25 January 2015

Insider Threat: Trusted Systems of the Future...

In the Defense Industrial Base in particular, corporate executives are on edge these days, anticipating the next game changing crisis phone call from the General Counsel.  The conversation is one that every CxO expects to have at some point in their career, yet the pace of multi-million dollar incidents is rapidly increasing.  The origin typically begins somewhere within the Operational Risk Management (ORM) landscape including People, Processes, Systems or External events.

INTRODUCTION

The Board of Directors is evaluating the current funding levels for Operational Risk Management programs.  The focus on "Insider Threat" is a renewed area of scrutiny in light of the number of intellectual property thefts and national security classified information leaks.  This means increased funding potential for programs of Defensive Counterintelligence.  Next we shall look at the strategic challenges involving Homeland Security, Domestic Intelligence and Technological Innovation.

STRATEGIC CHALLENGES

You may have heard that Corporate Security and Operational Risk Officers are consistently using the acronym M.I.C.E. to describe the motivations for rogue insider employees. Money, Ideology, Compromise and Ego are the main categories that human behavior can be associated with, once it is realized that an incident has occurred.

The "Why" question is asked early on by the General Counsel and the Chief Risk Officer (CRO), to try and understand the motivation by the employee.

One challenge is the current ecosystem of Homeland Security in the United States. Consistently oriented toward protection against catastrophic threats to the homeland in general and not to an individual company, much of the Homeland Security Intelligence (HSI) mechanism is myopic and not predictive.  The laws associated with U.S. persons and the current state of employee protections is a white paper in itself. However, the scrutiny of laws associated with the theft of intellectual property and corporate trade secrets is gaining momentum.

The challenges of "Domestic Intelligence" and the intersection of "Technological Innovation" are now on a collision course in the courts.  Previous legal decisions such as United States v. Jones, 132 S. Ct. 945, 565 U.S. ___ (2012), a Supreme Court case, set an example.  As interpretations of the constitutional rights of U.S. citizens are decided, and legal evidence in the form of metadata collected from technology innovations is deemed to violate those rights, the challenges for domestic intelligence applications become more apparent.  This includes law enforcement and internal corporate security programs within private sector enterprises.

CORPORATE CULTURE ISSUES

There are three competing perspectives within the enterprise organization that present a continuous cultural tug-of-war:
  • Human Resources
  • Privacy & Legal Governance
  • Security & Risk Management
In a recent breakout session of a private industry focused "Information Sharing Initiative" workshop, the comments were heard by all of us present.  A Chief Security Officer in the room came right out and admitted that his team does everything they can to avoid interaction with personnel from the Human Resources department.  This "Elephant-in-the-Room" topic is one that most corporate officers need to get out on the table.  A Human Resources department tasked with protecting the privacy and integrity of the employees' personal data typically clashes with those charged with securing the assets of the organization.

Even though the U.S. does not have anything close to the EU Data Protection Directive, the legal precedents are being played out in the courts.  In the U.S., workplace privacy is a rapidly evolving spectrum of technology, metadata and big data analytics:
Employees typically must relinquish some of their privacy while at the workplace, but how much they must do so can be a contentious issue. The debate rages on as to whether it is moral, ethical and legal for employers to monitor the actions of their employees. Employers believe that monitoring is necessary both to discourage illicit activity and to limit liability. Although, with this problem of monitoring of employees, many are experiencing a negative effect on emotional and physical stress including fatigue and lack of motivation within the workplace.

RECOMMENDATIONS

The "Insider Threat" and Defensive Counterintelligence strategies are up against the employee privacy and data governance legal battles in the U.S.  However, there is a way forward to design the future architecture for this particular Operational Risk Management domain, beyond more legally detailed "Acceptable Use Agreements".

Just as any agreement on standards or rules takes a process and a dedicated architecture, so will this arena of human behavior, technology innovations and vital digital information assets.  Effective and transparent "Trust Decisions" that become embedded in the architecture, enabling application of the agreed upon rulesets, are the ultimate goal.  Once humans have confidence in a mechanism for making these Trust Decisions consistently and with integrity, the presence of prudent risk management will then be realized.

The private sector will lead this effort in collaboration with government, yet it will design its own protocols and rulesets to plug in to new federal standards.  The application of continuous monitoring of threats within the private sector workplace will evolve quickly by using these new frameworks and new tools.  Trust Decisions will be made in milliseconds, as systems execute the rules that have been coded into software and the latest big data analytics logic.

We recommend that the private sector continue to establish a consortium of cross-sector companies to interface with the new ISE.gov framework entitled "The Data Aggregation Reference Architecture."
The need for greater interoperability is clear. To protect national interests, intelligence and law enforcement agencies must be able to collect, accurately aggregate, and share real-time analytical information about people, places, and events in a manner that also protects privacy, civil rights, and civil liberties. The President’s National Strategy for Information Sharing and Safeguarding (NSISS) recognizes this as a priority national security issue, and speaks directly to this challenge. The Data Aggregation Reference Architecture (DARA) is in direct response to NSISS Priority Objective 10, “Develop a reference architecture to support a consistent approach to data discovery and entity resolution and data correlation across disparate datasets.” The DARA provides a reference architecture that can enable rapid information sharing, particularly for correlated data, but also for raw data, by providing a framework for interoperability between systems, applications and organizations.
These private sector companies need to standardize across sectors, just as the government is embarking on the mission to improve this across agencies.  You see, the blind spots that the government has discovered in sharing information across its own departments and agencies are no different in private industry.  The failure of Energy companies to share information with other Energy companies, or the same within the Financial Services industry ISAC model, is not new.  However, the speed and integrity of future "Trust Decisions" on Insider Threats will always depend on the timeliness and quality of the data.

The international agreements on ISO standards have a long history.  Quality and Environmental standards are most common.  The 21st century has delivered us privacy and information security "management system" standards established and agreed upon internationally.  The standards and rulesets integrated with government shall have interoperability with the private sector.  The private sector shall collaborate with government on the architecture for information sharing.  The future state outcomes will enhance our trust in the management systems that have been designed from the ground up to execute the rules.  A good example from ISO follows:
Cloud computing is quite possibly the hottest, most discussed and often misunderstood topic in IT today. This revolutionary concept has reached unexpected heights in the last decade and is recognized by governments and private-sector organizations as major game-changing technology.

In the January/February 2015 ISOfocus issue, we address some of the basic questions surrounding cloud computing (including the savings and business utility the technology can offer). We also explore security concerns of the cloud services industry and how these are addressed by ISO/IEC 27018, the first International Standard on safeguarding personal data in the cloud.

CONCLUSION

The future of the "Insider Threat" solutions will not be designed by just one company or one government.  Just as the Internet standards have evolved to support billions of IP addressable devices using data science and machine learning, so too will the private sector discover the way forward on transparency and data governance.  What are the odds that an "Insider Actor" hired at company "A" may then move to Company "B" if and when they determine the controls and processes are too difficult or will catch them in their unauthorized activities?

The safety, security and privacy of our organizations in concert with an international community is imperative.  People must believe in the integrity of the "Trust Decisions" being made each second by the Internet devices they hold in their hands and simultaneously by the organizations they devote their working lives to each day.

18 January 2015

Blackhat: Corporate Counterintelligence Capability...

If you are an Operational Risk Management (ORM) professional you should invest time to see the latest movie on Information Security this weekend.  Michael Mann's latest production is entitled "Blackhat" and it has a few lessons learned including several stark reminders of the current state of industrial asymmetric warfare.

