13 April 2014

4D: A Risk Strategy for Business Survival...

Executive Summary

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits. Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result. They do this to obtain their objective.

Here are four key lessons to create a "4D" risk strategy in your enterprise.

Lesson 1 – Deter

The Mission

Deter the attacker from launching a salvo of new threats to compromise your organization's assets. You first have to understand the value of your corporate assets to determine which are the most valuable in the eyes of your adversary. You must make it increasingly difficult for these valuable assets to be attacked or you will find yourself under the constant eye of those who wish to create a significant business disruption.

These attackers are individuals who take on these quests or objectives for several key reasons. They include financial gain, political gain, damage or the simple challenge, status or thrill. It’s your job to create deterrence for each one of these objectives.

The Take Away

In order to effectively deter potential risks to your corporate assets, first you have to understand what they are and how valuable they are in the eyes of each kind of attacker. The more valuable the target, the more deterrence it requires.

Lesson 2 – Detect

The Mission

Detect the use of tools by the attackers. These tools are what they use to assess the vulnerabilities within and throughout the organization. These tools include surveillance, physical attack, information exchange, user commands, scripts or programs, autonomous agents, toolkits, distributed tools or data taps. Some are high tech and most are the craft of social engineers.

The attackers are using a combination of these tools and tactics to exploit corporate vulnerabilities in:
  • Design
  • Implementation
  • Configuration

The Take Away

Just about any significant business disruption can be traced back to the fact that the attacker was able to effectively exploit the organization's defenses using a systematic method and the correct tools. Detection of threats begins by detecting the use of tools. Whether it’s the surveillance of an individual or of a facility. Whether it’s the design of the building or the software code for the E-Commerce system. Whether it’s the implementation of security cameras or the firewall. Whether it’s the configuration of the controls for access to the vault or to the ERP system. You have to continuously detect the use of the attacker's tools and their methods to exploit your vulnerabilities.

Lesson 3 – Defend

The Mission

Defend the target from any actions by the attacker's tools. Targets may include a person, facility, account, process, data, component, computer, Intranet network or Internet. Actions against the target are intended to produce the unauthorized result. Some action categories are labeled:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete

The Take Away

In order to understand how to defend your corporate assets, you have to attack them yourself using a continuous combination of tools and tests. Only then will you find out where your single point of failure lies and where the attacker is going to successfully exploit a vulnerability you didn’t know exists.

Lesson 4 – Document

The Mission

Document the normal so you know when and where there is an unauthorized result. In order for the attacker to obtain their objective, the target must produce this unauthorized result. These might include:
  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources

In order to understand that an attack is actually occurring, normal results have to be documented and a historical trend has to be established. What is normal? How do you know what normal looks and feels like? You document, store, record and analyze what normal is. If you have done this for long enough and across the potential targets the attacker is trying to exploit, then you will know the second an unauthorized result takes place.

The Take Away

Documenting the behavior of people, processes, systems and external events is a vital component of a complete strategy for risk mitigation. Understanding what normal "is" begins with effective documentation and analysis. Many organizations begin to document long after it is too late or as a result of a significant business disruption. Documentation remains a challenge for many, and a task that attackers know is likely to be left undone or behind schedule.


A "4D" Risk Strategy for Business Survival is only effective if it is operating on a continuous basis. You must create the culture and the due diligence to see that it becomes part of the fabric of the organization internally and with outsourced partners or suppliers. Only then will the attacker realize that this combination to deter, detect, defend and document is alive and growing in your enterprise. This is when attackers become discouraged, afraid, uncertain and ultimately ready for a new and less formidable adversary.

"Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result, to obtain their objective. These "4D" lessons should put you on the way to creating a more survivable business."

06 April 2014

Risk Culture: The Root Cause of Business Assurance...

There is a scarcity of enlightened organizations that truly understand the root cause of risk in their enterprise. The business assurance they seek and the Operational Risk Management (ORM) outcomes they receive are in direct proportion to the "Risk Culture Maturity" within the company. This risk culture's maturity is the root cause of why certain kinds of risks exist and what ability the organization has to accept, mitigate or transfer that risk.

A risk culture begins and ends with a human ability to communicate effectively with other humans. The human behaviors associated with communicating risk have everything to do with the ability of one person to know the truth and to tell the other accurately and effectively what the risk is and how it could impact the business. The trouble is, most organizations fail to spend enough time doing exactly that and doing it without fear.

What kind of fear? The fear that by telling your supervisor you might offend them. The fear that by questioning the co-worker about their decision you will alienate them. The fear that by uncovering a fellow worker's risky behaviors to the rest of the team you will jeopardize the overall mission.

The ability or lack of ability of humans to communicate risk factors to each other with the truth and without the fear of judgement or retribution is why you either live or die. This is the reason why your organization continues to flourish or rots from the inside out. You see, the risk management environment in your team, unit, office location or FOB has everything to do with communicating the truth in an effective way.

The risk culture problem is one that continues to rear its ugly head time and time again and exemplifies itself in the published press, or the digital eDiscovery process of modern day litigation. Look back on most any loss event like this and you will see that it could have been addressed or contained, if only humans had communicated effectively about risk(s) to them personally or to the unit. Whether it be a family, a branch office or entire agency of government.

The organizations that survive and are able to outperform their competition are those that understand this reality. Leadership that magnifies the requirement for people to strip away the fear of judgement, retribution, or long term bias and to communicate the reality of what they truly sense as humans will be superior. The risk culture that is truly understood, and that simultaneously monitors people's ability to learn from their mistakes, will continue to outperform and survive in whatever environment it lives in.

Leadership is charged with the state of their organization's culture. The fundamental risk to any organization is that leadership does not recognize this and pays little or no attention to the maturity of their culture to deal with risk and human factors. This begins with the person across the table, by your side in bed or next to you in control of a vehicle, on land, in the air or in the ocean.

It doesn't matter who the leader is. The Founder, CEO or Chief Risk Officer. The Branch Manager, Area Supervisor or Vice-President. The Element Leader, Master Chief or C.O. Mother or Father. Managing the culture of communicating the truth, reality and without judgement begins the process of a risk management entity that will not only survive; it will outperform the perceived opposition.

