19 October 2014

4GW: Strategic Risk Vs. Tactical Insurgencies...

Fourth Generation Warfare (4GW) is upon us in the E-Ring, the West Wing and the PGP keyring. Information assets, and the knowledge that is the key to wealth, are no longer a physical matter. Thomas X. Hammes articulates this in his book, The Sling and The Stone:
Fourth-generation warfare (4GW) uses all available networks -- political, economic, social, and military -- to convince the enemy's political decision makers that their strategic goals are either unachievable or too costly for the perceived benefit. It is an evolved form of insurgency. Still rooted in the fundamental precept that superior political will, when properly employed, can defeat greater economic and military power, 4GW makes use of society's networks to carry on its fight. Unlike previous generations of warfare, it does not attempt to win by defeating the enemy's military forces. Instead, via the networks, it directly attacks the minds of enemy decision makers to destroy the enemy's political will. Fourth-generation wars are lengthy -- measured in decades rather than months or years.
The Mission
The global business landscape has known for all too long the power of marketing. Knowledge is not a fixed asset in a fixed physical location. Intellectual property, patent applications and new formulas can be reduced to zeros and ones and sent to anyone in the world almost instantaneously. Encrypted data flows through the veins of the Internet and has changed the playing field for governments and for your organization.

While nation states and growing adversaries wage their respective political and economic battles, the private sector and the Fortune 500 are in a parallel conflict to keep their intellectual property and information-based assets safe and secure from a growing threat spectrum. Modern digital insurgents and other 4GW opponents are part of a virtual network that has no specific location in longitude, latitude or geocode. The money center bank or transnational pharmaceutical company is all too familiar with the hijacking of trade secrets or personal identities, held for ransom or sold to the highest bidder.

The Take Away
Yet this is not about technology, and it is even more apparent that it is not about the Internet. It is about how people are able to operate in a wide variety of countries, cultures and operating environments. These human networks are the most powerful forces available to governments and to marketers. Whether it's a brand being endorsed by a superstar rocker like Paul McCartney or a book being recommended by Oprah Winfrey, this sharing of human knowledge and intelligence is exactly what 4GW strategy is all about. And let's not forget the power of Aljazeera and The New York Times.

The risk of operating your enterprise across the planet requires a "4GW" mentality and toolkit to help ensure your success. What is your organization doing to retool and retrofit your work force to compete on an operational level with more educated people and superior human capital?

11 October 2014

Unintentional Insider Threat (UIT): Human Factors Risk...

Operational Risk Management (ORM) is a discipline that encompasses several facets of science and art. The human factors will continue to challenge the people who are tasked with mitigating risks in a Republic with constitutional rights. The United States is one of many countries in the world where employees of governments and private sector institutions must comply with a myriad of laws pertaining to the privacy of the work force.

The behavior of humans operating day-to-day in the workplace, whether inside the R & D department at Google or on the 7th Floor at DARPA, carries many of the same risks. When you put an information storage and computing device in their hands, the likelihood of encountering a potential operational loss or failure increases dramatically.

For the past several years, there has been a significant amount of attention devoted to the topic of "Insider Threat." In light of the Edward Snowden and "The Fifth Estate" events, many government and private sector organizations have been revisiting their employees' security clearances and backgrounds, a reaction-based effort that would not be out of the ordinary for most organizations protecting national secrets or substantial intellectual property.

This, however, is a small percentage of the overall risk that the organization is exposed to every day when that digitally enabled human goes to work. The reason is that the lens currently being focused on "Insider Threat" is looking for the next Edward Snowden. This kind of insider will forever continue to amaze and surprise you, just like the people who may now be in legal proceedings for collaborating with Bernie Madoff. You see, not every human will show behaviors that all of a sudden look out of the ordinary. The person stealing information or manipulating the books will continue to operate within your organization without disclosure.

There is a foundational study completed by the CERT Insider Threat team at Carnegie Mellon University that highlights even a greater potential loss or failure.  "A significant proportion of computer and organizational security professionals believe insider threat is the greatest risk to their enterprise, and more than 40% report that their greatest security concern is employees accidentally jeopardizing security through data leaks or similar errors."

Unintentional Insider Threat Definition 
We recommend the following working definition of UIT:  An unintentional insider threat is: 
(1) a current or former employee, contractor, or business partner 
(2) who has or had authorized access to an organization’s network, system, or data and who, 
(3) through action or inaction without malicious intent, 
(4) causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.  
       SEI Insider Threat Team, CERT. Unintentional Insider Threats: A Foundational Study (CMU/SEI-2013-TN-022). Software Engineering Institute, Carnegie Mellon University, 2013.
Abstract
This report examines the problem of unintentional insider threat (UIT) by developing an operational definition of UIT, reviewing relevant research to gain a better understanding of its causes and contributing factors, providing examples of UIT cases and the frequencies of UIT occurrences across several categories, and presenting initial thinking on potential mitigation strategies and countermeasures. Because this research topic has largely been unrecognized, a major goal of this study is to inform government and industry stakeholders about the problem and its potential causes and to guide research and development (R&D) investments toward the highest priority R&D requirements for countering UIT.
Operational Risk Management is a 24 x 7 x 365 day process that is focused on all humans operating in the ecosystem of the enterprise. The Edward Snowdens are coming to work today along with their friend Bernie Madoff, hiding in plain sight. Operational Risk Management professionals understand this and operate with a focus on the unintentional consequences of human behavior.

The enterprise that is solely focused on finding the one or two people in several decades of operations will overlook the dozens or hundreds who contribute to a loss of Intellectual Property or a breach. Believe us when we say that indeed the "Spy" and "Fraudster" will have a much harder time, operating each day in an organizational environment that is focused on the UIT.

Countering UIT may seem like something that is already being accomplished in the new hire orientation class or in the remedial training on information security that is mandated each year. Those who perceive it this way are, again, only human. The behaviors that we bring to work each day about how we treat and handle information are not learned in a single session or a single annual workshop. Learning to behave consistently with sensitive or classified information on a daily basis requires a discipline that few really understand right now. This is especially true in the Defense and Intelligence Community supply chain.

Your goal is to get that UIT awareness inside every one of your employees, partners and suppliers, and to instill in them the same diligence in their work processes to Deter, Detect, Defend and Document. UIT is a major percentage of the answer to mitigating the risk of another Edward Snowden or Bernie Madoff incident in your organization. More importantly, it is the answer to the other 98% of the losses you will incur this next calendar year. Think about "Achieving a Defensible Standard of Care."

05 October 2014

1 WTC: Trust Decisions of Technology, Privacy and Rule of Law...

Technology, Privacy and the Rule of Law: all three are attributes of a robust Operational Risk Management (ORM) system. The Operational Risk professionals in the critical infrastructure sectors that intersect with personally identifiable information (PII) are experts in the trio of changing technology, new laws and legal decisions, while preserving the rights of privacy. Financial services and Healthcare are currently under a significant barrage of attack.

All of these attributes are just small components of a much larger and more complex system.  The pursuit by all parties including consumers, technology innovators and those charged with our legal governance, is attaining a future state where the majority of humans will judge that system as trustworthy.

Trustworthiness begins with the basis on which you engage with a particular system. Here is a fundamental example. The trust that you put into the technology on your wrist or hold in your hand requires you to take a leap of faith at first. Can you believe that the chronometer on a MTM Patriot watch, 132 feet below the surface of the Pacific Ocean while scuba diving, is accurate at 18 minutes 36 seconds? If you can't trust the accuracy of this system to count minutes and seconds, a life may be in jeopardy from decompression sickness (DCS).

An affirmative "Trust Decision" occurs when actions or rules are executed as a result of the system's design or planning. A decision to ascend from 132 feet to 66 feet at 19 minutes into the dive is a "Trust Decision" leveraging the system programmed to keep accurate time and the diver's planning in advance.

You have come to trust many systems in your lifetime. Simple computers on your wrist, or the complexity of the engineering associated with a BMW, Apple iPhone 6 or IBM Watson, require the human to experience enough favorable outcomes to begin to trust that particular system. Those positive outcomes for safe and secure highway travel or the end-point IoT device establish trust over time. Even one of the virtual machines (VMs) on the massive servers in over 100 Equinix data centers across the globe is the basis for your trust, as these particular invisible systems store and retrieve your most personal, sensitive intellectual property.

Think of a specific system that is trusted universally.  Think about all of the computers that support the system.  Each computer has been provided instructions coded in software or firmware.  For the most part, these rules have been programmed by humans.  In many cases, the software has automated a previous system that was manually operated by humans, for decades or longer.  Now this new trusted system is more efficient and the work that it performs saves us time.  It generates economic growth. Eventually, the system becomes trusted by a majority of humans and no one questions the calculus anymore.  Our current banking system in the U.S. is one that is top of mind.

When you have a fusion of Technology, Privacy and the Rule of Law that requires trust, not just by humans but system-to-system, then you must also have something else. In order for the complete system and all of its attributes to be accepted, adopted, codified, tested, ruled upon, pervasive and universally utilized, it must be trusted by the other "systems" themselves. Here is another example.

When you look at the architecture of the new "One World Trade Center" (Freedom Tower) scheduled for completion this year in New York City, do you think about:
Structural redundancy, enhanced fireproofing, biological and chemical air filters, extra-wide pressurized staircases, interconnected redundant exits, safety systems encased in three-foot concrete walls, a dedicated firefighter staircase, special "areas of refuge" on each floor.
You should think about it, and so does Skidmore, Owings & Merrill, LLP, the architect of the Freedom Tower. If only we could utilize this metaphor for what we have learned about the architecture and construction of the new Freedom Tower. Will you trust 1 WTC as a system? Why?

The systems talking to other systems in order to design, build and occupy 1 WTC have been vast.  The technology incorporated to satisfy a complex set of business rules, building codes and privacy or security governance is extraordinary. "Trust Decisions" to accomplish affirmative outcomes have been executed for years by Skidmore, Owings and Merrill (SOM) not only in New York but on a global basis.

The trustworthiness of a system goes far beyond just the edifice.  The device.  The packaging.  The marketing.  The brand.  You will always have to look deeper for your "Trust Decisions".  You must discover how these trusted systems are being utilized, to provide you the affirmative economic results you seek.  And without the positive outcome of the creation of new found time or monetary assets, you will then abandon the tool, the machine, the system and simultaneously your trust.

TrustDecisions...

28 September 2014

HSI: Homeland Security Intelligence...

What is the modern definition of U.S. Homeland Security Intelligence (HSI)? Many would differ on the jurisdiction, sources and nexus with specific intelligence that falls outside U.S. borders. The future of sharing relevant pieces of the vast mosaic of information may well lie with the definition and the interpretation of Homeland Security Intelligence.

One thing is certain about this topic of debate. If the information is being utilized to determine the nature of a threat within the confines of the U.S. Homeland, then that information will be treated according to the laws of the United States. This brings us to the next question. Are the current laws an impediment to more effective Homeland Security Intelligence (HSI) processes, methods and outcomes?  The following areas must be addressed in order to get closer to the truth.
  • Governance
  • Policies
  • Regulatory and Statutory Concerns
  • Civil rights and Liberties
Yet the question begs discussion of the structure and the purpose of the Intelligence Community (IC) itself. Is a policeman or fireman on the ground in every major city in the country part of the IC? Are they not collectors of Homeland Security Intelligence as they fill out their manual or electronic "Suspicious Activity Reports" (SARs)? If they are, then as much as they are part of the greater HSI mechanism that is deemed collection and not analysis, so too will they be subjected to the laws of the land regarding privacy and information governance.
Getting to the point where we are spending even more than half of the time doing actual human analysis is a long way off into the future. Software systems are getting automated crawlers to pull more relevant OSINT into the databases for unstructured query, yet what about the front line observer who is the witness to an incident? They must process this by interfacing with a paper-based report that is filled in with a #2 pencil, or an electronic form on a PDA, to check boxes and select categories that best describe the observed event that risk managers, watch commanders and operations directors need for more effective decision support.
Regardless of how the collector gets the information, it still remains a matter of relevance to other data that already exists in a repository, or to the addition of a future data set that suddenly creates a "Red Flag." It isn't until that "Red Flag" indicator goes off that the human analyst can put grey matter on the issue to determine the relevance at that point in time and the implications of the law, policies and governance. This topic has been addressed in previous posts to this blog.

There are some who would say that the reason the "Dots are not Connected" sooner, faster or more efficiently is that we are drowning in too much information to analyze. The automation of collection is the easy part. Filtering and pushing relevancy through the digital cheesecloth to get the most vital intelligence assets is a bit harder to accomplish. The human analysis, applying "Gray Matter" to the problem set and understanding the current "State-of-Play", is the ultimate challenge.

Beyond this, the average "John Q" citizen has probably never heard of 28 CFR Part 23, the privacy assurance mechanism put into place in the 90's pertaining to the fusion of criminal intelligence. Perhaps this is the single greatest impediment we face to ensuring our safety and security against threats from transnational eCrime syndicates, non-state actors and even the most sophisticated Nation States.
The topic of Homeland Security Intelligence is really about the Information Risk Governance and Consumer Privacy laws that protect us as U.S. citizens. At the same time, these same legal statutes might be the exact balance between what law enforcement and the intelligence community need to do their jobs without infringing on the rights of "John Q. Jihadist."  Here is a great example:

A Saudi student appeared to smile Friday morning as U.S. marshals escorted him to his first federal court appearance on a terror charge.
Khalid Ali-M Aldawsari, 20, stood before U.S. Magistrate Nancy Koenig charged with attempted use of a weapon of mass destruction.
The former Texas Tech student was suspected of purchasing chemicals and supplies to build a bomb and of researching possible targets in the United States before his arrest by federal officials late Wednesday.

Aldawsari came to federal attention after trying to have a large quantity of a suspicious chemical, which has both benign and nefarious uses, shipped to a Lubbock freight address, according to a sworn affidavit by an FBI agent filed in support of the warrant for Aldawsari’s arrest.
Subsequent electronic surveillance led to two secret searches of Aldawsari’s Lubbock apartment, where authorities found a makeshift lab that could be used to make explosives, as well as some of the ingredients and supplies necessary to build and detonate a bomb, according to the affidavit.
E-mails and his personal journal indicated an interest in planning attacks, ranging from an initial desire to start a local al-Qaida-type organization to researching nightclubs as a potential target, according to the FBI investigation.
Homeland Security Intelligence collected from a U.S. domestic chemical company and a freight trucking line, and as a result of legal searches of the suspect's apartment, was all utilized to interdict this potential plot of terrorism in the United States. Effective HSI will determine whether we continue to be as effective in the future. Godspeed to us all....
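The "Red Flag" mechanism described above, and the way the chemical-order and freight reports only became meaningful together, can be sketched as a small correlation routine. This is an added example, not code from the blog or from any agency system: reports from independent collectors are grouped by subject, a flag is raised only when two or more distinct sources converge inside a time window, and the output is a review item for a human analyst rather than an automated decision. Every record, source name, subject identifier and field name below is constructed.

```python
"""Multi-source "red flag" correlation feeding an analyst review queue.

Added example; not code from the blog or from any agency system. One
collector's report (a chemical order, a freight shipment, a patrol SAR)
rarely means much alone; the indicator fires when independent sources
converge on one subject within a time window. The result is routed to a
person for review. All records and identifiers here are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    source: str        # constructed collector name
    subject: str       # constructed, opaque subject identifier
    category: str      # constructed observation category
    received_day: int  # day offset from an arbitrary epoch (constructed)


# Constructed sample reports, not real data.
REPORTS = [
    Report("chemical_supplier", "subj-A", "unusual_chemical_order", 1),
    Report("freight_line", "subj-A", "shipment_to_residential_address", 3),
    Report("patrol_sar", "subj-A", "suspicious_activity", 40),
    Report("freight_line", "subj-B", "shipment_to_residential_address", 4),
    Report("freight_line", "subj-B", "shipment_to_residential_address", 10),
    Report("chemical_supplier", "subj-D", "unusual_chemical_order", 1),
    Report("patrol_sar", "subj-D", "suspicious_activity", 50),
]


def correlate(reports, min_sources=2, window_days=30):
    """Return {subject: review_item} for subjects on which at least
    `min_sources` distinct sources reported within `window_days`.

    Two reports from the same collector never raise the flag on their
    own; the indicator is convergence of independent sources.
    """
    by_subject = defaultdict(list)
    for r in reports:
        by_subject[r.subject].append(r)

    flags = {}
    for subject, items in by_subject.items():
        items.sort(key=lambda r: r.received_day)
        # Slide a window anchored at each report in turn.
        for anchor in items:
            end = anchor.received_day + window_days
            in_window = [r for r in items
                         if anchor.received_day <= r.received_day <= end]
            sources = {r.source for r in in_window}
            if len(sources) >= min_sources:
                flags[subject] = {
                    "sources": sorted(sources),
                    "categories": sorted({r.category for r in in_window}),
                    "window": (anchor.received_day, end),
                    # The flag routes to an analyst; it decides nothing itself.
                    "status": "pending_analyst_review",
                }
                break
    return flags


if __name__ == "__main__":
    for subject, item in correlate(REPORTS).items():
        print(subject, item)
```

The thresholds are deliberately parameters: widening the window or raising the number of required sources changes which subjects reach the queue, which is exactly the governance lever the post is concerned with, and the status field keeps the legal and policy judgement with the human analyst.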

21 September 2014

Alternative Analysis: Intelligence-Led Methodologies...

Operational Risk Management (ORM) is about the consideration of past failures and the possibility of unknown future failures of people, processes, systems and external events. The analysis of the likelihood and implications of those loss events requires different methodologies to assist in the mitigation strategies to prevent or avoid the risks of failure. In light of the nature and complexity of transnational asymmetric threats, this requires the use of alternative methods of analysis.

Intuitive decision making and sense-making can be combined into a framework for categorizing the residual thought processes of intelligence analysts. This is called "intelligence sense-making". This process involves the application of expertise, imagination and conversation, and the benefit of intuition, without systematic consideration of alternative hypotheses. Compared to traditional methods of analysis, intelligence sense-making is continuous rather than discrete, informal rather than formal, and focused more on issues that don't have normal constraints.

Employing alternative analysis means that, because you can't “afford getting it wrong”, you challenge assumptions and identify alternative outcomes. However, it may be of little use against today's growing non-state transnational threats and ongoing criminal enterprise complexities. This is because there are so many conceivable outcomes, consistent and perpetual changes, and contingencies that no single risk management process can be effective all the time.

Web-logs 3.0 are the future for some effective transnational alternative analysis. Combined with new apps such as Recorded Future, the open source analyst can operate with increasing pace and context. Unlike more formal published papers, intelligence Web-logs are a more free-flowing “unfinished” production, whereby both human intuitions and more formal arguments are posted, and then challenged by those with alternative ideas. Indeed, Web-logs are the mechanism for a facilitated contextual dialogue— the electronic equivalent of out loud sense-making.

On September 11th, about half of the hijackers had been flagged for scrutiny at the gate before boarding the ill-fated flights. Had the concerns of the Phoenix FBI office about flight training not only been shared broadly within the government but also integrated into a mindfulness-focused inter-agency process—featuring out loud sense-making, Web-log type forums, computer-generated references to extant scenarios for crashing airplanes into prominent targets—might at least some of the detentions been prolonged, disrupting the plan? --“Rethinking ‘Alternative Analysis’ to Address Transnational Threats,” published in Kent Center Occasional Papers, Volume 3, Number 2.

In our modern day era of Twitter, Facebook and "Crowd Sourcing" technologies, perhaps the tools are already in place. Platforms such as Ushahidi are geocoding the information origin, providing ground truth situational awareness and providing context on issues that are unbounded. How often does the published press currently use these tools to get their original leads, potential sources or new ideas for a more formal story? This story then takes on the formal journalistic requirements for confirmation from trusted and vetted sources, before it makes the final deadline and is delivered on printed paper to our doorstep each morning.

The doctrine of analysis for transnational threats and homeland security intelligence is still evolving in this accelerating digital ecosystem. The alternative methods and tools that we will utilize to examine, refute or justify our thoughts remain endless. The degree to which we are effectively operating within the legal rule-sets for our particular country, state or locality remains the ultimate privacy and civil liberties challenge. These respective governance guidelines, particularly with regard to intelligence record systems and liability issues, must remain paramount:

  • Who is responsible for entering information into the Intelligence Records System?
  • Who is the custodian of the Intelligence Records System that ensures all regulations, law, policy and procedures are followed?
  • What types of source documents are entered into the Intelligence Records System?
  • Does the retention process adhere to the guidelines of 28 CFR Part 23 in the United States?
Finally, community-based policing has developed skills in many law enforcement first responders that directly support new counterterrorism responsibilities. Intelligence-led policing (ILP) provides strategic integration of intelligence into the overall mission of the larger "Homeland Security Intelligence" enterprise. It involves multiple jurisdictions, is threat driven, and incorporates the citizens of the community, who are asked to cooperate when called upon, to be aware of their surroundings and to report anything suspicious.

So what types of information do street officers need from an Intelligence Unit?
  1. Who poses threats?
  2. Who is doing what with whom?
  3. What is the modus operandi of the threat?
  4. What is needed to catch offenders / threat actors?
  5. What specific types of information are being sought by the intelligence unit to aid in the broader threat analysis?
Alternative analysis is designed to hedge against human behavior. Analysts, like all human beings, typically concentrate on data that confirms, rather than discredits, existing hypotheses. Law enforcement is constantly focused on the key evidence to prove who committed the crime. Alternative analysis shall remain part of the intelligence tool kit for more formal policy level work. Imagine the use of Intelligence-led methodologies such as "intelligence sense-making" combined with secure Web 3.0 collaborative apps at the finger tips of our Homeland Security first responders. Now think about that "lone wolf" or "sleeper cell" lying in wait.

Proactive and preventative risk management requires the right tools, with the right information in the hands of the right people.

14 September 2014

Rule-based Design: The Future of HSI...

Levers in the Homeland Security Intelligence (HSI) ecosystem impact the performance and the health of the environment in which the entities share their respective insights. These HSI entities are people within the analytic ecosystem who are diverse in the art and science they utilize to create and share insight.

The threat to any ecosystem in many cases is "too much" or "too little" of a key element of that environment that makes it thrive. Anything that occurs to offset the equilibrium in the ecosystem can have dramatic effects. What is the greatest killer of human beings on the planet earth over the past few decades? A good guess would be "Drought". Too much sun and too little water has killed millions.

Yet in the context of intelligence, if data is "The Sun" and shared insight is "The Water" then in order to mitigate the impacts of upsetting the equilibrium of our HSI ecosystem a prudent course of action is required. The levers should assist in the governance of the right amount of data and the right amount of shared insights so no one entity is at risk. Now we must examine the topic of "Rule-based Design."

Homeland Security Intelligence analysts experiencing too much data and not enough insight is many times the argument at hand. They are indeed at the mercy of the compliance and data governance mechanisms that are in place because of the civil liberties, legal framework and privacy statutes across 50 U.S. states. Adding to the complexity are the systems and analytic software solutions that have been developed over the past ten plus years. The software designers must incorporate "Rule-based Design" if they are to assist in the entire equilibrium of the HSI ecosystem. Jeffrey Ritter explains:
Clearly, for the IT architect, there are lessons to be learned. For each step taken by the IT architect to better account for all of the rules that a solution must navigate, before the design process begins and long before construction of the solution is underway, the IT architect is able to better assure the timely completion of the solution, and the compliance of the systems and resulting data with applicable rules. Yet, even in this second decade of the 21st century, we are witnessing a continued failure of IT systems to be designed for compliance. Time and again, systems are designed, built and implemented without early and complete evaluation of the rules that must be satisfied. The result is that corporations (and their lawyers) are often patching compliance onto the systems after the fact. Expenses are increased, compliance is less assured, and the IT architect often gets stuck with the responsibility.
“Rules–based design” means that IT solutions are designed with a fully-informed awareness of all of the rules, including the legal rules, that the solution and the data must satisfy. With cloud computing, data that is dynamic and volatile, and mobile users, the challenge is genuine – how do we anticipate all of the legal rules that may apply?
The solution will emerge incrementally. But the first step is to accept the principle that IT systems, and their data, can be designed differently. We can take into account prior to the design process, and not after the completion of construction, all of the rules that the systems and the data must successfully navigate.
Now we must examine the "Civil Liberties and Privacy Policy" and the applicability within the Department of Homeland Security.
The Policy applies to “protected information,” which the ISE defines as information about U.S. citizens and legal permanent residents that is subject to information privacy, civil rights, and civil liberties protections required under the U.S. Constitution and Federal laws of the United States. DHS has instituted a policy whereby any personally identifiable information (PII) that is collected, used, maintained, and/or disseminated in connection with a mixed system is treated as a system of records subject to the administrative protections of the Privacy Act regardless of whether the information pertains to a U.S. citizen, legal permanent resident, visitor, or alien. As a result, this Policy also applies to information about nonresident aliens contained in “mixed systems.”
When you combine the complexity of a vast and endless data ecosystem with rule-based design in an attempt to preserve the civil liberties and privacy of U.S. citizens, you have the basis for a significant challenge and a simultaneous opportunity. The governance of Homeland Security Intelligence is in the hands of policy makers and software systems designers. The drought metaphor utilized earlier to illustrate the point on "too much data" and "too little insight" can now be clarified in our focus post 9/11. As of this writing, the system is working and has prevented a terrorist attack in the U.S. homeland on the magnitude of that unforgettable Tuesday in September, 2001.
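Rule-based design, as Ritter describes it, means the rules a system and its data must satisfy are evaluated against the design before construction rather than patched on afterwards. The following is an added example, not code from the blog, from Jeffrey Ritter or from DHS, showing that idea in miniature for an intelligence records system: each rule is a check run against a design specification, and the specification is cleared to build only when no rule reports a violation. The first rule encodes the DHS "mixed system" policy quoted above (PII gets Privacy Act treatment regardless of the subject's status); the second encodes the retention-review question from the governance checklist earlier in this blog, with the maximum review interval left as a parameter whose sample value is an assumption to be confirmed against the governing rule; the third answers "who entered this record" with an audit-trail requirement. The spec format, field names, rule names and both sample specs are constructed.

```python
"""Design-time rule check for an intelligence records system.

Added example; not code from the blog, Jeffrey Ritter or DHS. Rules are
plain functions that inspect a design specification and return
violations, so that the legal and privacy rules are navigated before
anything is built. Spec format, field names and samples are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class SystemSpec:
    name: str
    mixed_system: bool            # records on people of more than one status
    fields: Dict[str, bool]       # field name -> True if the field is PII
    privacy_act_controls: bool    # system-of-records controls designed in
    retention_review_days: Optional[int] = None   # None: no review scheduled
    audit_trail: bool = False     # every entry and query attributable to a user


Rule = Callable[[SystemSpec], List[str]]   # a rule returns zero or more violations


def rule_mixed_system_pii(spec: SystemSpec) -> List[str]:
    """Mixed system holding PII must apply Privacy Act controls to every record."""
    pii_fields = [name for name, is_pii in spec.fields.items() if is_pii]
    if spec.mixed_system and pii_fields and not spec.privacy_act_controls:
        return [f"{spec.name}: mixed system stores PII {pii_fields} without "
                "Privacy Act system-of-records controls; the policy applies "
                "regardless of the subject's status"]
    return []


def make_retention_rule(max_review_days: int) -> Rule:
    """Build a retention-review rule for a given maximum interval (parameter)."""
    def rule(spec: SystemSpec) -> List[str]:
        if spec.retention_review_days is None:
            return [f"{spec.name}: no retention review scheduled"]
        if spec.retention_review_days > max_review_days:
            return [f"{spec.name}: retention review every "
                    f"{spec.retention_review_days} days exceeds the "
                    f"{max_review_days}-day maximum"]
        return []
    return rule


def rule_custodian_audit(spec: SystemSpec) -> List[str]:
    """'Who entered this record' must be answerable: require an audit trail."""
    if spec.audit_trail:
        return []
    return [f"{spec.name}: entries are not attributable (no audit trail)"]


def evaluate(spec: SystemSpec, rules: List[Rule]) -> List[str]:
    """Run every rule against the design; an empty list means cleared to build."""
    violations: List[str] = []
    for rule in rules:
        violations.extend(rule(spec))
    return violations


# Assumed interval for the sample run only; confirm against the governing rule.
ASSUMED_MAX_REVIEW_DAYS = 5 * 365
RULES: List[Rule] = [
    rule_mixed_system_pii,
    make_retention_rule(ASSUMED_MAX_REVIEW_DAYS),
    rule_custodian_audit,
]

# Constructed draft: compliance left for "after the fact".
DRAFT = SystemSpec(
    name="fusion-records-draft",
    mixed_system=True,
    fields={"full_name": True, "date_of_birth": True, "report_text": False},
    privacy_act_controls=False,
    retention_review_days=None,
    audit_trail=False,
)

# The same system with the rules taken into account before construction.
REVISED = SystemSpec(
    name="fusion-records-v2",
    mixed_system=True,
    fields={"full_name": True, "date_of_birth": True, "report_text": False},
    privacy_act_controls=True,
    retention_review_days=365,
    audit_trail=True,
)

if __name__ == "__main__":
    for spec in (DRAFT, REVISED):
        print(spec.name, evaluate(spec, RULES) or "cleared to build")
```

Because the rule list is data rather than code scattered through the system, a new statute or policy becomes one more function added to RULES and re-run over every design, which is the incremental path Ritter describes.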

The entities within our Homeland Security Intelligence ecosystem will continue to be enabled or impeded by the policy decisions of civil liberties and privacy laws. The degree to which the software systems and rule-based design are commensurate with these policies may very well determine whether the equilibrium continues its success in the United States.

The levers to improve our HSI in the midst of a dynamic and asymmetric enemy are a constant ambition. Looking into the future, we can only pray our analytic entities execute in an ecosystem that perpetuates our successes so far and minimizes our failures. The governance factors designed by our policy makers and software developers will determine our abilities to save lives and protect our vital national assets for years to come.

11 September 2014

9/11 2014: Never Forget This Anniversary...

On this anniversary of the four terrorist attacks on the United States, September 11, 2001, we pause and remember.  We reflect on where we were at 8:46, 9:03, 9:37 and 10:07AM on that horrific morning, as the two planes crashed into the World Trade Center Towers in New York City, followed by the Pentagon in Washington, DC and a field near Stonycreek Township outside Shanksville, Pennsylvania.

The Islamic State fight continues 13 years later in an arena of global asymmetric warfare. This includes YouTube videos, Twitter, Special Operators from USSOCOM and other "Quiet Professionals" on the Internet or in the shadows of Istanbul and Cairo, that you will never read about.

When any moral person watches the replay of the video news reporting on 9/11, emotions are evident. Telling the story to those who were not born or are too young to remember is imperative. It is no different from the importance of other historic events of evil during two World Wars, Vietnam or the continued wars across Iraq, Afghanistan and the Middle East.

Over the past 13 years our lives have been forever impacted in the midst of conflict over religion, real estate and resources.  This is nothing new from a historical perspective until you add the technology components.  The Internet and mobile phone technologies have brought the reporting, intelligence and dissemination of real-time information to us in seconds or minutes.  No longer days or hours.

On this 9/11 anniversary, we can only pray that our humanity endures the kinetic evil and the light speed of digital information that will continue to evolve in the decades and milliseconds ahead of us...

07 September 2014

Cyber Insurance: The Future of Enterprise Risk Management...

There has been great debate over the years on the topic of cyber security insurance to complement a comprehensive Operational Risk Management (ORM) strategy.  Does the existence of a robust Enterprise Risk Management (ERM) program that includes substantial components of Operational Risk benefit the organization in the eyes of the insurer?

Could the Cyber Insurance industry be heading towards a future model for making the case for "Enterprise Risk Management" in the Cyber Risk Space?  As a parallel example, the banking industry requires homeowners insurance before loans are approved.  This is because there are a hundred plus years of history on fires as a potential threat and the actuaries know the odds for a loss event, especially with the new building materials and the rules on sprinkler systems in certain areas.

We are getting close to the point where data analytics and the history of cyber attack information will be used to assist insurers in writing a "Cyber Risk policy" based upon your industry sector and geographic location. The data being analyzed now on the banking sector and energy sector is vast and these are just two critical infrastructure sectors that have a long history of being attacked by criminal network bots and also nation states, on an hourly basis.

The U.S. Department of Homeland Security (DHS) has been looking into the multi-factors surrounding Enterprise Risk Management in the context of cyber insurance for the past few years:
Based on what it had learned, NPPD hosted an insurance industry working session in April 2014 to assess three areas where it appeared progress could lead to a more robust first-party market: the creation of an anonymized cyber incident data repository; enhanced cyber incident consequence analytics; and enterprise risk management evangelization.
The evangelization of ERM is vital not only for those Global 500 organizations but also for the INC. 500.  The companies that are the supply chain to the enterprise are even more at risk of attack since they provide an on-ramp for modern malware to seek new vulnerabilities.  These supply chain companies will soon be asked about their Enterprise Risk Management (ERM) program strategies and for good reason.

In order for the Global 500 to continue to have confidence in a robust ERM strategy, they must have ways to validate their own supply chain organizations' maturity in the cyber risk management domain. So what did the participants in the DHS NPPD cyber insurance roundtable in 2014 recommend as elements of a successful ERM program?
Engagement of senior leadership. A reinsurer commented that effective ERM programs must be implemented at the senior leadership level. Specifically, he advised that they should reflect a corporate culture that features cyber-related ERM discussions at all board meetings and that subjects itself to regular oversight – including through periodic internal risk audits and audits by outside, independent organizations.
Engagement of general counsels. A broker described general counsels and chief compliance officers as key players in successful ERM programs and stated that her company’s risk assessment workshops for corporate leaders are always more successful when these leaders are involved.
Engagement of CISOs. An underwriter added that it is similarly valuable to include a company’s CISO in the ERM process – particularly a CISO who understands the role that insurance can play as part of a comprehensive risk management strategy.
Establishing direct lines of communication. A third underwriter asserted that when it comes to cyber security specifically, a company should establish a direct line for ERM reporting to its board of directors rather than a hierarchal chain that requires many approvals before funds can be spent on someone (e.g., outside cyber forensics support) or something (e.g., a new technology) to address a cyber risk or incident.
So what does all this mean, if my INC. 500 company is part of the supply chain of a Global 500 organization?

It means that your ERM program will be under the magnifying glass, if not now then very soon. If you are considered to be a vital supplier to the Global 500 enterprise, then you most likely are cyber-connected for data exchange or even more. Digital systems-level decisions and the speed of business require that you have cyber data handshakes every few minutes or seconds. The ability of your product or service to perform requires this high degree of "Trust Decisions."

The time has come for Cyber Risk insurance to mature and to become another standard component in the Operational Risk Management (ORM) portfolio.  We look forward to seeing the language of the policies themselves as they evolve.  Will attribution of the origin of the cyber attack be a factor in a first-party coverage claim?  We think you can count on it...

31 August 2014

HSI Governance: Equilibrium of Privacy and Security...

When people are faced with increasing Operational Risk Management (ORM) uncertainty in their organization, our inherent DNA makes us gravitate towards avoiding new risk at all costs. What any new bold policy shift requires to succeed for the masses is to face risk squarely in the eye and to manage it effectively. This is exactly how many private sector intelligence organizations have evolved and continue to thrive in a vast universe of "Open Source" and Electronically Stored Information (ESI).

The U.S. government "Homeland Security Intelligence" (HSI) enterprise has the same opportunity to embrace risk and simultaneously manage it more efficiently and effectively. Over the course of the past decade, several controversial provisions of the U.S. Patriot Act have been implemented, tested and refined. These include Sec. 203(b) and (d), which allow information from criminal probes to be shared with intelligence agencies and other parts of the U.S. government. Another is Sec. 206, which allows one wiretap authorization to cover multiple devices, eliminating the need for separate court authorizations for a suspect's cell phone, PC and Blackberry, for example. The civil liberties debate centers on Sec. 215, known as the "libraries provision," which allows access to records such as what books were checked out at the library or purchased from a bookstore, as long as the records are sought "in connection with" a terror investigation.

The governance of information by the private sector may have either accelerated or delayed HSI enterprises in terrorism investigations. One example is the policies private sector Internet Service Providers utilize for records management and "Electronically Stored Information" (ESI) readiness. Electronic discovery amendments to the Federal Rules of Civil Procedure (FRCP) have created the requirement for private sector companies to be more prudent in "Achieving a Defensible Standard of Care."

The risk associated with non-compliance of the Federal Rules of Civil Procedure (FRCP) is a major facet of Operational Risk Management. The fusion of the Corporate Governance Strategy Execution comes together with a dedicated internal "Task Force" inside the enterprise. Comprised of the General Counsel, CIO, CISO and VP of Human Resources, this team provides the mechanism for effective policy implementation and operations accountability. The mission is to carry out the fiduciary duty to create a culture of legal compliance within the organization.

The evidence obtained for Homeland Security Intelligence (HSI) investigations may only be as accessible and obtainable as the effectiveness of a private sector company's ESI policies allows. How often do they purge their e-mail from databases? How much data storage does the enterprise allow for each person's mailbox? Are there people circumventing the information governance policies in the private or public workplace in order to get their daily business accomplished?

The collection of information for HSI has a parallel path with the collection of evidence and it must be done according to the civil liberties and privacy laws of the United States. It is this balance and equilibrium between the governance of information and the legality of obtaining it for the purpose of a terrorism related investigation that brings us to a potential digital paradox.

Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.
In Joshua Cooper Ramo's book "The Age of the Unthinkable: Why the New World Disorder Constantly Surprises Us and What We Can Do About It," the author discusses the concept of Deep Security. His analogy for how to think about "Deep Security" is the biological immune system: "A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."

The key word in Ramo's writing is "Adapt." Being adaptive. However, prior to this there are two other very vital words that we feel are even more imperative: Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy law enforcement investigator or intelligence analyst on how she solved the case and you may hear just that, "I had a hunch." Talk with a Chief Privacy Officer in any Global 500 company and you might get them to admit they have a sense that their organization will be the target of a data breach incident in the coming year or two. The complexity of IT systems, data networks and the hundreds of laptops circling the globe with company executives is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern Homeland Security Intelligence enterprise or private sector company does not come naturally. You have to work at it, and it requires a substantial investment in time and resources to make it work effectively. Once you realize that all of the legal controls, technology and physical security are not going to keep you out of harm's way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

24 August 2014

Inspect v. Study: Quality of Operational Risk Management...

As this weblog reaches its 1,060th post in the next few months, much has been documented on the course of "Operational Risk" over the past ten years. We have continuously witnessed the dawn of new threats and vulnerabilities that could only have been imagined in the last millennium.

At the same time, we could not have predicted the newfound solutions to many of the same operational risk related incidents that have plagued our institutions, governments and the planet we call Earth. Every time you think you have heard or witnessed it all, and that all new future risk events will just be some variant of those that have preceded us in history, we are surprised and blind-sided. The "Black Swan" has visited us once again.

Yet one item that remains consistent over the course of risk incidents and numerous after action findings is this fact: we have not devoted enough resources to preparation and to scenario-based exercises to improve our resiliency. We remain in denial that we could ever be subjected to the 1-in-100 year event. However, there is someone named Warren Buffett who, to this day, is still adding reinsurance companies to the Berkshire Hathaway portfolio. Do you think it is because Mr. Buffett is betting on more risk or less in the world over the next decade?

Risk Managers think about the "What if" more than anyone else, in many cases because they are paid to do this on behalf of their employer. Yet as human beings, we take risks every day without even thinking twice about how much risk we are taking on and what the possible outcomes could be. We just move through life in a wait and see totally reactive mode. So how do you get at least a majority percentage of the people walking around the halls of your organization to think more like a savvy risk manager? What does it take to inject a little more "What if" into the consciousness of each person and the roles and jobs that they play in your institution?

The first step is to design and engineer your management system to incorporate a risk-based standard for operations. Secondly, incorporate the applicable risk management controls to produce the rules-based behavior that you are adopting. Finally, test the rule-sets with a continuous approach to ever so incremental improvement over time. Sounds familiar, doesn't it? Plan-Do-Check-Act.

Whether you are trying to improve the awareness, implementation and/or measurement of Operational Risk on the deck of the aircraft carrier, at the FOB, on the trading or manufacturing floor or within the supply chain of the vital resources that fuel your organization, "Plan-Do-Check-Act" (PDCA) works. And you have heard it before: those who are hit by the "Black Swan" event will die or go out of business relative to the attention they have paid over the years to PDCA.

PLAN: Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals). By making the expected output the focus, it differs from other techniques in that the completeness and accuracy of the specification is also part of the improvement.

DO: Implement the new processes, often on a small scale if possible, to test possible effects. It is important to collect data for charting and analysis for the following "CHECK" step.

CHECK: Measure the new processes and compare the results (collected in "DO" above) against the expected results (targets or goals from the "PLAN") to ascertain any differences. Charting data can make it much easier to see trends in order to convert the collected data into information. Information is what you need for the next step, "ACT".

ACT: Analyze the differences to determine their cause. Each will be part of one or more of the P-D-C-A steps. Determine where to apply changes that will include improvement. When a pass through these four steps does not result in the need to improve, refine the scope to which PDCA is applied until there is a plan that involves improvement.

It's clear to the "Operational Risk" professional why PDCA has one little flaw. The "Check" could and should be replaced by "Study" to emphasize analysis over inspection as Dr. W. Edwards Deming has said. To analyze and study takes us to the core of the issue. People are always looking for expected results, not unexpected outcomes. If we are to expect "unexpected" results, perhaps the "Analyze-Study" mindset would then perpetuate the plethora of risk professionals who are still caught up on the "Check". Inspection will get you killed and it will produce more "Black Swans" in your lifetime than you would ever expect. Check = Inspection. Study = Analyze.

So we think it is safe to say that Warren Buffett is betting on the current trend of a mentality of inspection and not study. He is investing in the future of insurance companies needing insurance to hedge their own underwriting failures. Study and analysis are the ingredients of success for the most sought after risk managers on the globe. Unfortunately, too many still have not figured out that "Check" is out and "Study" is in.

The future quality of Operational Risk Management will lie in the hands of practitioners who are analyzing and studying before they apply new changes to gain new improvements. Now think about your organization. Where are the people who are patient? How long do they take to study the business problem or assess the climate you operate in every day? When you find these individuals you need to keep them close and you will soon find that you are well on your way to a more resilient future.

17 August 2014

Insider Threat: CSO Priorities...

If you are the CSO of a Fortune 50 company these days you have a few top of mind Operational Risk Management (ORM) priorities. There is only so much you can do with the resources you have been given, to preempt attacks on your enterprise regardless of the origin, internal or external. The time and resources for exercising plans and testing contingencies are getting more scarce. So where and how do you apply your knowledge and priorities to gain the most effective results?

In alphabetical order, here are some of the known attack methods to bring severe economic and human losses to bear on your business and the homeland:
  • Aircraft as a weapon
  • Biological Attack: Human Disease, Livestock, Crop
  • Chemical Attack
  • Cyber Attack
  • Food or Water Contamination
  • Hostage Taking
  • Improvised Explosive Device (IED)
  • Maritime Vessel as a Weapon
  • Nuclear Attack
  • Radiological Dispersal Device
  • Standoff Weapons: Guided
  • Standoff Weapons: Unguided
  • Vehicle-Borne Improvised Explosive Device
Now one could discuss the probability of each of these threats to determine the best strategies for preparing for one vs. another. More importantly, you could group these into clusters so that investing in prevention and preemption activities and tools would impact more than one attack method. Yet as you analyze your own specific critical infrastructure assets in your enterprise, you will then see those attack methods that will have the greatest affinity for that location or type of asset.

It is well known that the private sector owns and operates a majority of these critical assets for national security, now estimated around 85%. If you look at the list of known attack methods and realize who is "perceived" to be responsible for protecting these assets, the problem becomes more clear. The private sector expectation that the government or public sector is going to protect the critical assets that the private sector owns is the going logic. How far from the truth and reality could this perception be today?

As the Chief Security Officer (CSO) of a Fortune 50 company you no doubt have already cataloged your facilities and sub-categorized the assets within each of these facilities. You have included the "Intellectual Property" (IP) considerations for each location such as key people, R&D, Engineering, Software Development and others. You understand the value of these tangible and intangible assets as it pertains to the survivability of your organization. You have already developed the systems to recognize the moves, adds and changes to these facilities and assets so the portfolio of critical infrastructure and intellectual assets is up to date in real-time.

For many of you the last big push was to make sure that the Continuity of Operations and BCP Plans or Disaster Recovery strategies are in place to provide peace of mind for "What if" scenarios. Your off-site hot back-ups and mirrored data are functioning perfectly. The exercises have told you that operating these plans when the time comes will be touch and go, but you are confident that you will get through it.

Now let's go back to our original question. So where and how do you apply your knowledge and priorities to gain the most effective results?

Your worst enemy now is your perception that the government is there to protect you first and to keep your private sector assets safe before the company next door or across the street. Your complacent attitude towards sharing vital information with the public sector authorities in your city, county and region is where you have your greatest vulnerability. How can these people who serve the local, state and federal agencies know anything about what is valuable to you if you don't tell them?

You see, it doesn't matter what your adversaries utilize as their favorite attack method to do you harm. Of course they will want to use the ones that will have the most economic impact on our nation and its people. Yet, without the continuous exchange of information from the private sector to those government officials, your business is just another casualty waiting to happen.

So if the government is working on the external threat through the Department of Homeland Security (TSA), Border Patrol, Coast Guard, CERT and the FBI on Counter Terrorism, Counter Intelligence and Cyber Crime what should you the CSO at your Fortune 50 company be focused on? The Insider Threat. Pure and simple.
“An individual with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.”
  • Due to a lack of hard data, threat definition remains difficult;
  • While education and awareness can be provided, cultural change remains more difficult and requires:
      ◦ Investment in structured programs and risk management;
      ◦ Corporate culture where trust does not run counter to prevention programs; and
      ◦ Improved workforce communication and cooperation so targeted efforts can address insider threats;
  • Use of background checks varies among sectors and is not universally accepted; regulation is controversial; and
  • Multiple legal environments complicate Insider Threat mitigation strategies, not only domestically, between Federal, State and local jurisdictions, but also and more significantly for those companies operating in multinational environments, complicating cohesive or comprehensive policy efforts.
The Insider Threat is real and requires continuous vigilance across the private sector. Secondly, the interface with your local first responders and law enforcement should be established early and often. Establish your own "Homeland Watch" mechanisms in your business park or metro area mapped to the local fire and police substations. Understand and get to know how they prioritize their response and investigations of suspicious activity and how it could impact you.

Finally, get very familiar with the NIPP. It could be your key to better understanding the mindset of the public sector and safeguarding your corporate assets.

10 August 2014

4th Paradigm: Predictive Risk Innovation...

21st century innovation requires new thinking, new tools and the application of a creative mind.  When it comes to innovating Operational Risk Management (ORM), take a leap towards "Predictive Intelligence".  What has been holding you back?  Is it the right combination of new thinking, new tools and the applications you haven't even thought of yet?

How could we apply a High Performance Computing (HPC) cluster running on Amazon's Elastic Compute Cloud (EC2), with the right haystack of data, to get the answers we seek? Without building a new data center, and for under $5K. Think about the possibility of 10,000 plus server instances running across five data centers, with the results we seek in hours. Utility Super Computing is here today for white hats and also even the "Black Hats."

Predictive Analytics is an art and a science that is thriving with the use of "Fusion Infrastructure" by the hour. Why do we need to spend tens of millions of dollars on our own data center anymore to get the rapid answers we require to run our business or to defend our nation?

Now the debate has gone beyond the infrastructure to look at the other bottlenecks. What about the database architecture itself? Is the traditional implementation of the disk-intensive real-time Relational Database Management System (RDBMS) paradigm over? Hadoop is here, yet it requires new language learning curves and is a batch solution. This could be one of the answers to predictive risk innovation:
MemSQL is the distributed in-memory database that provides real-time analytics on Big Data, empowering organizations to make data-driven decisions, better engage customers, and discover competitive advantages. MemSQL was built from the ground up for modern hardware to leverage dozens of cores per machine and terabytes of memory. We are entering an era that will be defined by distributed systems that scale as you need capacity and compute, all on commodity hardware.
How long will it take you to stand-up your own "Operational Risk Intelligence Center"?  One or two days or a week, with the right people and skill-sets in place.  What kinds of questions and answers will allow you to predict the future, faster than your competitor or your latest cyber adversary?
If you throw enough money at a problem there’s bound to be a solution, some think. That’s the logic of security expert Dan Geer, who this week told the Black Hat conference in Las Vegas that the U.S. government should throw a heck of a lot of greenbacks at people who discover vulnerabilities. 
How much? Ten times more than anyone else, he said in a keynote address.
Geer, chief information and security officer at In-Q-Tel, a not-for-profit venture capital company that invests in early stage companies making products aimed at U.S. intelligence agencies, maintained the U.S. should corner the market on vulnerabilities.
“Then we make them public and reduce to zero the inventory of cyber weapons that others have,” Geer said. “I believe that exploitable software vulnerabilities are scarce enough that if we corner the market, we can make a difference.” (Quoted in coverage including eSecurity Planet and ThreatPost.com.)
A number of companies have so-called bug bounty programs, including Microsoft and Google. Nor is Geer the first to say governments should open their wallets. In January, researchers at NSS Labs issued a report arguing that only drastic measures can bring cyber threats under control.
Innovation in the Operational Risk Management spectrum is on the verge of massive change. Operations Security, Fraud Analytics and Supply Chain Management are just the beginning.  The Board of Directors of the commercial enterprise, Military Strategic Commands and virtual chat rooms on the deep web, are debating these very subjects.  Application of "Utility High Performance Computing" in combination with 4th Paradigm databases, puts innovation back at the forefront of the creative mind.

28 July 2014

Global Pulse: Resilience in Development...

The asymmetric threats cast upon the private sector on a daily basis across the globe are rising and more complex. As a result, Operational Risk Management is a discipline that has quickly matured in the past decade.

Today, as we embark on this blog post number 1060 we can reflect on our amazing journey.  When you search Google from our location on "Operational Risk Management Blog" this blog is the number 1 link.

This endless journey encounters new insights and has traversed industry sectors to include financial services, energy, automotive manufacturing, aerospace, defense industrial base, pharmaceuticals and government, both local and federal. It has involved the following four fundamental principles of ORM:
  • Accept risk when benefits outweigh the cost.
  • Accept no unnecessary risk.
  • Anticipate and manage risk by planning.
  • Make risk decisions at the right level.
Whether the oversight and pursuit encountered the risks of fraud, economic espionage, workplace violence, natural disasters, terrorism or cyber vulnerabilities does not matter. The threats and hazards that span the spectrum of Operational Risks to the enterprise are vast and increasingly diverse. The discipline continues the quest to improve and to learn new lessons from both the private sector and government. Now both of these need to also include a third dimension that is evolving and could be the place to look for real innovation: Non-Governmental Organizations (NGOs).

The NGO community is the environment that has now gone beyond response and is finally becoming more predictive:
Global Pulse is a United Nations initiative, launched by the Secretary-General in 2009, to leverage innovations in digital data, rapid data collection and analysis to help decision-makers gain a real-time understanding of how crises impact vulnerable populations. Global Pulse functions as an innovation lab, bringing together expertise from inside and outside the UN to harness today’s new world of digital data and real-time analytics for global development. The initiative contributes to a future in which access to better information sooner makes it possible to keep international development on track, protect the world’s most vulnerable populations, and strengthen resilience to global shocks.
There are plenty of situational awareness analogies that can be made to the risk management of vital private sector or government assets over the years.  Predictive operations have been evolving for years with the goal of preemptive capabilities to detect an attack on a Homeland.  The analysis of information from disparate sources is nothing new.  Link analysis and other methods of qualitative and human factors analysis give us the cues and clues to a possible evolving pattern of human behavior.

Yet what is fascinating now about the NGO perspective, is the intersection of Big Data and the mobile phone:
Wherever people are using mobile phones or accessing digital services, they are leaving trails behind in the data. Data gathered from cell phones, online behavior, and Twitter, for example, provides information that is updated daily, hourly and by the minute. With the global explosion of mobile phone-based services, communities all around the world are generating this real-time data in ever-increasing volumes. These digital trails are more immediate and can give a fuller picture of the changes, stressors, and shifts in the daily living of a community, especially when compared with traditional indicators such as annual averages of wages, or food and gas prices. This is especially crucial during times of global shocks, when the resilience of families and their hard-won development gains are tested.
These global shocks that are economic, geopolitical or as a result of climate change are at a macro level nothing more than environmental volatility.  This volatility in markets, government leadership, religious conflict and drought are what is driving the NGO development community to be more predictive and to be more preemptive.

In concert with this focus on predictive intelligence is the initiative "data philanthropy". How can the data sets from our respective countries be shared to work on the really hard global problems together? Open data sites are just the beginning. You have to make sure that you recognize the attributes of "Big Data for Development" vs. the private sector or purely government:
Big Data for Development sources generally share some or all of these features:
(1) Digitally generated – i.e. the data are created digitally (as opposed to being digitised manually), and can be stored using a series of ones and zeros, and thus can be manipulated by computers;
(2) Passively produced – a by-product of our daily lives or interaction with digital services;
(3) Automatically collected – i.e. there is a system in place that extracts and stores the relevant data as it is generated;
(4) Geographically or temporally trackable – e.g. mobile phone location data or call duration time;
(5) Continuously analysed – i.e. information is relevant to human well-being and development and can be analyzed in real-time;
What if the private sector and the government started looking through a different lens?  Or perhaps the other way around.  Is the NGO development community capable of learning from the mistakes with data that intersect with privacy and national intelligence?  Operational Risk Management is just as much an imperative in the NGO environment, as we evolve in the integration of Big Data for global humanitarian initiatives.

When you really look at the opportunity and the challenge ahead, you must consider this intersection of data today in context with where development is still in its infancy.  Look at this visualization of Google search volume by language.  Notice the darkest parts of the planet Earth.  These are where the NGO community lives today, with little access to the Internet, regardless of language.  The human resilience factor necessary to evolve in these non-connected IP (Internet Protocol) deprived areas of the world, must be addressed as we aspire to become more predictive risk managers.

20 July 2014

Predictive Intelligence: Data or Precogs...

The use of the term "Predictive Intelligence" has been around for a few years, born from the marketing collateral of the Business Intelligence (BI) vendors. Essentially, gather a whole bunch of GBs of historical data and then use some new tools to mine it for so-called insight. The question is, why is this predictive intelligence and not just more "Information"?

Now introduce the nexus of "Human Factors": the unexplained behavior of people influenced by their environment, by interaction with other people or even by the substances they put inside their bodies. Whether it's the coffee kicking in, the hangover from last night's Monday Night Football party or the latest argument with your spouse, it influences your perception of information.

Christian Bonilla may be on to something here:
Professionals in the foreign intelligence community take pains to distinguish between information and bona fide intelligence. Any piece of knowledge, no matter how trivial or irrelevant, is information. Intelligence, by contrast, is the subset of information valued for its relevance rather than simply its level of detail. That distinction is often lost in the sector of the enterprise technology industry that is somewhat loosely referred to as Business Intelligence, or BI. This has become a bit of a catchall term for many different software applications and platforms that have widely different intended uses. I would argue that many BI tools that aggregate and organize a company’s information, such as transaction history or customer lists, more often provide information than intelligence. The lexicon is what it is, but calling something “intelligence” does not give it any more value. In order to sustainably outperform the competition, a company needs more than a meticulously organized and well-structured view of its history. Decision makers at all levels need a boost when making decisions amidst uncertainty and where many variables are exerting influence. They need what I would call predictive intelligence, or PI – the ability to narrow down the relevant variables for analysis and accurately measure their impact on the probability of a range of outcomes.
What does the fusion of human factors have to do with predictive intelligence? That depends on how much you value the kind of innuendo and messages in the Tom Cruise movie, Minority Report. Many aspects of the original Philip K. Dick story were adapted in its transition to the film, which was shot in Washington, DC and Northern Virginia. Is it possible to predict someone's future behavior even before they commit a crime or become violent?
Set in the year 2054, where "Precrime", a specialized police department, apprehends criminals based on foreknowledge provided by three psychics called "precogs".
Cruise plays the role of John Anderton, who is part of the experimental police force known as "Precrime." These notions of clairvoyance and precognition have many skeptics. Their use for predicting future events, or the related term presentiment, refers to information about future events which is said to be perceived as emotions.
Regardless of terms, beliefs or whether the software analytics are using historical data, the science of "Predictive Intelligence" is about forecasting the future. Given that forecasts based upon historical data missed the recent global economic implosion, maybe it's time to start introducing more human factors into the equation.

The interviews with people who have gone on record to predict a future historical event will probably be right at some point in time. How long will you be around to wait? The demise of General Motors and the extinction of Lehman Brothers, Bear Stearns and maybe even AIG were most likely predicted by someone, somewhere. The point is that you have to have context and relevance to the problem being solved or the question being asked.

Predictive analytics extracts information from data and attempts to forecast the future. It relies on capturing relationships between explanatory variables and the predicted variables from past occurrences, and exploiting those relationships to predict future outcomes. Is it possible that there was, and still is, too much reliance on the numbers and not enough on people's intuition?

This blog has documented the "11 Elements of Prediction" in the past. Now it's time to utilize the combination of these human factors in close collaboration with the data analytics and numbers. Effective execution of both will provide corporate management the situational awareness they seek within the time line they wish.

13 July 2014

ID Analytics: Risk of the Unknown...

Operational Risk Management (ORM) has been at the top of the news in the past few weeks.  Digital media and the metadata of "Big Data" is the topic of choice.  It is a revealing look behind the curtain of what is possible these days, with the tools and capabilities that exist for exploitation and analysis.  Is too much privacy an operational risk to your personal and professional well-being?  What "Trust Decisions" did you make to arrive on this page in the universe of the Internet?

In the spirit of full disclosure, if you are reading this now, we tracked how you found this blog and perhaps what search terms you used to be referred here.  Some of you revealed your company identity. So why do we do this?  The main reason is that we want to make sure that we understand what is on your mind these days, when it comes to the global Operational Risk Management (ORM) universe. Here are a few examples from the past day or so that caught our eye:
  • management of operational risk - Latvia
  • operational risk management - Nigeria, Illinois, South Dakota, The Vanguard Group
  • common board of directors mistakes - Turkey
  • lessons learning from fail in operational risk - Malaysia
  • predictive intelligence - North America
  • rogue trader operational risk - United Kingdom
  • fund industry operation management discussion topic - Luxembourg
  • operational risk management game - Unknown
  • reputation risk management process - Unknown
  • operational risks in bank call center - Qatar
  • coso definition of operational risk - Unknown
  • black swan incident that occurs once in a lifetime - Unknown
  • ubs operational risk case analysis - Unknown
  • business resiliency definition - JP Morgan Chase
  • "operational risk" outliers - France
  • a risk effect on a daily operation - DeVry
  • examples of smart objectives risk - United Kingdom
  • black swan incident\ - South Carolina
  • black swan incident - Computer Sciences Corporation
  • what is a black swan incident - South Carolina
  • duty of care board of directors - United Kingdom
Collection of data is one thing.  Relevance and sense-making is another.  Can you imagine some of the search terms that are tracked just by Google or Bing?
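A worked illustration of the referral tracking described above, as an added example that is not the blog's own tool: it parses constructed web server log lines, pulls the search terms out of the Referer header the browser sent when it followed a search result, and records which visitor network each came from. The hostnames, engines and query parameter names are assumptions made for the example.

```python
"""Added example (not the blog's own code): recovering a visitor's search terms and
network identity from web server logs. The log lines are constructed; the hostnames
assume the server resolves client IP addresses to names."""
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed lines in Apache "combined" format: the second quoted string is the
# Referer header the browser sent when it followed a search result to this page.
SAMPLE_LOG = """\
gw.example-bank.test - - [13/Jul/2014:09:14:02 +0000] "GET /2014/07/id-analytics.html HTTP/1.1" 200 8123 "http://www.bing.com/search?q=operational+risk+management" "Mozilla/5.0"
dsl-12-34.isp.test - - [13/Jul/2014:09:20:45 +0000] "GET /2014/07/id-analytics.html HTTP/1.1" 200 8123 "http://search.yahoo.com/search?p=black+swan+incident" "Mozilla/5.0"
gw.example-bank.test - - [13/Jul/2014:10:01:11 +0000] "GET /2014/07/id-analytics.html HTTP/1.1" 200 8123 "https://www.google.com/" "Mozilla/5.0"
dsl-99-01.isp.test - - [13/Jul/2014:10:05:37 +0000] "GET /2014/07/id-analytics.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# host ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')

# Query-string key each engine uses for the search terms (assumed for this example).
SEARCH_PARAMS = {"www.bing.com": "q", "www.google.com": "q", "search.yahoo.com": "p"}


def search_term(referer):
    """Return (engine, term) when the referer is a known search engine, else None.
    term is None when the engine sent no query, as with HTTPS referrals that drop it."""
    parts = urlparse(referer)
    host = parts.netloc.lower()
    key = SEARCH_PARAMS.get(host)
    if key is None:
        return None
    values = parse_qs(parts.query).get(key)
    return host, (values[0].strip() if values else None)


def referrals(log_text):
    """One record per request that arrived from a search engine."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip rather than guess
        visitor, when, request, status, referer, agent = m.groups()
        hit = search_term(referer)
        if hit is None:
            continue                      # direct visit or non-search referer
        engine, term = hit
        records.append({"visitor": visitor, "engine": engine, "term": term})
    return records


def term_counts(log_text):
    """Tally search terms; queries an engine withheld count as '(not provided)'."""
    return Counter(r["term"] or "(not provided)" for r in referrals(log_text))


if __name__ == "__main__":
    for r in referrals(SAMPLE_LOG):
        print(f'{r["term"] or "(not provided)"} - {r["visitor"]}')
```

The third sample line shows the edge case a site operator actually sees: a search engine that referred the visitor over HTTPS without the query string, so the visit is attributed but the term is not.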

What about the companies that know us the best?  Those marketing and personal data sites that keep track of where you live, how much you spend on your credit cards and where, or even the name of your pets.  How often do you give them your phone number or e-mail address at the point-of-sale (POS) to get a discount at the local retailer, gas station or pharmacy?  Believe us when we say that there are hundreds of organizations that know more about you in the private sector than some government across the world.

The trail of "digital fingerprints" you leave behind every day is vast.  A snapshot of your face at the local ATM or a snapshot of your desktop when you log in to the online banking web site.  In either case, these examples are just a few of the ways that your habits, locations, preferences and lifestyle are profiled each and every day.  Where did all of this begin?  Fraud Management.  Not Homeland Security.

As a citizen traveling across the country or a consumer, you willingly give up these digital breadcrumbs of your journey through life.  Your goal now is to make sure that you are not mistaken for someone else.  After all, you or your organization have developed a profile and a reputation that is being recorded and, therefore, it could be a prudent strategy to make sure that you are not mixed up with another person or organization with the same name or brand identity.

How can you do this?  Operational Risk Management (ORM) is about monitoring yourself and your organization to make sure you understand your competition (good or bad) for the same personal or business identity space.  Do you have biometric and DNA samples of all of your key executives?  If you don't, then the question is why not?  You may have considered this in light of some of the places that your executives are traveling: cities and countries across the globe with the risk of kidnapping, improvised explosive devices (IED) and other risks to their lives.

As we look into the crystal ball of our digital futures, we see the scenes from movies past that have already captured our own human imagination.  A world where everyone is known and you may even choose to "opt-in" to be tracked.  After all, you are unique.  You make your own choices in life.  The risks that you face may very well be greater, for those who choose a life to remain private, anonymous and even unknown.

06 July 2014

4th of July: Resilience of Your Team...

The United States is celebrating the birth of the American nation this weekend.  238 years ago the formation of the Republic set the course for the country that it is today.  The Declaration of Independence was born.

A key aspect of any prudent Operational Risk Management (ORM) program is focused on people: the risk of people and the whole dynamics of what is going on in people's lives.  As Thomas Jefferson, John Adams, Ben Franklin, Robert Livingston and Roger Sherman toiled over the draft, what do you think was also going on in their individual lives at the time?
While political maneuvering was setting the stage for an official declaration of independence, a document explaining the decision was being written. On June 11, 1776, Congress appointed a "Committee of Five", consisting of John Adams of Massachusetts, Benjamin Franklin of Pennsylvania, Thomas Jefferson of Virginia, Robert R. Livingston of New York, and Roger Sherman of Connecticut, to draft a declaration. Because the committee left no minutes, there is some uncertainty about how the drafting process proceeded—accounts written many years later by Jefferson and Adams, although frequently cited, are contradictory and not entirely reliable.[62] What is certain is that the committee, after discussing the general outline that the document should follow, decided that Jefferson would write the first draft.[63] The committee in general, and Jefferson in particular, thought Adams should write the document, but Adams persuaded the committee to choose Jefferson and promised to consult with Jefferson personally.[2] Considering Congress's busy schedule, Jefferson probably had limited time for writing over the next seventeen days, and likely wrote the draft quickly.[64] He then consulted the others, made some changes, and then produced another copy incorporating these alterations. The committee presented this copy to the Congress on June 28, 1776. The title of the document was "A Declaration by the Representatives of the United States of America, in General Congress assembled."[65]
The ecosystem of this set of committed custodians of a new nation also included the personal lives of each one of them.  No different than the ranks of any organization who has executives and key staff members who are steering the daily direction of the enterprise.  Each individual on that team has a work life and a personal life they are managing simultaneously while doing the work of the country or the corporate business.
We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness, That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security.
So think for a minute about your team within the enterprise.  Each person on your staff or within your division is managing and coping with life events that are occurring in real-time each day.  How much are you in tune with all those emotions and potential changes in a fellow employee's life, to see how they may impact their work?

Organizations across the globe utilize Operational Risk Management (ORM) as a discipline for those safety and security events that could produce significant risks.  The same can be applied to each person and their individual ecosystem.  Each person on the team may be in different phases of their lives and need only a few pieces of the entire ORM mosaic for their personal lives.  Contingency planning however is still one of those easy exercises that most people can do on their own and in their own personal environments.

The power of the "What if" questions that you ask yourself on a daily basis is a healthy way to begin and to continuously provide effective Operational Risk Management (ORM) outcomes.  "What if" you developed an ORM college within the enterprise to educate all those new and existing employees with the skills, knowledge and capabilities available to them?  As they say, "Life Happens."  Each person has an ecosystem of both personal and professional risks that they are encountering every day.

It could be imagined that people such as Ben Franklin had a few other items on their minds at the time.

The person to your right and to your left on the front lines of the organization, whom you engage with every day, has their own set of risks to manage in life.  A strategy for each individual to better plan, develop and deploy effective risk management individually provides the entire team with the focus they require long term.  They have been trained on using the effective continuous process for ORM:
  • Identify
  • Assess
  • Decide
  • Implement
  • Audit
  • Supervise
Imagine your organizational unit, whether it be Congress, your family, your workout partners at Pilates or the entire executive staff, all in synchronicity with the use of Operational Risk Management. The principles of enhancing your life or your country will require a lifelong devotion to the rules and to the risks of a breakdown in the rules of governance, personally or professionally.

Consider the peace of mind as your country endures the challenges to its "Declaration of Independence," knowing that it has a longevity of 200 plus years.  Think about the confidence and the assurance you will have about your team or family unit as each of them manages their life events and risks.  The resilience factor is strong, and the safety and security of the people you care about the most will endure.