While you may laugh at some of the scenes, there are some effective learning points along the way.  Even better, consider inviting one of your corporate executives to the movie with you.  They could walk away with a better understanding of the active cybercrime and cyberterrorism syndicates that have global operations.

The motivations for these continuous cyber attacks in most cases can be described in one word, "Greed".  The human factors associated with greed continue to become more exemplified in the digital Internet of Things (IoT) domain year-to-year.  So what do Wired Magazine and Cade Metz have to say about this latest hacker movie?
For Parisa Tabriz, who sits at the center of the info-sec universe as the head of Google’s Chrome security team, it’s a Hollywood moment that rings remarkably true. “It’s not flashy, but it’s something that real criminals have tried—and highlights the fundamental security problems with foreign USB devices.” 
Tabriz will also tell you that such accuracy—not to mention the subtlety of the scene with the coffee-stained papers—is unusual for a movie set in the world of information security. And she’s hardly alone in thinking so. Last week, Tabriz helped arrange an early screening of Blackhat in San Francisco for 200-odd security specialists from Google, Facebook, Apple, Tesla, Twitter, Square, Cisco, and other parts of Silicon Valley’s close-knit security community, and their response to the film was shockingly, well, positive. 
Judging from the screening Q&A—and the pointed ways this audience reacted during the screening—you could certainly argue Blackhat is the best hacking movie ever made.
Hollywood, California is getting closer to understanding how to reach a broad audience who are interested in the commercial cyber thriller.  The cyber themed movies have been around for years including "Sneakers" with Robert Redford in 1992.  So what has changed, after all of these attempts to help illustrate the spectrum of Operational Risks impacting the corporate enterprise?  Sabotage on critical infrastructure is ever more present.  So what has remained the same?

Still to this day there remains a tremendous amount of complacency on the risk of "Insider Threat." To illustrate this further, what are some of the common factors in all espionage incidents in the U.S. since 1950?
  • More than 1/3 of those who committed espionage had no security clearance. 
  • Twice as many “insiders” volunteered as were recruited. 
  • 1/3 of those who committed espionage were naturalized U.S. citizens. 
  • Most recent spies acted alone. 
  • Nearly 85% passed information before being caught. 
  • Out of the 11 most recent cases, 90% used computers while conducting espionage and 2/3 used the Internet to initiate malicious contact.
What can a corporation do in an environment of competing resources for talent, new tools and an increasing focus on consumer privacy?  Having an effective counterintelligence program within your organization is paramount to preserving your intellectual property and the integrity of the U.S. industrial supply chain.  So where should you start?

Begin your organization's awareness building with a robust program on cyber security:
Welcome to the InfraGard Awareness Security Awareness Course - We all have a role to play in protecting ourselves and the nation from the impact of cybercrime and identity theft, and that role can begin in the workplace. 
The better you are at protecting your own workplace from cybercrime and identity theft, the fewer opportunities criminals, petty thieves, and even terrorists will have to exploit security vulnerabilities for their own purposes.
  1. "What technologies do you want to protect from your competitors (e.g., R&D, supply chain, pricing and customer service information, contracts, production and maintenance records, etc.)  Do you believe you are adequately protecting them?  Can you rank these items by level of importance?  
  2. What information or technology (including expertise in manufacturing, production, or operations) are foreign competitors lacking that keeps them from being competitive?  Identify the various applications (both military and commercial) of your product or service.
  3. Do you have a reporting program in place to track how and where your critical/emerging technologies are being targeted by domestic and foreign adversaries?  If so, what trends have you seen?"
  • Source:  FBI SPIN:  15-001
The genesis of any mature insider threat program begins with the strategic development of a robust counterintelligence capability within your Operational Risk Management (ORM) framework.  The future of your organization and the safety and economic security of the entire nation are at stake.

11 January 2015

Legal Risk: Forensic Analysis of Supply Chain...

Corporate environments where a dedicated Chief Information Security Officer (CISO) works alongside the General Counsel (GC) to tackle Operational Risk Management (ORM) continue to present a significant challenge.  The introduction of court certified tools for forensic analysis of information on both desktop and mobile devices, including phones, tablets and anything with a storage capability (USB Jump Drives), has created an executive level debate.  "What" information will we perform forensic analysis on, "why" and "when" will we do it?

The "Why" question is most obvious. Like the analysis of DNA, the zeros and ones (0's and 1's) that make up the digital fingerprints (user names, passwords), blood-type (e-mail, SMS) and other behavioral evidence are important to associate the identity of the person(s) using a certain digital device. In addition, the ability to track the whereabouts of a particular digital device via GPS metadata or IP address can also provide additional context and evidence to be considered in the forensic examination.

The "What" information is in many cases going to be preceded by the "When" and has much to do with the policy in place within the corporate environment.  Modern "Acceptable Use Policy" may spell out that any device can be examined at any time, if it is a corporate issued and owned product.  Personal devices allowed in the workplace may be subject to a completely different set of policy doctrine, that falls under state and federal statutes.

The "When" question could be on a continuous basis or tied to a particular event, such as an employee who has given notice to leave the organization.  The event could also be the result of an alarm or alert that the Information Security team receives from an automated system within the corporate network.  So back to the challenges faced by the CISO vs. the GC on the Operational Risk Management process and addressing all of these issues.  Is it handled in a legally sound manner that also achieves a "Defensible Standard of Care?"

Now imagine all of this going on within the confines of a small-to-medium size enterprise (SME). These organizations are typically defined as under 1000 employees yet can be defined further by the type of business and industry.  Now imagine that this particular SME is operating within the Defense Industrial Base and is in the professional services supply chain of the top three U.S. government contractors, who are bidding on the next generation bomber for the U.S. Air Force.  What do we mean by supply chain?  This particular SME is one of the outside counsel for Lockheed Martin, Boeing or Northrop. Yes, this law firm is in the information supply chain, working on legal matters associated with a top tier defense contractor.

If you are the GC and CISO at LM, Boeing or Northrop, what controls, policies or service level agreements (SLA) do you have in place that spell out the process to forensically examine the mobile devices of the lawyers and associates of your outside counsel? When?  Why?  The public disclosure of law firms and their associates being the target of nation-state espionage is several years old.  When was the last time, as a GC or CISO, you had a closed door summit with the information supply chain of law firms working for your Defense Industrial Base (DIB) corporation in the U.S.?  If you are an SME law firm working in the supply chain of the DIB, what, why and when are you using Forensic Analysis with all of your Partners, Associates, Paralegals and other people in your legal ecosystem?

Operational Risk Management (ORM) spans every department and every employee.  It requires prudent application of the use of forensic analysis, as a vital component of a comprehensive counterintelligence program.  And remember the why.  Spear Phishing of law firms has been a major warning since 2009 and over six years later, it is still growing because it remains so effective.

05 January 2015

2015: Risk of Trust Decisions 25 Years Later...

Operational Risk Management (ORM) in 2015 will encompass a higher degree of focus on the corporate enterprise privacy debate.  The "Privacy vs. Security" battlefield has been gaining momentum, as a result of the rapid pace of data breaches and massive corporate data espionage.

General Counsel in collaboration with outside law firms are developing new legal strategies for data loss incidents. "Incident Attribution" and proving harm by nation states is going to be a new defense, as the sophistication of malware payloads approaches the intent of "Stuxnet."