The "Quiet Professionals" of certain Operational Risk Management firms are enlightened individuals who are multi-dimensional and are comprised of a brain trust of diverse people who have different life experiences. These courageous people must then be engaged in the correct setting and risk culture, with the right combination of business objectives, resources and highly detailed mission outcomes. Only then will the environment they operate in determine who survives the continuous performance evolution.

The root cause of Business Assurance and Resilience is the Risk Culture.

30 March 2014

SMART Objectives: The Catalyst for Resilience...

The past four days participating in Alaska Shield of the National Level Exercise Capstone 2014 are a stark reminder of how far we have come and yet how far we still have to go. Operational Risk Management (ORM) is evolving into a discipline with an overarching set of objectives. The organizations and entities that do not understand the purpose of, and the reason behind, having SMART objectives might need a refresher:
  • Simple
  • Measurable
  • Achievable
  • Realistic
  • Task-oriented

Without "SMART" objectives, any project will continue to strive for a purpose and a relevant set of outcomes. Constituents, stakeholders and various affected employees that intersect with an internal risk mitigation exercise will continuously require coaching on how to base the project on "SMART" objectives.

Next, the stakeholders will require a path forward that includes a building block approach to gaining consensus, agreement and a set of written events that will either be simulated or real. These events comprise a master scenario that the organization will utilize to test a hypothesis or set of operational capabilities. The high reaching outcome is to determine where there are gaps, vulnerabilities and opportunities to improve.

The building blocks approach may include:
  1. Seminars
  2. Workshops
  3. Table Top Exercises
  4. Games

These provide the stakeholders with the opportunity to converge on their respective areas of expertise and integrate them with the overall scenario being developed. However, these are still based upon first identifying the "SMART Objectives" and the application to your particular business, organization, city, state or country.

Taking the foundation of Operational Risk Management and applying a process for evaluation requires a set of standards so all of the respective constituents will be talking and practicing from the same exercise playbook. In the United States this standard is HSEEP or "Homeland Security Exercise and Evaluation Program":

The Homeland Security Exercise and Evaluation Program (HSEEP) is a capabilities and performance-based exercise program that provides a standardized methodology and terminology for exercise design, development, conduct, evaluation, and improvement planning.

The Homeland Security Exercise and Evaluation Program (HSEEP) constitutes a national standard for all exercises. Through exercises, the National Exercise Program supports organizations to achieve objective assessments of their capabilities so that strengths and areas for improvement are identified, corrected, and shared as appropriate prior to a real incident.

Whether your organization is new to doing functional or full-scale exercises doesn't matter. Having a process-oriented model for program management and project management will provide you with the tools and the foundation to achieve newfound learning on where and how to improve your enterprise resilience.

Operational Risk Management professionals are working with an organization or population that is constantly striving to be more resilient. Without testing, without exercising and without the process framework in place to try and achieve measurable objectives, the organization will never gain the vital insight on where and how it can improve rapidly. It will never fully understand where the enemy will try and exploit the weaknesses. The organization will never realize their resilience factor at this point in time.

When was the last time your organization really tested itself, to survive? How long has it been since you re-established the relationships and the trusted connections with your own supply chain? Why has it been that long? There are some elite organizations in the world who understand readiness, and that have learned along the way of their evolution why exercising and a trusted supply chain are critical to their own survival before the next incident occurs:

To become a SEAL in the Naval Special Warfare/Naval Special Operations (NSW/NSO) community, you must first go through what is widely considered to be the most physically and mentally demanding military training in existence. Then comes the tough part: the job of essentially taking on any situation or foe that the world has to offer.

Direct action warfare. Special reconnaissance. Counterterrorism. Foreign internal defense. When there’s nowhere else to turn, Navy SEALs are in their element. Achieving the impossible by way of conditioned response, sheer willpower and absolute dedication to their training, their missions and their fellow spec ops team members.

This analogy to the Navy SEALs demonstrates that preparedness, long before you are asked to test your own resilience, will save lives. Yet there are so many other ways that our planet and the people on it are being tested every day outside of the context of counterterrorism or national defense missions.

"Mother Nature" and the magnitude by which she continues to unleash her strength and in many cases her unrelenting path to destruction (hurricanes, earthquakes, drought, pandemic) makes any organization vulnerable and any population exposed to substantial operational risks:

The IDRN is the official arm of the Starfish Community for responding to disasters around the world. No single organization has the resources to respond to every disaster event, but because of the partnerships within the Starfish Community, members are able to leverage the strength of the entire network to provide meaningful help to those in need.

Every event is different in location, scope and impact. As different Starfish Community members decide whether or not to respond to any single event, those individuals and/or organizations that choose to respond, can pull together and collaborate with other Starfish Community members through the International Disaster Response Network which is often referred to as the IDRN.

Because disaster response conversations are so specific and time-sensitive, the IDRN has its own dedicated website for sharing information and managing collaboration. It can be found online at: www.idrn.info.

When you think about resilience in the context and relevance of the threats before us, we all have to realize that whether it is the National Level Exercise (NLE), US Navy SEALs or the Starfish Community, only SMART objectives will increase our ability to learn, to save lives and allow for the potential survivability of our organizations or impacted populations.

22 March 2014

Information Leaks: Risk Of The Data Supply Chain...

There is a well-known threat that has been talked about with the Board of Directors behind closed doors for years. This threat is not new to most Operational Risk Management (ORM) professionals and yet executive management is still in denial that it could happen to us. Have you or someone in your C-Suite ever awakened one morning and wondered how the company's new plans for a merger are now in the published press? What about that new research and development breakthrough that ends up with another company with a similar process being patented a week or a month ahead of you?

What is the threat? Call it competitive intelligence, economic espionage, press leaks, loose lips or advanced persistent threat (APT), it does not really matter. The threat remains from all those people, rivals, industry peers, countries, states, allies and enemies that are working 24 x 7 x 365 to copy your valuable information and use it for their own advantage. What advantage depends on who obtains the valuable information and how they will eventually use it or sell it.

