01 May 2016

Innovation: Truth in Data Provenance...

For years mathematicians and computer scientists have written about the trustworthiness of data provenance.  Relying on the integrity of data collection, transport and of course the source of data is a real science.  Our modern day zeros and ones span all aspects of our lives and Operational Risk Management (ORM) professionals have encountered the questions surrounding trust and the process of decision making long before the invention of computing machines.

At the root of decision making with integrity the source of data is questioned.  The reliability and history of previous data from the source.  As the data was transported from Point A to Point B was there any possibility that the data was altered, modified or corrupted.  Couriers and the use of a "Hawala" type system have been used by traders and terrorists for hundreds of years.

"Truth in Data Provenance" is the question mark that enables our trust decisions.  This is why modern day cryptography is at the center of so many arguments and debates, when it comes to the topic of trusted information.  Yet hundreds of years ago, long before telecom and ICT was invented, the trustworthiness of data provenance was a vital factor.  The use of transposition ciphers were in use by the ancient Greeks.

So what?  In 2016 what does the truth in data provenance have to do with our business commerce, our transportation, our banking, even our abilities as governments to maintain our defense against attack?

The topic is vast and deep and worth exploration at the top level of human decision-making.  Yes, it is vital that our computing machines have high-assurance data integrity, in order for our global systems to operate day-to-day.  Yet what impact does trusted information have with humans in an environment of work and daily collaboration?  How does truth in data provenance, affect our decision making and the environments we work in?

In a recent report by LRN, the subject of trust in the work environment as a motivator has become more apparent:
Another fascinating result of the study had to do with two squishy-sounding characteristics of a company: character and trust. Companies deemed by employees to have both strong character and inspired trust performed almost four times better, using the metrics mentioned earlier, than those that had other positive cultural attributes, such as collaboration and celebrating others. (This applied to all three types of companies, though, naturally, culture and trust were much more prevalent in the self-governing ones) What’s more, “high trust” organizations were 11 times as likely to be called more innovative than their competitors. Trust, the How Report suggests, is more important than virtually any other characteristic.
How organizations address the trustworthiness of data provenance is still a new frontier in this day and age.  The use of new sensors, sophisticated analysis of "Big Data" by computer algorithms and the pace at which new data is generated by the "Internet of Things" (IOT) makes this a significant area of focus for our current executives and enlightened organizational leadership.

But what does that really mean? How does one measure the absence or presence of something as abstract as trust? The How survey defines it as “a catalyst that enhances performance, binds people together, and shapes the way people relate to each other.” High trust groups encourage risk-taking, which in turn is what is necessary for true innovation to occur. When innovation fails, says Seidman, it’s because companies don’t put enough faith in employees to let them take risks. The industries with the highest amount of trust were “computers/electronics,” followed by “software/Internet.” Coming in last? Government.
At the most fundamental level, the culture you are operating in has all to do with the trust that exists or is absent.  It has all to do with the trustworthiness of data provenance.  Leadership in any organization, must see the relevance between trust and innovation.  Between innovation and risk-taking.  Your future and your culture depends on it.

23 April 2016

Trust Decisions: The Wealth of Our Cognitive and Digital Transactions...

As you embark on your journey out the door today, you will be required to make dozens of "Trust Decisions".  You and the digital smart machines and the numerous human and digital trust transactions that you will encounter is quite fundamental.  Or is it?  As you walk into your office building the surveillance cameras are watching you and recording your behavior.  The iPhone in your pocket is transmitting your unique signals to digital data sensors embedded in the lobby.  As you press the button on the elevator to go up to your office, you are making another affirmative decision to trust.

When you step off at your floor and approach the door to your office, you might utilize your small "Radio Frequency Identity (RFID) device to swipe a small square mounted on the wall.  You hear the deadbolt unlock and you are now granted access to your office space to start your workday.  Now as you walk to your corner office, you glance at the top of the screen of your iPhone to see if you are connected automatically to the corporate wireless network and the VPN.  When you were granted access to the office, the corporate computer network knew you were now present in the office and you have been automatically granted access for your role on numerous software applications on your computing devices.

Start your day at work and now the number of digital trust encounters has just begun.  The "Trust Decisions" that you and your digital devices will be making, could reach into the hundreds after a long 8 hour day.  Yet there are five principles that emerged in May of 2015 from Oxford professor and author Jeffrey Ritter in his book "Achieving Digital Trust" we should consider now:
  • Every transaction creating wealth first requires an affirmative decision to trust.
  • Building trust creates new wealth.
  • Sustaining trust creates recurring wealth.
  • Achieving trust superior to your competition achieves market dominance.
  • Leadership rises (or falls) based on trust (or the absence of trust).
Think about a day in the life of your entire organization and the number of digital trust transactions that have nothing to do with actual monetary currency transfers.  The wealth that is being described here on first glance may be thought of in terms of dollars or yuan or property, yet what about the wealth of human trust?  A plentiful amount or an abundance of anything.  How tangible is the decision to trust the computing machine before you, or the person sitting across the desk who is a key supplier or that new client half way around the world just sending you a text message?

You see, we walk to work and communicate everyday, making hundreds of trust decisions.  Our corporate computing devices are making tens of thousands or millions of transactions of trust each hour.  The rules, information and calculations are known, because they are being measured.  Jeffrey Ritter says it this way:
Take a moment and think about each of these with respect to what you do in your business or in your job. How does the organization acquire wealth? Where does new wealth originate? How are customers retained? What provokes them to keep coming back and paying for your goods or services? Why does the leader in your market succeed? If you are not the market leader, why not? How is the loyalty of your team maintained? 
 The future is clear and becoming more revealing to us each day.  Digital trust, security and privacy of your organization and our societies are being defined before us in plain sight.  Can you see it?  The Washington Post illustrates a single example:

By Hayley Tsukayama and Dan Lamothe April 22 at 7:22 PM

Ever since Chinese computer maker Lenovo spent billions of dollars to acquire IBM’s personal-computer and server businesses, some lawmakers have called on federal agencies to stop using the company’s equipment out of concerns over Chinese spying.