"Trust Decisions" are being made at light speed by a system-of-systems to operate the global banking and e-commerce infrastructure.  Connected globally by billions of computing machines, each of these digitally enabled humans is making dozens if not hundreds of digital trust decisions on a daily basis. Those trust decisions incorporate a number of rulesets known and unknown to the decision maker. The potential legal consequences of the wrong privacy policy or a gap in compliance can cost your enterprise millions of dollars:
In 2007, a class action lawsuit was filed in the United States District Court of the Northern District of California against Facebook on behalf of 3.6 million users of Facebook concerning its “Beacon” program. KamberLaw represented the plaintiffs in this action and Cooley LLP represented Facebook. This suit was settled in 2009 and was granted final approval by the Hon. Richard Seeborg in March 2010. As part of the settlement, the parties created the Foundation (the Digital Trust Foundation) “the purpose of which shall be to fund projects and initiatives that promote the cause of online privacy, safety, and security.” The case settled for $9.5 million, with the Foundation receiving approximately $6.7 million after attorney’s fees, payments to plaintiffs, and administrative costs. There were four objectors to the settlement, two of whom appealed the approval to the Ninth Circuit Court of Appeals and subsequently the Supreme Court. But ultimately, in November 2013, the appeals were rejected and the Foundation was funded. The Foundation will distribute more than $6 million and will close its doors once all of the grants have been distributed and completed.
In this particular legal case of Facebook, the $6,000,000 in grants to further educate youth, understand socioeconomic status and privacy, assess digital abuse and enhance privacy technologies will not solve the problem at hand.  This brings us back to "Trust Decisions."

Jeffrey Ritter believes in "Building Digital Trust" and he captures the essence of where the future solutions to help solve the global privacy problem will be found:
I discovered that, to build digital trust, I had to first stop and learn how humans achieve trust itself. In doing so, I figured out that trust is not an emotion; trust is an outcome of a complicated calculus that each of us performs countless times each day as we interact with the world around us. Trust is a decision process. The process is based on catalogs of rules we assemble and the information we gather with which to evaluate whether our assembled rules are being satisfied by the person, the tool, the system, or the information we are deciding whether to trust.
A "Trust Decision" by a machine involves the interpretation of a ruleset (databases of rules) that is established for a set of semiconductors and microprocessors to execute.  In most cases the initial ruleset was written in code by a human. Therefore, the software code that was written for the machine to execute will have flaws.  It will be capable of failure, errors or omissions. These instructions query other rulesets (laws, policies, historical precedence) that assist the human in making trust decisions.  This is just one of the reasons for the existence of data breaches.

2015 and beyond will be an opportunity to further define and debate our "Trust Decisions."  The years and decades ahead will be full of asymmetric warfare, that is fought by criminal syndicates for hire and implemented by rogue nation states themselves.  All accomplished utilizing this invention, we call the "Internet."  The same "Zeros and Ones" ecosystem we built to connect our billions of man-made machines.

A recent visit to the Computer History Museum in Mountain View, CA is a reminder about how far we have come and yet how much we are still in our infancy.  The Internet history timeline begins in 1962:
This Internet Timeline begins in 1962, before the word ‘Internet’ is invented. The world’s 10,000 computers are primitive, although they cost hundreds of thousands of dollars. They have only a few thousand words of magnetic core memory, and programming them is far from easy.

Domestically, data communication over the phone lines is an AT&T monopoly. The ‘Picturephone’ of 1939, shown again at the New York World’s Fair in 1964, is still AT&T’s answer to the future of worldwide communications.

But the four-year old Advanced Research Projects Agency (ARPA) of the U.S. Department of Defense, a future-oriented funder of ‘high-risk, high-gain’ research, lays the groundwork for what becomes the ARPANET and, much later, the Internet.
By 1992, when this timeline ends,
  • the Internet has one million hosts
  • the ARPANET has ceased to exist
  • computers are nine orders of magnitude faster
  • network bandwidth is twenty million times greater
We are now arriving at the 25th anniversary of Tim Berners-Lee's first proposal for the World Wide Web.  Little did Tim know, that it would become the core focus for Operational Risk Management (ORM) in our digital enterprises in the year 2015.

21 December 2014

2014 Reflections: Operational Risk Management Forecast...

As 2014 comes to a close and we look into the future of 2015 it is time to reflect.  After 1000+ blog posts on the topic and discipline of Operational Risk Management (ORM) it seems like a blur.  To start off this final post for the year, we looked back on our last post in December 2013.  It is amazing to see how accurate many of our forecasts were for 2014.

Here are some of the Operational Risk Management blog posts that had the most page views this past year:

Cyber Domain: International Law of Asymmetric Warfare...

Memorial Day 2014: The Risk of Service is Understood...

Insider Threat: CSO Priorities...

1 WTC: Trust Decisions of Technology, Privacy and Rule of Law...

Veterans Day 2014: Leading the Enterprise to Victory...

Courage: Risk of Physical & Moral Fear...

Now for the ORM forecast.  2015 will provide new opportunity and a positive outlook not seen since 2007.  The global investors are still bullish on the possibilities for long-term growth.  The religious wars will continue to spark new regional conflicts, yet the super powers will continue to find common ground.  Resilience to systemic failures will define what countries emerge, as the next tier of global influence.

At the end of the day, we are all the same.  Love for our family and the constant anxiety of providing a safe, secure and nourishing environment for them to live out their days.  As we close our eyes each night to try to sleep, we plan our next day on managing the "Operational Risks" in our path ahead.

14 December 2014

Intellectual Property: Material Risks Disclosure- Assumption of Breach...

The rules of the game may have changed across the corporate landscape.  Corporations that have been proactive in the management of Operational Risks, are making headlines in the published press. There is a race to build new 100,000 Sq. Ft. data centers around the globe, in order to satisfy the insatiable competitive appetite of bandwidth hungry enterprises:
Sony Pictures Entertainment is fighting back
The studio behind the “Spider-Man” franchise and “The Social Network” has taken technological countermeasures to disrupt downloads of its most sensitive information, which was exposed when a hacking attack crippled its systems in late November.

The company is using hundreds of computers in Asia to execute what’s known as a denial of service attack on sites where its pilfered data is available, according to two people with direct knowledge of the matter. 
Sony is using Amazon Web Services, the Internet retailer’s cloud computing unit, which operates data centers in Tokyo and Singapore, to carry out the counterattack, one of the sources said. The tactic was once commonly employed by media companies to combat Internet movie and music piracy. 
In one of the most devastating cyber security breaches in recent memory, a hacking group calling itself Guardians of Peace claimed to have stolen just under 100 terabytes of Sony Pictures’ financial information, budgets, payroll data, internal emails and feature films and has slowly leaked portions of it to public file-sharing sites such as PasteBin.
The cyber war has been facilitated by the rise of substantial new digital weapons and the cloud-based compute power to make it all happen.  The question is not who is behind the latest DoS of "PasteBin" as much as when the next Stuxnet-like design will gain favor, by a private sector organization.  You see, the use of sophisticated offensive cyber malware is not new.  No different than conventional chemical weapons that are developed by nation states, the variants and new "Zero Days" ultimately could end up in the hands of militias and clandestine dark sites on the net for sale.

In the recent book "Countdown to Zero Day" by Kim Zetter, the point is made:
Before Stuxnet, most of America’s military and intelligence cyber-operations focused on stealing or distorting data, or used cyber-tools to help direct U.S. weapons. Stuxnet was envisioned by U.S. officials as a replacement for a conventional weapon. Using a computer virus or worm to gum up the works of something from within would provide an alternative to, say, destroying a nuclear facility from the air. Stuxnet appears to have done that. “Stuxnet stands alone as the only known cyberattack to have caused physical destruction to a system,” Zetter writes.
The physical digital copying, erasure or even encryption of corporate data that then becomes the focus of an extortion plot is the Operational Risk Management (ORM) business problem that remains on your Board Room doorstep. The Sony Board of Directors now understands the liability of dealing with a $100 million plus incident, as an adverse material event, spawned from the cyber domain.  The rules of the digital game have changed.  Now what can be done about this particular wake up call?