What is even more fascinating to most subject matter experts is the amount of information that is still created and allowed to be compromised in some way that is false, fake and designed to confuse the adversary. So what is it that much of executive management still does not understand about all of this?

The "source" of the vulnerability that is leaking or allowing the secret or confidential information to be compromised. They still to this day are naive to the potential source. This source is not even inside their own company or organization in many cases. It is within the organization's data supply chain somewhere, but where is it exactly?

The answer is only possible to narrow down, if you absolutely know where your data and secret or confidential information is collected, transported and stored, in the hands of trusted third parties, outside the four walls of your business. That is the remedial first step. Creating a definitive map of who has custody of your data through some kind of third party agreement. The agreement could be with any number of key business partners in your data supply chain:

  • Banker
  • Venture Capitalist
  • Accountant
  • Attorney
  • Insurer
  • Internet Service Provider
  • Utility
  • Data Telecom Provider
  • Wireless Telecom Provider
  • Payments Processor
  • Document Custodian or Shredder

This short list is a good place to begin your quest for better understanding where the source of your information leak may be. Now think about this list and ask yourself who might have the most robust set of staff, resources and technology savvy people to keep your data safe. Regardless of the service level agreements or engagement letters in place, who is the most vulnerable on this list?

Even more important may be the question of which one of your data supply chain business partners has the least amount of resources, people and state-of-the-art detection systems for the APT, Zeus, and other mechanisms that are exfiltrating your data to another country. When was the last time you asked any of your business partners to walk you into their IT department for a look around with your CIO or CTO?

Believe us when we say that if you get that "Deer in the Headlights" look on your business partner's face, you are in trouble. You can bet that the attackers are not attacking you, as much as they are attacking your data supply chain. If you say in public or on your public filings that you have your primary outside counsel firm as "Red, White and Blue," you can be assured that your adversaries will take notice.

You see, just because your organization has spent millions or billions on new data centers with the most sophisticated technologies available to counter your cyber adversaries, how can you be sure that your business data supply chain has done the same? There is only one way to do that and it is in person and on site. You may consider this level of due diligence before handing over your business for the merger and acquisition project or the development of a vital new component for your new patented product. A model "Request for Information" (RFI) on the business partner's controls and capabilities for securing your sensitive, confidential and secret information shall be a first step requirement.

The second step shall be to get an inventory of what systems your data supply chain partner has in place to mitigate the risk of a data breach. At the top of that list should be the management system that governs all the other hardware and software systems. So even if your business partner says they are using RSA NetWitness on their corporate networks and Fixmo MRM for their mobile devices, that is not going to be enough.

The overarching "Management System" is not about technology. It is not about your favorite eDiscovery or computer forensics guru. It is about the way your business partner trains and educates its people. It is about how those people use relevant business controls to secure your secrets, confidential data and records. Look at their behavior around this topic of "Achieving A Defensible Standard of Care" and you will soon discover whether you have found the most ideal banker, accountant or attorney to entrust to your digital supply chain.

16 March 2014

Private Sector Mentoring: Operational Risk Specialists to the Rescue...

The international spectrum of Operational Risk Management (ORM) is playing out before us on a global stage. A Malaysia Airlines 777, missing for over 7 days, is now considered a deliberate act of human behavior, not an accident. Nation states and the airline industry are in full crisis management collaboration. What will happen when it is found, or detected flying on a new route?

A U.S. government agency in the Department of Commerce (NTIA) is transitioning control of the Internet's Domain Name System root zone file to ICANN (Think United Nations of the Internet). Is this international fallout from greater transparency of U.S. Intelligence operations by the National Security Agency (NSA)? Probably not.

And while all of this is distracting our attention, the operational risks associated with volatility on a financial world stage continue to unfold:

International use of the yuan is increasing as China opens up its capital markets. A third of China’s trade will be settled in yuan by 2015 and the currency will be fully convertible within five years, HSBC forecast in a report last year. The yuan surpassed the euro as the world’s second most-popular currency in trade finance in 2013.

What will the future hold for global business commerce and the emerging regions of conflict? Syria. Ukraine. Russia. Iraq. Afghanistan.

KABUL, AFGHANISTAN – In his final address to Afghanistan's parliament Saturday, President Hamid Karzai told the United States its soldiers can leave at the end of the year because his military, which already protects 93 percent of the country, was ready to take over entirely.

So where are the opportunities for U.S. Veterans as they return to the Homeland? As the military goes through its next phase of optimization, reengineering and total quality management, 1.5 million service members will be transitioning to the private sector in the next five years.

This is where our next generation of "Operational Risk Specialists" will come from, to assist us in our most challenging future of global incidents, crisis and humanitarian requirements.

Yet these million men and women will be competing in an economy that is ultra-competitive.  There are however, innovative ways for us to hedge the risks for U.S. veterans as they look for their next mission in the private sector.  The first step is an old and very effective method called mentoring.


  [men-tawr, -ter]
a wise and trusted counselor or teacher.
an influential senior sponsor or supporter.
verb (used without object)
to act as a mentor: She spent years mentoring to junior employees.
verb (used with object)
to act as a mentor to
1740–50;  after Mentor (< Greek Méntōr )

men·tor·ship, noun

1. adviser, master, guide, preceptor.

It would be in the best interest of the private sector in a world that is challenged by so much change, volatility and uncertainty to have a cadre of "Operational Risk Specialists" who are there at a moment's notice. Working 24 x 7 in concert with all critical business functions, to enhance the resilience of the enterprise. Yet it will take thousands of mentors to assist these veterans, as they transition to this important role and mission.

Are you a CxO that relies now on a small team of risk minded people, tasked with your supply chain, personnel security, information security, facilities or even insider incidents?  You are the perfect catalyst to get a new program going at your organization.  Begin the process of identifying and tasking the right people in your organization, to be mentors for the new "Operational Risk Specialists," that you should hire over the next few years.

What would happen if you created a whole new way for you to mentor, hire, mentor, train, mentor and grow a new generation of risk management professionals for your organization? How could the performance and the resiliency of your enterprise improve, with the ongoing mentoring of veterans as they begin to understand the business of the private sector? A different and yet similar environment for the management of operational risks.

