25 July 2015

C²: Continuous Continuity in the Enterprise...

Many enterprises today understand the myriad potential threats to their people, processes, systems and structures. They stand to be better equipped for sustained continuity.  Business Crisis and Continuity Management (BCCM) is a dynamic change management initiative that requires dedicated resources, funding and auditing.

Certainly the largest organizations realize that the risks are taking on different forms than the standard fire, flood, earthquake and hurricane/twister scenarios. These large catastrophic external loss events have been insured against and the premiums are substantial. What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.

The sources of significant loss events are changing as we speak. Here are a few that should not be overlooked in your Operational Risk Management (ORM) Programs:

· Public perception

· Unethical dealings

· Regulatory or civil action

· Failure to respond to market changes

· Failure to control industrial espionage

· Failure to take account of widespread disease or illness among the workforce

· Fraud

· Exploitation of the 3rd party suppliers

· Failure to establish a positive culture

· Failure in post-employment process to quarantine information assets upon termination of employees

Frankly, corporate directors have their hands full helping executives manage risk and continuity on behalf of the shareholders. The risk management process will someday have as big an impact on the enterprise as other key functions, because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”. A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, is opening the door for a Board of Directors' worst nightmare. These nightmares are “Loss Events” that could have been prevented or mitigated altogether.

Most of the best practices talk about a BCCM plan that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise. As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C², or “Continuous Continuity”.

So what? Boards of Directors have the responsibility to ensure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise. It’s the shareholders' duty to scrutinize which organizations are most adept at “Continuous Continuity” before they invest in their future.

19 July 2015

New Horizons: Commitment to the Long War...

What new technology invention or planetary event will change our way of life forever?  As the sun rises over the water, or the high rise buildings or the dew filled rolling meadows, one can only wonder.  The "New Horizons" streaked past Pluto this week, nine years after its launch and 3 billion miles from Earth.  What other possible achievement is mankind capable of obtaining that provides new knowledge and insight about our origins and our future?

Operational Risk Management (ORM) has been at the core of the New Horizons mission from its genesis, until the day the space probe stops sending us more information.  Over these past nine years the observation and collection of data across our solar system has provided answers to so many questions as we continue our quest for discovery.

Think about that timeline for a minute.  What has your organization accomplished that requires that kind of commitment to ongoing exploration and data analysis?  How would you keep people focused on continuous learning and problem solving, to gain new understanding and perhaps more empathy in your company?  Patience is often hard to find when the boss is asking you what you have produced since yesterday.

There are tremendous challenges to keeping the mission focus in mind, even for nine years and beyond.  Maybe that is why there are term limits on some roles in public offices and as a result elections are necessary every two or four years.  Term limits put priorities in perspective and clarify what should be accomplished first and foremost.

What if you knew when you were going to die?  You knew exactly what would happen when your life ends.  It is written.  How would your thinking change about what is important and what needs to be accomplished tomorrow?

How would you change your way of living and the vision to accomplish the promise of the future, if you did believe the stories of how it would all turn out?  Would you change the way you live your life, while you had the confidence that you would reach that promised place?  What if you had been taught this by trusted colleagues, read about it in sacred books or on the Internet and were assured that it was attainable?  If you would only believe:

Chattanooga, Tennessee (CNN)  A day after gunman Mohammad Youssuf Abdulazeez ended the lives of four Marines and wounded three other people, hundreds in Chattanooga gathered in prayer to mourn their deaths.

There were Christians. There were Muslims. A cross-section of the Tennessee community packed Olivet Baptist Church for the Friday night vigil.

Authorities are trying to figure out why Abdulazeez -- an accomplished student, well-liked peer, mixed martial arts fighter and devout Muslim -- went on the killing spree.

U.S. Attorney Bill Killian said the shootings are being investigated as an "act of domestic terrorism," but he noted the incident has not yet been classified as terrorism.

Reinhold said there is nothing to connect the attacker to ISIS or other international terror groups. Abdulazeez was not on any U.S. databases of suspected terrorists.

He was not known to have been in trouble with the law except for a DUI arrest in April. He apparently was not active on social media -- one of the common ways police investigate terrorism.

One's mind has to flash back to the Boston Marathon bombing and the aftermath of that act of domestic terrorism in the United States.  Was this act of jihad on our U.S. citizens, the promise to the future, painted by people these terrorists trusted and respected?  Was this horrific act in Chattanooga against our military, just another blueprint for what our future holds for homegrown violent extremism (HVE) in America?  More on this from the New York Times:

Officials said there was no indication so far of any links to terrorist groups, leaving them to wonder how a young man with no known history of violence or radicalism turned up Thursday with several weapons, spraying bullets at Americans in uniform. Some “lone wolf” attacks have been carried out by people who had no direct contact with extremist groups, but they were influenced by messages online, like those from the Islamic State urging Muslims to take up arms and attack American military sites.

“This attack raises several questions about whether he was directed by someone or whether there’s enough propaganda out there to motivate him to do this,” said a senior American intelligence official, who spoke on the condition of anonymity because the investigation was still underway.

The Charlie Hebdo attack in Paris was again at a location with meaning to the act of terrorism itself, carried out by two brothers inspired by Al-Qaeda in the Arabian Peninsula (AQAP).  It was a target put on a list by people who have a long-term focus and are able to accomplish their goals, even without a nation state's resources.  The priority for any nation is to continue a long-term view on what domestic terrorism and homegrown violent extremism really mean for a local community, in any country.

What is one of the most rewarding ways to connect with the local First Responder community in your U.S. county?  Look no further than your Community Emergency Response Team (CERT) and also your nearest InfraGard chapter.  As a new "Citizen Soldier" you will need to learn new skills.  You also have to keep yourself aware of the latest natural or asymmetric threats to your particular community, whether it is a geographical city or a virtual domain in cyberspace.  You can make a difference.

"Compassion will cure more sins than condemnation"

-Henry Ward Beecher-

It means a renewed commitment to building more resilience into your community.  From the bottom up, at every family household and small business in the town, city or Metroplex.  Operational Risk Management (ORM) doesn't end when you leave your role at the workplace in the warehouse, the cubicle or the executive office of the CSO, CISO or Chief Risk Officer.

Do you remember how you felt on September 12, 2001?  That uncertainty and the feeling you had, about the welfare of your closest loved ones or neighbors.  This was the catalyst for a 14+ year battle.  Just as the "New Horizons" hurtles millions of miles past Pluto, this commitment to the "Long War" is not over, and probably never will be.

12 July 2015

Data Rupture: The Risk of Over-Classification...

As a result of the latest "data rupture" at the U.S. Office of Personnel Management (OPM), there are several Operational Risk factors.  The issue that most people are focused on is a lack of proper information security controls, or antiquated technologies that have not kept up with the speed of the modern-day asymmetric threat.

However, this is not the primary problem that needs to be resolved.  The problem definition has been discussed in the wings of government for many years.  The root of the discussion is really a personnel hiring process combined with a human resource function.  The next level of the debate has to do with the classification of information.  The process by which certain types and kinds of information are classified at different levels of sensitivity.

In terms of the private sector vetting of an employee for employment vs. the government employee (contractor) it is very similar for non-executive personnel at the "Secret" level of classification.  You could leap to the analogy, that once you move to an executive level in the private sector, you may be vetted more thoroughly including more extensive looks into references, interviews with others and a deep dive into financial affairs.  This is more in line with the "Top Secret" level clearance in the government.

Call it a “data rupture”: Hack hitting OPM affects 21.5 million
Highly personal data from background clearances are a data bonanza to spies.

by Dan Goodin - Jul 9, 2015 6:10pm EDT

Last year's massive hack of the US Office of Personnel Management's security clearance system affected 21.5 million people, including 1.8 million people who didn't apply for a background investigation, officials said Thursday, making it official the breach was the worst in US government history.

The new figure includes most, if not all, of the 4.2 million people the agency previously said were exposed in a separate breach of personnel files. The much larger number resulted from the hack in June or July of last year on the system used to conduct background checks on contractors and other private sector employees, as well as federal workers. Some 1.1 million of the stolen records included applicants' fingerprints. Background checks for people applying with the Central Intelligence Agency weren't affected because that agency conducts its own security clearance investigations.

The tagging of information at the point of creation, inside the walls of the private enterprise or government, is the key problem set.  Then, deciding who needs this information to do their job, and why, is the secondary factor.  We all need information to do our assigned jobs and tasks.  When information is tagged as "For Official Use Only", "Confidential", "Secret" or "Top Secret" in the government, there is a reason.  The Classification system:

The United States government classification system is established under Executive Order 13526, the latest in a long series of executive orders on the topic.[1] Issued by President Barack Obama in 2009, Executive Order 13526 replaced earlier executive orders on the topic and modified the regulations codified to 32 C.F.R. 2001. It lays out the system of classification, declassification, and handling of national security information generated by the U.S. government and its employees and contractors, as well as information received from other governments.[2]

The desired degree of secrecy about such information is known as its sensitivity. Sensitivity is based upon a calculation of the damage to national security that the release of the information would cause. The United States has three levels of classification: Confidential, Secret, and Top Secret. Each level of classification indicates an increasing degree of sensitivity. Thus, if one holds a Top Secret security clearance, one is allowed to handle information up to the level of Top Secret, including Secret and Confidential information. If one holds a Secret clearance, one may not then handle Top Secret information, but may handle Secret and Confidential classified information.

When you work as an employee of a private company, there is a documented personnel hiring process.  The early part of the process in some cases is outsourced to recruiting agencies, just as the government uses contractors to process many of its background investigations.  In both cases, the reason is evident.  Does this person being considered for employment pose a risk to the enterprise?

The purpose of the discussion now is to look at the information.  The tagging of information at its origin.  Whether in the private sector or government.  Who decides what sensitivity to put on the document, picture, video, spreadsheet, text, audio or other data element?  How do you ensure that only people with the correct level of security clearance can view, read or listen to the information? (Access Controls)  Certainly the viewing of the salary levels of all employees inside the private sector company is sensitive and only certain people have the authority and need to see this information.  The assurance of information is critical:  Confidentiality, Integrity and Availability.  No different in the government.  So what is the common thread?

Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).[1]

The failure at OPM is complex and no different than the complexity of the data breach failure at Target Corporation.  Both incidents were and are the basis for case studies in Information Security classes at the academic level.  Each has idiosyncrasies, in terms of the actual data breach methodologies and the tools used by adversaries.  So what?

One has to question the need for so many people to have "Top Secret" security clearances in the government.  When you look at the numbers it is staggering.  It almost seems that the process for hiring good people in the government made it a requirement, that someone have the ability to obtain a "Top Secret" clearance.  Even though the likelihood that this person would ever be exposed to or asked to review "Top Secret" information was low.  The failure is that so many people were required to obtain Top Secret clearances, when it was not really a factor for the job they were doing or would ever do.

Now that the "Chinese hackers" (the so-called suspects) have our SSN, DOB, previous addresses, (same for family members), financial and other references in their database, only time will tell what individuals will be targeted and for what.  So for those "Chinese hackers," here is a news flash:


This is why much of the hiring and background process that is part of the human resources systems is out of sync with the information classification process and what someone needs to do their particular tasks in the enterprise.  The level of security clearance has unfortunately become a badge of acceptance and of perceived importance.  Just look at the number of "LinkedIn profiles" today, where someone openly declares their "particular level of security clearance" with the government.  Why do people do this?

What is part of the solution to the defined problem set?

1.  Thoroughly address the defined problem of over-classification.

2.  Depends on the success of solving #1.

Operational Risk Management (ORM) is about the risk of loss resulting from inadequate or failed processes, people and systems or from external events.

04 July 2015

July 4: Framework for Liberty...

On this July 4, we can reflect.  In 1776, a courageous man named Thomas Jefferson would never know how the United States would endure.  239 years later, the United States of America is a historical example that the entire world studies.  This Republic has certainly changed since the design was created by the "Founding Fathers".

As this Independence Day unfolds across America, our Operational Risk Management (ORM) professionals are on watch.  They are celebrating in spirit and yet also worried, behind the facade of all the weekend's festivities.  Why are so many across the globe in fear of the United States?  What are their motivations for attacking our people and systems; what are they afraid of?

The fabric and infrastructure of our country is more diverse than ever.  The rule of law that governs all citizens is still capable of change, through a documented and proven process.  Change is attainable and civility is alive and well.  The power base of government is held in check by systems designed to give the people a voice.  The United States is a complex invention, and the papers written and agreed upon by Jefferson, Madison, Adams, Franklin and 56 delegates still remain true to the mission.

When you think about the entire design of the system today in your hometown USA parade; look around.  What do you see and hear?  People of all religions and ethnic backgrounds expressing their ability to assemble and show their signs of affiliation.  Playing their own favorite music.  Celebrating their particular favorite American freedom.  Some by the original nation's design and others by the Supreme Court of the United States.

Surrounding all of the expression of these freedoms are those who are on 24/7 watch.  These First Responders are waiting for your call.  Some in uniform and others in the shadows.  Perhaps it is your Mother or Father with Atrial Fibrillation, who may need an EMT at a moment's notice.  Perhaps it is a need for assistance when an armed bandit robs your retail establishment.  Perhaps it is your tip or information that intervenes with those evil-minded people who would attack our churches, public events or even the growing digital infrastructure.

You see, this ecosystem of people operating across America, in pursuit of their own dreams and their daily needs is what many across the world are unable to experience.  Many do not truly understand it, until they have had the chance to experience its feeling for real; to comprehend the emotions of people who are expressing their rights and their liberty.  The United States of America and other nations who are blueprints for democracy, know the vision and understand why it is worth defending at all costs.

"We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness."

27 June 2015

CRO: The Modern Day CISO...

In light of the new clairvoyance in many Board Rooms authorizing management to hire a dedicated CISO, Operational Risk Management (ORM) professionals have to smile.  Some are even laughing out loud.  Why?

Boards of Directors in organizations around the globe are finally waking up to the digital battlefield that has been fought in the information technology trenches since the late 1990s.  Only a very few saw the threat horizon for "Botnet" enabled cyber malware and sophisticated and complex information operations by nation states.  Those organizations that have had a Chief Information Security Officer (CISO) participating in Senior Management for more than a decade are rare.

So what are the attributes of the ideal CISO?  If the Board of Directors is going to find the best person for the role in their organization, they must have a baseline of requirements for the search.  What do they need to know and what do they need to understand about Information Security?  What is the ratio of skills and knowledge that is balanced between technical, business and operational domains? How do you judge the potential CISO's ability to grasp the vast interdependencies in the enterprise with other business processes?

The modern day CISO has certainly evolved since the early 2000s.  The first generation CISOs were hired long before the evolution of the latest NIST Framework, Personally Identifiable Information (PII) definitions and data breach compliance notifications mandated by state and federal agencies.  Now the modern day CISO has all of this as a baseline, yet so much more.  The CISO today needs to really understand Operational Risk Management (ORM), more than ever.

You see, the Board of Directors really needs to understand that the CISO domain within the enterprise does not manage risk or mitigate risk to information assets alone.  Here are just a few of the categories the modern day CISO must have mastered:
  1. Security policy - management direction
  2. Organization of information security - governance of information security
  3. Asset management - inventory and classification of information assets
  4. Human resources security - security aspects for employees joining, moving and leaving an organization
  5. Physical and environmental security - protection of the computer facilities
  6. Communications and operations management - management of technical security controls in systems and networks
  7. Access control - restriction of access rights to networks, systems, applications, functions and data
  8. Information systems acquisition, development and maintenance - building security into applications
  9. Information security incident management - anticipating and responding appropriately to information security breaches
  10. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
  11. Compliance - ensuring conformance with information security policies, standards, laws and regulations
Operational Risk Management (ORM) touches each of these 11 categories and more.  The CISO who understands the interdependencies of these categories and how they intersect with the other senior managers in the enterprise is a key factor.  How do you Plan-Do-Check-Act (P-D-C-A) with the VP of Human Resources?  How do you design "Acceptable Use Policy" and adapt consumer privacy policies with your General Counsel and the legal staff?  How do you coordinate with the Chief Financial Officer (CFO) or the Chief Security Officer (CSO), who is likely to have been on staff for far longer than most of the others?

The modern day CISO, equipped with a substantial understanding and comprehension of Operational Risk Management (ORM), will be able to interface easily with the other senior managers.  They will be able to do this because they have a substantial grasp of enterprise business operations.  They know how to run a business and they know how business is run. They know how to mitigate the risk of loss events within and to the business.  The CISO of the modern day enterprise has the ability to discuss with confidence, the risks associated within every other domain within the enterprise architecture. Why?

It is because the title of the position includes the word, "Information."  Yet maybe the title should not include the word "Security," as this could diminish the roles of risk management.  Risk mitigation. Risk avoidance.  In reality, the CISO should just now become, the "Chief Risk Officer" (CRO).

Information is a given.  It is the lifeblood of the organization.  Each front line manager or director knows they are responsible for the security of their proprietary or sensitive information.  Yet do they understand the "Why" of a holistic approach to mitigating systemic risks within the entire enterprise? Do they truly understand the necessity for a robust counterintelligence program within their global organization?  Do they even realize that their trade secrets and vital research and development formulas are being sold to the highest bidders, in an electronic marketplace designed for transnational organized crime (TOC)?  Do they know how this ecosystem works and why their organization may be the target?

What about the risks to organizational personnel who travel to places on the globe where OSAC has issued travel warnings or security messages to U.S. citizens?  Does the CISO realize the focus of international business operations and the interdependent 3rd party supply chain?

The CISO shall now become the CRO.  The CRO shall be the master of Operational Risk Management (ORM).  Information Security is a given for the future state.  The Board of Directors shall be asking the Executive Recruiters to change the overall requirements for their next addition to senior management, if they haven't already.

21 June 2015

IP Theft: The Erosion of Homeland Security...

"Above all, watch with glittering eyes the whole world around you, because the greatest secrets are always hidden in the most unlikely places. Those who don’t believe in magic will never find it." —Roald Dahl

What is the latest headline to get your attention these past few weeks?  As an Operational Risk Management (ORM) professional you have to be amazed and in shock from several of the global loss incidents.  Was it from the Financial, Technology, Energy or Government sector or just a tragic crime or terrorist event with significant loss of life somewhere?

The people, processes, systems and external events that make up your particular Operational Risk ecosystem are dynamic.  The threats are evolving both in the physical world and even more so in our data-hungry, processor-driven virtual workplace.  You probably can't remember the last time your organization required you to operate the whole day without the use of computer systems; to operate the business in a manual mode over a Saturday in an orchestrated and scenario-driven Business Continuity exercise.

If you can't remember, then as a corporate leader or head of a Board of Directors audit committee you are in denial.  The attitude that your organization will never have a data breach or become the victim of a natural disaster such as an earthquake, flood or hurricane is naive.  What about the rogue "Insider" who has perpetrated an act of industrial espionage or a long term fraud scheme?  The continued theft of Intellectual Property from the United States has been well documented since 2013:

Key Findings
The Impact of International IP Theft on the American Economy

Hundreds of billions of dollars per year.

The annual losses are likely to be comparable to the current annual level of U.S. exports to Asia—over $300 billion. The exact figure is unknowable, but private and governmental studies tend to understate the impacts due to inadequacies in data or scope. The members of the Commission agree with the assessment by the Commander of the United States Cyber Command and Director of the National Security Agency, General Keith Alexander, that the ongoing theft of IP is “the greatest transfer of wealth in history.”

When you really sit down and think about the risk to the Homeland Security of the United States today, this has to be at the top of the list.  The reason is that the "IP Theft" threat is not like ICBMs coming over the horizon suddenly.  This metastasized problem set is eating away at the economic security and our U.S. national security simultaneously.

"While IP theft is not new to the planet, today’s scale of economic impacts—with national security ramifications, international dimensions, significant foreign-state involvement, and inadequacy of legal and policy remedies and deterrents—makes for an unprecedented set of circumstances."
CHAPTER 1: THE NATURE OF THE PROBLEM - The Commission on the Theft of American Intellectual Property

What are the solutions?  The answer is plural because there is no single way to address the magnitude and the severity of the threat.  The security of the U.S. Homeland begins with intelligence.  The degree to which the intelligence gathered, analyzed and shared is capable of being absent of bias is a start.

Homeland Security Intelligence (HSI) is quickly evolving beyond the groupthink of a catastrophic physical terrorist event.  The focus now is on counterintelligence, as much as on counterterrorism and for all of the interdependent connections to the rest of the world.  As your organization begins its next strategic planning cycle or engages in the thought of a continuity of operations exercise you should think wider and deeper.  The survival of your business and organization is dependent upon your internal counterintelligence mechanism.

As one example, take a minute to better understand the diversity of languages being spoken within your organization.  Who are the people within the enterprise who have the fluent ability to speak and to translate English to some other foreign language?  How does your enterprise engage with other countries to conduct international business?  The degree to which you have multiple languages being translated, or utilized for business transactions and necessary for daily operations, is both a risk and an opportunity.

The secrets inside your organization are knowable.  The ability to hedge the Operational Risks to Intellectual Property within your enterprise is greater than you may realize.  The interdependency with U.S. Homeland Security is evident.

13 June 2015

4D: A Risk Strategy for Business Survival...

Executive Summary

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits. Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result. They do this to obtain their objective.

Here are four key lessons to create a "4D" risk strategy in your enterprise.

Lesson 1 – Deter

The Mission

Deter the attacker from launching a salvo of new threats to compromise your organization's assets. You first have to understand the value of your corporate assets to determine which are the most valuable in the eyes of your adversary. You must make it increasingly difficult for these valuable assets to be attacked or you will find yourself under the constant eye of those who wish to create a significant business disruption.

These attackers are individuals who take on these quests or objectives for several key reasons. They include financial gain, political gain, damage or the simple challenge, status or thrill. It’s your job to create deterrence for each one of these objectives.

The Take Away

In order to effectively deter potential risks to your corporate assets, first you have to understand what they are and how valuable they are in the eyes of each kind of attacker. The more valuable the target, the more deterrence it requires.

Lesson 2 – Detect

The Mission

Detect the use of tools by the attackers. These tools are what they use to assess the vulnerabilities within and throughout the organization. These tools include surveillance, physical attack, information exchange, user commands, scripts or programs, autonomous agents, toolkits, distributed tools or data taps. Some are high tech and most are the craft of social engineers.

The attackers are using a combination of these tools and tactics to exploit corporate vulnerabilities in:
  • Design
  • Implementation
  • Configuration

The Take Away

Just about any significant business disruption can be traced back to the fact that the attacker was able to effectively exploit the organization's defenses using a systematic method and the correct tools. Detection of threats begins by detecting the use of tools. Whether it’s the surveillance of an individual or of a facility. Whether it’s the design of the building or the software code for the E-Commerce system. Whether it’s the implementation of security cameras or the firewall. Whether it’s the configuration of the controls for access to the vault or to the ERP system. You have to continuously detect the use of the attacker's tools and their methods to exploit your vulnerabilities.

Lesson 3 – Defend

The Mission

Defend the target from any actions by the attacker's tools. Targets may include a person, facility, account, process, data, component, computer, Intranet network or Internet. Actions against the target are intended to produce the unauthorized result. Some action categories are labeled:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete

The Take Away

In order to understand how to defend your corporate assets, you have to attack them yourself using a continuous combination of tools and tests. Only then will you find out where your single point of failure lies and where the attacker is going to successfully exploit a vulnerability you didn’t know exists.

Lesson 4 – Document

The Mission

Document the normal so you know when and where there is an unauthorized result. In order for the attacker to obtain their objective, the target must produce this unauthorized result. These might include:
  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources

In order to understand that an attack is actually occurring, normal results have to be documented and a historical trend has to be established. What is normal? How do you know what normal looks and feels like? You document, store, record and analyze what normal is. If you have done this for long enough and across the potential targets the attacker is trying to exploit, then you will know the second an unauthorized result takes place.

The Take Away

Documenting the behavior of people, processes, systems and external events is a vital component of a complete strategy for risk mitigation. Understanding what normal "is", begins with effective documentation and analysis. Many organizations begin to document long after it is too late or as a result of a significant business disruption. Documentation remains a challenge for many, and a task that attackers know is likely to be left undone or behind schedule.


A "4D" Risk Strategy for Business Survival is only effective if it is operating on a continuous basis. You must create the culture and the due diligence to see that it becomes part of the fabric of the organization internally and with outsourced partners or suppliers. Only then will the attacker realize that this combination to deter, detect, defend and document is alive and growing in your enterprise. This is when attackers become discouraged, afraid, uncertain and ultimately ready for a new and less formidable adversary.

"Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result, to obtain their objective. These "4D" lessons should put you on the way to creating a more survivable business."

07 June 2015

Startup Risk: Design of ORM Architecture...

How wonderful it would be to be able to redesign our current work culture and the systems that support it.  Only those new startup companies with the two co-founders sitting around the kitchen table have that real luxury.  When should the Operational Risk Management (ORM) framework for this new business entity be developed and staged for implementation?

All too often when a startup company forms its basis for existence, the focus is 100% on the product solutions and the "Go-to-Market" plan.  It isn't until the firm is leasing its first office space that all of a sudden it becomes a reality.  The Operational Risk Management (ORM) components of the company design have been given back burner status.  The viability and the longevity of the business model could be in jeopardy.

Six months later, you might have two dozen employees moving into the new open plan office suite. Do the co-founders and senior management realize the business problem before them?  The culture of the organization is well underway and also what the norms are and what the rules will be. The employees and contingent contractors are operating almost 24 x 7 at this stage to launch new products and establish market presence campaigns.  How could there be any real serious operational risks to consider at this point?

The implementation of the rules-base and the company policies is now a necessary stage of the startup. This is also when the co-founders realize that maybe it is time to start handing over the day-to-day management of the company.  It could even be the time to add the professional CEO and other key executives including the Chief Technology Officer, Chief Financial Officer, General Counsel and Chief Information Officer, Chief Human Capital Officer and the Chief Risk Officer.

The organizational enterprise architecture is now operating in full swing.  These stewards of the new company have a vital and delicate opportunity now.  Will the company build a system-of-systems that is trustworthy?

Will the people interacting within the rule-based environment of the NewCo begin to feel burdened, restricted and even under the magnifying glass?  Or will the new enterprise architecture be so adaptive, so resilient and so capable of predictive behaviors that employees feel free, innovative and capable of operating just as in the early days of the birth of the company?

The Mission

The mission as a co-founder of a new startup is to ensure the survival of the organization.  We all know the failure rate for new companies.  Just ask Dun & Bradstreet for the statistics or even your local Venture Capitalist who is celebrating failures these days.  So beyond just the survival of the NewCo, is the imperative to establish a cultural and operating environment where people feel encouraged, creative and unencumbered to fulfill their job requirements and goals.

The Take Away

Operational Risks are inherent in any new business endeavor.  The earlier the ORM design begins in the company evolution, the more resilient you will ultimately become.  The framework of the system-of-systems, the look and feel of the cultural environment and the end state visions are all at stake.  Take the time and include the expertise to work on the systems foundation of your new enterprise.

Ensure the survivability of the new products and solutions that are so valuable to our economy and our nation.  Embrace Operational Risk Management early in your startup and allow its presence while it preserves all that you have worked for and dreamed of...

31 May 2015

Trust Decisions: Human-to-Human Open Transaction Systems...

"Let us not look back in anger, not forward in fear, but around us in awareness"
-James Thurber-

When you become independent of the core group and the impact of your own bias, a whole new world unfolds before you.  The truth is discovered and the true reality becomes clear.  How often does the Board of Directors convene an emergency meeting as a result of a surprise Operational Risk loss event?

When you start listening to the explanation and you hear words such as "complex" and "3rd parties", this should sound an alert.  From the "Boardroom to the Battlefield" executive management is still flying blind on many fronts.  They have become so risk averse, that in many cases the automated machines have taken over group think with their sophisticated high technology sensors.

Trusted sources from a human perspective are still the basis for vital decision support and monetary transactions.  Human-to-human information transfer via a trusted chain of sources is still thriving.  Trust is at the center of systems for significant transfer of information and assets to this day:

Hawala or Hewala (Arabic: حِوالة‎, meaning transfer), also known as hundi, is an informal value transfer system based on the performance and honour of a huge network of money brokers, primarily located in the Middle East, North Africa, the Horn of Africa, and the Indian subcontinent, operating outside of, or parallel to, traditional banking, financial channels, and remittance systems.

Does the Hawala have an emerging digital variant?  Why is the understanding of a blockchain-enabled digital ledger important in this day and age?  The reason becomes more apparent as we study how it works and where it is being utilized and for what purpose:

Example A
Silk Road was an online black market, best known as a platform for selling illegal drugs. As part of the Dark Web,[7] it was operated as a Tor hidden service, such that online users were able to browse it anonymously and securely without potential traffic monitoring. The website was launched in February 2011; development had begun six months prior.[8][9] Initially there were a limited number of new seller accounts available; new sellers had to purchase an account in an auction. Later, a fixed fee was charged for each new seller account.[10][11]

Example B
NEW YORK, May 11, 2015 (GLOBE NEWSWIRE) -- Nasdaq (Nasdaq:NDAQ) today announced plans to leverage blockchain technology as part of an enterprise-wide initiative. Nasdaq will initially leverage the Open Assets Protocol, a colored coin innovation built upon the blockchain. In its first application expected later this year, Nasdaq will launch blockchain-enabled digital ledger technology that will be used to expand and enhance the equity management capabilities offered by its Nasdaq Private Market platform.

Importantly, the creation of a securities distributed ledger function using blockchain technology will provide extensive integrity, audit ability, governance and transfer of ownership capabilities.

"Utilizing the blockchain is a natural digital evolution for managing physical securities," said Bob Greifeld, CEO, Nasdaq. "Once you cut the apron strings of need for the physical, the opportunities we can envision blockchain providing stand to benefit not only our clients, but the broader global capital markets."

Whether the "Digital Hawala" continues to thrive in the years ahead will depend on several key market issues: transparency, accountability and documentation.  Accurate record keeping.

At the center of this evolving system are two key attributes.  Speed and trust.  That is why you now see the private equity and venture capital community investing in companies such as Ripple Labs:

Ripple Labs (formerly OpenCoin) developed the Ripple protocol. Its team of experienced cryptographers, security experts, distributed network developers, Silicon Valley and Wall Street veterans contributes code to the open-source software and works with financial institutions and payment networks to accelerate the growth of the protocol. The team shepherds a movement to evolve finance so that payment systems are open, secure, constructive and globally inclusive.

"Trust Decisions" are at the heart of the future of trading, decision support and the speed of human knowledge.  The fusion of ancient and modern protocols for global commerce and achieving digital trust is on our doorstep.  Let your awareness begin...

23 May 2015

Memorial Day 2015: The Risk of Service is Understood...

It is Memorial Day weekend in the U.S. and on this final Monday of May 2015, we reflect on this past year.

In order to put it all in context, we looked back 24 months to our 2013 blog post here.  It was only a few weeks since a fellow colleague from Team Rubicon had ended his battle at home, after several tours of duty with AFSOC.  Neil had joined the ranks of those fallen heroes who survive deployment tagging and tracking the enemy in the Hindu Kush.  He was one of the 22 that day in early May that could not defeat the legacy of demons, that he fought each night as he fell deep asleep.

Memorial Day 2015, we honor Neil in Section 60 at Arlington Memorial Cemetery and all those other military members who have defended our freedoms for 238 years.  Simultaneously, we do the same for the "Stars" on the wall in Langley, Va for the officers who have done the same.

Whether you are on the front lines or inside the wire at the FOB.  Whether you are in Tampa, FL, Stuttgart, Germany or Arlington, VA.  Whether you are on your beat cruising the streets of a major metro USA city.  Whether you are watching a monitor at IAD, LAX or DFW.  Whether you are deep in analysis of Internet malware metadata or reviewing the latest GEOINT from a UAS.  We are all the same, in the mission that gets each one of us out of bed each day.  Our country's "Operational Risk Management (ORM)."

The Operational Risk Management mission of the U.S. Homeland is vast and encompasses a spectrum of activity, both passive and kinetic.  Digital and physical.  It requires manpower and resources far beyond the capital that many developed countries of the world could to this day comprehend.  There are only a few places across the globe, where a normal citizen would say that the mission and the capital expenditures are worth every dollar and every drop of blood.

Memorial Day in the United States is exactly this:

Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3].

So this weekend as we walk among the headstones, reflect on our colleagues who gave their service and their own lives, we will stand proud.  We understand the risks.  We know why we serve.  In the spotlight or in the shadows.  The tradition and the mission continues...

17 May 2015

Feeling Vulnerable: The Risk of the Unknown...

There are Operational Risk Management (ORM) professionals down range today.  They operate in the shadows continuously in some facet of the OODA Loop.  Whatever the specific mission may be and from most any Lat/Long on the planet, these professionals are paid to "Think-Outside-The-Box" as the cliche says.  What is it that these ORM professionals fear the most?  Feeling vulnerable.

You may have had this feeling in your life at some point.  Whether those early days in high school when the jocks are ganging up on the geeks in between classes or in that special relationship with the opposite sex.  What about all those days, weeks or years when you were aspiring to get that next great job in the organizational hierarchy?

Were you ever politically vulnerable?  When you have the feeling that you are vulnerable, that could have several implications.  Psychologically and physically.  The question has to be asked.  As a person, what is vulnerable?  Your Ego.  Emotions.  Relationship.  Finances.  Health.  Career.  Reputation.  Or even your life, or the lives of people you are charged with to keep safe and secure?

Feeling vulnerable is not what humans like to have swirling around in their head when they go to sleep at night or wake up in the morning.  As an Operational Risk Management (ORM) professional, our job is to experience all of those feelings on a select and continuous basis.  We do this so that we know what impact these feelings will have on us, our family, friends, neighbors and co-workers.  How will each and all of us behave, under each of these special circumstances of vulnerability?

Why do we want to experience and record the behavior of individuals, systems and even the unexpected natural event from mother nature?  So that we can be more predictive and ever more resilient.  This improves our self-confidence and our ability to become more adaptive.  In life and in our chosen vocations, in your local town or the federated state.  In the nation or continent we live. The Operational Risk Management (ORM) professional is forever learning and testing, in order to survive another day.

When the sounds and smells of your particular battlefield have dissipated, or the feelings of the intravenous (IV) needles taped to the inside of your forearm are gone, your vulnerabilities are changing. When the touch of your loved one on your shoulder makes you cry, you realize that you too are now on your way to surviving another day.  Together.


10 May 2015

Metadata: Evidence of Terrorism vs. Crime...

What are the enterprise risks when metadata is legally defined as property?  Operational Risk Management (ORM) professionals are on high alert these days.  The court systems within the EU and now the United States, are building new cases and establishing new arguments.

As a steward of data and providing oversight on the transparency of how information is tagged, sorted, stored and archived, the ORM professional is right in the middle of the debate.  Metadata relevance is known to those who have been practicing the science and art of digital forensics for years.

Does your organization issue corporate devices for use in the workplace or on the job?  What transparency was provided when the digital device was issued on the use and ownership of the data associated with the device?  How many pages is the "Acceptable Use Policy" at your organization?

These policies on Mobile Device Management (MDM) or Bring Your Own Device (BYOD) are not new, yet they are still evolving.  This is because the technology innovation is so far ahead of the current legal precedent or court rulings.  The law will always catch up to technology and now the law is getting to an important milestone.

This however does not change how our adversaries are operating.  The current environment over the relevance of data, or who owns the metadata on our mobile devices, will not change the appetite for those who seek the data or exploit systems to cause failure or destruction.  If all of the laws in our land would stop crime or malicious intent in its tracks, then we could eliminate the entire legal enforcement structure.

The General Counsel and the outside legal teams at your organization are already working to reduce the risk of adverse litigation by employees, partners and customers.  The Chief Privacy Officers (CPO) and Chief Information Security Officers (CISO) are working 24/7 in tandem to operate legally and to ensure the confidentiality, integrity and assurance of metadata across the globe.  Unfortunately they operate in an environment that involves humans, using digital devices.

The legal frameworks are quickly responding to the rising digital crime rate across the globe.  They are weary of the "Asymmetric Warfare" being waged by nation states.  Plaintiff lawyers are now preparing their new privacy and data breach cases on a weekly basis.  Organizations are seeking avenues of "Safe Harbor" by using certain products inside their infrastructure.  Yet will this all stem the tide of what weapons the adversaries are deploying, to perpetuate their business or espionage models?

This brings us to a prediction.  We predict the rise of metadata evidence that proves that organizations are the victims of cyber-terrorism, not cyber-crime.  Terrorism not fraud.  And the courts and the jury pools will now decide what metadata is evidence and what the definition is of "Terrorism" in the cyber realm.  Marketing is a powerful engine to influence buyers.  Buyer beware:

"Last week, the Department of Homeland Security (DHS) certified FireEye under the SAFETY Act, providing their customers protection from lawsuits or claims alleging that the products failed to prevent an act of cyber-terrorism.
The news of the certification was reported by FireEye in a press release, and stipulates that FireEye’s Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform are the two products now on the SAFETY Act approved technologies list."

"The core of this is something we’ve been debating for a while: the definition of terrorism, and whether or not it can apply to cyber-stuffs. The end result looks like a legal get-out-of-jail-free card for businesses that use FireEye, but for that to actually happen, it seems like we’d need a computer-related incident or breach to actually be declared an official 'Act of Terrorism' by the US government."

03 May 2015

Human Behavior: Learning in a New Age of Unreason...

The Human Factors in our organizations continue to be a tremendous challenge.  Operational Risk Management (ORM) has a focus on human behavior because it remains an unpredictable catalyst for substantial loss events in the enterprise.

The decision to trust is an art that is quickly becoming more of a science.  The ability for the human being to utilize our God-given senses of sight, hearing, touch, smell and even cognitive intuition is just not enough to protect us, within our pervasive and expanding digital ecosystem.

Insider information leaks.  Spear phishing.  Intellectual property theft.  Industrial espionage.  You name the vectors involving a human being and you suddenly realize the size and the magnitude of the digital challenge ahead.  The Board of Directors and Executive Management are consistently reminded by the General Counsel about the "Duty of Care" with employees, partners and allies.

So what does all this have to do with your current state of running your organization?  Believe it when we say, that you are not spending enough time or the correct focus of time changing human behaviors in your enterprise.  Historically, the plaintiff lawyers, the States Attorney General or the thousands of international "Black Hat" nation state hackers will make you pay, one way or another.

Your favorite Big Four consulting firm will talk to you all day about errors, omissions and fraud.  The Chief Security Officer (CSO) is operating a sophisticated Security Operations Center (SOC) gathering situational awareness on a 24/7 basis.  So why are we continuously amazed and surprised at our own human behavior and what we are capable of doing?

By now, you have been lectured in depth about having a Layered Defense.  You may have even been told you need an "Active Defense".  Are you still testing new tools and corporate training programs to influence the human behaviors that will ultimately defend or compromise your organization?  Do you recognize the acronym MDM?  Are you as well prepared as you could be for tomorrow's digital work day?  In the cockpit, behind the desktop or navigating at night, across an environmentally austere foreign terrain.

Our upbringing and how we were raised by our parents influence each of us, individually.  Even the types or the content that is taught to us by the institutions we attended in our lifetime, has some impact.  Who do we trust?  What do we trust?  When do we trust?  Why do we trust?  How do we make our "Trust Decisions"?  Trial and error, alone?

Trial and error to this day is a powerful way to change human behavior.  Yet without the continuous education and training to produce new habits and to reinforce quick and sustained responses, it is futile.  The long term reinforcement of human learning changes behavior, with the right incentives in place.  The correct rewards are necessary for the human being to continue achieving, testing and adjusting to any dynamic environment.  At home, at work or out on the frontier of a new and unfamiliar place.  It is a system.  One that we shall design, engineer and replicate with precision.

So the New Age of Unreason is now our Operational Risk Management (ORM) challenge:
  • First, identify where active learning systems are operating within your organization.  There will be formal systems within your HR or training departments, but where are the informal learning systems located; where are the mentors?  Good and rogue actors will exist.
  • Second, document each of these formal and informal learning systems within the enterprise.
  • Third, catalog the human behaviors that each are influencing to serve your customer and/or to protect the organization.
  • Finally, build an interactive learning systems matrix, so that you have the context you need to redesign, upgrade and fill the gaps as you embark on your new learning mission.

We are reminded of the wisdom of Charles Handy:

"We may not, individually, be able to make the world safer from nuclear war, or to preserve the rain forests better, or to keep the ozone layer intact, but, as I argued in the beginning, it is often the little things of life that matter most, the ways we work and love and play, the ways we relate to people, and the manner in which we spend our days as well as our money.  These things we can affect.  We do not have to accept them as they are.  The Age of Unreason is inevitably going to be something of an exploration, but exploring is at the heart of learning, and of changing and of growing.  This is what I believe, and this is what gives me hope."

25 April 2015

Trust Decisions: Beyond RSA and Our Digital Future...

Trust Decisions are being made every few seconds as we navigate our way across the Internet oceans. After attending the RSA Conference 2015 in San Francisco this past week, there are many unanswered questions for the end users and the industry.  CIOs, CPOs and CISOs across the globe must be in awe of what we have created, to try to secure and govern the data flowing through the Internet.

The Operational Risk Management (ORM) landscape at RSA included analytics and forensics, cloud, C-Suite view, data security & privacy, governance risk & compliance, law, mobile security, policy and government and many others.  Walking the North and South Expo Halls at Moscone Center, was an immersion into the complexity and the duplicity of the current state of the information security and privacy ecosystem.

The pursuit of "Digital Trust" is a quest that the human brain is incapable of precise understanding, without the use and aid of our modern computers.  The rulebases are too large and the speed of transactions is too fast, for the human brain to process all of the rules simultaneously.  We know why we designed these tools and machines, to augment our human information processing capabilities.

The trust decisions we make to click on a link or download a new app are based upon many factors.  The evolution of the Internet and the trust we have placed in the links across the World Wide Web are now more scrutinized.  The threat of clicking on the wrong link or downloading a malicious file can cost our enterprise hundreds of millions of dollars in losses.

The RSA Conference is more evidence of our continued digital governance failure.  It is also necessary to achieve future progress.  Is it the manifestation of our inability as humans to establish and maintain the trustworthiness of systems and of standards?  The dawn of a new era for making digital "Trust Decisions" is upon us.  How shall we proceed to enable the next generation of the Internet and why?  Over a decade ago, researchers at the USC Information Sciences Institute were on to something:

Traditional trust management solutions [2] do not adequately address dynamic aspects of trust. The pre-configured, coarse and static specification of trust in conventional systems is not consistent with human intuitions of trust [11], an individual’s opinion of another entity that can evolve based on available evidence. Thus, trust relationships evolve over time and require monitoring and reevaluation. The dynamic and temporal nature of VOs (Virtual Organizations) present additional trust management challenges:
  • temporary, as opposed to long lived, relationships present a major obstacle for trust development, since short term relationships promote “take and run” behavior;
  • parties may not have pre-existing knowledge about one another, or any prior interactions with one another.

In our massive systems-of-systems and the growing dynamic of virtual environments, "Trust Decisions" are being made at light speed.  The rulebases that are known and the identities and attributions associated with them are constantly changing.

In the next decade and beyond, bringing order to chaos is the ultimate challenge for our industry and our global persistence.  The necessity for nation states to trade and exchange funds in a digital world is paramount.  The barriers to human communication and pervasive language translation are enabled by our digital creativity.  The ability to detect threats and defend ourselves utilizing sophisticated sensors on land and in space, will continue to help preserve our existence.

There are Operational Risk Management (ORM) inventions and new solutions yet undiscovered, that will provide the model and the global standards for making more precise and effective digital trust decisions.  The future is bright...

19 April 2015

Venture Capital: UAS Operational Risk Management...

When technology innovation in the military and clandestine community finally makes its way out to the commercial landscape, venture capital is there to invest.  Operational Risk Management (ORM) is at the center of the strategic capabilities necessary, to accomplish the frontiers of the new markets.  The "Unmanned Aircraft System" (UAS) is now poised to launch new businesses, to address new solutions for identified problems of situational awareness.  18 months ago, The Washington Post highlighted the future of the unmanned aerial vehicle (UAV):

As drones evolve from military to civilian uses, venture capitalists move in
By Olga Kharif, Published: November 1, 2013
Commercial drones will soon populate U.S. airspace, and venture capitalists like Tim Draper are placing their bets. 
Draper, an early investor in Hotmail, Skype and Baidu, is now backing DroneDeploy, a start-up that is building software to direct unmanned aircraft on land mapping and the surveillance of agricultural fields. Draper says he even expects drones to one day bring him dinner. 
“Drones hold the promise of companies anticipating our every need and delivering without human involvement,” Draper, 55, wrote in an e-mail. “Everything from pizza delivery to personal shopping can be handled by drones.” 
Venture investors in the United States poured $40.9 million into drone-related start-ups in the first nine months of this year, more than double the amount for all of 2012, according to data provided to Bloomberg News by PricewaterhouseCoopers and the National Venture Capital Association. Drones are moving from the military, where they’ve been used to spy on and kill suspected terrorists, to a range of civilian activities. 
Congress has directed the Federal Aviation Administration to develop a plan to integrate drones into U.S. airspace by 2015 and to move faster on standards for drones weighing less than 55 pounds.
As new commercial businesses invent new ways to adapt the use of a UAS to replace a pilot inside a cockpit, there are tremendous risks.  Simultaneously, there are substantial undiscovered opportunities for business and a new generation of UAS pilots.  The commercial decisions that are made to allow the use of a UAS in a particular air space, for a specific type of task or service, will be questioned and made into political television ads.  As Senators, House Representatives, County Supervisors and City Mayors across the United States welcome the use of new automated platforms, the debate will be fierce.  The decisions will be ever more difficult.

From a business perspective, the Operational Risk Management (ORM) strategy is essentially the same whenever a new product is launched.  Yet this debate will start out very differently from the one we had when the Personal Computer or the Cellular Telephone was launched.  Privacy was an afterthought then.  Not any longer.

You see, UAS platforms will be information collectors just as PCs and smartphones are.  So what has changed?  The public is now better educated on how information can be collected by the businesses that operate these new inventions.  The public better understands how their own personal information may be used to serve advertisements or optimize a particular information-based service, such as mapping and activity-based intelligence.  They understand how governments may use the information to protect the homeland.

The Venture Capitalist markets for the introduction of UAS technologies have a myriad of Operational Risks beyond just the privacy debate.  The liability and insurance markets will also be spinning up to address the potential of loss events.  This in itself will complicate the launch of new products and services to the general public.  So what?  Now turn to the innovations that could be making a difference for mankind.  The marketplace is evidently ready, according to this April 14th, 2015 WSJ article:
Chinese consumer drone maker DJI is in talks to raise funding at a valuation as high as $10 billion, according to people familiar with the matter, in what would be a sizable bet by investors that flying robots will overcome looming regulation and safety concerns.
Think about the possibilities.  Think about the ways that a customized UAS could save lives.  Think about how the information collected with specific sensors may provide new insight.  Think about business decisions beyond those the Venture Capitalists have seen and thought about so far.  The adoption of services to reduce human intervention and increase efficiency will come first.  But go farther.  Reach beyond these, to unlock how a third dimension of information, perspective, speed and agility may improve our planet.

Think humanitarian.  Think disaster management.  Think ecological.  Think about how gaining timely information and applying it to good use changes everything.

12 April 2015

Communications Styles: Leadership of Security Risk Professionals...

When you communicate with fellow Operational Risk Management (ORM) colleagues in your organization, what considerations do you take with regard to the other person's communications style?  During any vital crisis communications exchange under extreme levels of stress, whether it be a team of First Responders or JSOC, there is no time or reason to take this into consideration.  This is because a team of this type has trained together for months, if not years, in exercises that put them to the test of how to effectively communicate in multidimensional crisis scenarios.  They know how to effectively communicate what needs to happen and when, not how.  These crisis teams have practiced to the point where they know exactly what to do when a real incident occurs.

In the halls of corporations across the globe, the likelihood of a crisis occurring on a daily basis is high.  The consequences and type of threat are unknown.  Whether it be a key disruption in the supply chain for a vital component for manufacturing your products or the data leakage of trade secrets to your competition, the crisis scenario involves multiple inside people.  When you engage in information exchange with your colleagues from HR, IT and the office of the Chief Security Officer, the personalities and communications styles must be taken into consideration.  Why?

Security Risk professionals in the global enterprise who are part of the Crisis Management Team have been selected for specific reasons.  Maybe it is because of their title or position in the organization.  The Vice-President of Human Resources, Chief Risk Officer, VP of Information Technology, Chief Security Officer (CSO), General Counsel, Chief Privacy Officer and even Chief Executive Officer (CEO) are tasked with the ultimate safety and security of the assets of the institution.  They are called upon in times of crisis to be the face to the public and the heads of leadership during and throughout the time frame of the organizational incident.

In order for the leadership of security risk professionals to be more effective in the face of any incident, communications style is a significant factor.  Deep down below the facade of a person's title and the office they command is the DNA and the personality of the individual.  The way they process information and the way that the person expresses themselves in a crisis communications encounter is a vital factor in overall crisis strategy.

How often have you seen the spokesperson from a Fortune 500 company in front of a congressional inquiry, press conference or jury trial answering questions about their organization's or their own behavior?  What kinds of evidence do we have of the impact of communications and communications style during the heat of a crisis incident?  So we have to go back to the leadership during a crisis.

The leadership of the crisis team is comprised of people with individual personalities.  In the middle of a crisis, those personal styles of communication will become dominant and take over.  Here are the four communications styles:
  • Analytical
  • Driver
  • Amiable
  • Expressive
In addition, the organizational pulse of your organization will be made up of a blend of these individuals and their respective communications proclivities.  What would happen if the whole team was made up of "Drivers" or "Amiables"?  How would the performance of the team be affected by having such an overwhelming number of people who have the same style of communication?

The team will not always have a balanced set of communication styles.  The goal is to assign certain roles or accountability, to the person with the best communications style for the tasks assigned.  Is the CEO always the best person to have as the public spokesperson in the middle of a crisis?  It depends on the type of communications style the CEO possesses and also the amount of media training and experience the individual has already accomplished.  BP five years ago this month is a prime example of this:
ON the night of April 20, 2010 — the early morning hours of April 21 in London — the Macondo well erupted below the Deepwater Horizon in the Gulf of Mexico, ripping through the rig, killing 11 people and creating one of the worst environmental catastrophes in United States history. Tony Hayward was having breakfast in a London hotel when he got the news.
By now the events that followed are well known: the desperate efforts to cap the gushing well; the harrowing collapse in BP’s share price; the government inquiries; the multi-billion-dollar cleanup. On July 27, BP said that Mr. Hayward was out. He was replaced by Robert Dudley, the first American chief executive in BP’s history.
What was Tony Hayward's communications style?  What is Robert W. Dudley's?  While the crisis team at BP was in full security risk mode soon after the blowout, it may have been the "Organizational Pulse" that was in need of a change with new leadership.

The "Leadership of Security Risk Professionals" is as much about detecting and understanding your team's communications styles and diversity as it is about practicing together under extreme duress.  Only then will your team know who is the best person to handle some facet of the crisis incident, and only then will the organizational pulse be headed on the right trajectory.

04 April 2015

Intel Analysis: Executive Risk Fusion Center...

How often do you try to prove that a risk hypothesis is true? Is it possible that each piece of evidence that you collect or information you process is utilized to try to prove that your hypothesis is correct?

Analysis of executive Operational Risk Intelligence in your corporation is typically being processed within the organizational silos of your enterprise business units. How it is being shared, how often and then how it is being analyzed, compared and used to confirm or refute multiple hypotheses, can make the difference in your corporate business survival.

The ACH methodology developed by Richards J. Heuer, Jr., is a vital component of Operational Risk Management (ORM).  It can be utilized with your internal Executive "Risk Fusion" Center where the Board of Directors, Senior Management and corporate risk directors determine the correct strategic course for the future:
Analysis of Competing Hypotheses (ACH) is a simple model for how to think about a complex problem. It is an analytic process that identifies a complete set of alternative hypotheses, systematically evaluates data that is consistent and inconsistent with each hypothesis, and rejects hypotheses that contain too much inconsistent data. ACH takes you through a process for making well-reasoned, analytical judgments. It is particularly useful for issues that require a careful weighing of alternative explanations of what has happened or is happening. ACH can also be used to provide early warning or help you evaluate alternative scenarios of what might happen in the future. ACH helps you overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult; it helps clarify why analysts are talking past one another and do not understand each other’s interpretation of the data. ACH is grounded in basic insights from cognitive psychology, decision analysis, and the scientific method.
What is the likelihood that the General Manager, Global Security of your enterprise is looking at surveillance information on a rogue employee today to assess workplace threat and to help keep the company safe? Simultaneously, the Chief Information Security Officer (CISO) is analyzing the latest log data from various intrusion systems to determine if the "Advanced Persistent Threat" (APT) has changed its cyber tactics to steal the latest software R&D architecture from the office suite business unit. The Chief Financial Officer (CFO) and Head of Internal Audit are analyzing the latest revenue reports with the Vice-President of Sales & Marketing to determine why the Asia Pacific team has been losing 8 out of 10 business deals in the forecast pipeline.

The likelihood is high. Each is formulating a hypothesis independently of each other and in most cases they will never know that there is a risk related nexus to the entire enterprise. The reason is that your Executive "Risk Fusion" Center does not exist or is unable to analyze competing questions that are being asked about potential areas of concern. So when do you use this approach and the ACH methodology?
Use ACH when the judgment or decision is so important that you can't afford to be wrong. Use it to record and organize relevant evidence prior to making an analytical judgment or decision. Use it to identify and then question assumptions that may be driving your thinking, perhaps without realizing it. Use it when the evidence you are working with may be influenced by denial and deception. Use it when gut feelings are not good enough, and you need a more systematic approach that raises questions you had not thought of. Use it to prevent being surprised by an unforeseen outcome. Use it when an issue is particularly controversial and you want to highlight the precise sources of disagreement. Use it to maintain a record of how and why you reached your conclusion.
The human mind needs modern software analytics, proven cognitive tools and vetted processes of thinking to arrive at the answer. While the answer may not be what you seek, it is the answer to the question, without a doubt. Live with it or discard it. This does not matter. What does matter is that the Executive "Risk Fusion" Center brought together the best of all these operational risk components. Whether the human chooses to accept the answer or ignore it could mean our corporate prosperity or peril. What do you think?
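The three siloed analyses described above can be placed in a single ACH matrix. The following is an added example, not code from Heuer or from any ACH tool: the hypotheses, the evidence rows, the rating penalties, the credibility weights and the rejection threshold are all constructed assumptions. It scores each hypothesis by the evidence against it, flags evidence that cannot separate the hypotheses, and finds the items the conclusion depends on.

```python
from dataclasses import dataclass

# ACH counts evidence AGAINST each hypothesis: consistent (C, CC) and
# neutral (N) ratings add nothing; inconsistent (I, II) ratings add penalty.
PENALTY = {"CC": 0.0, "C": 0.0, "N": 0.0, "I": 1.0, "II": 2.0}
CREDIBILITY = {"low": 0.5, "medium": 1.0, "high": 2.0}  # assumed weights

HYPOTHESES = {  # constructed for this example
    "H1": "Three unrelated events in separate business units",
    "H2": "An insider is passing R&D and sales data to a competitor",
    "H3": "An external intrusion is taking R&D and sales data",
}

@dataclass
class Evidence:
    silo: str         # which executive's team holds the item
    text: str
    credibility: str  # key into CREDIBILITY
    ratings: dict     # hypothesis id -> key into PENALTY

def ev(silo, text, cred, h1, h2, h3):
    return Evidence(silo, text, cred, {"H1": h1, "H2": h2, "H3": h3})

MATRIX = [  # constructed sample evidence, one row per item
    ev("Global Security", "Employee badges into R&D lab after hours", "medium", "N", "C", "N"),
    ev("CISO", "Outbound transfers from R&D servers to unknown host", "high", "I", "C", "CC"),
    ev("CFO/Audit", "Lost APAC bids undercut narrowly by one rival", "high", "II", "C", "C"),
    ev("CISO", "Transfers continued while the employee was on leave", "high", "N", "II", "C"),
    ev("Global Security", "Employee has no account on the sales forecast system", "medium", "N", "I", "N"),
    ev("CISO", "Endpoint sweep of R&D found no malware", "medium", "C", "C", "I"),
    ev("CFO/Audit", "Quarter-end revenue report was filed late", "low", "N", "N", "N"),
]

def scores(matrix):
    """Weighted inconsistency score per hypothesis (lower is stronger)."""
    return {h: sum(PENALTY[e.ratings[h]] * CREDIBILITY[e.credibility] for e in matrix)
            for h in HYPOTHESES}

def leaders(matrix):
    """Hypotheses with the least evidence against them."""
    s = scores(matrix)
    return {h for h, v in s.items() if v == min(s.values())}

def rejected(matrix, threshold):
    """Hypotheses carrying more inconsistent evidence than the threshold."""
    return sorted(h for h, v in scores(matrix).items() if v > threshold)

def non_diagnostic(matrix):
    """Items rated the same for every hypothesis: they cannot separate them."""
    return [e.text for e in matrix if len(set(e.ratings.values())) == 1]

def linchpins(matrix):
    """Items whose removal changes which hypotheses lead."""
    base = leaders(matrix)
    return [e.text for i, e in enumerate(matrix)
            if leaders(matrix[:i] + matrix[i + 1:]) != base]

if __name__ == "__main__":
    for h, v in sorted(scores(MATRIX).items(), key=lambda kv: kv[1]):
        print(f"{h} {v:4.1f}  {HYPOTHESES[h]}")
    print("rejected at 5.5:", rejected(MATRIX, 5.5))
    print("non-diagnostic:", non_diagnostic(MATRIX))
    print("linchpin evidence:", linchpins(MATRIX))
```

The linchpin row comes from the CISO's silo, yet it is what separates the insider hypothesis held by Global Security from the intrusion hypothesis; no single silo's matrix would surface that dependency.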

29 March 2015

Intellectual Capital: Mentor or Die...

The Operational Risk Management (ORM) associated with the loss of personnel is real. What mechanisms are in place at your organization to ensure that human capital and intellectual capital are being perpetuated? The education of new employees on the processes, systems and core metrics of the business is vital and in many cases an afterthought.

Organizations today that are establishing robust human capital mentorship, education, rotation of duties and continuous training will outlast and surpass the competition at some point. That point could be sooner than you think with Baby Boomer retirement or even an unexpected incident that involves catastrophic loss of life within a unit of your enterprise.

What kind of emphasis do you have on teaching the "Craft" and the "Art" of a profession or set of tasks that are the lifeblood of the business you are in? The apprenticeship model is one that has been lost in the last decade to lean work forces and outsourcing tasks that are deemed non essential to the core operations of the business, or are they?

Whether the internship model or the summer staff is how you find the right mix of people for your organization, you still must go beyond this to create a sustainable program. Each business unit should then be required to take a percentage of each summer's interns as apprentices in a business unit or even a section of the public facing organization. There are some leaders at these institutions who realize the risks associated with an aging workforce and the loss of intellectual capital as they retire or go on to another firm for higher pay as a consultant.

Leadership at these enlightened organizations formalizes the ability for units and sections of the business to teach, train, educate and mentor new members of the institution. The understanding that the risk of a loss of personnel is an Operational Risk that can be mitigated through effective human resource capital management and effective staff engagement is the beginning.

Apprenticeship is a system of training a new generation of practitioners of a skill. Apprentices (or in early modern usage "prentices") or protégé

The system of apprenticeship first developed in the later Middle Ages and came to be supervised by craft guilds and town governments. A master craftsman was entitled t (usually a term of seven years), but some would spend time as a journeyman and a significant proportion would never acquire their own workshop.

There are several trades that practice this extensively such as engineering, carpenters, electricians, plumbing and other vocations. The whole industry surrounding the medical profession has its specific path including the residency program as a step towards becoming an M.D. The law profession has its own steps for becoming a J.D. and working your way up to being able to handle a case all on your own, from start to finish.

The concept of transferring the intellectual capital to maintain the "craft" or the "art" of the expert craftsman or artisan is fading outside the typical union-oriented trade groups. Have you seen an apprenticeship program in the core work roles within an Information Technology department? What about the software development teams? And if you really want to determine where you may be most vulnerable in your organization, look no farther than the office of Business Continuity. Do you even have an office of Business Continuity or Crisis Management? What kind of ongoing recruiting is helping to build the expertise and the art of "Continuity of Operations" or "Disaster Preparedness"?

If you think about the Business Impact Analysis (BIA) of your organization, you identified the core areas that are vital to your own survivability. These are exactly where you need to start investing in the development of a set of programs that will teach skills, perpetuate the intellectual knowledge and keep your enterprise from being devastated by a sudden loss of skilled personnel.

There are numerous examples of organizations that have prospered and established chapters all over the globe to promote their particular brand of mentoring, whether it be a business entrepreneur to business entrepreneur or a scientist to another scientist. These by all means are important to keep the spirit of mentorship alive. But it is not enough.

Think deep and hard about how much your organization is mitigating the risk of a loss of personnel and intellectual capital. What are the programs you have in place to actually teach the craft or art that is at the core of the person's job or role on a daily basis? Who is the co-pilot to the First Officer on your flight today? Can one of the flight attendants fly the plane if both pilots are incapacitated for any reason? You get the message... Intellectual Capital x Skills Development = Survivability:

How do firms like Hewlett-Packard, DuPont, Dow Chemical, IBM, and Texas Instruments routinely convert the ideas of their employees into profits that sustain the corporation? How can buyers and sellers calculate the assets of the acquired firm in a merger or acquisition? How can an organization affect the firm's stock price using the leverage of intellectual assets? Identifying a firm's assets, especially its intellectual assets-the proprietary knowledge expressed as a recipe, formula, trade secret, invention, program, or process-has become critical to a company's overall vision and strategic plan and essential in such transactions as stock offerings or mergers.

In the era of the knowledge-based company, where the firm's genius and future lies in its ideas, a firm's collective know-how has become a measurable commodity-and as much a part of its bottom line as the condition of its cash investments, plant, and equipment. Extracting and measuring the real value of knowledge is essential for any corporate head who knows how high the stakes have become for corporate survival in the information age-where the innovative idea is as good as, if not better than, gold!

The Operational Risk associated with the mentoring, apprenticeship and skills training in your organization is a factor of your Intellectual Capital equation. What is yours?