Besides getting your outside counsel ramping up for a tremendous cache of billable hours and your Information Governance Teams burning the midnight oil, the future strategy is now evolving.  How many digital files in your corporation contain proprietary Intellectual Property (IP)?  If you don't know the answer, then we recommend that you start counting.  You need to figure out what the value of all this data is, and for good reason.  At the other end of the Operational Risk spectrum are the SEC regulatory issues in the U.S.  Jeffrey Carr explains here:
“Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.” 
The value of your particular organization's Intellectual Property can then be compared against the demand for your IP on a global basis.  What countries or companies are spinning up Research & Development operations in the same IP space that your organization is operating in?  What U.S. companies are encouraged to relocate a manufacturing plant overseas?  Why is this significant? The correlation is that if there are a rising number of foreign R&D labs focused on your particular category of IP, then you can guess that your company is going to be a substantial target for sustained industrial espionage.  Regulatory burdens exist and yet may not be the greatest risk.

When there is not enough time or money to infiltrate your organization with insider human assets, then the outsourcing of digital theft campaigns will begin, or a combination of insider theft operations in cooperation with outsourcing.  The hackers-for-hire trade is larger than you may know.  How much do you think a nation state would pay for a "Stuxnet" Zero Day on the open market in today's U.S. dollars?  Mid to high six figures?  Not likely.  7 or 8 figures is getting closer.

While the malware designed for the exfiltration of data from Sony Pictures is different than Stuxnet's design to disrupt a specific type of Siemens Controller for a certain IR-1 centrifuge, the intent and motive may be quite similar.  To disrupt and destroy the capabilities of your adversary.  Now the question for Sony is whether this was a nation state or simply a "disgruntled insider," or possibly both that can be attributed to the sabotage attack.

The complexity and the longevity of the risk is evident.  The magnitude and the impact of the destruction is apparent.  Are you sure you don't have an Insider Threat?  See appendix C here:
This fourth edition of the Common Sense Guide to Mitigating Insider Threats provides the most current recommendations of the CERT® Program (part of Carnegie Mellon University's Software Engineering Institute), based on an expanded database of more than 700 insider threat cases and continued research and analysis. It introduces the topic of insider threats, explains its intended audience and how this guide differs from previous editions, defines insider threats, and outlines current patterns and trends. The guide then describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so. Each practice includes features new to this edition: challenges to implementation, quick wins and high-impact solutions for small and large organizations, and relevant security standards. This edition also focuses on six groups within an organization (human resources, legal, physical security, data owners, information technology, and software engineering) and maps the relevant groups to each practice. The appendices provide a revised list of information security best practices, a new mapping of the guide's practices to established security standards, a new breakdown of the practices by organizational group, and new checklists of activities for each practice.

07 December 2014

Startup Risk: Design of ORM Architecture...

How wonderful it would be to be able to redesign our current work culture and the systems that support it.  Only those new startup companies with the two co-founders sitting around the kitchen table have that real luxury.  When should the Operational Risk Management (ORM) framework for this new business entity be developed and staged for implementation?

All too often when a startup company forms its basis for existence, the focus is 100% on the product solutions and the "Go-to-Market" plan.  It isn't until the firm is leasing its first office space that the gap suddenly becomes a reality.  The Operational Risk Management (ORM) components of the company design have been given back-burner status.  The viability and the longevity of the business model could be in jeopardy.

Six months later, you might have two dozen employees moving into the new open plan office suite. Do the co-founders and senior management realize the business problem before them?  The culture of the organization is already well underway, along with its norms and what the rules will be. The employees and contingent contractors are operating almost 24 x 7 at this stage to launch new products and establish market presence campaigns.  How could there be any real serious operational risks to consider at this point?

The implementation of the rules-base and the company policies is now a necessary stage of the startup. This is also when the co-founders realize that maybe it is time to start handing over the day-to-day management of the company.  It could even be the time to add the professional CEO and other key executives including the Chief Technology Officer, Chief Financial Officer, General Counsel, Chief Information Officer, Chief Human Capital Officer and the Chief Risk Officer.

The organizational enterprise architecture is now operating in full swing.  These stewards of the new company have a vital and delicate opportunity now.  Will the company build a system-of-systems that is trustworthy?

Will the people interacting within the rule-based environment of the NewCo begin to feel burdened, restricted and even under the magnifying glass?  Or will the new enterprise architecture be so adaptive, so resilient and so capable of predictive behaviors that employees feel free?  They feel innovative and capable of operating just as in the early days of the birth of the company.

The Mission

The mission as a co-founder of a new startup is to ensure the survival of the organization.  We all know the failure rate for new companies.  Just ask Dun & Bradstreet for the statistics, or even your local Venture Capitalist who is celebrating failures these days.  So beyond just the survival of the NewCo is the imperative to establish a cultural and operating environment where people feel encouraged, creative and unencumbered to fulfill their job requirements and goals.

The Take Away

Operational Risks are inherent in any new business endeavor.  The earlier the ORM design begins in the company evolution, the more resilient you will ultimately become.  The framework of the system-of-systems, the look and feel of the cultural environment and the end state visions are all at stake.  Take the time and include the expertise to work on the systems foundation of your new enterprise.

Ensure the survivability of the new products and solutions that are so valuable to our economy and our nation.  Embrace Operational Risk Management early in your startup and allow its presence while it preserves all that you have worked for and dreamed of...

01 December 2014

Courage: Risk of Physical & Moral Fear...

The effective implementation of Operational Risk Management (ORM) requires two types of courage: physical and moral.  What are some examples?  "Physical Courage" is the act by an individual of running into the burning building to save those caught on the upper floors.  "Moral Courage" is the decision to finally expose the multi-year fraud scheme executed by the company controller, who happens to be your boss and is a former college classmate.

The courage component is different, yet the same.  The existence of fear in a "physical sense" may be harder to overcome since it will expose you to bodily harm and potential death.  The fear associated with a "moral sense" will impact your reputation or standing in the community that you live in, or the profession you operate within.  This fear could be greater for some than even risking one's own life.

Is it possible to learn and improve your skills for both physical and moral courage?  The answer is yes, and it has been a factor of education and training for hundreds of years.  The goal is to ensure that your organization, enterprise, team or community is learning both and creating effective habits.  The continuous and repetitive exercises to deal with the fear of bodily harm or of blowing the whistle on your best friend are the bottom line here.
"What are you doing to overcome your fear to save a life?  What are you doing to overcome your fear of reputation loss?  The ratio of learning both and exercising them in the field or when needed inside the institution, enterprise or government is what is at stake."
Once the education and training programs are in place to learn new skills then the fear of action will diminish, when the time comes.  Who do you have coming to work each day who has the balanced ability to carry an adult out of the burning building or simultaneously detect a multi-layered accounts payable scheme?

Unfortunately, these are only two examples of a wide spectrum of courage that is required each day. In New York City or the Sahel, from the Board Room to the Break Room, from the Class Room to the Conference Room, both physical and moral courage will be required.  In seconds.  The courageous decision you make may cause bodily harm or the end of a career.  What are you going to do to learn and train to deal with the fear that you will encounter?  What kind of courage will you be called upon to utilize in order to act, to behave correctly and expeditiously?