Your vision should be to create a "VetAccelerator" for each of your organizational business units.  To engage mentors with new veterans returning and transitioning from over a decade of war.  We have done this before in our U.S. history and it will not be the last.  Let all of us embrace the opportunity to strengthen our business engine and to improve our resilience in the new world order.

Finally, never forget how all of this latest chapter started.  And how it still continues to play out on a daily basis.  Our vigilance is an imperative and veterans will be our "Operational Risk Specialists" for years to come.

09 March 2014

Digital RubiCON: The Fifth Domain...

Operational Risk Management (ORM) is a continuous process in the context of our rapidly expanding corporate environments. What is one example? People traveling to emerging markets to explore new business opportunities or new suppliers that will be connected by high speed Internet connections to the supply chain management system. These boundaries of managing operational risk have not only expanded, they have become invisible.

1. a river in N Italy flowing E into the Adriatic

2. Rubicon, to take a decisive, irrevocable step

This "Digital Rubicon" before us, to take on a more "Active Defense" in navigating the risk across international waters of e-commerce, privacy and legal jurisdictions, will forever shape our future. The decisions made on what constitutes an adversarial attack in the cyber domain will not be as easy as at the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.

The new digital "Rule Sets" are currently being defined by not only nation states but the "Non-State" actors who dominate a segment of the global digital domains. The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may work even better in the cyber-centric environment. Corporations are increasingly underestimating the magnitude of the risk or the speed at which it is approaching their front or back door steps.

The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and Wikileaks-like incidents has everyone on full alert. As the government has outsourced the jobs that will take too long to execute or in which the private sector is already an expert, operational risks have begun to soar.

As the private sector tasks morph with the requirements of government you perpetuate the gap for effective risk mitigation and spectacular incidents of failure. Whether it is the failure of people, processes, systems or some other clandestine event doesn't matter. The public-private paradox will continue as long as the two seek some form of symbiosis. The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission critical resource within an unpredictable environment.

Once an organization has determined the vital combination of assets it requires to operate on a daily basis, then it can begin its quest for enabling enterprise resiliency. The problem is, most companies still do not understand these complex relationships within the matrix of their business and therefore remain vulnerable. The only path to gaining that resilient outcome is to finally cross that "Digital Rubicon" and realize that you no longer can control it.

The first step in any remediation program is to admit the problem and to accept the fact that it exists. Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust.

Simply put, Shodan is a search engine. While Google crawls the Internet looking for websites, Shodan is scanning for devices connected to the Internet and recording information about the software running on those devices. What has the press and security professionals worried is that Shodan has revealed wide-scale holes in Internet safety, from somewhat embarrassing privacy oversights to keep-you-up-at-night vulnerabilities in critical infrastructure.  
Imagine a building. Now imagine a private detective checking out the building, snooping around the perimeter, noting what security company’s sticker is on the window, what kind of locks are on the doors, what kind of sprinkler system waters the landscaping, what brand of air conditioner is mounted on the roof, what electric company services the smart meter around the back. Now imagine that investigator does the same thing for every office, every home, every school, every factory, power plant, hospital and football stadium and uploads it to a publicly available database. That’s what Shodan does, but with IP addresses. It’s almost like an automated way to digitally case every joint in the world.

01 March 2014

RSA Conference 2014: The Aftermath and the Consequences...

The 2014 RSA Conference USA is complete and yet what have we learned? Operational Risk Management (ORM) is still top of mind from the "Board Room" to the back office. The mitigation strategies are permeating the 3rd Party supply chain, as management realizes that operational risks really do exist with partners and suppliers. By now the RSA attendees are reviewing their notes, connecting with people on LinkedIn and sorting the stack of business cards on their desk. Now what?

  • Have some of the largest retailers been the victims of massive data breach hacks? Yes. Have those attendees of the RSA Conference who downloaded the mobile app been exposed to a potential data leak of their information? Yes.
  • Meanwhile, Operational Risks exist far beyond Moscone and San Francisco. Have financial institutions been fined by government regulators over alleged violations of the sale of mortgage securities, that led to the 2008 financial crash? Yes.
  • Have the age old competitive intelligence tactics evolved into full blown "Industrial Espionage" funded and supported by nation states? Yes.
  • Has the polar vortex created a vast economic risk for millions of businesses due to adverse weather? Yes.

And the Operational Risks to your organization will continue, that is for certain. How after a week of RSA can you return to your enterprise and know where to begin? What to change. What new initiative to begin. What new vulnerability to remediate. Don't worry, the list will not be getting any shorter. The priorities however may be changing.

So maybe it is time for a new "Consequence Assessment."  Here are the key variables for the rows of your matrix:
  1. Loss of life:  Likely fatality count.
  2. Economic damage:  Estimated costs of the attack or hazard.
  3. Psychological impact:  Considerations of change in population behavior toward social functions.
Now, the consequence levels become your columns of the matrix:
  • 0 - None or Negligible
  • 1 - Minor
  • 2 - Moderate
  • 3 - Significant
  • 4 - Catastrophic or Severe
In order to make the consequence assessment relevant and applicable to your business size, industry sector and geographic location, you now need to define each of the cells of the matrix.  So as an example, if we go to the matrix cell of Economic Damage / Moderate (2), what is your definition?  In the range of $1 billion to $10 billion.

If you are JPMorgan Chase then this may be the case for a consequence of legal liabilities, due to adverse litigation by the U.S. government in the Madoff case:
JPMorgan Chase has been fined more than $2 billion for violations of the Bank Secrecy Act tied to failure to report suspicious activity related to Bernie Madoff's decades-long, multi-billion dollar Ponzi scheme. Madoff was sentenced in 2009 to 150 years in prison for his deception. 
The fines against Chase were the result of three settlements. A settlement with the U.S. Attorney's Office for the Southern District of New York included a $1.7 billion penalty; a separate settlement with the Office of the Comptroller of the Currency included a $350 million penalty. Additionally, the Treasury Department's Financial Crimes Enforcement Network fined Chase $461 million for BSA-related violations. But FinCEN determined that its fine was satisfied by Chase's payment to the U.S. Attorney of New York.
If you are a mid-level business enterprise in the software industry that develops an "App" for consumers to file their income taxes online, then the metrics will be different for a moderate consequence of "Economic Damage." Your matrix will be entirely different and fine tuned to what is relevant in your industry sector.