This past week, those lawmakers thought the Pentagon finally heeded their warnings. An email circulated within the Air Force appeared to indicate that Lenovo was being kicked out.

“For immediate implementation: Per AF Cyber Command direction, Lenovo products are being removed from the Approved Products List and should not be purchased for DoD use. Lenovo products currently in use will be removed from the network,” stated the message. The apparent directive was generally welcomed as it circulated around Capitol Hill.

Then the Pentagon’s press office weighed in. Not so fast, it said.
Making "trust decisions" today at work and as you navigate home for the evening will be more apparent.  A heightened understanding of digital trust and how you engage with these transactions each waking hour may assist you in creating new wealth.  Improving the trust you have with computing machines and others at home or work, can make all the difference in life.

Where do you work and live?  Washington, DC.  London.  Moscow.  Beijing.  New Delhi.  Sydney.  It doesn't matter anymore because we are all connected by the Internet.  The opportunity for the societies of our planet to utilize "Information & Communication Technology" (ICT) to produce greater wealth is before us.  How will you proceed with your Trust Decisions?

16 April 2016

Leadership in Crisis: Building Trust with Continuous Training...

How often have you ever heard the leadership management philosophy that you must "Train Like You Fight"?  Here is another way to look at it:
The more you sweat in peace, the less you bleed in war.
Norman Schwarzkopf
The theme is all too familiar with Operational Risk Management (ORM) teams that operate on the front lines of asymmetric threats, internal corruption, natural disasters and continuous adversaries in achieving a "Defensible Standard of Care."

As the senior leader in your unit, department or subsidiary the responsibility remains high for preparedness, readiness and contingency planning.  Your personnel and company assets are at stake and so what have you done this month or quarter to train, sweat and prepare?  How much of your annual budget do you devote to the improvement of key skills for your people in a moment of crisis or chaos?

What will the crisis environment look like?  Will it develop with clouds, water and wind or the significant shift in tectonic plates?  Will it begin with the insider employee copying the most sensitive merger and acquisition strategy to sell to the highest bidder?  Will it start with a single IT server displaying a warning to pay a ransom or lose all possibility of retrieving it's data and operational capacity to serve your business?  Will it end up being another example of domestic terrorism or workplace violence like San Bernadino, Paris or Ft. Hood?

Leaders across our globe understand the waves of risk and the possible issues that they may encounter each year.  Many travel to Davos to the World Economic Forum where the world tackles these disruptive events, with the best minds and exchange of information.  Why?  They understand that vulnerability is what they fear the most.

Yet what can you do in your own community, at your own branch office to address the Operational Risks you face?  How can you wake up each day with the confidence as a leader, that you have trained and prepared for the future events that will surprise you?  It begins with leadership and a will to lead your team into the places no one really likes to talk about.  The scenarios that people fear to train for, because they think they will never happen.

Achieving any level of trust with your employees, your customers and your supply chain revolves around your leadership.  The discipline of "Operational Risk Management" is focused on looking at all of the interdependent pieces of your business mosaic.  The environment you operate in, even the building that houses your most precious assets.  All of these factors are considered in developing and executing your specific plan for training and readiness.

So what?  The question is "Why Don't Employees Trust Their Bosses"?
Why this lack of trust?

There is a disparity, the survey revealed, between areas that employees said were important for trust, and the performance of company leaders in these areas.

For example, half of respondents said it was important for the CEO to be ethical, take responsible actions in the wake of a crisis and behave in a transparent way. However, a much lower number of respondents actually felt their CEO was exhibiting these qualities.

This disparity is in part responsible for trust decreasing as you move down an organization’s hierarchy. So, while two-thirds of executives trust the company, less than half of rank-and-file employees do. Equally, peers were rated as much more credible than CEOs.
As a leader your roles are multi-faceted and there is never enough time or money in the budget.  The leaders who excel in the next decade, will find a way.  They will invest in their teams training and the systems to increase trust, by addressing Operational Risk Management (ORM) as a key component of the interdependent enterprise.

The "TrustDecisions" you require and the understanding developed to insure effective "Trust Decisions" by all of your stakeholders will remain your most lofty goal as a leader.  How you train to fight and how you sweat now will make all the difference in your next war.  From the boardroom to the battlefield your leadership is all that is needed.  Your leadership will make a difference.

09 April 2016

Trade Secrets: Gearing up for DTSA...

The Fortune Global 500 and the smallest research and development organizations in the U.S. have another ruleset to keep their eye on this week.  It is named DTSA or S.1890 - Defend Trade Secrets Act of 2016 has passed the Senate.  Operational Risk Management (ORM) is preparing for the next addition to national laws.

The attribution of cyberespionage adversaries has been gearing up since the Sony Pictures hack.  The private sector has been hunting and identifying those shadow individuals and nation state special units for years.  Now the lawyers can get more aggressive with civil actions.

The question remains, will another law deter the actions by global organized crime and the intelligence community of some significant nations?  How will attribution and more aggressive civil actions in foreign jurisdictions make a difference?

As a global organization, can you access your database of confidential trade secrets?  No different than the task of the identification of information assets that you are going to protect, you need an inventory.  What are they and where are they?  Everyone knows the formula for "Coca-cola" is written on a single piece of paper that is locked up in a vault in Atlanta, GA right?  Or is it?

