiative?  You remember the BPR era from the 90's, right?  Having a "Presumption of Data Breach" strategy should require the complete reengineering of the Data Enterprise Architecture itself.

Is end-to-end encryption the answer?  No.  Is segmentation of the network design the answer?  No.  Are Next-Generation Firewalls the answer?  No.  Is corporate end user education on cyber risks the answer?  No.  Are new rules and legislation the answer?  No.  Is a combination of all of these the answer?  Probably yes.

Data Risk Business Process Reengineering is a topic worthy of discussion at the next Board of Directors Meeting.  Include all the stakeholders.  Allocate the funds and the resources.  Next year the goal will be for 25% of directors to be very confident in the oversight of cyber risk in the Corporate Board Member survey.

In the meantime, the use of encrypted apps will become more pervasive:
Our Privacy Practices, in Brief:

Wickr has to collect some information from you in order to provide our Services to you, but we do so in a highly limited, highly secure way.

We use military-grade encryption. Our encryption is based on 256-bit symmetric AES encryption, RSA 4096 encryption, ECDH521 encryption, transport layer security, and our proprietary algorithm. 
We canʼt see information you give us. Your information is always disguised with multiple rounds of salted, cryptographic hashing before (if) it is transmitted to our servers. Because of this we donʼt know — and canʼt reveal — anything about you or how you use the Wickr App.

Deletion is forever. When you delete a message, or when a message expires, our “secure shredder” technology uses forensic deletion techniques to ensure that your data can never be recovered by us or anyone else.

You own your data. We do not share or sell any data about our users. Period.

15 March 2015

Digital RubiCON: The Fifth Domain...

Operational Risk Management (ORM) is a continuous process in the context of our rapidly expanding corporate environments. What is one example? People traveling to emerging markets to explore new business opportunities or new suppliers that will be connected by high speed Internet connections to the supply chain management system. These boundaries of managing operational risk, have not only expanded, they have become invisible.
Rubicon:

1. a river in N Italy flowing E into the Adriatic

2. (to cross the Rubicon) to take a decisive, irrevocable step
This "Digital Rubicon" before us, taking on a more "Active Defense" in navigating the risk across the international waters of e-commerce, privacy and legal jurisdictions, will forever shape our future. The decisions made on what constitutes an adversarial attack in the cyber domain will not be as clear-cut as they were at the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.

The new digital "Rule Sets" are currently being defined not only by nation states but by the "Non-State" actors who dominate a segment of the global digital domains. The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may work even better in the cyber-centric environment. Corporations are increasingly underestimating the magnitude of the risk, or the speed at which it is approaching their front or back door steps.

The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and Wikileaks-like incidents has everyone on full alert. As the government has outsourced the jobs that would take it too long to execute, or in which the private sector is already the expert, operational risks have begun to soar.

As private sector tasks merge with the requirements of government, the gap between effective risk mitigation and spectacular incidents of failure is perpetuated. Whether it is the failure of people, processes, systems or some other clandestine event doesn't matter. The public-private paradox will continue as long as the two seek some form of symbiosis. The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission critical resource within an unpredictable environment.

Once an organization has determined the vital combination of assets it requires to operate on a daily basis, then it can begin its quest for enabling enterprise resiliency. The problem is, most companies still do not understand these complex relationships within the matrix of their business and therefore remain vulnerable. The only path to gaining that resilient outcome is to finally cross that "Digital Rubicon" and realize that you can no longer control it.

The first step in any remediation program, is first to admit the problem and to accept the fact that it exists. Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust.

"Simply put, Shodan is a search engine. While Google crawls the Internet looking for websites, Shodan is scanning for devices connected to the Internet and recording information about the software running on those devices. What has the press and security professionals worried is that Shodan has revealed wide-scale holes in Internet safety, from somewhat embarrassing privacy oversights to keep-you-up-at-night vulnerabilities in critical infrastructure.

Imagine a building. Now imagine a private detective checking out the building, snooping around the perimeter, noting what security company’s sticker is on the window, what kind of locks are on the doors, what kind of sprinkler system waters the landscaping, what brand of air conditioner is mounted on the roof, what electric company services the smart meter around the back. Now imagine that investigator does the same thing for every office, every home, every school, every factory, power plant, hospital and football stadium and uploads it to a publicly available database. That’s what Shodan does, but with IP addresses. It’s almost like an automated way to digitally case every joint in the world."

07 March 2015

Information Leaks: Risk Of The Data Supply Chain...

There is a well known threat that has been talked about with the Board of Directors behind closed doors for years. This threat is not new to most Operational Risk Management (ORM) professionals, and yet executive management is still in denial that it could happen to us. Have you or someone in your C-Suite ever awakened one morning and wondered how the company's new plans for a merger are now in the published press? What about that new research and development breakthrough that ends up with another company, with a similar process being patented a week or a month ahead of you?

What is the threat? Call it competitive intelligence, economic espionage, press leaks, loose lips or advanced persistent threat (APT), it does not really matter. The threat remains from all those people, rivals, industry peers, countries, states, allies and enemies that are working 24 x 7 x 365 to copy your valuable information and use it for their own advantage. What advantage depends on who obtains the valuable information and how they will eventually use it or sell it.

What is even more fascinating to most subject matter experts is the amount of information that is deliberately created and allowed to be compromised, information that is false, fake and designed to confuse the adversary. So what is it that much of executive management still does not understand about all of this?

The "source" of the vulnerability that is leaking, or allowing the secret or confidential information to be compromised. To this day they are still naive about the potential source. In many cases this source is not even inside their own company or organization. It is somewhere within the organization's data supply chain, but where exactly?

The answer can only be narrowed down if you know precisely where your data and secret or confidential information is collected, transported and stored in the hands of trusted third parties, outside the four walls of your business. That is the remedial first step: creating a definitive map of who has custody of your data through some kind of third party agreement. The agreement could be with any number of key business partners in your data supply chain:

  • Banker
  • Venture Capitalist
  • Accountant
  • Attorney
  • Insurer
  • Internet Service Provider
  • Utility
  • Data Telecom Provider
  • Wireless Telecom Provider
  • Payments Processor
  • Document Custodian or Shredder

This short list is a good place to begin your quest for better understanding where the source of your information leak may be. Now think about this list and ask yourself who might have the most robust set of staff, resources and technology savvy people to keep your data safe. Regardless of the service level agreements or engagement letters in place, who is the most vulnerable on this list?

Even more important may be the question of which one of your data supply chain business partners has the least amount of resources, people and state-of-the-art detection systems for the APT, Zeus and other mechanisms that are exfiltrating your data to another country. When was the last time you asked any of your business partners to walk you into their IT department for a look around with your CIO or CTO?
Believe us when we say that if you get that "Deer in the Headlights" look on your business partner's face, you are in trouble. You can bet that the attackers are not attacking you as much as they are attacking your data supply chain. As an example, if you say in public or in your public filings that your primary outside counsel is the firm "Red, White and Blue," you can be assured that your adversaries will take notice.
You see, your organization may have spent millions or billions on new data centers with the most sophisticated technologies available to counter your cyber adversaries, but how can you be sure that your business data supply chain has done the same? There is only one way to do that, and it is in person and on site. Consider this level of due diligence before handing over your business for the merger and acquisition project, or the development of a vital new component for your new patented product. A model "Request for Information" (RFI) on the business partner's controls and capabilities for securing your sensitive, confidential and secret information shall be the first step requirement.

The second step shall be to get an inventory of what systems your data supply chain partner has in place to mitigate the risk of a data breach. At the top of that list should be the management system that governs all the other hardware and software systems. So even if your business partner says they are using RSA NetWitness or ScoutVision on their corporate networks and Good MDM for their mobile devices, that is not going to be enough.  More from Europol:

A decline of traditional hierarchical criminal groups and networks will be accompanied by the expansion of a virtual criminal underground made up of individual criminal entrepreneurs, which come together on a project-basis and lend their knowledge, experience and expertise as part of a crime-as-a-service business model.

The overarching "Management System" is not about technology. It is not about your favorite eDiscovery or computer forensics guru. It is about the way your business partner trains and educates its people. It is about how those people use relevant business controls to secure your secrets, confidential data and records. Look at their behavior around this topic of "Achieving A Defensible Standard of Care" and you will soon discover whether you have found the most ideal banker, accountant or attorney to entrust with your digital supply chain.
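The two steps above, the custody map (who collects, transports or stores which data) and the inventory of evidence each partner can produce (RFI returned, system inventory, on-site review, a governing management system), are easy to keep as a register and rank. The following is an added example, not code from the original post. The partner names, data assets and the "Custody" register are constructed for illustration; the classification weights and the scoring rule (exposure multiplied by the number of missing evidence items) are assumptions chosen here to put the partner with the most secret data and the least evidence at the top of the on-site visit list.

```python
"""Data supply chain custody map and due-diligence prioritisation.

Added example, not code from the original post. The register below is a
constructed sample; partner names, assets and evidence fields are assumptions.
"""
from dataclasses import dataclass, field

# Assumed weights: secret outranks confidential, which outranks sensitive.
CLASSIFICATION_WEIGHT = {"sensitive": 1, "confidential": 2, "secret": 3}

# The three custody modes named in the post.
CUSTODY_MODES = ("collected", "transported", "stored")

# Evidence a partner can produce, in the order the post suggests obtaining it.
EVIDENCE = ("rfi_returned", "system_inventory", "onsite_review", "management_system")


@dataclass
class Custody:
    partner: str
    asset: str                  # e.g. "M&A term sheet"
    classification: str         # sensitive | confidential | secret
    modes: tuple                # subset of CUSTODY_MODES
    evidence: frozenset = field(default_factory=frozenset)


def custody_map(register):
    """Asset -> sorted list of partners that have custody of it (the 'definitive map')."""
    out = {}
    for c in register:
        out.setdefault(c.asset, set()).add(c.partner)
    return {asset: sorted(partners) for asset, partners in out.items()}


def partner_score(entries):
    """Exposure (classification weight x custody modes, summed over assets),
    scaled by 1 + the number of evidence items the partner has not produced."""
    exposure = sum(CLASSIFICATION_WEIGHT[e.classification] * len(e.modes) for e in entries)
    produced = frozenset().union(*(e.evidence for e in entries))
    gaps = [ev for ev in EVIDENCE if ev not in produced]
    return exposure * (1 + len(gaps)), gaps


def prioritize(register):
    """Partners ordered from most to least in need of an in-person, on-site review."""
    by_partner = {}
    for c in register:
        if c.classification not in CLASSIFICATION_WEIGHT:
            raise ValueError(f"unknown classification {c.classification!r}")
        if not set(c.modes) <= set(CUSTODY_MODES):
            raise ValueError(f"unknown custody mode in {c.modes!r}")
        by_partner.setdefault(c.partner, []).append(c)
    ranked = []
    for partner, entries in by_partner.items():
        score, gaps = partner_score(entries)
        ranked.append({"partner": partner, "score": score, "gaps": gaps})
    return sorted(ranked, key=lambda r: (-r["score"], r["partner"]))


# Constructed sample register (assumed scenario: a firm preparing an acquisition).
SAMPLE_REGISTER = [
    Custody("Outside counsel", "M&A term sheet", "secret", ("transported", "stored"),
            frozenset({"rfi_returned"})),
    Custody("Banker", "M&A term sheet", "secret", ("collected", "transported", "stored"),
            frozenset(EVIDENCE)),
    Custody("Accountant", "Quarterly financials", "confidential", ("stored",),
            frozenset({"rfi_returned", "system_inventory"})),
    Custody("Document shredder", "R&D lab notebooks", "secret", ("transported",),
            frozenset()),
    Custody("Payments processor", "Customer card data", "sensitive", ("collected", "transported"),
            frozenset({"rfi_returned", "system_inventory", "management_system"})),
]

if __name__ == "__main__":
    for asset, partners in custody_map(SAMPLE_REGISTER).items():
        print(f"{asset}: {', '.join(partners)}")
    for row in prioritize(SAMPLE_REGISTER):
        print(f"{row['partner']:<20} score={row['score']:>3} missing={row['gaps']}")
```

With the sample register, the outside counsel (secret data in two custody modes, only an RFI on file) ranks first and the document shredder (secret data, no evidence at all) second, ahead of the banker who holds the same term sheet but has produced every item of evidence. The point of the scoring is that the partner with the most resources is not the one to visit first; the one holding your secrets with the least to show for it is.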