Operational Risk Management (ORM) is a vital factor in your city, your business and your virtual community.  It spans the spectrum of courage from physical to moral.  The question remains: will you act when the time and moment arises?

23 November 2014

Trust Decisions: The Future State of Risk Management...

Trust Decisions are being made at the speed of light.  The rules of the game are embedded in lines of code written to instruct computers and simultaneously in the rule of law that is printed in Constitutions around the globe.  As the speed of Internet commerce accelerates the Operational Risk Management (ORM) frameworks will evolve and adapt.  The privacy vs. security evolution is now in full debate as our Critical Infrastructures feel the stress of points of failure.

The future architecture of what is at stake continues to be challenged in so many ways.  Jeffrey Ritter sums this up perfectly:
"Yet, in either direction, freedom vs. surveillance, what are being proposed are nation-state rules. At this point in the Net’s evolution, any national solutions seem almost contradictory to the ambitions of any government to actually be effective in achieving their ambitions. The inherent functionality of the Net is to “route around failure”. Nation-state rules that impose restrictions on the market’s appetite to create economic pricing tiers merely drive commercial activity into other geographic regions. Laws requiring backdoors have the same effect, provoking and encouraging bad actors to find mechanisms that avoid such technology features to be baked into the relevant devices. In a global market where, as one economist observed, there will soon be no further emerging economies, what is the proper role of the nation-states toward the Net? When do new regulations, well-intentioned to provide positive qualities of life, actually become walls that divert the movement of information, funds, and economic activity to other geographic regions?"
As the governance of the Internet continues to be debated, consider the velocity of what is occurring even as broadband and wireless are still so scarce in many locations around the world:
Alibaba Group Holding Limited is a Chinese e-commerce company that provides consumer-to-consumer, business-to-consumer and business-to-business sales services via web portals. It also provides electronic payment services, a shopping search engine and data-centric cloud computing services. 
Alibaba's consumer-to-consumer portal Taobao, similar to eBay.com, features nearly a billion products and is one of the 20 most-visited websites globally. The Group's websites accounted for over 60% of the parcels delivered in China by March 2013, and 80% of the nation's online sales by September 2014. Alipay, an online payment escrow service, accounts for roughly half of all online payment transactions within China.
The "Trust Decisions" being made every day by citizens of the planet Earth using the Internet continue to grow exponentially.  The systems-of-systems are executing the rules given to them and the human element is beginning to diminish.  Why?

Most people believe in some form of risk management, and the truth is that it doesn't work all the time.  It doesn't work because the human being is incapable of processing all of the possible rules of the moment, the game, in any specific scenario, fast enough.  Therefore, failures of people, processes, systems and external events seem to occur randomly.

Is it possible to achieve a state of zero surprise, where all risks are mitigated and humans can achieve an environment of trust that is sustainable?  We think it is.  In the right environment and in a specific scenario, surprise is now "impossible".

"Trust Decisions" occur today at the speed of light and with an accuracy of 99.999%.  Risk Management is our current state and it is destined for extinction.  Trust Decisions, as we will now apply them, become our future state.  With zero surprise.  The truth is that risk management is obsolete and a new digital invention is ready for mankind.

16 November 2014

Top Ten Mistakes: Board of Directors Risk...

A few years ago, Randy Myers' article in Corporate Board Member Magazine discussed a Top Ten List for the Board of Directors. In light of the current state of corporate performance, we would like to revisit the most common mistakes.

General Counsel to Directors: Your 10 Most Common Mistakes

The in-house lawyers think that you've got a lot to learn about risk, trust, and reward. And when there's trouble, you too often fail to follow the Boy Scout creed: Be Prepared. By Randy Myers

1. Not Asking Questions
2. Failing to Understand the Company and the Risks it Faces
3. Failing to Lead on Ethics and Compliance
4. Not Insisting on a Crisis-Management Plan
5. Speaking out in a Crisis Before the Facts are in
6. Relying on the Wrong Outside Counsel
7. Failing to Understand Attorney-Client Privilege
8. Underestimating Regulators
9. Giving too Much Leeway to Rainmakers
10. Getting Caught Up in the dilemma of False Options
And as Randy so clearly states: "Serving on a corporate board isn't easy. Avoiding these common mistakes should be."

We can't accept that No. 4 is even on this list. No. 2 and No. 3 are ever so commonplace. And No. 7 is not a surprise. But what continues to amaze even those professionals associated with consulting to the Board of Directors is No. 8.

The Chief Risk Officer (CRO) is the independent keeper of oversight in the corporate enterprise. Should any organization be the subject of an investigation by the SEC, FTC or any other government regulator, they need to look to the CRO. It's the job of any CRO to keep regulator awareness at a high level and to let the business be in charge of risk management. Whenever you see a CRO getting involved in managing the risks of the business, then the independence and clarity of oversight has been extinguished.

The General Counsel and the Chief Risk Officer must work hand-in-hand to follow the Boy Scout creed:

Be Prepared.
09 November 2014

Veterans Day 2014: Leading the Enterprise to Victory...

The 1% are soon to be recognized on Tuesday, November 11, Veterans Day.  CxOs across the country who have served in the military know all about "Operational Risk Management" (ORM). They understand that the safety and security of their personnel is paramount if they are to achieve the mission assigned to them by the Board of Directors and the majority stakeholders.

It makes sense, if only 1% of the country serves in the military and fewer still make it to the rank of CxO in commercial industry, that ORM remains so esoteric.  Only an enlightened few truly understand the value of investing in continuous training, cultural and ethical development, and the safety and security of not only employees but also intellectual capital and information assets.

Indeed, this Veterans Day is a time to focus on our 1%.  Those who have served the United States of America in the Armed Forces.  At the top of each of these branches including the Army, Marine Corps, Navy, Air Force and Coast Guard are people that have seen, smelled, heard, felt and lived with the logic and the necessity for Operational Risk Management.  Why is the Navy leadership focused on ORM?
ORM is the guiding Navy instruction for implementing the ORM program. The naval vision is to develop an environment in which every individual (officer, enlisted and civilian) is trained and motivated to personally manage risk in everything they do on and off duty, both in peacetime and during conflict, thus enabling successful completion of all operations or activities with the minimum amount of risk. 
The most common idea of what ORM revolves around is a simple five-step process that is most frequently used in planning. These five steps are:
  • Identify hazards
  • Assess the hazards
  • Make risk decisions
  • Implement controls
  • Supervise and watch for change
Another level of ORM is Time Critical Risk Management which involves a quick, committed-to-memory process and a set of skills that allow our people to manage risk when in the execution of a plan or event. The standard for the Navy is being developed, however it might be thought of in simple terms such as:
  • What can go wrong or is changing
  • How can I keep it from affecting the mission without hurting me
  • Act to correct the situation
  • Telling the right people if you are unable to take the right action
If you were retired from the Marine Corps and now the CxO of a Global 500 company, do you think that ORM would be a forgotten system?  Would you neglect to focus on this, if you were running FedEx?  Fred Smith is not a former pilot, but was vital as a "Forward Air Controller":