There are trade secrets across America that have been stolen by operatives working inside organizations.  They may be preparing to leave the U.S. for another country outside the reach of law enforcement and the legal process for seizing the stolen property.  That is going to change soon.
The EX-Parte Seizure Order is part of the Trade Secrets bill that allows a trade secret owner to obtain an order from a judge for U.S. marshals to seize back the trade secret from the alleged bad actor without prior warning. This is to protect the trade secret owner from having the alleged bad actor skip the country or destroy the evidence before it is recaptured.
Now that Trade Secrets are in the same legal and enforcement category with patents and trademarks, you can predict that your legal budgets will need to be adjusted, upwards.  In general, what is a Trade Secret?
The subject matter of trade secrets is usually defined in broad terms and includes sales methods, distribution methods, consumer profiles, advertising strategies, lists of suppliers and clients, and manufacturing processes. While a final determination of what information constitutes a trade secret will depend on the circumstances of each individual case, clearly unfair practices in respect of secret information include industrial or commercial espionage, breach of contract and breach of confidence.
The effort to make intellectual property a "Trade Secret" is another strategy in itself. The determinations to designate something a trade secret is going to depend on the invention or the data itself. We understand. So what?
A Chinese businessman pleaded guilty Wednesday (March 23) in federal court in Los Angeles to helping two Chinese military hackers carry out a damaging series of thefts of sensitive military secrets from U.S. contractors.

The plea by Su Bin, a Chinese citizen who ran a company in Canada, marks the first time the U.S. government has won a guilty plea from someone involved with a Chinese government campaign of economic cyberespionage.

The resolution of the case comes as the Justice Department seeks the extradition from Germany of a Syrian hacker — a member of the group calling itself the Syrian Electronic Army — on charges of conspiracy to hack U.S. government agencies and U.S. media outlets.
Our adversaries are determined. They are already here. It has been documented for years. Let the next wave of legal indictments and seizures begin. One thing is certain. The "Insider Threat" is still present and your organization can do better. The ability to effectively utilize the correct combination of controls, monitoring, technology and internal corporate culture shifts will make all the difference. What are you waiting for?

03 April 2016

Fifth Discipline: The Evolution of Digital Intelligence...

"Learning organizations themselves may be a form of leverage on the complex system of human endeavors.  Building learning organizations involves developing people who learn to see as systems thinkers see, who develop their own personal mastery, and who learn how to surface and restructure mental models, collaboratively.  Given the influence of organizations in today's world, this may be one of the most powerful steps towards helping us "rewrite the code," altering not just what we think but our predominant ways of thinking.  In this sense, learning organizations may be a tool not just for evolution of organizations, but for the evolution of intelligence."  --Peter M. Senge -The Fifth Discipline - 1990

Many senior executives and a cadre of experienced Ops Risk professionals who are waking up across the globe today, keep this text book within arms reach.  Why?  All 413 pages of wisdom and knowledge transfer, is applicable this moment, even though it was written and practiced several years before the commercial Internet was born.  Our respective cadre of "Intelligence Analysts" spans the organization continuously seeking the truth, analyzing the growing mosaic, applying new context and taking relevant actions.

In an environment now vastly more virtual, far beyond the paper pages of Senge's book, lies the contemporary intelligence of "IBM's Watson."  At the finger tips of the FireEye operators or the Palantir Forward Deployed Engineer, we have new insights almost in real-time.  The "Learning Organizations" are no longer in a traditional hierarchy.  They are flat, agile and capable of tremendous autonomy at light speed.

So what is the opportunity now?  How can we potentially move towards more collaborative systems thinking and "rewrite the code" even in the 2nd decade of the 21st century?  It starts with rewriting the new digital code.  It continues as we reengineer our "Learning Organizations" for a digital environment that operates 24 x 7 and is ever more so fragile where trust is so inherent.  We can still create and deploy systems thinkers to question the truth and learn from the speed and capabilities of our new intelligent machines.

Peter Senge outlines five learning disciplines in his book on three levels:
  • Practices:  What you do
  • Principles:  Guiding ideas and insights
  • Essences:  The state of being of those with high levels of mastery in the discipline
The five disciplines are:
  • Systems Thinking
  • Personal Mastery
  • Mental Models
  • Building Shared Vision
  • Team Learning
The enterprise architecture for our modern day learning organization is in it's infancy.  You see, the technologies and the software has outpaced our human ability to apply it effectively, with the five disciplines.  One of our continued vulnerabilities is the ignorance of information governance as it pertains to the truth of data provenance and how as humans, we apply the disciplines of learning in our digital organizations.
The international hacker who allegedly accessed personal emails and photographs belonging to the family of former president George W. Bush and whose cyber-mischief revealed that Hillary Clinton was using a private email address appeared in a U.S. court for the first time Friday.

Marcel Lehel Lazar — better known by the moniker “Guccifer” that he is said to have affixed to the materials he stole — is charged with cyber-stalking, aggravated identity theft and unauthorized access of a protected computer in a nine-count indictment filed in 2014 in federal district court in Alexandria, Va. He was extradited to the United States recently from Romania, his home country, where he had been serving a sentence for hacking.
 Our organizations are a "plume of digital exhaust" that is invisible to many and crystal clear to some.  As you begin to capture and document the digital footprint of today's knowledge worker, the trail is long and deep.  Even for those shadow planners, logistics experts and operators, they can not escape the digital encounters they have each day.  However, the apparent threat is that they will continuously become more aware and more disciplined.