The Loss of Life category will be an interesting exercise.  None or Negligible will be zero fatalities. Yet how do you define the difference between minor (1) and moderate (2)?

The Psychological Impact category will span:

0 - None or Negligible = No major change in population behavior; no effects on social functioning
4 - Catastrophic or Severe = Loss of belief in government and institutions; widespread disregard for official instructions; widespread looting and civil unrest

Once you have designed your particular matrix for your size and type of business, the real work begins. You must now begin developing the "Use Cases."  What are the scenarios that you will apply to the exercise that will take place next with the affected stakeholders?

In a generic fashion, you will design specific and customized scenarios that address the major business revenue components of your particular enterprise.  You are imagining an attack or hazard outcome, that impacts that component of your business.  Such as these typical cases:
  • Earthquake destroys data centers
  • Tsunami overcomes nuclear reactors
  • Data hack exposes millions of customers' PII
  • Infectious disease outbreak across work force
  • Government prosecutes for violations of regulatory laws
  • Employee sues company for management harassment
  • New Customer Order Management system launch encounters substantial bugs/failures
After you have cleaned off your desk from a week away at RSA, the work really begins.  Start your new "Consequence Assessment" soon.  Gather senior executives for an off-site for two days to review the new scenarios you have designed.  Get their independent feedback and perception of the variables of your matrix.  Ask your Board of Directors for the resources and budgets to address the outcomes and insights from the exercise.
“Man must be arched and buttressed from within, else the temple will crumble to dust.”
— Marcus Aurelius Antoninus

22 February 2014

Fraud Trends: Hedging Transnational Organized Crime...

The facts and the results of forensic investigations across the cyber domain are telling a significant story.  The question remains, will CxO's take the time to digest and think about what is happening within their Enterprise Risk ecosystem?  Operational Risk Management (ORM) has four key dimensions:

  • People
  • Processes
  • Systems
  • External Events

Each of these dimensions must be looked upon in a holistic and interdependent manner, realizing that they are all indeed interconnected.  One may impact another, or managing risk in some but not others could bring the entire enterprise to its knees.  This is understood.

You are no doubt utilizing a myriad of strategies to deter, detect, defend and document the Operational Risks within your specific industry and associated with the adversaries and regulations pertinent to your business.  So why is this still the state-of-play?
Companies are beginning to change how they think about cybersecurity – viewing it as a business issue, not just an IT issue. Forty-four percent of U.S. organizations that experienced fraud in the past 24 months suffered from cybercrime; and 44 percent of all U.S. respondents indicated they thought it was likely their organization would suffer from cybercrime within the next 24 months. 
Seventy-one percent of U.S. respondents indicated their perception of the risks of cybercrime increased over the past 24 months, rising 10 percent from 2011. U.S. respondents' perception of the risks of cybercrime exceeded the global average by 23 percent. Despite having more to lose, U.S. respondents were generally less aware of the cost of cybercrime: 42 percent of U.S. respondents were unaware of cybercrime's cost to their organizations, compared to 33 percent of global respondents.

Didier Lavion, PwC principal and lead author of the U.S. report, said, "U.S. corporations need to better leverage and implement the computational and analytical power of cybersecurity technologies to help combat the increasing global presence of cybercrime."  --Source:  PwC's Global Economic Crime Survey 2014

The reason that the state-of-play remains in turmoil is the inverse of what the survey is reporting. 29% of U.S. respondents have no perception that the risks of cybercrime have increased over the past 24 months. The 29% who do not perceive this must be in an industry group that is either not connected to the Internet, does not use mobile devices or is using paper and pencils to run its business.
So for the other 71%, the perception of the risks of cybercrime has increased.  Again, what are the business details of these respondents?  What would be interesting is to ask the question:  How many U.S. citizens have been issued a new credit or debit card last year due to fraudulent charges?  Perhaps the 29% are the unbanked population of the U.S. who are not issued cards because they do not participate in the formal banking system?  Unlikely.

Cybercrime analysis needs to go deeper.  As an example, it would be interesting to discover what percent of cyber fraud victims in 2013 currently run a Microsoft-based operating system on their computer? No doubt the highest, due to the vast installed base of Microsoft-based PCs over the years.

Executive Management of companies with over 1000 employees who do not perceive the risk of cybercrime on the rise, may have other more pressing issues.  Labor, raw materials, weather, or other factors that may be impacting their business.  It makes some sense.

Over the next decade, the tide will turn on the motivation to pursue petty cybercrime and fraud.  Not because the laws and enforcement are more effective.  Not necessarily because the fraud opportunity becomes too difficult because of the effectiveness of new technology. Not even because the Microsoft Operating System installed base, dwindles to a minority percentage.  Why?

It is because the best cyber Transnational Organized Crime (TOC) organizations will become allies with nation states or even terrorist non-state actors.  They will be paid much more handsomely and they may not even have to disclose their true identities.  The stakes and the fortunes to be made in TOC are rising.  The cyber domain is now a race for superiority.  The best of these skills and knowledge will come from the "dark side" to start, and at a high premium.  So what are you to do, if you are the CxO of a top Global 500 organization?

Pray longer.  Allocate a treasure chest to invest in your long digital war ahead.  Hedge the risk...
New threat actor: Spanish-speaking attackers targeting government institutions, energy, oil & gas companies and other high-profile victims via cross-platform malware toolkit 
Today Kaspersky Lab’s security research team announced the discovery of “The Mask” (aka Careto), an advanced Spanish-language speaking threat actor that has been involved in global cyber-espionage operations since at least 2007. What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone). 
The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world – from the Middle East and Europe to Africa and the Americas. The main objective of the attackers is to gather sensitive data from the infected systems. Several reasons make us believe this could be a nation-state sponsored campaign.

15 February 2014

Cyber Domain: International Law of Asymmetric Warfare...

