22 November 2015

Velocity: Integrity of Enterprise Architecture...

Operational Risk Management (ORM) is a discipline that requires several elements to remain effective.  Whether you are working on the deck of the USS Gerald R. Ford (CVN-78) or analyzing data from the corporate Security Operations Center (SOC), your tasks continuously rely on achieving "Trust".

At the core of these decision-making roles is the processing of rapidly changing data on a split-second basis.  The sensors or tools we use day by day to assist our quest for greater levels of safety and security are dependent, minute by minute and second by second, on the trust of data.  It is imperative at the early stages of process and product development to effectively test and improve these tools and sensors.  Why?

The "Quality Assurance" phase of any process, whether in design, assembly, manufacturing or implementation, is based upon a foundation of the quality of trust.  You are reading this now on a device connected to an internetwork that has layers of business rules and technology rules that are executed according to industry standards.  The process and the rules have been implemented utilizing Quality Function Deployment (QFD) and Mean-Time-Between-Failure (MTBF).

There are three vital components of building digital trust in this scenario, for the systems in play and the requirements of end users:
  • Authentication
  • Data Integrity
  • Encryption
All three must be present to provide you with the highest level of assurance, that you are working with a trusted system:
  1. How can you be sure that the party you are communicating with, on the other end of the line, is who they claim to be?
  2. How can you be sure that the data has not been altered, deleted or changed in transit?
  3. How can you be sure that no one can intercept and understand the information being transferred?
All three of these vital components must be present all the time in order to build integrity and assure your level of trust.  They must be consistent and persistent from end to end.  In essence, we are protecting against adversaries listening in, tampering with the data, and impersonating the destination.

Are you operating any vital component of your business operation where any of these three components are absent?  Are any of the three not persistent, 100% of the time?  If so, then you are in jeopardy of an erosion of trust with your stakeholders and the increased likelihood of an adverse event, with your customers, your reputation, or probably both.

So what?  How does this translate to your role and the work that you are in charge of within the operations of your enterprise?  The short answer is, "Velocity and Wealth".  You see, the business rules, technology rules and the legal rules are all connected.  Your job is to make sure that you understand your organization's unique "Operational Risk Enterprise Architecture" (OREA).

The velocity at which your business process can execute transactions with integrity, versus your competition or adversary, can mean the difference between victory and defeat.  The margin or profit that you are able to gain by successfully executing millions of your transactions can mean the difference between prosperity and disadvantage.

Is your organization advertising on Internet web sites?  Is the business model for your company based upon revenue from advertising?  The trustworthiness of your systems operating with the goal of generating ad revenue is now at stake.  Informationweek DarkReading explains:

'Xindi' Online Ad Fraud Botnet Exposed

Billions of dollars in ad revenue overall could be lost to botnet that exploits 'Amnesia' bug.

Online fraudsters have amassed a botnet of millions of infected machines that exploits a security flaw in a digital advertising technology in order to execute phony online ad impressions.

The so-called Xindi botnet was designed to exploit a known vulnerability called Amnesia (CVE-2015-7266) in implementations of the Open RTB Internet advertising protocol. Unlike most online ad fraud attacks, it doesn't use clickjacking-based click fraud, but rather, generates large numbers of phony ad impressions. According to researchers at Pixalate, which published a report today on the botnet, some 6- to 8 million machines at more than 5,000 enterprises are at risk of being used as bots in Xindi.
Jalal Nasir, CEO of Pixalate, says his firm has spotted traffic from the IP addresses of major Fortune 500 firms, government agencies, and universities, associated with Xindi. While it's unclear if the IP addresses are spoofed or legitimate, he says the IP addresses used by Xindi are owned by those organizations, which include Citigroup; General Motors; Lowe's; Marriott; Wells Fargo; California State University's Office of the Chancellor; Columbia University; the University of Maryland; and many other big-name corporations and colleges.

The Quality Assurance of the Online Advertising enterprise is in jeopardy.  The trustworthiness of e-commerce and the digital business models executing the rules for producing revenue is now in question.  How effective is your enterprise in understanding the true business problem and then solving it?

"Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, says the more than $6 billion of losses to advertisers is actually on the low end of estimates. He estimates the number may be closer to $10 billion."

"Achieving Digital Trust" and the "Trust Decisions" to create wealth require that we begin with a sound architecture.  It continues with widely adopted information governance processes and three factors: Authentication, Data Integrity and Encryption.  The "Advertising Industry" is not the only business segment at risk.  The next time you open that piece of mail with a new credit card that utilizes the EMV chip, you will begin to understand the true business problem.

You are in control of the velocity of the process of change with your current state.  The opportunity for the future state of "Trust Decisions" is now coming into the light, in your country, industry, company and DevOps team.

15 November 2015

Mass Movements: Adapting to the Threat...

As if the bombing of Russian airliner Flight 9268, with 224 crew and tourists returning from a Red Sea vacation, is not a clear indicator of ISIS as a mass movement, perhaps this attack on Paris will be:

1.  Stade De France - 9:20PM - Suicide Bomber - 1 Killed
2.  Rue Alibert - 9:25PM - 2 Gunmen by car - 15 Killed
3.  Casa Nostra - Moments Later - Same 2 Gunmen - 5 Killed
4.  La Belle Equipe - 9:36PM - Same 2 Gunmen - 19 Killed
5.  Bataclan - 9:40PM - 3 Gunmen - 2 hours later - Suicide Bombers - 89 Killed
6.  Cafe Comptoir Voltaire - 9:40PM - Suicide Bomber - 1 critically injured

As we say our continued prayers for those lost and consider the consequences of just these two recent terrorist events, you may ask yourself: what now?  How will we address this kind of continuous threat and evil going forward?  Why did this happen?

To begin your understanding as a true Operational Risk Management (ORM) professional, you must start here.  In 1951, Eric Hoffer, a migratory worker and longshoreman, wrote the book The True Believer: Thoughts on the Nature of Mass Movements:

"The readiness for self-sacrifice is contingent on an imperviousness to the realities of life. He who is free to draw conclusions from his individual experience and observation is not usually hospitable to the idea of martyrdom... All active mass movements strive, therefore, to interpose a fact-proof screen between the faithful and the realities of the world. They do this by claiming that the ultimate and absolute truth is already embodied in their doctrine and that there is no truth or certitude outside it. The facts on which the true believer bases his conclusions must not be derived from his experience or observation but from holy writ."

There are some who know that Hoffer understood things about mass movements that pertain to our current state in 2015.  This set of traits and characteristics is essential understanding for all of us, if we are to begin to develop a strategy for the future.  To quote Hoffer again:  "However different the holy causes people die for, they perhaps die basically for the same thing."

Our future state requires a strategy built on a taxonomy we agree on.  Whether the battle is being waged against a nation state having sovereign authority or against the private enterprises of non-state actors in Cyberspace, without a taxonomy we will continue to struggle with our strategy.  What is terrorism and what is a crime?

CRIME noun 1. an action or an instance of negligence that is deemed injurious to the public welfare or morals or to the interests of the state and that is legally prohibited.

TERRORISM noun 1. the use of violence and threats to intimidate or coerce, especially for political purposes.
First, the actions that you take and the resources that are necessary to address the evil of terrorism vs. an organized crime wave are clearly different.

Second, you must understand the source of the elements of a "mass movement."
STRATEGY noun, plural strategies. 1. Also, strategics. the science or art of combining and employing the means of war in planning and directing large military movements and operations.
Are you working on a strategy right now to address cybercrime? Are you working on a strategy right now to work on cyberterrorism? Is either of these strategies tied to defeating a mass movement?

You see, the tools, tactics and resources that you are using to implement your strategy, may be all wrong. The future outcomes you seek, may not be possible with the strategy you have in place. Once you have come to this realization, there is an opportunity to adapt. However, you must adapt quickly and you must provide the resources instantly to enable the change.

How would you adapt, if you came to the realization that your quest was with adversaries whose actions include:
  • Steal / Modify / Delete
  • Read / Copy
  • Bypass / Spoof
  • Authenticate
  • Flood
  • Probe / Scan
How would you adapt, if you came to the realization that your quest was with adversaries whose objectives include:
  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
How would you adapt, if you came to the realization that your quest was with a Mass Movement?

You now realize that you may have the same problem that many of our world leaders have today.  It could be time to finally admit that you must now adapt, and that it is time to change your strategy.

GODSPEED noun 1. good fortune; success (used as a wish to a person starting on a journey, a new venture, etc.).

08 November 2015

November 11: Serving the United States by the Other 99%...

“As we express our gratitude,
we must never forget that the highest
appreciation is not to utter words,
but to live by them”
-John F. Kennedy-

The United States Veterans Day National Ceremony is held each year on November 11th at Arlington National Cemetery. The ceremony commences precisely at 11:00 a.m. with a wreath laying at the Tomb of the Unknowns and continues inside the Memorial Amphitheater with a parade of colors by veterans' organizations and remarks from dignitaries. The ceremony is intended to honor and thank all who served in the United States Armed Forces. This represents less than 1% of Americans.

How many Soldiers will be on active duty around the globe on Wednesday, November 11, working in their current role, task or assignment to keep America safe and secure, so that those of us who call the United States home may exercise the freedoms and citizens' rights that our nation's architects designed for us?

How many Airmen will be walking the streets in parades remembering their flights over the Pacific, Vietnam, the Atlantic, Europe, South America, North Africa or the Middle East?  What about all those pilots that have flown at such a high altitude, never to be detected over Russia, North Korea or China?

How many Sailors and Marines will be cruising on, over or under our vast oceans to be present and ready for our next mission to help others?  How many Submariners will never be detected on their 24 x 7 watch, or with SOF waiting patiently below deck for their next clandestine operation, anywhere in the world?

So on Wednesday, November 11 what will you be doing, John or Mary Citizen, in Anytown U.S.A.?

For some Veterans who experience this day of recognition, it is not easy.  It could be a day that is simultaneously bittersweet.  There is certainly great pride, yet some within the 1% who are Veterans look around the country and wonder why the other 99% are not serving their nation in their full capacity as U.S. citizens.

Service to your nation doesn't begin or end with a job in the military.  Service to your nation begins for everybody who becomes an American.  What does that mean?

It means that we stand up and believe in the U.S. Constitution.  We defend and negotiate all that it says and what it enables us to accomplish for ourselves, our families and our fellow believers.  You see, the freedoms and the opportunity to prosper in the United States are there for anybody to grasp.  For anybody to achieve.

Honoring and thanking those who have served in the Military on Veterans Day requires so much more:
  • Will you "sleep in" on your day off or volunteer with the local church or non-profit to teach Veterans how to be more effective in the transition to a civilian private sector job?
  • Will you design and code the next iPhone App to locate other Vets in your local town or city to assist each other and your community?
  • Will you meet with local business owners to plan, raise funds and deploy vital programs for families of Veterans?
  • Will you vote to fund and allocate adequate resources for the operations necessary and requested, by those forward deployed on the front lines, in uniform and also in the shadows?
The opportunity to serve our country and all of our Veterans on November 11 requires a continuous cycle of thinking beyond just the Soldier, Airman, Sailor or Marine.  It also requires more proof that a majority of the other 99% are also serving their country and all that the United States stands for in the world.

So this November 11, 2015 listen to John F. Kennedy...

01 November 2015

Trust Decisions: The Extinction of Risk Management...

Most people believe in some form of risk management, and the truth is that it doesn't work all the time.  It doesn't work because the human being is incapable of processing all of the possible rules of the moment, the game, in any specific scenario, fast enough.  Therefore, failures of people, processes, systems and external events seem to occur randomly.

Is it possible to achieve a state of zero surprise, where all risks are mitigated and humans can achieve an environment of trust that is sustainable?  We think it is.  In the right environment and in a specific scenario, surprise is now "impossible".

"Trust Decisions" occur today at the speed of light and with an accuracy of 99.999%.  Risk Management is our current state and it is destined for extinction.  Trust Decisions, as we will now apply them, become our future state.  With zero surprise.  The truth is that risk management is obsolete and a new digital invention is ready for mankind.

Operational Risk Management (ORM) professionals can better understand the adversaries they Deter, Detect, Defend and Document each hour of each day.  The metrics have created new thinking on what is required to increase the odds of achieving the specific mission.  That definition of each "Mission" is now the focus of so many who are charged with the protection of our nation's most critical assets.

You have been reading and hearing all about the Internet of Things (IoT) and the exponential math on the number of devices and the data storage requirements that will be reached by the year 2020.  The trust decisions that are being made now in nanoseconds, machine-to-machine and system-to-system, are based upon several levels of programmatic rules.  These rules are unknown to many and in some cases known only to a few.

The wealth being created on a daily basis relies on these "Trust Decisions" to execute and carry out the rule-sets that we have bestowed upon them.  The question remains for the end user, the organization, the company, the government, the nation state.  What is the rules-based exercise that encompasses understanding and knowing the rules, fueled by vast collections of unstructured information, and then performing mathematical functions?  At light speed.

Here are the qualities of our future "Trust Decisions:"
  • Rules-based
  • Fueled by Information
  • Mathematical
So what?  To ask this question at this point is imperative.  So what does this have to do with the future of the Internet?  How will this impact my way of life or my job?  Why is speed a component of true innovation?

All of these questions and more are answered in the book by Jeffrey Ritter, Achieving Digital Trust: The New Rules for Business at the Speed of Light.  "Achieving Digital Trust delivers to business executives, IT strategists, and innovation leaders something remarkable: a complete tool-kit of new strategies and resources that will change how they make decisions that matter, and how to build digital assets that can be trusted."

The planet Earth has historically provided us early signals of change.  Our scientists are measuring the temperature of oceans and the impact of weather on the ecosystems that sustain life.  No different than the measurements being assessed environmentally, data science is already making forecasts.  The facts and the math don't lie.  IPv6 is now a reality.  The "Cyber Domain" has been recognized across the world as an addition to the other domains to be defended including Air, Land, Sea and Space.  USCYBERCOM has now been established and for vital reasons.

As each human carries that digital device in our pockets, to perhaps utilize to navigate our way to our next destination, we are judging the trustworthiness of the App of choice.  Is Google Maps more trustworthy than another?  As we sit on the train using another App to order that new addition for our home or digital library, the transaction enables logistics, financial and air/ground transportation systems.  Is Amazon more trustworthy than another?

You see, the future domain for dominance in the business and commerce of the globe, is about "Digital Trust".  The innovation and startup ecosystems are all built on the number of people who trust your tool on a daily basis, as the model for success, not always just the quarterly profit.  Trustworthiness is now the new currency for how the valuation of "Enterprise X" will be interpreted by the markets vs. "Enterprise Y".  Think about it.

The truth is that risk management is obsolete and a new digital invention is ready for mankind.

25 October 2015

4GW: An Act of Valor in the Private Sector...

Fourth Generation Warfare (4GW) is a stark reality in 2015 and beyond.  Are American business interests as prepared as they could be for the growing Operational Risks in the 21st century?  How many employees do you now have working outside the Homeland?

4GW involves the following key elements:
  • Complex and long term
  • Terrorism (as a tactic)
  • A non-national or transnational base, highly decentralized
  • A direct attack on the enemy's culture
  • Highly sophisticated psychological warfare, especially through media manipulation and lawfare
  • All available pressures are used: political, economic, social and military
  • Occurs in low intensity conflict, involving actors from all networks
  • Non-combatants are tactical dilemmas
  • Lack of hierarchy
  • Small in size, with a spread-out network of communication and financial support
  • Use of insurgency and guerrilla tactics
There are a number of methods that a private sector company can utilize to exercise its own "Business Continuity Plan" in concert with the public sector here in the United States.  Operational Risk Management (ORM) associated with people, process, systems and other potential external events can be shared with local first responders to establish awareness or alert protocols for your particular organization's incidents.  As a private sector business, you should be asking yourself how often your internal incident commanders visit your local fire station or police precinct to share mutually relevant information.  Do you invite these vital community preparedness and response professionals to engage in your own company "Continuity of Operations" and crisis planning and exercises, even if it is just a tabletop review?

Through public-private collaboration, government and the private sector can:
  • Enhance situational awareness
  • Improve decision-making
  • Access more resources and capabilities
  • Expand reach and access for disaster preparedness and relief communications
  • Improve coordination
  • Increase the effectiveness of emergency management efforts
  • Maintain strong relationships, built on mutual understanding
  • Create more resilient communities and increase jurisdictional capacity to prevent, protect against, respond to, and recover from major incidents
Around the country there are certain metro areas that have annual readiness and preparedness exercises because of where they are located.  In some cases there are federal laws that mandate these exercises, such as for seaports.  Norfolk, VA; Houston, TX; and even Port Hueneme, CA, the only deep water port between Los Angeles and San Francisco, have annual tests of their readiness and resources.  Each of these seaports is a significant asset to our continuous economic well-being.  They are surrounded by the private sector businesses that supply them with fuel, electric utilities and other critical infrastructure components that play their vital role in these regions.

Beyond the ability of these private sector organizations to engage with local first responders to exercise their continuity planning is the ability to test new technologies and methods, and even to research possible ways to improve overall resilience against a spectrum of newfound asymmetric threats.  These tests determine our ability to adapt or to utilize new tools in our current 4GW environment.  We must remain adaptive during irregular operations by small insurgent groups, such as those that have occurred in Mexico and in Mumbai, India, or the growing real possibility of devastating cyber attacks on our energy and telecommunication sectors.

Why are we encountering these threats at a higher frequency around the globe?  You only have to look as far as the foreign published press to find the answer to this question.  Or, if you haven't got the time to read and translate into your native language what is being said, then make sure you see the movie "Act of Valor" to better understand what lies before us.  What follows is from a foreign press article:
"The inability of the majority of the world's countries in the current circumstances to fight globalization's most powerful military machine (primarily the United States) on equal terms has led in recent years to an increase in the number of terrorist acts, armed conflicts, and local wars. Their coalescence into a single antagonistic system is giving rise to a phenomenon designated asymmetric operations by military-political theoreticians (asymmetrical conflicts and even asymmetric wars)."
As a result, we must adapt.  The Naval Postgraduate School (NPS) has several educational, training and research centers that are dedicated to the readiness of the military and to the public-private partnership mechanism in the United States.  The one center that stands out to help us become more adaptive in small conflicts and irregular activities is "The Center for Asymmetric Warfare (NPSCAW)."

The Center for Asymmetric Warfare, or CAW, was established in 1999 as a part of the Naval Air Systems Command to support U.S. military forces, as well as local, state, and federal organizations, in identifying, countering, and controlling the effects of asymmetric warfare in the nation's Global War on Terrorism. CAW's initial focus was the development and conduct of multi-agency, multi-jurisdictional homeland security and homeland defense exercise and training programs, in addition to test and evaluation programs for developmental first response technologies.

Since its inception, CAW has matured into a recognized leader in its field, by providing comprehensive education, training, and exercise programs; technology integration, test, and evaluation programs; and capability assessment and improvement programs to partners across a wide spectrum of jurisdictions. These programs include participation by Department of Defense; local, state, and federal government agencies; private sector and non-governmental organizations; academia; and international government agencies.

In 2008, CAW was realigned as a satellite division of the Naval Postgraduate School's National Security Institute, headquartered at Naval Base Ventura County, in Point Mugu, California. Harnessing the capabilities of the four institutes and four schools that comprise NPS, CAW can capitalize on the expertise and experience of a continuously expanding number of alumni, faculty, and students.
The U.S. private sector's proximity to high-value targets is many times overlooked.  Where on the West coast of the U.S. is the largest concentration of undersea telecom cables coming ashore?  You might guess San Francisco or Seattle.  Think again.  This map will give you an idea of what areas of the coastline could be more important to protect, and to continuously prepare for a future attack on these assets.  The answer is San Luis Obispo.

As an Operational Risk professional in your private sector organization, make it a priority to get engaged with your local community. Visit your local first responders soon. Reach out to the Regional Fusion Center and other entities designed to facilitate a smooth information sharing process.

This should occur between government and the most valuable assets owned and operated by our private sector constituents.  It all comes down to two words: Continuous Vigilance.

18 October 2015

Cyber Allies: A Whole Community Strategy...

The "New Normal" for American business is now apparent.  Operational Risk Management (ORM) is at the center of Board of Directors meetings, due to new laws and the latest attribution reports on nation state cyber hacking.  Disclosure to corporate shareholders of significant data breach or intellectual property theft incidents requires a more laser-focused industry strategy: a private sector "Whole Community" approach that not only shares vital intelligence on threat actors and new malware variants, but also develops trusted allies in industry itself.

As a concept, Cyber "Whole Community" is a means by which business, emergency management practitioners, organizational and community leaders, and government officials can collectively understand and assess the needs of their respective communities and determine the best ways to organize and strengthen their assets, capacities, and interests.  By doing so, a more effective path to societal security and resilience is built.  In a sense, Whole Community is a philosophical approach on how to think about conducting cyber emergency management.

For the past decade or more the private sector has toiled at the task of creating public-private partnerships in the Banking, Energy, Telecom, Retail, Defense and numerous other Critical Infrastructure sectors.  These organizations have focused on the challenge of sharing information that is relevant to the industry group at such a high level that the real value of the intelligence on threats or malware is often just a look in the rear view mirror.  By the time it gets into the report and into the hands of the organizational portal, or is pushed via listserv to the member constituents, it is stale or no longer relevant.

What if your corporate headquarters was located in an office park in AnyTown, USA, along with several dozen other large, medium and small businesses?  What if those businesses were all tied to the same critical infrastructure for the business park, such as electrical power, water, and telecommunications?  In most cases, the energy provider and water supplier will be the same for all businesses in the office park.  Unlike these utilities, the telecommunications providers may be much more diverse.  There could be three or more providers of high capacity voice, data and wireless services for each of the businesses to choose from.

What if these businesses now adopted a Cyber "Whole Community" mind-set?  They would begin the process of cooperation, coordination and collaboration.  They would embark on a bold new strategy to:
  • Understand community complexity.
  • Recognize community capabilities and needs.
  • Foster relationships with community leaders.
  • Build and maintain partnerships.
  • Empower local action.
  • Leverage and strengthen social infrastructure, networks, and assets.

You see, national industry-based organizations are not enough to build the long-term resilience your headquarters requires and your shareholders demand.  The Chief Risk Officer, Chief Financial Officer and Chief Information Officer need to begin reaching out to your business neighbors now.  The initiative will be well received by the CEO as they report at the next Board of Directors meeting.

The process for developing a more robust Operational Risk Program and sustainable services for your business enterprise could be just a stone's throw from your corporate front door.  Here is the bottom line.  You need to develop trusted allies in your own neighborhood and community.

Benefits include:
  • Shared understanding of community needs and capabilities.
  • Greater empowerment and integration of resources from across the community.
  • Stronger social infrastructure.
  • Establishment of relationships that facilitate more effective prevention, protection, mitigation, response, and recovery activities.
  • Increased individual and collective preparedness.
  • Greater resiliency at both the community and national levels.
Just think of the kinds of information or assets you might share with a "Trusted Ally" who is next door to your business or down the street.  What new strategies could you develop together to make yourself even more impervious to the latest incidents caused by "Anonymous" or "Flame" and even China?
WASHINGTON – For three straight years, a group of Chinese hackers waged a cyber war against a family-owned, eight-person software firm in California, according to court records. Hackers broke into the company's system, shut down its email and web servers, spied on employees using their own webcams and gained access to sensitive company files, according to court records.
Whether you are a small-to-medium-enterprise (SME) or a Fortune Global 1000 company you can develop new trusted allies in your Cyber "Whole Community".  What are you waiting for?

11 October 2015

Culture Risk: Charting a Course for Achieving the Mission...

"It's more fun to be a pirate than to join the Navy" - Steve Jobs

Think about the culture your organization has created, from inception to present day.  What is it about the current state that draws new people to want to get on board?  Do you have people lining up behind the recruiting table to join the Navy or to be a Pirate?

Competition for new talent and fresh perspectives requires the continuous pursuit of new people to join the firm, company or government agency.  It is already a matter of record how many applications Apple or Google receive for every job opening.  Yet other companies are struggling to find anyone to fill the ranks of the new project teams they seek.

As these new recruits come through the doors of the organization, are they ready to work within the rules of the pirate ship, or to learn in a more proven, consistent environment of certainty and longevity?  Certainly you can sense what kind of ship you are on right now.  Will your company be around in 2 years or 5 years?  How will you sustain the mission and vision you set out to accomplish?

As you embark on your next voyage with an organization, you can bet that what you see early on, is what you will get for months and years to come.  What is it about the cultural environment and the way people behave within the enterprise that is so appealing to you?  Is it the product, the service or the purpose that gets you out of bed each day, to do the job and accomplish your tasks for the greater benefit of the team?

Enthusiasm is contagious, and people who are "Waving the Flag" for their group, team or organization have a tendency to get others' attention, and it becomes viral.  Others start to wonder why there is so much energy and why so many people are trying to join up and participate.  The "Crowd Effect" is a known marketing strategy that has worked in advertising for decades.

And then there is another strategy that might be counterintuitive, and for good reason.  The opposite might be found in slogans such as "Only a Few Good Men" or an "elite community of professionals".  Many may want to join, but only the best and the most resilient will achieve the goal of becoming part of the team.

What is it that is the same about these two kinds of organizations?  Analyze the elements that make them similar and how they are able to persist over time, and you will begin to see what really matters in the effectiveness of organizational design and cultural development.  You will begin to understand the essential factors to enhance in order to achieve a long-lasting and perpetual enterprise.  Here are a few words that would describe and define both environments:

  • Trust
  • Innovation
  • Adaptive
  • Continuous Learning
  • Empathy
  • Belief

The factors you search for with your next organization, company or project team might have some or all of these attributes.  It is up to you to determine what is in your best interest long term, whether to be a pirate or join the Navy.  Once you have made the decision, it will forever define you and shape the way you think, act and behave for much of the rest of your life.

As an Operational Risk Management (ORM) professional, first it is your job to figure out what kind of ship you are on.  Second, it is your job to make sure that the Captain reaches their destination, today, tomorrow or next week.  Finally, you must decide whether both the ship you are on and the Captain will help you fulfill your lifelong goals and aspirations.

Now, think about your current cultural environment.  What is your organizational course?  Who is commanding the ship?  Are you ready for the next mission with your team?  Why?

Now you are well on your way to having a clearer picture of your destiny and contributing to the success of your next mission...

04 October 2015

OPS Risk: Everyday is a Training Day...

When the front lines of privacy and security converge on the digital front, the decisions to trust become more vital.  The questions about what tools and what methods are appropriate to address the 21st century domains for advertising, media and entertainment, news, weather, and thousands of other human interests become more complex.

Operational Risk Management (ORM) is evolving as the dynamic mobile digital environments adapt and continuously change the rules of the game.  Now that Edward Snowden has finally set up his Twitter account, the world can engage with him on a more direct basis, whether on the metro, sitting in an industry conference watching him via Skype, or in your own back yard.

Here's his first tweet -- an apparent Verizon Wireless joke and subtle dig at the spy agency:

Can you hear me now?

— Edward Snowden (@Snowden) September 29, 2015

The world is becoming a more dangerous place, as millions of new IP devices become more connected and human behavior is influenced ever more rapidly.  That favorite App that you encounter tomorrow may be feeding you interesting content that you believe is being customized according to your requests.  More likely, it has also been modified to fit your history of clicks, location, comments and other online behavior.  Every day becomes a "Training Day"...

You see, the ICT-based machines are storing and learning your behavior, each second and each minute you are connected to the Internet.  The massive analytics engines are consuming Yottabytes across multiple hard drives and data centers, preparing for and adapting to your particular behavior.  The unique "Trust Decisions" that are being made according to rules coded by humans are now being executed in nanoseconds.

Where is the future of Operational Risk destined to arrive in the years ahead and just Over-the-Horizon (OTH)?  Think about how we forecast the weather risks associated with the planet Earth.  Soon we will be utilizing the same kind of forecasting for the ecosystem of digital environments.  Using science and sophisticated engineering, sensor data will provide us with early warning of Internet thunderstorms, hurricanes and snow storms.  Soon thereafter, even the Cyber Insurance and Cyber Legal domains will become more robust.  Why?

Uncertainty in Internet weather patterns will create new products and services in order to find more certainty.  The current state of the Cyber Insurance industry is in its infancy, owing to the few documented historical events and the limited actuarial knowledge on data breaches.  Yet as insurance corporations and the legal frameworks grow towards enterprise risk, so too will the ability to hedge cyber risk more effectively.  The likelihood that a Fortune 50 company will now file a claim is at 50% and growing, as each company becomes insured by the modern Cyber Insurance policy product.

The assumption of a data breach is now becoming the new normal.  Boards of Directors are preparing for the organization's inevitable need to file a claim with one of the myriad insurance companies that are now operating in the Cyber Domain.  The Cyber Reinsurance business is now starting up.

High Risk / High Frequency events become insured, and the mitigation tools for dealing with the potential for large amounts of capital being paid out for remediation introduce exposure to the bottom line.  Cyber Insurance is a risk mitigation tool for the enterprise, just as it is for the trend of substantial class action lawsuits and other litigation exposure.  So what?
Where are the professional Operations Risk Officers going to focus after these kinds of events?
We shall make our way to the next major area that could bring down the entire organization.  It is in another Quadrant: High Risk / Low Frequency.  Why?  This is where your organization is now most vulnerable.  This is where the next risk exposure becomes so great that you may not survive the next major loss event.  Think about the environment you operate in and the stakeholders you answer to on a daily and quarterly basis.  The stakeholders have little understanding of where you are actually concentrating your thinking, expertise and resources.  You are focused on the next unknown:  High Risk x Low Frequency = Next Target Zone.

Where is the emerging target zone within your enterprise today?  What are you working on to address this in the time frame it takes for the rest of the risk mitigation products and industry to mature?  Will you catch up to the reality of the actual threat and the potential loss to the enterprise?

So what, and where, is the mindset of the most highly trained and capable Operational Risk experts concentrating today:
  • Operations that use tried-and-true technologies
  • Operations that rely only on general knowledge that attackers can obtain easily
  • Operations that require clandestine activities
Your adversaries are using these three to ensure their success.  It raises the odds in their favor that they will achieve their goal.  Their target.  Their mission.

As you convene your next meeting on the digital privacy and security issues that will occur in the next few months, where will you be focused?  How will you allocate resources?  Will your enterprise be ready and waiting in that Target Zone of High Risk and Low Frequency?

Your Operational Risk strategy shall evolve.  The elements may include looking through both the Internal and External environments.  Intentional Misconduct and Negligent Conduct are major factors.  It is time to increase the RPMs: Recognizing, Prioritizing and Mobilizing (RPM).  Now Execute.

Every day is a "Training Day"....

27 September 2015

Safe Harbor: Achieving a Defensible Standard of Care...

"Achieving a Defensible Standard of Care" within the enterprise requires an astute and proactive legal framework.  Operational Risk Management becomes a key component of the legal framework in multiple junctions of technology, data science and privacy law.

U.S. National Security continues to be in the center of the legal jousting between the European Union and the United States.  Underlying the debate is the data flowing through the Internet from data centers in Europe owned by U.S. companies.

What are the implications of a change in the Rule of Law and the rules associated with the collection, storage and analysis of data by companies such as Facebook?  How will the future of Operational Risk decisions impact the safety and security of nation states?  Is "Safe Harbour" ready for legal reengineering and a new, updated global data privacy architecture for the Internet of Things (IoT)?

III – Conclusion

237. In the light of the foregoing, I propose that the Court should answer the questions referred by the High Court as follows:

Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.

Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the Department of Commerce of the United States of America is invalid.
Chief Privacy Officers and General Counsel within the ranks of Amazon, Google and Facebook are on a proactive mission: how to keep business models fueled by advertising from eroding if data flows from outside the U.S. are precluded and all data from the EU must stay within the EU.

The Office of the Director of National Intelligence (ODNI) will be tracking the data privacy legal frameworks across the globe and the continuous changes that will be necessary to stay in compliance with U.S. laws.  Henry Farrell sums this up nicely in his WP analysis:
Thus, if the court rules as expected, the U.S. has to choose between two unattractive options. The first is to refuse to make any concessions on surveillance, hence endangering the business models of big and influential U.S. e-commerce firms, and making life much harder for other big corporations that e.g. have to transfer personnel files across borders. The second is to make real concessions to the EU on spying, moving away from indiscriminate surveillance to a system that would provide real protections for European citizens.
We are on the edge of many years of new business process reengineering (BPR), but this time it is not about the demise of proprietary client / server architectures and the addition of Internet Protocols.  The new data privacy BPR is now just underway, and it has everything to do with creating sound contractual negotiations for digital devices across borders.  More importantly, it concerns the trusted business assurance questions being asked by Operational Risk Officers and the building of digital trust as data and rules are executed at the speed of light.

Achieving Digital Trust delivers to business executives, IT strategists, and innovation leaders something remarkable: a complete tool-kit of new strategies and resources that will change how they make decisions that matter, and how to build digital assets that can be trusted.

As you pick up your mobile device to access Messenger, or Wickr, the rule of law is being put in motion in nanoseconds.  When you type the message to your colleague in Ireland or Germany from Detroit, your data is being processed across data centers in multiple countries.  Machines executing business rules with other machines.  Are the rules correct?  Are they all legal?

"Achieving a Defensible Standard of Care" in the next decade will be one of our most interesting challenges.  The Safe Harbor of our way of life may go beyond the simple integrity and assurance that the message simply gets delivered.

19 September 2015

Trust Decisions: Future Risk Architecture...

Leadership within the enterprise requires "Trust Decisions" that they can count on.  Operational Risk Officers have a fiduciary duty to provide top executives with the confidence that the data and information they provide is trusted.

So how do you assist any corporate leader who has the responsibility and accountability to the Board of Directors to make informed and sound decisions?  The answer is that it depends on how willing the CxOs in the enterprise are to engineer a "Trust Decision" model and framework for the business.

The truth is, most executive managers have their own way of doing this.  The process by which the CEO makes decisions is quite different from how the CFO makes decisions, and the COO may have a documented and tested way to make theirs.  The point is that major "Trust Decisions" for the good and welfare of the enterprise are being made by people who are each doing it differently.  These human decision makers are relying on a number of ways to get to the final answer.  The decisions from leadership are not as trusted and reliable as they could be.

As an Operational Risk executive charged with making timely and correct decisions, you have no choice but to have the tools and the trusted sources to enhance your situational awareness.  The safety and security of the facility, information or people's lives are at stake.  That is why you test and continually improve the process, so your analytics dashboard, intelligence feeds and data sensors are all operating with integrity and in real time.

You are relying on information that changes by the nanosecond and a system designed to provide decision support.  Intelligence-led investigations or reacting to the latest incident require systems designed and tested to support human "Trust Decisions."  Now back to the executive leadership and their process for decision-making.  What is it?  How does the CEO make the final decisions for the future wealth of the company and its stakeholders?  Are they trustworthy?

Unless you have seen the "Trust Decision" process and trusted data framework engineered for your enterprise, then probably not.  Think about all of the leadership level projects and how they turned out.  How did executive leadership decide to buy that other company or merge with their favorite supplier?  What process did they use to ensure all of the due diligence data was correct?  Why are the sources of data trusted?

We have the opportunity to improve and to arrive at a point where we make "Trust Decisions" our priority and a prerequisite.  After all, our employees, customers, shareholders and even mankind deserve it.  The challenge begins.

Whenever you encounter your next major business decision with your CxO, ask them how they arrived at the decision.  Ask them to explain the process they used and the sources of trusted data they relied on.  Ask them why they think the architecture of the decision at hand, is the most sound and trusted decision that can be made with the time available.

You are now well on your way to better understanding the power and the future risk architecture of TrustDecisions.

11 September 2015

9/11 2015: Never Forget This Anniversary...

On this anniversary of the four terrorist attacks on the United States, September 11, 2001, we pause and remember.  We reflect on where we were at 8:46, 9:03, 9:37 and 10:07AM on that horrific morning, as the two planes crashed into the World Trade Center Towers in New York City, followed by the Pentagon in Washington, DC and a field near Stonycreek Township outside Shanksville, Pennsylvania.

The Islamic State fight continues 14 years later in an arena of global asymmetric warfare.  This includes YouTube videos, Twitter, Special Operators from USSOCOM and other "Quiet Professionals" on the Internet or in the shadows of Istanbul and Cairo, whom you will never read about.

When any moral person watches the replay of the video news reporting on 9/11, emotions are evident. Telling the story to those who were not born or are too young to remember is imperative.  No different than the importance of other historic events of evil during two World Wars, Vietnam or the continued wars across Iraq, Afghanistan and the Middle East.

Over the past 14 years our lives have been forever impacted in the midst of conflict over religion, real estate and resources.  This is nothing new from a historical perspective until you add the technology components.  The Internet and mobile phone technologies have brought the reporting, intelligence and dissemination of real-time information to us in seconds or minutes.  No longer days or hours.

On this 9/11 anniversary, we can only pray that our humanity endures the kinetic evil and the light speed of digital information that will continue to evolve in the decades and milliseconds ahead of us...

06 September 2015

Rule of Law: The Privacy vs. Security Paradox...

Chief Privacy Officers and Operational Risk Officers are watching with anticipation as Microsoft argues its case before the U.S. Court of Appeals in New York, USA on September 9, 2015.

The trustworthiness of data and the future of "Achieving Digital Trust" for companies and countries is a priority.  The wealth created from the management, storage and processing of data across global borders is at stake.  The "Rule of Law" that intersects with that data and the legal disclosure to government authorities, has been accelerating in countries such as Ireland, Belgium and Brazil.
The company hasn’t always been so eager to comply. A year earlier, it rebuffed a request from the Department of Justice for a suspected drug trafficker’s e-mails. Those were in a data center in Dublin -- and according to Microsoft, the arm of American law enforcement doesn’t extend to Ireland. That set in motion a legal challenge putting Microsoft and its general counsel, Brad Smith, in the lead of a charged battle between the U.S. technology industry and the U.S. government.
More than two dozen companies, including Apple Inc. and Cisco Systems Inc., have filed briefs on Microsoft’s behalf in the case, which is about due process and the right to privacy, and money. Internet service providers may be hard-pressed to sell Web-based products if they can’t promise that digital records stowed in foreign countries will be protected by those countries’ laws -- and from unilateral U.S. search-and-seizure missions.
The privacy vs. security business is apparent and a defensible standard of care remains vital.  Several companies in the data privacy industry have made the decision to establish their legal business entity in Switzerland.  Silent Circle, Proton Mail and Golden Frog are a few examples.  Why?

It is because the business of privacy is becoming a big business.  It is creating wealth.  Data privacy and the use of cloud-based products and services is now so pervasive across borders, that the collision of private companies and governments was inevitable.  Nation states are making it easier for global companies to locate, manage and operate in their data privacy friendly countries.

Digital Trust is at the center of the dialogue.  Operational Risk Management (ORM) surrounds the core conversations as you analyze the implications of building a data-centric business with the ability to comply with all of the regulatory and legal requirements.  The Electronic Communications Privacy Act (ECPA) of 1986 is being interpreted in Microsoft v. United States of America:

The Government’s brief confirms this much: Nowhere did Congress say that ECPA should reach private emails stored on providers’ computers in foreign countries. Small surprise for a statute written in 1986, before the creation of the global internet, when the notion of storing emails halfway across the globe was barely imaginable.

Congress can and should grapple with the question whether, and when, law enforcement should be able to compel providers like Microsoft to help it seize customer emails stored in foreign countries. Microsoft has outlined many reasons why Congress would be wary of granting that power: It would establish a norm that would allow foreign governments to reach into computers in the United States to seize U.S. citizens’ private correspondence, so long as those governments may assert personal jurisdiction over whatever company operates those computers. It would offend foreign sovereigns.

Business and Government across the globe are working diligently to create a balanced, legally sound and vital information sharing environment.  Consumers will continue to have a choice of what vendor, device or data hosting company they utilize for their communications.  The features, functions and benefits will be carefully thought out by the marketing and business executives.  Yet the question will be asked by each company's respective stakeholders:  What is the value of trustworthiness in the markets we operate in, and how will we decide to create "Digital Trust"?

The consumer must also understand how these tools are being utilized by the dark and evil components of our human society.  Citizens must better understand the motivations for government to protect consumers and those organizations who choose to use certain tools on the Internet.  Those who have a fear of government also like the idea of law enforcement protecting their neighborhoods.  There are two sides to the private enterprise:
They aspire to be neutral conduits of data and to sit outside or above politics. But increasingly their services not only host the material of violent extremism or child exploitation, but are the routes for the facilitation of crime and terrorism. However much they may dislike it, they have become the command-and-control networks of choice for terrorists and criminals, who find their services as transformational as the rest of us. If they are to meet this challenge, it means coming up with better arrangements for facilitating lawful investigation by security and law enforcement agencies than we have now.
As private companies and nation states collaborate to attract new business commerce and tax revenues, your privacy and your company will be at the center of the negotiation.  The consumer's preference for where their data is stored, and for the legal jurisdictions to which that data is subjected, will continue to matter.  For the good guys and the bad guys.  "Achieving Digital Trust" will be with all of us for some time to come.  As mankind evolves and the most valuable assets of our world become virtual, we can only hope "Trust Decisions" and the "Rule of Law" will stand the test of time.

30 August 2015

CAG 20: Red Team Exercises...

The Consensus Audit Guidelines (CAG) have been public for years, and the 20 controls are vital to our enterprise business resilience.  One stands out, however, that is not automated and requires a specific advance Operational Risk Management (ORM) strategy.  CAG: Critical Control 20: Red Team Exercises:
Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they burrow deep and expand the number of systems over which they have control. Most organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared for identifying and responding to attack.
This control goes beyond traditional penetration testing, which typically has the goal of identifying vulnerabilities and showing their business risks. Red Team Exercises are exercises in the traditional sense of military exercises, where the three goals are improved readiness of the organization, better training for defensive practitioners, as well as inspection of current performance levels. Independent red teams can provide valuable objectivity regarding both the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place, and even those planned for future implementation.
We would like to emphasize the importance of this strategy execution beyond the IT and Information Systems within the organization.  In any significant business disruption or "incident", whether it be the breach and theft of a database full of "Personal Identity Information" (PII) or the breach of a rear window of a corporate executive's residence to initiate a kidnapping plot, the goal remains the same:
"Attackers use tools to exploit a vulnerability; to create an action on a target, that produces an unauthorized result to obtain their objective."
Think about it for a minute.  Whether it be the online digital world or the offline physical environment your organization is operating in today, someone is probing and testing your vulnerabilities.  The only possible way for you to discover them before your adversary does is to continuously attack your own business and its assets.  And possibly most importantly, it must be done on a clandestine basis:
clandestine from L. clandestinus "secret, hidden," from clam "secretly," from base of celare "to hide"
What value can be gained from exercises or testing that are conducted with advance warning to your staff or team?  Very little.  To execute the "Red Cell" approach, to effectively improve and increase the resilience of your organization, the strategy execution must remain secret.  Yes, of course there will be people placed throughout the organization, in key areas, who know that the exercise or attack on the organization is a planned exercise.  However, that is only for safety and liability purposes, along with the potential injection of simulations that increase the effectiveness of the vulnerability testing.

The CAG has 20 controls that are focused on Cyber Defense and many of these will require manual intervention, planning and effective oversight. Automated tools can only go so far, to address the real goal of understanding human behavior during and after a "Real Incident" actually unfolds. In the context of using a Red Team exercise, you must include the use of Gavin De Becker's "Elements of Prediction" with your employees and stakeholders:
1. Measurability - How measurable is the outcome you seek to predict?
2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?
3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?
4. Context - Is the context of the situation clear to the person making the prediction?
5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?
6. Experience - Does the person making the prediction have experience with the specific topic involved?
7. Comparable Events - Can you study or consider outcomes that are comparable, though not necessarily identical, to the one being predicted?
8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?
9. Investment - To what degree is the person making the prediction invested in the outcome?
10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?
11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?
This is how and where you extend your physical controls to the actual people, who will make the difference before and during a critical incident in your enterprise.  Revisit the Consensus Audit Guidelines (CAG) for your enterprise.  It just might help you find that one place where the continuity of the business is at risk after a significant disruption or the one threat that still is hiding in the shadows.

23 August 2015

Legal Risk: The Insider Threat from Outside Counsel...

What will the "New Normal" be for the United States in the era of increased scrutiny on privacy law, civil liberties and the continuous quest for the security of the Homeland?  Operational Risk Management (ORM) professionals are ever more focused on "Information Operations" and counterintelligence functions while simultaneously working side-by-side, with their own General Counsel.  The laws in each state are changing and being updated as the Federal legislation stalemate continues:
Connecticut Updates its Data Security Laws, Imposing Stringent New Requirements
By Ellen Moskowitz on July 15th, 2015. Posted in Legislation

On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.”[1] The new law updates Connecticut’s data security laws, including by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identity theft prevention services, imposing new and specific data security program requirements on health insurance companies and other entities subject to Insurance Department regulation, and requiring state agencies to impose certain detailed security requirements on state contractors that maintain personal information. With a near constant stream of data breaches affecting entities from health insurers to retail giants to the government, the law responds to growing fears of data security.

Under the new law, beginning October 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but now no later than 90 days after discovery of the breach, to state residents whose personal information was breached or reasonably believed to have been breached. The Connecticut Attorney General stated in a press release that 90 days is an “outside limit” that does not diminish his discretion to take action against entities who “unduly delay” notification.[2] Importantly, the law also requires the provision of at least twelve months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.
If you happen to be concerned about the "Insider Threat" within your enterprise, then you realize the importance of creating the foundations for a sound legal framework.  One that addresses the rules that must be followed and the protocols for building trust with key corporate partners.  This includes the outside counsel that your enterprise engages with on an annual basis.

So what legal duty of care do your retained outside counsel have to secure your information?  What do they have in the environments that they operate in that may cause additional legal risks for your enterprise?  Do they understand the difference between information security and confidentiality?

First tier supply chain partners such as outside counsel are no different from the cloud provider or the HVAC contractor that may have access to the corporate network.  So what is the root cause of the substantial intellectual property theft and industrial espionage targeted at law firms?  Failing to understand the vast landscape of "Operational Risk," which includes both negligent conduct and intentional misconduct.  So what can you do now to improve the outcomes of managing the legal risks of "Outside Counsel"?

Start a Dialogue:  Request a commitment to review the privacy vs. security environment of the key retained firms who provide the outside legal work for the enterprise.  Provide a case example of your corporate information security structure and priorities.

Ask Questions:  The whole spectrum of information security deserves a deep dive in the dialogue on managing digital information, making effective "Trust Decisions" and addressing eDiscovery and Records Management questions.

Team Together:  What if you worked with your outside firm to create a solution that included a collaborative design, prioritized execution, insisted upon cooperative feedback and ensured continuous improvement?  Get your legal teams to train together with your CISO and CIO security teams.

Revise the Engagement Letter:  The contracting language must include the nuances of information security, privacy controls and an informative strategic plan for the inevitable point in time when there is a data breach at your outside counsel.  More here:
As Willie Sutton supposedly said, he robbed banks “because that’s where the money is.”  That also explains why law firms and lawyers are increasingly the targets of cyber-intrusion, particularly phishing scams.  Apparently, phishing in legal waters can yield a full net of stolen information.

“Most likely” to take the bait
Verizon’s 2015 Data Breach Investigations Report has found that a company’s legal department is among the ones that are “far more likely to actually open [a phishing] e-mail than all other departments.”

In case you’ve been living under a rock, “phishing” is the attempt to obtain sensitive information fraudulently by means of a deceptive electronic communication that appears to come from a trustworthy source.  (Some link the term to the indie rock group Phish, but according to Computerworld magazine, the term was coined around 1996, with the obvious analogy to the sport of angling using a lure.  Under that view, the “ph” is a nod to an old form of telephone hacking known as “phone phreaking.”)

Shockingly, Verizon found that 23 percent of recipients open phishing messages, and 11 percent click on the fatal attachments.

16 August 2015

Decision Advantage: Operational Risk Strategic Vision...

When the Board of Directors asks for a report on the Operational Risk Strategic Vision for the enterprise, will you have it ready?  The execution of strategy with the discipline of Operational Risk Management (ORM), requires a look "Over-the-Horizon" (OTH).  Why?

You have to realize the pace at which technologies are advancing.  You have to realize how your competitors are creating a decision advantage.  How will you apply new data science, advanced hardware and software capabilities to augment your Human Capital, and where will you use them to replace Human Cognition?  So what are some of the categories that you should be researching, testing and implementing?  Which new strategic systems will secure, protect and improve the situational awareness or resilience of your organization?

Many of the areas you will need to address have to do with enhanced processing and management of data from disparate sources:
  • Coping with Scale - Advanced Analytics
  • Very Large Dataset - 4D Visualization
  • Data Standards and Governance - Sensor Priority Processing, Optimized Data Movement
Bringing tools to the data, data trust and provenance tracking are a subset of governance.  Machine translation and wire speed language recognition are subsets of a multi-lingual textual data processing platform.

So what?  Why is all of this innovation required in the modern Operational Risk domain and why is it so important?  The simple answer is international competition from your adversaries.  Dynamic, smart metadata, metadata relationships and data that finds the analyst are challenging areas today.  Natural language processing techniques and wire speed data tagging are vital.

"Data Mining will bring us "Cyber Situational Awareness", "Human-Assisted Machine Learning" and "Pattern of Life modeling".  Decision and intelligence advantage, is the key to many of these strategic initiatives."

Again, from a business perspective, so what?  If your organization is in the Information Technology Sector, then of course you understand that the competition is tough and your new advanced VM and/or shiny systems "Box" does need to stand out, with its unique features and differentiators in the marketplace.  It must have some value proposition to the customers that few or none of your competitors can provide at the moment.  Otherwise, why would you spend the money on educating the market, writing a check to Gartner, advertising, sales and business development?  Right?

The Board of Directors today might just understand the concept of "Decision Advantage."  What if you went to the next meeting of the outside directors and provided a narrative and presentation on "Decision Advantage"?  You want them to authorize the substantial budget for your own Operational Risk R&D.  You are asking them to invest in the future risk mitigation of the enterprise, that they have a fiduciary responsibility to safeguard for the shareholders.

You see, you are way behind the international competition.  When you view this visual of the current state-of-play going on this hour, this minute and this second, you really have no time to waste in authorizing more resources to address many of the areas previously discussed here.  The future of your enterprise and the livelihood of your country is at stake.

The Research & Development (R&D) budgets for Operational Risk Strategy execution are tremendous.  Add it all up.  The question is, how effective is it for the enterprise to spend risk management and mitigation funds separately in each department of IT, HR, Marketing, Sales, Finance and Facilities, without a complete understanding and vision of how the spectrum of risks, threats and mitigations are interconnected, and of which tools, processes or technologies are actually interdependent?

When something such as Enterprise Risk Management or even National Security is so mutually dependent, you have to ask the Board of Directors to pause and to require the Operational Risk Strategic Vision.  Once it is completed, you will see which new technologies to invest in with your total Research & Development budget, and where to spend it.

Perhaps the most important reason for this vision, is also to ensure your "Intelligence Advantage"...

09 August 2015

Leadership: Adaptive Risk for an Uncertain Future...

As the political season in the U.S. starts earlier and earlier each four year cycle, the question from the rest of the world remains consistent.  Will America lead the Cyber cold war in the next four years?  Operational Risk Management (ORM) is a necessary and vital component of any mission or project, from the Situation Room, inside your company, on the flight deck or on the front lines of the conflict-torn regions of the Sahel.

Transnational Organized Crime (TOC) and their proxies are constantly waging new malware campaigns against our global economic and intellectual property ecosystems, utilizing sophisticated new toolkits.  There are three key attributes of modern day "Threat Intelligence," as Eric Olson from Cyveillance explains:

1. Relevance – The information must relate to, or at least potentially relate to, your enterprise, industry, networks, and/or objectives

2. Actionable – It must be specific enough to prompt some response, change, action or decision, or to dictate an explicit and informed decision not to act

3. Value – Even if relevant and actionable, if the data (and the action) does not contribute to any useful business outcome, there is no value

When threat activity, known actors, historical tactics, or attack information can be combined with vulnerabilities, activity data, or other particulars present in your network and environment, then the information becomes relevant, actionable intelligence.
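The combination described above, as an added example that is not code from the original post or from Cyveillance: a small Python triage routine that applies the three tests (relevance, actionability, value) by joining threat-feed indicators against a local asset inventory and proxy log lines. The feed entries, actor names, hostnames, product names, addresses and the key=value log format are all constructed for illustration; the addresses are drawn from the RFC 5737 documentation ranges and the domains are reserved example names.

```python
"""Apply the relevance / actionable / value tests to raw threat-feed entries.

Added example, not code from the original post or from Cyveillance.  Every
indicator, asset record and log line is constructed for illustration: the
addresses come from the RFC 5737 documentation ranges and the domains are
reserved example names, so nothing here refers to a real host or actor.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """One threat-feed entry (constructed shape, not a real vendor format)."""
    kind: str     # "ip", "domain" or "software"
    value: str    # address, hostname, or "product version"
    actor: str
    tactic: str
    sector: str   # industry this actor has historically targeted


# Constructed asset inventory: hostname -> address and installed products.
ASSETS = {
    "web01": {"ip": "10.0.1.15", "software": {"exampleweb 2.1"}},
    "fin02": {"ip": "10.0.2.40", "software": {"ledgerapp 5.0"}},
    "hr03":  {"ip": "10.0.3.22", "software": {"exampleweb 3.0"}},
}

# Constructed proxy/firewall events in a key=value style, plus one bad line.
LOG_LINES = [
    "2015-08-09T10:00:01Z src=10.0.1.15 dst=203.0.113.7 host=update.example.net action=allow",
    "2015-08-09T10:00:05Z src=10.0.3.22 dst=198.51.100.9 host=cdn.example.org action=allow",
    "2015-08-09T10:00:09Z src=10.0.2.40 dst=192.0.2.33 host=mail.example.com action=deny",
    "garbage line that the parser must tolerate",
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) action=(?P<action>\S+)")


def parse_logs(lines):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def sighted_hosts(indicator, events, assets):
    """Internal hosts that actually talked to the IP or domain in the indicator."""
    ip_to_name = {a["ip"]: name for name, a in assets.items()}
    hits = set()
    for ev in events:
        if (indicator.kind == "ip" and ev["dst"] == indicator.value) or \
           (indicator.kind == "domain" and ev["host"] == indicator.value):
            hits.add(ip_to_name.get(ev["src"], ev["src"]))
    return hits


def exposed_hosts(indicator, assets):
    """Internal hosts running the product version the indicator names."""
    return {name for name, a in assets.items() if indicator.value in a["software"]}


def triage(indicators, assets, log_lines, our_sector):
    """Return one record per indicator with its relevance, action and value, best first."""
    events = list(parse_logs(log_lines))
    results = []
    for ind in indicators:
        if ind.kind in ("ip", "domain"):
            affected = sighted_hosts(ind, events, assets)
        else:
            affected = exposed_hosts(ind, assets)
        in_sector = ind.sector == our_sector
        # Relevance: a local sighting or exposure, or at least a sector match.
        relevant = bool(affected) or in_sector
        # Actionable: a specific response, or an explicit decision not to act.
        if affected and ind.kind in ("ip", "domain"):
            action = "block %s at the proxy and investigate %s" % (ind.value, ", ".join(sorted(affected)))
        elif affected:
            action = "patch or isolate hosts running %s" % ind.value
        elif in_sector:
            action = "watchlist only; no local sighting yet"
        else:
            action = "no action"
        # Value: direct sightings outweigh sector-level relevance; irrelevant items score zero.
        value = 10 * len(affected) + (1 if in_sector else 0)
        results.append({"indicator": ind.value, "actor": ind.actor, "tactic": ind.tactic,
                        "relevant": relevant, "affected": sorted(affected),
                        "action": action, "value": value})
    return sorted(results, key=lambda r: r["value"], reverse=True)


# Constructed feed: two entries from the same actor, one irrelevant to our sector.
FEED = [
    Indicator("ip", "203.0.113.7", "actor-a", "malware command and control", "finance"),
    Indicator("software", "exampleweb 2.1", "actor-b", "web shell drop", "retail"),
    Indicator("domain", "phish.example.net", "actor-a", "credential phishing", "finance"),
    Indicator("ip", "192.0.2.99", "actor-c", "mass scanning", "energy"),
]

if __name__ == "__main__":
    for r in triage(FEED, ASSETS, LOG_LINES, our_sector="finance"):
        print("%2d %-18s %s" % (r["value"], r["indicator"], r["action"]))
```

The point of the join is that the feed entry alone carries no decision: the same indicator is worth a block rule when one of your hosts has already reached it, a watchlist entry when only the targeted sector matches, and nothing at all otherwise. A real deployment would replace the inline inventory and log list with the CMDB and the proxy's log pipeline, but the three tests stay the same.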

As a leader in the private sector, the waves of globalization and regulatory mandates keep you striving for the entrepreneurial spirit, yet constantly constrained by new rule-sets and compliance initiatives.  Mitigating risks to the enterprise requires leadership that can span the visions of an environment with creativity and, simultaneously, the spirit of autonomy.  Modern day risk management is not only a leadership challenge, it is also a cultural challenge.  How do I get my people to think like true entrepreneurs and simultaneously provide them with the skills and knowledge they will need to survive in a hostile environment?
  • First off, you have no doubt heard somewhere along the way that High Performing Teams are the way to accomplish new fixes to software code or even to ensure the last mile of due diligence to get the leveraged buy-out to become a reality.  These High Performing Teams must be diverse and they need to have the time to cross-train each other in the specific skill sets necessary to fulfill the desired outcomes.  If one person comes down with the flu or worse, you may be the one who has to fill in and pick up the slack.
  • Second, the cultural mind set shift must take place to becoming continuously adaptive.  Being adaptive means that you have to be able to incorporate both readiness and resilience in the same effort.  Making rapid decisions without time for formal planning is foreign to some on the team.  You have got to get everyone to be as adaptive as the designated leader, because the leader will not always be there to tell you or show you what to do next.
  • Finally, leadership decisions on the floor of the exchange, in the EOC or sitting across the table from your newest prospective client mean that you have got to practice.  This capability calls for you to continuously train, experience the emotions and see the results of your actions, good and bad.  These skills are perishable and require a tremendous investment in time and resources to make sure that the risks of failure are mitigated almost to zero.
What are you willing and able to do, to lead America in 2015 and beyond?  Think service before self-interest and you will be leading beyond the risks of an uncertain future for yourself and our country.

02 August 2015

Trusting Women: The Future of Irregular Warfare...

The economic engine of successful countries and the single family household, is typically the result of a dedicated and conscientious woman.  If your organization is planning to be more resilient and capable of continued growth, then make sure you have women in the most strategic Operational Risk Management (ORM) roles possible.

You may already understand why, and there is continuing evidence that men are just not the ideal people for certain positions of decision-making and other skilled business professions of the future.  The stories and the examples flow from the most clandestine and remote regions of Africa, to the valley associated with Silicon.

Women are now breaking through new barriers in all types of roles and in places where traditionally they have been forbidden.  Here is just one example of a rapidly growing trend, from Dan Lamothe at the Washington Post:
Only the swamps of Florida stand between two female soldiers becoming the first women to ever graduate from the Army’s famously difficult Ranger School.  The women have completed the school’s Mountain Phase, and will move on to the third and final phase of training, Army officials said Friday.

The women are attending for the first time as part of an ongoing assessment by the military about how it should better integrate women into combat roles in the military. It follows a 2013 decision by Pentagon leaders to open all jobs in the military to women by 2016.
When you really think about the future roles of the new 21st Century Army and the trends of our asymmetric threats, are not women our best strategic weapon?  Irregular warfare will dominate most days of our human conflicts into the future, and women are well equipped to be the leaders of this trend.

Yes, there is evidence that earning the "Ranger Tab" requires physical stamina.  Simultaneously, the elite Army course requires superior problem-solving skills and adaptive intuition involving teamwork, where women excel.  Now you are starting to see why it is vital to have women on any high-performance team, whether in the Hindu Kush or on the Internet front lines of "Achieving Digital Trust" with the next generation of our youngest knowledge workers.
Irregular warfare is warfare in which one or more combatants are irregular military rather than regular forces. Guerrilla warfare is a form of irregular warfare, and so is asymmetric warfare.  Irregular warfare favors indirect and asymmetric warfare approaches, though it may employ the full range of military and other capabilities, in order to erode the adversary’s power, influence, and will. It is inherently a protracted struggle that will test the resolve of a state and its strategic partners.[1][2][3][4][5] Concepts associated with irregular warfare are older than the term itself.[6][7]
As future conflicts evolve into our pervasive digital domains and require the collection and analysis of relevant information on the front lines, women are the strategic choice.  History tells us clearly that this is the case.  It is this kind of intellect and patience for building and sustaining relationships that so many policy makers have recognized, across both public and private sector operations.

So who is just one good example?  Our future strategy must include the development of armies of women with the skills and talents of leaders like Sheryl Sandberg:
Sheryl Kara Sandberg (/ˈsændbərɡ/; born August 28, 1969)[3] is an American technology executive, activist, and author. She is the Chief Operating Officer of Facebook. In June 2012, she was elected to the board of directors by the existing board members,[4] becoming the first woman to serve on Facebook's board. Before she joined Facebook as its COO, Sandberg was Vice President of Global Online Sales and Operations at Google and was involved in launching Google's philanthropic arm Google.org. Before Google, Sandberg served as chief of staff for the United States Secretary of the Treasury.
You see, the Fortune 500 is now starting to wake up to the reality of the current state of corporate "Irregular Warfare".  The ability to erode the competition's power, influence and will is just the beginning of the conversation in creating reliable and growing shareholder value.  When you really start to evaluate the entire success of the Silicon Valley ecosystem, or even the future economic engines of unknown villages across our globe, you begin to realize how it is driven and continuously improved by the skills and superiority of women.

So what is just one good example?  Our future strategy must include the development of armies of women with the strategic foresight of Opportunity International:
Opportunity International Trust Groups help entrepreneurs break free from the limitations of poverty by promoting solidarity and maintaining accountability.  Trust Groups consist of 10-30 entrepreneurs, mostly women, who meet once a week to share personal and business advice, receive financial training, and vote on loan-related topics.  Trust Groups build a safety net by guaranteeing each other’s loans -- if one member defaults on a weekly payment, everyone else must cover the costs.  This method has led to a loan repayment rate of 98%.
Vicki Escarra joined Opportunity International in 2012 as US CEO. Previously she has led several major initiatives to create a long-term strategic plan, rebrand the organization, streamline operations and increase global fundraising by 30 percent in 2013 to expand the organization’s work around the world. Before joining Opportunity International, Escarra spent six years as president and chief executive officer of Feeding America, the nation’s largest domestic hunger relief organization. Prior to Feeding America, Escarra spent nearly 30 years at Delta Air Lines Inc., where she rose to chief marketing officer. As one of the highest-ranking women in the aviation industry at the time, she oversaw $15 billion in revenue and led a workforce of 52,000.
When you hear a woman like Vicki, Sheryl (or Cheryl) talk about providing our organizations, large and small, with the training, education and the "Trust Decisions" to create and sustain growth, you can only imagine what is really possible.  If you have ever had the lucky chance to work with a woman like these three for months or decades, you understand the multitude of advantages.  You understand the reasons why having women on every high performance team is imperative.  You can see their outstanding results.