The art and practice of gaining and preserving "Digital Trust" is at stake for all of us.  The vast and consistent application of understanding "trust decisions" in our digital lives, will forever provide us new found challenges and new discoveries.  How we consistently apply our digital disciplines going forward, will make all of the difference in our prosperity or our future peril.  How we reengineer our learning organizations for 2025 and beyond, is now at our doorstep.
Today, privacy, information security, cyber defenses—all revolve around the same target: achieving trust to sustain electronic commerce and create new wealth. Digital trust is not only required; achieving digital trust will prove to be the competitive differential for the winners of the next generation.  --Jeffrey Ritter
Think about your digital footprints as you interact, communicate, travel and read the news today.  Activity-based Intelligence (ABI) is a business and you are the product.  The question is, how can you and your learning organization move from the "Fifth Discipline" to the next one?  What cognitive strategies and new disciplines will you and your organization deploy this year to attain new levels of prosperity and insight?

The journey will be long and the opportunities will be explored.  It's time that more learning organizations start the reengineering with the right tools and talent.  Yes, this is the next evolution of intelligence.

26 March 2016

The Rules: Implications and Outcomes of our Decisions...

How often during an average week in your role do you make a "Trust Decision"?  When you think about the factors associated with what really is going on when you make a decision to trust, it is beyond comprehension.  Or is it?

The thousands of "Trust Decisions" that you will make as an Operational Risk Management (ORM) professional this week span every hour of your waking day.  The portfolio of decisions to trust involve other people, processes, machines, computers and rules.  As these words are typed on this computing machine from Apple, many more decisions have already been made about trust.

A recent visit to a California symposium on "Cyber 2026," looked into the crystal ball on how our society and environment will evolve in the next ten years.  Topics included the threat landscape and our levels of machine learning hygiene.  The Internet-of-Things (IoT) was mentioned along with the latest on adding more integration with your "Smart Car" and your "Smart Phone".  This is just the beginning.

What needs to happen next?  The dialogue on digital trust is now becoming a prominent theme with significant effort occurring in the published press and on Amazon.  Business units from pwc and Accenture are pivoting people, resources and thought leadership towards the topic for good reason.  The next reengineering revolution is ready for prime time.

It has taken us the last ten years since 2006 to evolve with the cloud and the trust associated with handing over our data to a third party.  We have migrated vital core software systems to be managed by AWS, Microsoft Azure and Google.  These managed solutions provide the Small-to-Medium-Enterprise with the opportunity to scale their business without tremendous capital expenditure.

Yet we continue to find ourselves making daily and hourly decisions to trust, while interacting with computing machines with that back of the mind feeling, can this really be trusted?  Should I click on this link in my e-mail?  How shall I respond to this LinkedIn message from a person I have never met face-to-face?  As humans we are making "Trust Decisions" without even thinking about the science and systems mechanics of what underlies the components and process.  We just do it.

The rules.  Now think about your daily routine and the "Trust Decisions" you make.  How often are your decisions to trust intersecting with rules.  Rules codified into laws.  Rules codified into software.  Rules codified into religion.  Our world is about rules and how we either interact or ignore the rules:
A month after a Los Angeles hospital was crippled by crypto-ransomware, another hospital is in an "internal state of emergency" for the same reason. Brian Krebs reports that Methodist Hospital in Henderson, Kentucky, shut down its desktop computers and Web-based systems in an effort to fight the spread of the Locky crypto-ransomware on the hospital's network.

Yesterday, the hospital's IT staff posted a scrolling message at the top of Methodist's website, announcing that "Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web-based services.
Unfortunately, the trust decisions that we make each day can be catastrophic.  Whether it be online, or because we are just following the rules in Brussels:
Although this nation of 11.2 million has sent more foreign fighters per capita to the Islamic State than any other country in Europe, Belgium has a relatively small security apparatus. Brussels, the capital, is home to 2,500 international agencies and organizations, including NATO and the E.U. headquarters. Yet nationwide, the Belgian federal police have a total force of approximately 12,000.

The Belgian police have also been hampered by bizarre rules. According to Belgian Justice Minister Koen Geens, just two days after the Paris attacks Abdeslam was “likely in a flat in Molenbeek.” But because of the country’s penal code, which prohibits raids between 9 p.m. and 5 a.m. unless a crime is in progress or in case of fire, police were ordered to wait until dawn to pursue him. By then, Abdeslam was nowhere to be seen.
As we accelerate towards 2026 and beyond, it will require us to better design our systems, society and the rules associated with operating our cities, companies and countries.  How can we hope to achieve this without understanding the root cause and the outcomes of our trust decisions?  How will we reengineer our software to assist the human or artificial intelligence (AI) in writing the rules that shall "Enable Digital Trust of Global Enterprises".

The pace of technological change has far surpassed our ability to write the new rules for our next generation and beyond as humans alone.  We shall now embark on a purposeful mission to enlighten our leadership and the engineers of our vast digital environments, on how to reengineer our rules, for the safety, security and privacy of a more certain future making our daily trust decisions.

20 March 2016

Vigilance: The Casualty of the Truth...

On the other end of a planned cyber threat are the motives and plans by a person.  Sometimes that person puts into play the use of a "Bot" to carry out many of their planned steps in their scheme.  Operational Risk Management (ORM) professionals have been classifying these cybercriminals for a decade or more yet even now in 2016 they are getting more formal profiles:

BAE Systems, the London-based, multinational security company, recently released profiles of “six prominent types of cybercriminals” and detailed how they could hurt companies around the globe, officials say.