Frederick Wallace "Fred" Smith (born August 11, 1944), is the founder, chairman, president, and CEO of FedEx, originally known as Federal Express, the first overnight express delivery company in the world, and the largest in the world. The company is headquartered in Memphis, Tennessee. 
Smith was commissioned in the U.S. Marine Corps, serving for three years (from 1966 to 1969) as a platoon leader and a forward air controller (FAC), flying in the back seat of the OV-10
As a Marine, Smith had the opportunity to observe the military's logistics system first hand. He served two tours of duty in Vietnam, flying with pilots on over 200 combat missions. He was honorably discharged in 1969 with the rank of Captain, having received the Silver Star, the Bronze Star, and two Purple Hearts. While in the military, Smith carefully observed the procurement and delivery procedures, fine-tuning his dream for an overnight delivery service.
A primary function of a Forward Air Controller is ensuring the safety of friendly troops. Enemy targets in the Front line ("Forward Edge of the Battle Area" in US terminology) are often close to friendly forces and therefore friendly forces are at risk of friendly fire through proximity during air attack. The danger is twofold: the bombing pilot cannot identify the target clearly, and is not aware of the locations of friendly forces.
Fred Smith not only implemented the mindset of a "Forward Air Controller" running FedEx, he also has been able to build a culture focused on Operational Risk Management (ORM).
FedEx Corporation will produce superior financial returns for its shareowners by providing high value-added logistics, transportation and related business services through focused operating companies. Customer requirements will be met in the highest quality manner appropriate to each market segment served. FedEx will strive to develop mutually rewarding relationships with its employees, partners and suppliers. Safety will be the first consideration in all operations. Corporate activities will be conducted to the highest ethical and professional standards.
Now back to Veterans Day, November 11.  Are you starting to make the connection between the 1%, becoming a global CxO and the reason why ORM has such tremendous applications inside the global enterprise?

The opportunity now is for us to unleash our emerging and proactive "Vetrepreneurs," to take their years of knowledge and understanding of ORM and now apply it within the ranks of their new companies or new positions, just as Fred Smith has done at FedEx.  These veterans have the practical knowledge, skills and valuable use cases on how Operational Risk Management contributes to the overall mission.

If you are a 1% entrepreneur (Vetrepreneur) and have Co-founder or CxO as your title, then your proactive nature should allow you the opportunity to apply ORM within your organization.  Here are three places you can begin your program focus:
Inside:  Develop a culture of trust that begins by teaching employees how to find the truth.  A culture that promotes and teaches people how to apply the rules to the business that you are operating in.  A culture where no one can hide, and where understanding our own vulnerabilities makes the overall organization more resilient each day.
Outside:  Architect the enterprise from the ground up to make more informed "Trust Decisions."  The architecture must first assemble and organize the rule-base and contextual framework associated with the environment that you will be operating in, both physically and virtually.  The interdependencies of the automated machines developed to operate the enterprise shall exist in a transparent and highly governed "system-of-systems".
In-The-Middle:  Create new learning scenarios on a consistent but random basis.  Test the enterprise Inside and Outside with these exercise scenarios.  Determine how the humans and/or machines behave.  Establish what is normal and create your baseline. Continue to test and to measure the gaps of performance and make changes to improve the quality, accuracy or resiliency of the entire enterprise architecture.
On this Veterans Day 2014, scan the horizon for the organizations that stand out and are remarkable. With the 1% at the helm, in the cockpit or now the HQ Board Room, Operational Risk Management (ORM) is leading the enterprise to victory!

02 November 2014

NewCo: Operational Risk Accelerators...

Operational Risk Management (ORM) is an essential component of any serious business.  These are the internal risks you take when you add people, processes and systems together and then operate in a specific industry or geography.  Innovation within the ranks of a new breed of business accelerator has the opportunity to include "Operational Risk Strategy Execution" as a vital mechanism for the growth of the newborn company.

Do you know about a start-up company that is building a product or solution to address one of these Operational Risk categories?  The following lists the official Basel II defined seven event types with some examples for each category:
  1. Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
  2. External Fraud - theft of information, hacking damage, third-party theft and forgery
  3. Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
  4. Clients, Products, and Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
  5. Damage to Physical Assets - natural disasters, terrorism, vandalism
  6. Business Disruption and Systems Failures - utility disruptions, software failures, hardware failures
  7. Execution, Delivery, and Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets
The start-up phenomenon has taken many metro areas around the United States by surprise.  The typical centers of innovation in Seattle, San Francisco, Los Angeles, Austin, Boston and Washington, DC are now being joined by newcomers such as Cincinnati:
The entrepreneurial world is not an easy one to take on, but for those brave enough to do so, Cintrifuse is here to help. Located in the heart of downtown Cincinnati, Ohio, Cintrifuse acts as a connecter and supporter to create a global destination for entrepreneurial success. 
Cintrifuse connects the region’s high-potential, venture-backable startups to advice, talent, funding, and customers. With over 30 ecosystem partners, 30+ participating local corporations, 75+ mentors and advisors, Cintrifuse leverages the power of its network to serve over 100 startup members and improve their chances of success. 
To amplify the efforts and extend the reach of the entrepreneurial community, Cintrifuse operates a $56MM Fund of Funds, which invests in early-stage venture capital funds both regionally and nationally. The Fund of Funds provides an avenue for corporations and venture capitalists alike to gain further insights into and engagement with the Cincinnati startup community. 
Cintrifuse's efforts are made possible through support from some of Cincinnati's most prominent companies.
To connect more than 100 startups with venture capital firms, corporations and service providers, Cintrifuse uses a proven membership model. Entrepreneurs gain access to like-minded, driven and engaged individuals; venture capitalists, business leaders and service providers are introduced to startups on the rise.  Grow your business with Cintrifuse by signing up for membership today.
As the focus on innovation continues and NewCos are being formed across the country, these new entrepreneurs need a foundation in truly understanding "Operational Risk Management". Why?

If these new entrepreneurs are better able to understand the core reasons why a business must operate within a universe of Operational Risks, then their innovation may adapt.  The ideas they have for better managing cyber security, detecting the insider threat or automating the continuity of operations planning may change.

Building a new company with an innovative new product also means understanding the problem sets that a much larger enterprise is encountering on a daily basis.  Innovators today sometimes lose sight of the operational risks that can be addressed by their products as they are installed and implemented in the larger enterprise.  The value proposition that addresses the decrease in loss events will soon get the attention of senior management.

What can a business accelerator like "Cintrifuse" do to make sure that the 100+ new start-ups better understand Operational Risk Management?  Perhaps even more importantly, how can their hot new NewCo product fit into the ORM matrix for addressing Enterprise Risk at a Fortune 500 company?

To answer this, just look more deeply at the 75+ mentors and advisors that Cintrifuse has at their disposal.  Has Cintrifuse developed a diagnostic tool to better understand the subject matter expertise of each of those mentors?
  • First, create an inventory of the skill sets and knowledge of these mentors and develop a database for the start-up entrepreneurs, so they can query who is the best mentor for a specific subject or business problem they are encountering.
  • Second, the mentors themselves would need an orientation on how to assist the start-ups in seeing the nexus with operational risk in their own business model.
  • Third, the mentors would demonstrate how the innovations that the enterprise requires have a nexus with the start-ups products being developed for the mass market.
Remember, ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems; human factors; or external events.
When you scan the companies being accepted and graduated from all of the incubators and accelerators across the globe, many will have a product solution that impacts some facet of Operational Risk Management.  The mission now is to make sure that those new entrepreneurs discover how their inventions and patents may address real-world scenarios.  Just look at the current cohort companies at the MACH37 Accelerator in Herndon, Va. as one example:

iAspire 
Eric Whittleton, Cofounder and CEO
Arash Nejadian, Cofounder and CTO 

iAspire is currently addressing the significant pent-up demand for fully implemented email encryption in large enterprises by enabling end-to-end encryption that also addresses the need for real-time and in-volume secure email access for forensics, e-Discovery and compliance requirements. iAspire develops standards-based digital key management products that serve as material enablers of the "Trusted Web". Future products will include additional store and forward applications such as a cloud-based Secure Drop-box as well as mobility solutions.