The international laws and human understanding of what crosses a "Red Line" are being defined in cyberspace in real-time.  The operations of the Chief Security Officer (CSO) and Chief Information Security Officer (CISO) are now becoming more adaptive.  The Operational Risk Management (ORM) enterprise architecture, will soon call for three standard mission functions:
  • Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.
  • Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect, and respond to network attacks, intrusions, disruptions, or other unauthorized actions that would compromise or cripple defense information systems and networks.
  • Computer Network Exploitation (CNE): Includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.
Computer Network Defense (CND) has been the norm for many organizations and now, that is no longer enough.  Yet before we can determine why we must add CNA and CNE, we had better understand the breadth and depth of the cyber realm.  The "Over-the-Horizon" view of the reality of that domain is rapidly developing into a proactive risk management imperative for Global 500 organizations.  Why?

The non-state actors are organizing and evolving into what could be coined, for the layman, as a modern day "Cyber al-Qaida."  A "Cyber Taliban."  Or even a "Cyber 1st Amendment or 4th Amendment" cadre of affiliated entities.  These digital non-state actors following a set of ideologies, as opposed to a set of true investigative journalists or independent non-partisan watch dogs, are metastasizing at an exponential rate.

This ideology fueled by cyber activism and directed at a particular organization or country, is on a digital battlefield that spans the globe.  It has long been said that the Internet is nothing more than a mirror, of the good and evil in our physical world.  The existence of cyber warriors who are interested in going beyond the goal of financial crimes to kinetic destruction of critical infrastructure, is a well known fact.

Who are these cyber warriors that identify with a movement or cause, that attack the well being of other humans or destroy the property or economic assets of another organization?  They are the same ideologues that have existed long before the Internet.  The difference is that the reach, speed and ubiquitous nature of the digital medium accelerates the threat and the requirement for an effective counter balance.  Putting actual skill sets aside for a moment, the real differentiator has been on a "White Hat" or ethical warrior focus:
Regarding whether there were different rules of armed conflict for cyberwarfare in dealing with states like Iran, versus terror entities like Hamas or al-Qaida, he first noted that while there is “no consensus,” the “US, Israel, England and others” argue that “self-defense” principles justify attacks against terror groups, even if they are not states.  --IDF Col. Sharon Afek-- Article by Yonah Jeremy Bob
The CNA, CND and CNE operations in the digital Global 500 will now employ those individuals who have an ideology that is more directly opposed to the worldview of a "Cyber al-Qaida."  In the long war, the cyber "White Hats" will endure.  The asymmetric warfare of the next decade will encompass operational risk professionals behind the network, who have a different context.  Why? Because they believe in an ideology far more patriotic than their predecessors.  They are the "Quiet Professionals" who have retired from SOCOM active duty and now span the ranks of the corporate private sector.

The international laws of the cyber domain are in play for our prosperity or our peril.

09 February 2014

Intel Analysis: Executive Risk Fusion Center...

How often do you try and prove that a risk hypothesis is true? Is it possible that each piece of evidence that you collect or information you process is utilized to try and prove that your hypothesis is correct?

Analysis of executive Operational Risk Intelligence in your corporation is typically being processed within the organizational silos of your enterprise business units. How it is being shared, how often and then how it is being analyzed, compared and used to confirm or refute multiple hypotheses, can make the difference in your corporate business survival.

The ACH methodology developed by Richards J. Heuer, Jr., is a vital component of your internal Executive "Risk Fusion" Center where the Board of Directors, Senior Management and corporate risk directors determine the correct strategic course for the future:
Analysis of Competing Hypotheses (ACH) is a simple model for how to think about a complex problem. It is an analytic process that identifies a complete set of alternative hypotheses, systematically evaluates data that is consistent and inconsistent with each hypothesis, and rejects hypotheses that contain too much inconsistent data. ACH takes you through a process for making well-reasoned, analytical judgments. It is particularly useful for issues that require a careful weighing of alternative explanations of what has happened or is happening. ACH can also be used to provide early warning or help you evaluate alternative scenarios of what might happen in the future. ACH helps you overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult; it helps clarify why analysts are talking past one another and do not understand each other’s interpretation of the data. ACH is grounded in basic insights from cognitive psychology, decision analysis, and the scientific method.
What is the likelihood that the General Manager, Global Security of your enterprise is looking at surveillance information on a rogue employee today to assess workplace threat and to help keep the company safe? Simultaneously, the Chief Information Security Officer (CISO) is analyzing the latest log data from various intrusion systems to determine if the "Advanced Persistent Threat" (APT) has changed its cyber tactics to steal the latest software R & D architecture from the office suite business unit. The Chief Financial Officer (CFO) and Head of Internal Audit are analyzing the latest revenue reports with the Vice-President of Sales & Marketing to determine why the Asia Pacific team have been losing 8 out of 10 business deals in the forecast pipeline.

The likelihood is high. Each is formulating a hypothesis independently of each other and in most cases they will never know that there is a risk related nexus to the entire enterprise. The reason is that your Executive "Risk Fusion" Center does not exist or is unable to analyze competing questions that are being asked about potential areas of concern. So when do you use this approach and the ACH methodology?
Use ACH when the judgment or decision is so important that you can't afford to be wrong. Use it to record and organize relevant evidence prior to making an analytical judgment or decision. Use it to identify and then question assumptions that may be driving your thinking, perhaps without realizing it. Use it when the evidence you are working with may be influenced by denial and deception. Use it when gut feelings are not good enough, and you need a more systematic approach that raises questions you had not thought of. Use it to prevent being surprised by an unforeseen outcome. Use it when an issue is particularly controversial and you want to highlight the precise sources of disagreement. Use it to maintain a record of how and why you reached your conclusion.
The human mind needs modern software analytics, proven cognitive tools and vetted processes of thinking to arrive at the answer. While the answer may not be what you seek, it is the answer to the question, without a doubt. Live with it or discard it. This does not matter. What does matter is that the Executive "Risk Fusion" Center brought together the best of all these operational risk components and whether the human chooses to accept it or ignore it could be our corporate prosperity or peril. What do you think?