Threat intelligence experts at BAE Systems have compiled a list, “The Unusual Suspects,” that has been created from “research that uncovers the motivations and methods of the most common types of cybercriminals,” according to BAE. “The intention of the campaign is to help enterprises understand the various enemies they face so they can better defend against cyberattacks.” BAE Systems officials have profiled six cybercriminal types:
  • The Mule – naive opportunists that may not even realize they work for criminal gangs to launder money;
  • The Professional – career criminals who work 9-to-5 in the digital shadows;
  • The Nation State Actor – individuals who work directly or indirectly for their government to steal sensitive information and disrupt enemies’ capabilities;
  • The Activist – motivated to change the world via questionable means;
  • The Getaway – the youthful teenager who can escape a custodial sentence due to their age;
  • And The Insider – disillusioned, blackmailed or even over-helpful employees operating from within the walls of their own company.
These individuals and groups have caused billions of dollars in losses and caused significant harm to millions of people and organizations.  Now what?

It will be many more years to come, before the laws catch-up to the technology and those who use the vector of the Internet to carry out their crimes against humanity.  Law enforcement has their hands continually tied by the laws and the geographic challenges of a global epidemic.  Governments and politicians are in constant battle over the privacy vs. security philosophy and all the legal issues.

While the wheels of Parliament, or the U.S. Congress slowly turn and the mechanisms for law enforcement become more robust for evidence collection, investigations and prosecutions, there are significant strategies of resilience that we must focus our respective vigilance.  It is not anything new per se, just a renewed emphasis and a new commitment to redesigning our digital environments.  We can do better.

For now, what if we just pick one cybercriminal type to focus on.  The "Insider".

The "Insider" is most likely in almost every formal organization today, working diligently to mask and perpetuate their goals until they are revealed.  It is your "Duty of Care" to continuously deter, detect, defend and document within your enterprise.  The "Insider" could be anyone and so how can the organization work ever more so vigilantly?

It begins at the core of the business and the culture that surrounds those principles within your company, your team or your relationship with suppliers.  The environment you build and sustain shall have the transparency and the elements necessary to sustain a culture where the "Insider" is incapable of operating.  Where the culture itself, makes the environment impossible for the "Insider" to operate without disclosure.

We would encourage Operational Risk Management (ORM) professionals to incorporate new found strategies, new management tools and a renewed effort to extinguish the "Insider" threat across the globe.  The best way we can do this today, is to work on the culture and to establish the foundations for future "Trust Decisions" within the enterprise.  The root of changing the culture and achieving the desired future environment, begins with every single decision to trust.

The journey ahead will be long and full of new found challenges.  The vision of the future and the outcomes received will soon be more apparent.  Now the real work begins to start the journey with your own organization, with each person and understanding the environment and culture you seek.  And remember:
"In war, truth is the first casualty."
Greek tragic dramatist (525 BC - 456 BC)

    12 March 2016

    Rugged DevOps: Reengineering for our Next Generation...

    The reengineering of the Internet is now underway for our next generation beyond the millennials.  The unification of corporate software development and information security teams are experiencing a deja vu and reminiscent of scenes from the 1993 movie "Groundhog Day."  Operational Risk Management (ORM) is hopeful that we are having a new resurgence of software vulnerability management thinking.  Why?

    "A weather man is reluctantly sent to cover a story about a weather forecasting "rat" (as he calls it). This is his fourth year on the story, and he makes no effort to hide his frustration. On awaking the 'following' day he discovers that it's Groundhog Day again, and again, and again. First he uses this to his advantage, then comes the realization that he is doomed to spend the rest of eternity in the same place, seeing the same people do the same thing EVERY day."  --Groundhog Day

    We are seeing the reunification of 1990's Software Quality Assurance (SQA) thinking, combined with the rigor of new 21st century rapid software development disciplines.  It is called "Rugged DevOps."  Application development life cycles are getting shorter these days.  That is because modern day software development life cycles are taking a more component-based approach, with the reuse of standardized software capabilities.  This makes sense, as long as the use of software quality assurance tools and services are not abandoned and new tools and processes are embraced.

    Welcome to "Rugged DevOps."  This Forrester report, "The Seven Habits of Rugged DevOps" will give you more context:

    Habit 1: Increase Trust And Transparency Between Dev, Sec, And Ops

    Habit 2: Understand The Probability And Impact Of Specific Risks

    Habit 3: Discard Detailed Security Road Maps In Favor Of Incremental Improvements

    Habit 4: Use The Continuous Delivery Pipeline To Incrementally Improve Security Practices

    Habit 5: Standardize Third-Party Software And Then Keep Current

    Habit 6: Govern With Automated Audit Trails

    Habit 7: Test Preparedness With Security Games

    "Enabling Digital Trust of Global Enterprises" in the next decade will require software development organizations to embrace security and risk professionals simultaneously, on a more consistent and non-adversarial basis:
    DevOps practices can only increase speed and quality up to a point without security and risk (S&R) pros' expertise. Old application security practices hinder speedy releases, and security vulnerabilities represent defects that can leave a company open to cyberattacks. But DevOps practitioners can leap forward with both increased speed and quality by including S&R pros in DevOps feedback loops and including security practices in the automated life cycle. These new practices are called rugged DevOps. This report presents the seven main principles of rugged DevOps so I&O pros and developers can break down barriers with S&R pros and achieve faster releases with stronger application security.
    Chief Information Officers (CIO), Chief Privacy Officers (CPO), Chief Legal Officers (CLO), Chief Operating Officers (COO), Chief Security Officers (CSO) and maybe the Chief Executive Officers (CEO) are now paying more attention to these issues.