Virgil Security
Michael W. Wellman Cofounder and CEO
Dmitry Dain, Cofounder and CTO 

Virgil Security provides easy-to-deploy and easy-to-use cryptographic software and services for use by developers and end-users. Virgil Security’s encryption libraries and services, along with an accompanying public key management infrastructure, ease the pain of developing, deploying, and using strong cryptography. Virgil Security enables a new generation of enhanced privacy and security for applications, cloud services, and the Internet of Things.

FireDrillMe
Marcus Carey, Founder

FireDrillMe provides a SaaS platform that orchestrates cybersecurity “fire drills” on production networks by imitating attackers. FireDrillMe helps organizations train personnel, evaluate products, and refine procedures for incident response.

Syncurity Networks 
JP Bourget, Cofounder and CEO
Ray Davidson PhD, CoFounder
Mike Volo, CoFounder 

Syncurity Networks develops software for Information Security Process Management and Automation focused on Incident Response (IR) incorporating standard IR processes, automated artifact collection, and standardized report generation. Syncurity helps mid-size businesses respond to incidents faster, document lessons learned, and collect metrics for continuous improvement.

SecureDB
Karthik Bhat, Founder and CEO

SecureDB is an encrypted cloud database for storing sensitive customer information such as authentication credentials, PII, PHI and credit card numbers. SecureDB’s cloud based encrypted database and associated APIs will allow enterprises to secure their customer data by providing strong cryptographic protection against unauthorized access.

BiJoTi
Josh Marpet, Cofounder and CEO
Billy Boatright, Cofounder and CMO
Tim Krabec, Cofounder and CTO
Ben Huey, Cofounder and CRO

Compliance requirements are coming downhill to smaller companies, and the bad guys are going after data within companies of all sizes. BiJoTi's turnkey appliance packages the advanced compliance and security benefits that large enterprises enjoy from a dedicated security organization, but at a price that works for small and mid-market businesses.

Cyph
Ryan Lester, Cofounder and CEO
Josh Boehm, Cofounder and COO 

Cyph is a secure messaging app for Facebook users who aren't security experts, but demand a simple way to chat privately with their friends.

As Operational Risk Management is incorporated into the core capabilities of each new entrepreneur's business plan, it will benefit their own launch and better serve their intended customers.

25 October 2014

Reputation Risk: Organizational Stewardship Revisited...

Reputation risk is becoming more of a topic of discussion these days. The loss of reputation results in several outcomes both economic and personal. The fact is that most of the time organizations are "Reacting" to a crisis, news leak or some other corporate failure.

You don't have to name names of people or companies to understand the impact that reputation has on the success or demise of an organization. What has to change to lower the severity and likelihood of loss events associated with "Reputation"?

First you have to ask yourself a couple of key questions:
  1. What is your reputation worth?
  2. Are you being Proactive or Reactive in managing and safeguarding your reputation?
The PR and marketing communications processes in your organization may have certain facets of the solution to better reputation risk management. However, these processes are designed without the consciousness of proactive threat anticipation, detection, prevention and remediation.

What has become clearer to executives in proactively oriented companies is the requirement for a specific and strategic approach to Reputation Risk Management. This approach encompasses an emerging theme from the early nineties pioneered by author Peter Block. We call it Organizational Stewardship.

Organizational Stewardship as a core guiding principle is the cornerstone in managing an institutional reputation risk management process. It has three components that support this rekindled idea of applying the concepts of stewardship to the organization:
  • Economic Accountability
  • Information Management
  • Business Integrity
Reputation Risk Management is about the proactive monitoring and management of a portfolio of threats in the organization. Several categories include:
  1. Intellectual Property and Information Assets
  2. Demonstrations, planned boycotts and social activism
  3. Physical infrastructure including employees and suppliers
  4. Legal threats including class actions, insider trading or whistle-blowers
Microsoft closed its free Internet chat rooms in 28 countries many years ago because of threats from pedophiles and junk e-mailers. This is an example of proactive reputation risk management. Unfortunately, it has also opened the door to a related threat: hackers hijacking other social media accounts.

Organizational Stewardship is a guiding principle. Once it is embedded into the organization it begins to permeate the mindsets of the individuals who are responsible for the conscious reputation risk management processes. Over time, these individuals help influence the corporate mindset, philosophy and ethics to a new found level.

Someday soon the executives in the board room will realize that managing reputation is not about keeping secrets and fighting fires. They will realize that they need to find a proactive, preventive and relevant strategy for achieving Organizational Stewardship in their company.

19 October 2014

4GW: Strategic Risk Vs. Tactical Insurgencies...

Fourth Generation Warfare (4GW) is upon us in the E-Ring, The West Wing and the PGP Keyring. Information assets, and the knowledge that is the key to wealth, are no longer a physical debate. Thomas X. Hammes articulates this in his book, The Sling and The Stone:
Fourth-generation warfare (4GW) uses all available networks -- political, economic, social, and military -- to convince the enemy's political decision makers that their strategic goals are either unachievable or too costly for the perceived benefit. It is an evolved form of insurgency. Still rooted in the fundamental precept that superior political will, when properly employed, can defeat greater economic and military power, 4GW makes use of society's networks to carry on its fight. Unlike previous generations of warfare, it does not attempt to win by defeating the enemy's military forces. Instead, via the networks, it directly attacks the minds of enemy decision makers to destroy the enemy's political will. Fourth-generation wars are lengthy -- measured in decades rather than months or years.
The Mission
The global business landscape has known for all too long the power of marketing. Knowledge is not a fixed asset in a fixed physical location. Intellectual property, patent applications and new formulas can be reduced to zeros and ones and sent to anyone in the world almost instantaneously. Encrypted data flows through the veins of the Internet and has changed the playing field for governments and for your organization.

While nation states and growing adversaries wage their respective political and economic battles, the private sector and the Fortune 500 are in another, parallel conflict to keep their Intellectual Property and Information-Based Assets safe and secure from a growing threat spectrum. Modern digital insurgents and other 4GW opponents are part of a virtual network that has no specific location found in longitude, latitude or geocode. The money center bank or transnational pharmaceutical company is all too familiar with the hijacking of trade secrets or personal identities, held for ransom or sold to the highest bidder.

The Take Away
Yet this is not about technology and it is even more apparent that it is not about the Internet. It is about how people are able to operate in a wide variety of countries, cultures and operating environments. These human networks are the most powerful forces to governments and to marketers. Whether it's a brand being endorsed by a superstar rocker like Paul McCartney or a book being recommended by Oprah Winfrey this 4GW strategy is exactly what this sharing of human knowledge and intelligence is all about. And let's not forget the power of Aljazeera and The New York Times.

The risk of operating your enterprise across the planet requires a "4GW" mentality and toolkit to help ensure your success. What is your organization doing to retool and retrofit your work force to compete on an operational level with more educated people and superior human capital?

11 October 2014

Unintentional Insider Threat (UIT): Human Factors Risk...

Operational Risk Management (ORM) is a discipline that encompasses several facets of science and art. The human factors will continue to challenge the people who are tasked with mitigating risks in the face of a Republic with constitutional rights.  The United States is one of the many countries in the world, where employees of governments and private sector institutions, must comply with a myriad of laws pertaining to the privacy of the work force.

The behavioral aspects of humans operating day-to-day in the workplace, whether inside the R & D department at Google or the 7th Floor at DARPA, carry many of the same risks.  When you put an information storage and computing device in their hands, the likelihood of encountering a potential operational loss or failure increases dramatically.