02 February 2014

Future Risk: What is True...

On the dawn of the U.S. Super Bowl XLVIII, Operational Risk Management (ORM) professionals are on edge.  Readiness and contingencies are at their highest level in anticipation of a globally televised event.  The same crisis management environment exists four or more times a year within the confines of the Board Room and Executive suite.

Operating at the "Speed of Business" and effectively managing daily, weekly, and quarterly risk management tasks requires an adaptive and resilient culture.  A culture that has been born and evolved from its Genesis to a daily run rate based upon two main components.  Trust is the first one and to many a given in any high performing environment.  To be able to trust the person to your left and to your right requires many tests.  It builds over time yet it must start with the right elements and be nurtured for it to flourish.

The second component is far more complex.  It requires you to embark on a continuous discipline with yourself and the people to your left and right, to know "What is True."

"What is True" means one set of reality for you and perhaps something different for those around you.  Your mission is to get to a single version and reality of what is true faster than your competition, your adversary or your partner.  Survival will be a factor of your speed to understanding as a team, "What is True" and then your adaptive nature to the consequences of your actions.

Are you accountable for your outcomes?  Have you accepted the consequences of your behavior?  So what does all of this have to do with Operational Risk Management?  It has everything to do with it. The highest-consequence event in any risk matrix is the fact that people do not see themselves or others in a "True" perspective.  They are not operating in reality.

What is your willingness to bring current problems to everyone to dissect, understand and solve?  Those who continue to operate without a proactive problem-solving environment are headed towards disaster.  Surprises.  Being blind-sided.  Never saw it coming.  When you hear people saying these things, you have someone who has not been proactive in the continuous identification of problems and communicating those problems to the team to be solved.

You see, leadership is about continuously testing, designing and improving the process or the product.  The thinkers and the doers, the blueprint and the construction, the designers and the operators must be in a synchronous harmony together.  The "Speed of Business" is the environment and the successful outcome we all seek and is captured in three words.  "What is True."

Ask yourself; how is this movie unfolding compared to the script that was written?  How has the change and the rate of change had consequences?  What have I and my team done to adapt, by changing the design or the people to achieve the mission?  Last fall, on the eve of September 11, Katherine Zimmerman outlined the problem for the United States:
The reality is that despite more than a decade of direct and indirect warfare against the group, al Qaeda continues to be a threat to the United States and its interests. The closure of more than 20 diplomatic posts across the Middle East and North Africa on August 4, 2013, underscores the group’s continued virulence and reach. AQAP, the affiliate from which that threat allegedly emanated, has spearheaded efforts to target the United States using innovative tactics. Its rise in the network was predictable in retrospect, yet America’s strategy did not adjust to effectively counter it. 
Understanding precisely which groups contribute to the al Qaeda network and how they operate within that network will better enable American policymakers and decision makers to develop a comprehensive strategy to defeat al Qaeda. Absent that understanding, the United States will continue to engage in a tactical battle that promises only occasional battleground victories, but no real prospect of winning the war.
"What is True."  As we approach the kick-off of the Super Bowl later today, or the lighting of the Olympic torch in Sochi, Russia the question remains.
(Reuters) - Bomb attacks of the kind that tore through mass transit sites in Russia ahead of the upcoming Sochi Olympics are a top concern of security officials preparing for Sunday's Super Bowl, the head of the New Jersey State Police said on Wednesday.
While law enforcement officials said they were not aware of any specific threats targeting the February 2 National Football League championship in East Rutherford, New Jersey, attacks like those that killed 34 people in two days in Russia late last year are their biggest worry. 
"Of particular concern to us is what was going on overseas in Volgograd in regard to the Sochi Olympics. As you know both of those bombings were targeting mass transit," Rick Fuentes, superintendent of the New Jersey State Police, told reporters. "That is a concern with the mass transit; we've prepared ourselves for it."

Officials have sharply limited parking at MetLife Stadium, where Sunday's game will be played, and expect as many as 30,000 people to arrive by bus or rail. Security screening will start at train stations, where fans will not be able to board stadium-bound trains or buses without tickets to the game, officials said.

25 January 2014

Evidence: True or False On Privacy Apps...

What is a Chief Legal Counsel to do these days about new messenger focused Apps such as Wickr, Silent Circle, or now even Confide?  Operational Risk Management (ORM) is a constant chess match.

The ranks of the deal makers and the Executive Suite who are more concerned about so-called eDiscovery and evidence coming back to haunt them are using these newfound "Privacy Apps."  Buyer beware, and the CxOs should be on the lookout for this new "Operational Risk" trend within the enterprise.

Regardless of whether employees are potentially circumventing corporate communication networks, or using their own personal devices, these new apps are indeed collecting potentially discoverable data:
Confide, Inc. (“Confide”) is pleased to offer you the ability to send and receive encrypted messages (“Messages”) that will self-destruct after a pre-set period of time (the “Service”). We make the Service available to you through a variety of Internet-enabled devices, including smart phones and tablets (collectively, “Devices”). Portions of the Service may also be available to you through our website at getconfide.com (the “Website”).

We provide our Service to you subject to the following Terms of Use, which may be updated by us from time to time without notice to you. By accessing and using the Website or the Service, you acknowledge that you have read, understood, and agree to be legally bound by the terms and conditions of these Terms of Use and the terms and conditions of our Privacy Policy, which is hereby incorporated by reference (collectively, this “Agreement”). If you do not agree to any of these terms, then please do not access or use the Website or the Service.
And this little item in the "Privacy Policy" caught our eye:
5. Geolocational Information
Certain features and functionalities of the Service may be based on your location. In order to provide these features and functionalities, we may – with your consent – collect geolocational information from your mobile Device or wireless carrier and/or certain third-party service providers. Such information is collectively called the “Geolocational Information.” Collection of such Geolocational Information occurs only when the Service is running on your mobile Device.
So since the message is not stored on the corporate server, and it disappears from the App after it is read on the device, does that mean digital forensics on the device are useless?  The answer is, "That depends."