    Here are 9.5 million more reasons why:

    In 2007, a class action lawsuit was filed in the United States District Court of the Northern District of California against Facebook on behalf of 3.6 million users of Facebook concerning its “Beacon” program. KamberLaw represented the plaintiffs in this action and Cooley LLP represented Facebook. This suit was settled in 2009 and was granted final approval by the Hon. Richard Seeborg in March 2010. As part of the settlement, the parties created the Foundation (the Digital Trust Foundation) “the purpose of which shall be to fund projects and initiatives that promote the cause of online privacy, safety, and security.” The case settled for $9.5 million, with the Foundation receiving approximately $6.7 million after attorney’s fees, payments to plaintiffs, and administrative costs. There were four objectors to the settlement, two of whom appealed the approval to the Ninth Circuit Court of Appeals and subsequently the Supreme Court. But ultimately, in November 2013, the appeals were rejected and the Foundation was funded. The Foundation will distribute more than $6 million and will close its doors once all of the grants have been distributed and completed.

    The corporate Board of Directors conversations about the topic of "Digital Trust" is now ongoing and the subject of new business units.  Security vs. Privacy has been a recent media frenzy between some of our technology companies and the U.S. government.  Your elected officials in the U.S. House of Representatives are also on the hot seat now, to produce new relevant legislation.  The courts are adding more privacy and data breach cases to the docket each week.  The "Digital Equilibrium Project" is being established and will hopefully include an international set of stakeholders.

    Authoring the rules that everyone understands and everyone can agree on, sets the stage or playing field for the environment of competition to engage with some sense of civility.  Rules will be broken in plain sight and the referee (law enforcement, judges, courts, juries) will impose a penalty, while potentially millions of people watch live.  Is it a penalty kick or just a loss of down?

    Think global.  Think at the speed of light.  Think about the trust of e-commerce transactions where millions of people rely on our computing machines every waking minute of the day.  Where Zettabytes of data are in use.  The rules on the "Digital Playing Field" are vital to our future social and economic well being.

    "Rugged DevOps" is another and necessary component of a safe, private and secure Internet ecosystem.  Operational Risk Management (ORM) professionals are evermore concerned, with the root cause of our current Privacy vs. (soon to be "And") Security headlines.  Digital Trust is hard to achieve and yet easy to forfeit.  It is time for us to begin "Reengineering for our Next Generation".

    05 March 2016

    Zeros and Ones: Context & Proportionality Don't Translate...

    "Context and Proportionality do not translate to Zeros and Ones."  This was a key take away from the 2016 RSA Conference last week in San Francisco.  Thousands of Operational Risk Management (ORM) professionals attended to listen to speakers with titles such as Attorney General, Secretary of Defense and Chief Technology Officer.

    Perhaps more important however, were the actual practitioners in the legal system and those "Quiet Professionals" responsible for our national security, who were clearly outlining the digital landscape and our significant challenges ahead.  For our nation and the future of our social and economic destiny.

    The software engineers and companies who are writing millions of lines of software code are at risk.  Here is why.  Context and Proportionality do not translate to Zeros and Ones because lawyers are writing words with "Semantically Intentionally Ambiguous Meaning" (SIAM), in the pursuit of achieving digital trust.  Privacy and security intent in the translation from lawyers to software engineers, has been lost for a long time.

    How can we summarize the entirety of what just took place this past week at RSA:
    • Visibility
    • Threat Protection
    • Compliance
    • Data Security
    These four pillars are where the industry is still categorized in the majority, yet we came across some very interesting companies and products that are creating a new buzz.  Walking the halls and observing the presentations, the mobile computing generation was in full force.  As everyone shuffled between sessions like the overcrowded high school hallways, the only safe location was on an escalator where you could stare at your iPhone for 20 seconds with a little peace.  Can you imagine the amount of intellectual property intelligence being collected by competitors and adversaries using digital sensors and good old fashioned trade craft during the week?

    So what?  In the spirit of all the talk and debate, the sales and marketing, the presentations and powerpoint slides, what have we learned?

    "Context and Proportionality do not translate to Zeros and Ones."

    Why is this so important to grasp?

    At a certain point in the accelerating evolution of technology innovation there are disruptive bifurcations.  It means that the rise of a particular system achieves a point in time when instead of rising and growing on the "S" curve, the system begins its descent and erosion, until it is outdated or no longer trusted as a standard.

    We are soon to reach a new bifurcation in the digital systems that run our businesses, markets and governments.  The organizations who rely on the Internet in their daily operations need to adapt.  Quickly.  Those that are able to accomplish rapid reengineering will survive.  And those who wait or miss the signals to adapt, will perish or become absorbed by the digital environment surrounding them.

    27 February 2016

    RSA 2016: Ascending into a Trust Mindset...

    Building awareness to a vulnerability, potentially heightens ones sensitivity to defend or build resilience to minimize damage or loss.  This is one of the foundations of Operational Risk Management (ORM), understanding what your assets are and what vulnerabilities exist.  Good old fashioned Risk Management 101, tells us to mitigate risks in the enterprise and even in our personal lives.

    Is traditional Risk Management dead?  We think it is and through the eyes and inspiration of others we can now see why.  Our ability to make "Trust Decisions" is far more complex than just an emotion.  As we have evolved away from small villages where the food and water and other life essential resources were shared, trust factors have become more distant.  More shallow and less personal.  Our digital lives spanning continents and countries at light speed, now has given us a new perspective.  We must find our Trust Mindset.

    As the RSA Conference opens on February 29, 2016 in San Francisco, thousands of eager professionals will converge on an event that has it's foundation and it's future built on "Achieving Digital Trust".  As we walk the Moscone Exhibition Halls observing, learning, engaged in dialogue or debate we must remind ourselves of the wisdom that comes from Jeffrey Ritter:

    I have always viewed the emergence of the Internet and global computing as powerful tools to increase the velocity of the next solutions that enabled greater inter-dependence, greater accessibility to commerce, and more small steps toward peace. Through my work, however, I learned those tools were vulnerable unless, as a global society, we determine how to also build across the digital dimensions of cyberspace the capacity for humans to achieve what each transaction first requires—an affirmative decision to trust.