For the past several years, there has been a significant amount of attention devoted to the topic of "Insider Threat."  In light of the Edward Snowden and "The Fifth Estate" events, many government and private sector organizations have been revisiting their employees' security clearances and backgrounds.  This is a reaction-based effort that would not be out of the ordinary for most organizations that are protecting national secrets or substantial intellectual property.

This, however, is a small percentage of the overall risk that the organization is exposed to every day when that digitally-enabled human goes to work.  The reason is that the lens currently being focused on "Insider Threat" is looking for the next Edward Snowden.  This kind of insider will forever continue to amaze and surprise you, just like the people who may now be in legal proceedings for collaborating with Bernie Madoff.  You see, not every human will show behaviors that all of a sudden look out of the ordinary.  The person stealing information or manipulating the books will continue to operate within your organization without disclosure.

There is a foundational study completed by the CERT Insider Threat team at Carnegie Mellon University that highlights even a greater potential loss or failure.  "A significant proportion of computer and organizational security professionals believe insider threat is the greatest risk to their enterprise, and more than 40% report that their greatest security concern is employees accidentally jeopardizing security through data leaks or similar errors."

Unintentional Insider Threat Definition
We recommend the following working definition of UIT:  An unintentional insider threat is:
(1) a current or former employee, contractor, or business partner
(2) who has or had authorized access to an organization's network, system, or data and who,
(3) through action or inaction without malicious intent,
(4) causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization's information or information systems.
       SEI Insider Threat Team, CERT; Unintentional Insider Threats: A Foundational Study (CMU/SEI-2013-TN-022). Software Engineering Institute, Carnegie Mellon University, 2013.
Abstract
This report examines the problem of unintentional insider threat (UIT) by developing an operational definition of UIT, reviewing relevant research to gain a better understanding of its causes and contributing factors, providing examples of UIT cases and the frequencies of UIT occurrences across several categories, and presenting initial thinking on potential mitigation strategies and countermeasures. Because this research topic has largely been unrecognized, a major goal of this study is to inform government and industry stakeholders about the problem and its potential causes and to guide research and development (R&D) investments toward the highest priority R&D requirements for countering UIT.
Operational Risk Management is a 24 x 7 x 365 day process that is focused on all humans operating in the ecosystem of the enterprise.  The Edward Snowdens are coming to work today along with their friend Bernie Madoff.  Hiding in plain sight.  Operational Risk Management professionals understand this and operate with the focus on the unintentional consequences of their behavior.

The enterprise that is solely focused on finding the one or two people in several decades of operations will overlook the dozens or hundreds who contribute to a loss of Intellectual Property or a breach. Believe us when we say that indeed the "Spy" and "Fraudster" will have a much harder time, operating each day in an organizational environment that is focused on the UIT.

Countering UIT may seem like something that is already being accomplished in the new hire orientation class or the remedial training that is mandated each year on information security, for example.  Those who perceive it this way are, again, only human.  The behaviors that we bring to work each day about how we treat and handle information are not learned in a single session or a single annual workshop. Learning to behave consistently with sensitive or classified information on a daily basis requires a discipline that few really understand right now.  This is especially true in the Defense and Intelligence Community supply chain.

Your goal is to get that UIT awareness inside every one of your employees, partners and suppliers.  To instill inside them the same diligence in their work processes to Deter, Detect, Defend and Document.  UIT is a major percentage of the answer to mitigating the risk of another Edward Snowden or Bernie Madoff incident in your organization.  More importantly, it is the answer to the other 98% of the losses you will incur this next calendar year.  Think about "Achieving a Defensible Standard of Care."

05 October 2014

1 WTC: Trust Decisions of Technology, Privacy and Rule of Law...

Technology, Privacy and the Rule of Law.  All three are attributes of a robust Operational Risk Management (ORM) system.  The Operational Risk professionals in the critical infrastructure sectors that intersect with personally identifiable information (PII) are experts in the trio of changing technology, new laws and legal decisions, while preserving the rights of privacy.  Financial services and Healthcare are currently under a significant barrage of attack.

All of these attributes are just small components of a much larger and more complex system.  The pursuit by all parties including consumers, technology innovators and those charged with our legal governance, is attaining a future state where the majority of humans will judge that system as trustworthy.

Trustworthiness begins with the basis by which you engage with a particular system.  Here is a fundamental example.  The trust that you put into the technology on your wrist or hold in your hand requires you to take a leap of faith at first.  Can you believe that the chronometer on an MTM Patriot watch, while Scuba diving 132 feet below the surface of the Pacific Ocean, is accurate at 18 minutes 36 seconds?  If you can't trust the accuracy of this system to count minutes and seconds, a life may be in jeopardy from DCS (decompression sickness).

An affirmative "Trust Decision" occurs when actions or rules are executed as a result of the system's design or planning.  A decision to ascend from 132 feet to 66 feet at 19 minutes into the dive is a "Trust Decision" leveraging the system programmed to keep accurate time and the diver's planning in advance.

You have come to trust many systems in your lifetime.  Simple computers on your wrist, or the complexity of the engineering associated with a BMW, Apple iPhone 6 or IBM Watson, require the human to experience enough favorable outcomes to begin to trust that particular system.  Those positive outcomes for safe and secure highway travel or the end-point IoT device will strive to establish trust over time. Even one of the virtual machines (VM) on the massive servers in over 100 Equinix Data Centers across the globe is the basis for your trust, as these particular invisible systems store and retrieve your most personal, sensitive intellectual property.

Think of a specific system that is trusted universally.  Think about all of the computers that support the system.  Each computer has been provided instructions coded in software or firmware.  For the most part, these rules have been programmed by humans.  In many cases, the software has automated a previous system that was manually operated by humans, for decades or longer.  Now this new trusted system is more efficient and the work that it performs saves us time.  It generates economic growth. Eventually, the system becomes trusted by a majority of humans and no one questions the calculus anymore.  Our current banking system in the U.S. is one that is top of mind.

When you have a fusion of Technology, Privacy and the Rule of Law that requires trust, not just by humans but by systems-to-systems, then you must also have something else.  In order for the complete system and all of its attributes to be accepted, adopted, codified, tested, ruled-upon, pervasive and universally utilized, it must be trusted by the other "systems" themselves.  Here is another example.

When you look at the architecture of the new "One World Trade Center" (Freedom Tower) scheduled for completion this year in New York City, do you think about:
Structural redundancy, enhanced fireproofing, biological and chemical air filters, extra-wide pressurized staircases, interconnected redundant exits, safety systems encased in three-foot concrete walls, a dedicated firefighter staircase, special "areas of refuge" on each floor.
You should think about it, and so does Skidmore, Owings & Merrill, LLP, the architect of the Freedom Tower.  If only we could utilize this metaphor for what we have learned about the architecture and construction of the new Freedom Tower.  Will you trust 1 WTC as a system?  Why?

The systems talking to other systems in order to design, build and occupy 1 WTC have been vast.  The technology incorporated to satisfy a complex set of business rules, building codes and privacy or security governance is extraordinary. "Trust Decisions" to accomplish affirmative outcomes have been executed for years by Skidmore, Owings and Merrill (SOM) not only in New York but on a global basis.

The trustworthiness of a system goes far beyond just the edifice.  The device.  The packaging.  The marketing.  The brand.  You will always have to look deeper for your "Trust Decisions".  You must discover how these trusted systems are being utilized to provide you the affirmative economic results you seek.  And without the positive outcome of the creation of newfound time or monetary assets, you will abandon the tool, the machine, the system and, simultaneously, your trust.

TrustDecisions...