It depends on what you are trying to collect.  It will depend on many aspects of the Operating System (iOS/Android) and whether there is a "forensic wipe" capability for use on the device.  There are dozens of dependencies here. However, is that really the issue at hand?

Off the record communications take place on a daily basis, from "Party A" to "Party B".  Typically this is done verbally.  Now there are a myriad of new phone Apps, that are trying to mimic this same practice using encryption and self-destruct modes.  These provide secure and private communications from digital device-to-device.  What this really is about, is called evidence.
Law. data presented to a court or jury in proof of the facts in issue and which may include the testimony of witnesses, records, documents, or objects.
It may be time for the CxO to educate the enterprise about the use of these new Apps as it pertains to corporate "Off-The-Record" conversations.  The formal or informal method for doing so should include:

1.  A review of the risk of using untested, unauthorized apps for corporate communications.

2.  A dialogue on what is evidence.

3.  A set of "Use Cases" that will illustrate to the potential end users why these apps do not circumvent eDiscovery.

Some may argue that when a subpoena is presented, that there is nothing to hand over.  Are you sure about that?
The cautionary tale that many reference is the case of Hushmail, an encrypted mail service that used to claim that "not even a Hushmail employee with access to our servers can read your encrypted email, since each message is uniquely encoded before it leaves your computer" — words that echo Wickr's own proclamations. Sell tells Mashable that Wickr's "architecture eliminates backdoors; if someone was to come to us with a subpoena, we have nothing to give them." 
As it turned out, Hushmail wasn't so impenetrable. In 2007 it was revealed that, actually, Hushmail could eavesdrop on its users' communications when presented with a court order.

18 January 2014

Fear: The Elements of Prediction...

"Just as some things must be seen to be believed, some must be believed to be seen." "...so one way to reduce risk is to learn what risk looks like." --Gavin De Becker

These words from his book The Gift of Fear remind us of how many people talk about Operational Risk Management (ORM), mitigation and implementing risk controls and don't have any context. In order to truly understand something, you actually have to come face-to-face with it, experience it and feel it.

For every 100 people in your organization, how many are a risk? By that we mean, the factors are high that an individual will do something or be the target of an incident that causes irreversible harm to themselves and/or the institution during their tenure as an employee. The actuaries behind the insurance you purchase for different kinds of hazards or incidents in the workplace could give you some answers here. How likely is it that this kind of event occurs in this industry over the course of one year as an example? Certainly the ratios are known, otherwise the insurance product would not exist to protect you.

Predictive analytics and processing of information to predict what has a high chance of actual occurrence is a whole other matter. In order to be predictive, you have to have actual experience and it has to be so innate that it now becomes more than just an intuition. Some call it "Self-talk" and others a gut feeling but whatever it is, it got there because of your past experience. If it's more powerful than that, now you may just be experiencing something we all know as "Real Fear". You have to realize that when you get that tingle sensation up the back of your neck, you are way beyond self-talk and into a whole new dimension of emotion.

De Becker's elements of prediction can help us figure out the likelihood of a prediction actually occurring:

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the preincident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable, though not necessarily identical, to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?

This OPS Risk professional has realized that these 11 elements exist in many of the risk management methodologies and systems experienced over the years. What is remarkable is how often, time and time again, we see these elements left out, avoided or just plain not utilized in organizations of all sizes and industry sectors.

It's time that CxOs revisit all of these elements in each of the Operational Risk Management (ORM) systems that are in place in their enterprise: from the front door to the intrusion prevention system, in the HR process from interview to termination, and from the training room to the board room.

Predictive analytics is a science that comes in the form of an art. Make sure you have the people who are masters of the art and experts in implementing the science.

11 January 2014

Beware of the Cowboy: Risk Driven by Fear...

Beware of the cowboy. Operational Risk Management (ORM) spans the hazards on the flight deck on the USS Ronald Reagan (CVN 76) or behind enemy lines or even to employee behavior on the front lines of the private sector at Nova Datacom:

WASHINGTON- April 11, 2013—Nova Datacom LLC, a Northern Virginia company, and its former president, Min Jung Cho, pled guilty today to federal charges stemming from their roles in a bribery and kickback scheme involving corrupt public officials from the U.S. Army Corps of Engineers and the Department of the Army, as well as various government contractors. Nova Datacom admitted to paying more than $15 million in bribes to three public officials in return for contracts awarded through the Army Corps of Engineers and the Department of the Army. In addition, Nova Datacom admitted paying more than $790,000 in kickbacks to executives of two companies that channeled government sub-contracts to the firm.

Believe it when we say that people who try to be cowboys in your organization are operating without regard to risk. Now multiply the number of cowboys by the number of people that they surround on their team, who think that this is the way to operate. It doesn't take long to find out that these are the root causes of many of the operational risks in your organization. And it starts out with the basics:
  • Revenue is not booked according to the rules. Products sit in the warehouse, yet revenue ends up on the sales rep's commission report because (s)he had a signed order.
  • Assets are not valued correctly. Bank accounts are not validated to make sure they actually exist, and accounts receivable are inflated.
These are just two of the many facets of occupational fraud that start with a few cowboys who have little regard for managing risk and all the incentives to line their pockets with newfound cash or bonuses.

From Leadership Lessons of the Navy SEALS

The Cowboy
"Neither of us knows if such a thing has ever been tolerated in modern commando teams. Yes, sometimes you need to charge forward. But, there are simply too many potential casualties and too much political currency resting on commando missions to entrust one to a cowboy. Authorization for an operation depends on the accurate calculation of operational risk. This requires an assessment of proven forces ability to perform a task. All this is contrary to the cowboy philosophy of depending on experimentation, pluck, and luck in order to succeed."
"The problem with being a cowboy is that your bosses won't employ you if they can't trust you, and they can't trust you if they don't know what you'll do. And then you're stuck with the reputation."
        --LT. CMDR. Jon Cannon

You might think that the reason is ego or just plain greed. However, the real motive may not be so clear. More than likely, the motive is fear. And that fear is something that grows until it gets to the point of creating harm, loss and destruction. You have to find the cowboys in your organization and you have to follow the mantra of quality gurus from years past, "Drive out Fear".