    Jeffrey's latest book has been an inspiration for so many that have researched and lived in the Venn Diagram of the Law, Digital Technology and eCommerce.  Yet what about those people who have studied and modeled the human skills and behaviors to build trust with others that have yet to read Jeffrey's' book?  What is the fusion between the factors associated with building trust human-to-human and in a world of machines-to-machines?

    "Trust Decisions" are being made by humans and computers each second of each day.  And one thing is certain about the decisions to trust by people and by the machine in your pocket, brief case or purse.  It is continuously learning and sharing.

    The halls of the RSA Conference will be buzzing about trust.  In all of it's manifestations, the ecosystem of the event is about "Trust Decisions" and in many cases, man and machine.  The iPhone vs. the FBI.  Security vs. Privacy.  Cloud vs. Hybrid Cloud.  Secret Clearance or Top Secret Clearance.  Pre-hire background check.  FICO.  LinkedIn profile.  You name it and the fundamental question set, comes back to a "decision to trust."

    Living an ethical life of integrity and willingness to share begins at an early age.  Sharing information responsibly with your peers, director or commander, requires a process for building trust over time and with each transaction of information exchange, either building or eroding the future decision to trust.

    Here is one recent example.  Sitting in a room with a dozen strangers the other day was a mini-case study.  The purpose of this particular meeting was for this group of people to establish a forum for future trusted information exchange.  We were all part of the same ISAO if you will, not the same company.

    The agenda called out for each person to introduce themselves, all for the first time.  The specific rules for the introductions were not spelled out by the host and then agreed by all of the meeting participants.  What happens next is a classic example of trust erosion, when the rules are absent.  As we proceeded around the room, each person took it upon themselves to determine how much or little information they would share with the rest of the group.

    Some people introduced themselves with their name, company affiliation and a "one liner" on the business they were in.  Others in addition, took the opportunity to tell us all about their entire product/service line and why the solution was something that we should be interested in.  The first impressions were already building or eroding our perceptions of trust.  Our own reality.

    It should be our ambition to continuously heighten our sensitivity to behavior in an environment absent of rules and how this builds or erodes our future trust decisions.  When you share, do you always have an expectation of reciprocity?  When you boast about yourself or your organization, is it for your own ego or self-satisfaction?  Do you ever even ask the question, "How are you" or "How can I help" you?  What are the rules?

    Extraordinary trust is rare these days.  True Leadership is scarce.  Courage is almost extinct.  Think about how you can stand out and at the same moment, project a feeling of care, of concern and generosity.  Giving without any expectation of return, is what is going to help you build trust in your life.  And when you achieve that with your wife, husband, children, church, business partners, employees, clients and suppliers, then you know you are well on your way to substantial well being.

    If you are alone and without many true and deep relationships in your life without cyberspace, there is a good reason why.  Achieving and building trust inside your organization (company or family) has been written about for years.  Happy employees make happy customers.  You have heard this before no doubt.   Building awareness to a vulnerability, potentially heightens ones sensitivity to defend or build resilience to minimize damage or loss.  This is where we started this blog post.

    As we descend on the RSA Conference with the focus on "Trust Decisions", it will be with an ascent towards a continuous mindset of sharing, of caring and of learning.

    20 February 2016

    Predictive Intelligence: Data or Precogs...

    The use of the term "Predictive Intelligence" has been around for a few years in the Operational Risk Management (ORM) community.  Born from the marketing collateral of the Business Intel (BI) vendors, it essentially requires hundreds of gigabytes or even terabytes of historical data and then is analyzed or data mined for so called insight.  The question is, why is this "Predictive Intelligence" and not just more "Information" in a different context?

    Now introduce the nexus of our own "Trust Decisions" and the "Human Factors" associated with the science of cognitive decision making.  How do we as humans make our decisions to trust vs. how computers make their decisions to trust?  Are they not executing rules written by humans?  When is it information in a different format as opposed to true intelligence?

    Christian Bonilla may be on to something here:
    "Professionals in the foreign intelligence community take pains to distinguish between information and bona fide intelligence. Any piece of knowledge, no matter how trivial or irrelevant, is information. Intelligence, by contrast, is the subset of information valued for its relevance rather than simply its level of detail. That distinction is often lost in sector of the enterprise technology industry that is somewhat loosely referred to as Business Intelligence, or BI. This has become a bit of a catchall term for many different software applications and platforms that have widely different intended uses. I would argue that many BI tools that aggregate and organize a company’s information, such as transaction history or customer lists, more often provide information than intelligence. The lexicon is what it is, but calling something “intelligence” does not give it any more value. In order to sustainably outperform the competition, a company needs more than a meticulously organized and well-structured view of its history. Decision makers at all levels need a boost when making decisions amidst uncertainty and where many variables are exerting influence. They need what I would call predictive intelligence, or PI – the ability to narrow down the relevant variables for analysis and accurately measure their impact on the probability of a range of outcomes."
    What does the fusion of human factors have to do with predictive intelligence?  That depends on how much you value the kind of innuendo and messages in the Tom Cruise movie, Minority Report.  Many aspects of the original Philip K. Dick story were adapted in its transition to film that was filmed in Washington, DC and Northern Virginia.  Is it possible to predict someone's future behavior even before they commit a crime or even become violent?
    Set in the year 2054, where "Precrime", a specialized police department, apprehends criminals based on foreknowledge provided by three psychics called "precogs".
    Cruise plays the role of John Anderton who is part of the experimental police force known as "Precrime."  These aspects of clairvoyance and precognition has many skeptics and their use for predicting future events or a related term, presentiment, refers to information about future events which is said to be perceived as emotions.
    Regardless of terms, beliefs or whether the software analytics are using historical data, the science of "Predictive Intelligence" is about forecasting the future.  Based upon the recent global events that missed the forecast of economic implosion based upon historical data, maybe it's time to start introducing more human factors to the equation.

    The interviews with people who have gone on record to predict a future historical event will probably be right at some point in time. How long will you be around to wait?  The demise of the banking sector and the extinction of Lehman Brothers, Bear Stearns and maybe even AIG were most likely predicted by someone, somewhere in 2007/2008 time frame.  The point is that you have to have context and relevance to the problem being solved or the question being asked.
    The real story of the crash began in bizarre feeder markets where the sun doesn't shine and the SEC doesn't dare, or bother, to tread: the bond and real estate derivative markets where geeks invent impenetrable securities to profit from the misery of lower--and middle--class Americans who can't pay their debts. The smart people who understood what was or might be happening were paralyzed by hope and fear; in any case, they weren't talking.
    Predictive analytics extracts relevant information from data and attempts to forecast the future. It relies on capturing relationships between explanatory variables and the predicted variables from past occurrences, and exploiting it to predict future outcomes.  Is it possible that there was and is too much reliance on the numbers and not enough on people's cognitive intuition?

    This blog has documented the "11 Elements of Prediction" in the past.  Now it's time to utilize the combination of these human factors in close collaboration with the data analytics and raw numbers. Effective execution of both will provide corporate management the situational awareness they seek within the time line they wish.

    The future state of Predictive Intelligence will combine the science of "Trust Decisions" with the art of "Data Analytics" to achieve our desired outcomes.

    14 February 2016

    Workplace Violence: Cues and Clues to Teach...

    Operational Risk Management (ORM) is your foundation for crisis leadership. It will also prepare the enterprise for the potential for Homegrown Violent Extremism (HVE).  Is there a nexus with the cues and clues of traditional workplace violence and domestic terrorism? A domestic terrorist differs from a homegrown violent extremist in that the former is not inspired by, and does not take direction from, a foreign terrorist group or other foreign power.

    All work locations have distinct categories of threats that are relevant to the site, people and type of business. Assessing the violent factors is the role of Senior FBI profiler (retired) Mary Ellen O'Toole and there are four categories according to a study entitled: "The School Shooter: A Threat Assessment Perspective:"
    1. A Direct Threat
    2. An Indirect Threat
    3. A Veiled Threat
    4. A Conditional Threat
    Employees must be trained to be aware of the warning signals that typically occur before a threat and violent act becomes operational. Based on the O'Toole study these are some of the 23 "Red Flags" that employers should be monitoring and keeping their Corporate Threat Assessment Teams on high alert for:
    • Low tolerance for frustration
    • Poor coping skills
    • Failed relationships
    • Signs of depression
    • Exaggerated sense of entitlement
    • Attitude of superiority
    • Inappropriate humor
    • Seeks to manipulate others
    • Lack of trust/paranoia
    • Access to weapons
    • Abuse of drugs and alcohol
    Source: O'Toole, Mary Ellen, "The School Shooter: A Threat Assessment Perspective," by the Critical Incident Response Group (CIRG), the National Center for the Analysis of Violent Crime (NCAVC) and the FBI Academy.
    The court and the jury will look upon your employers ability to apply the basics of workplace violence and threat assessment. What did you know? When did you know it? What have you done about it? They will judge you on the threat assessments utilization of insider threat intelligence combined with the evidence of your overt training of employees in the workplace. What grade would you give your company today for these fundamentals?

    Let's take it to the next step in terms of your ability to even meet the requirement by the Occupational Safety and Health Administration (OSHA) in the United States. Awareness programs are expected on the four primary types of workplace crimes:
    1. Those crimes committed by people not connected to the workplace.
    2. Aggression by third parties including customers, clients, patients, students, or any others for whom you provide a service or product.
    3. Employee-to-Employee violence or a former employee who returns to the workplace with the intention to injure a former supervisor.
    4. Aggression related to a personal relationship inside or outside the workplace.
    The organization who understands the foundation for creating a proactive and preventive team for incidents in the workplace should not stop there. Once you have developed the framework for Incident Command, Emergency Operations Center, Shelter in Place, Medical Triage and Evacuation you have a good baseline to extend to a complete "Continuity of Intelligence Operations" strategy. This requires a deeper analysis into the threats inside your organization that may put you out of business entirely:
    The ISIS assault on Paris and the ISIS-inspired massacre in San Bernardino, California, share a disturbing fact, no one saw them coming. Today, the biggest terrorist threat to the United States is not like al Qaeda. ISIS is wealthy, agile, sophisticated online, and operates freely in a vast territory of its own. It prefers to be called the Islamic State. The U.S. government calls it ISIL. Reporters tend to call it ISIS for the Islamic State in Iraq and Syria. But whatever the name, it has the manpower, means and ruthlessness to attack the U.S. The man who is supposed to stop that attack is John Brennan, the director of the CIA. And tonight, in a rare interview, we talk to Brennan about a world of trouble and we start with the most pressing danger.
    Once the organization has adopted the "All Threats - All Hazards" intelligence mentality then it is well on it's way to becoming a survivable business.  Operational Risk Management (ORM) is a discipline that incorporates this approach and enables owners, operators and business suppliers with the tools, methods and strategy to handle workplace violence incidents or a catastrophic act of mother nature.

    07 February 2016

    Trusted Enterprise: Digital Science in Business...

    Digital Trust has been a cornerstone for any serious organization in our 21st century era.  The foundation for an Operational Risk Management (ORM) design, begins with the engineering science of a sound and endurable platform for "Enabling Digital Trust of Global Enterprises."
    The Accenture Technology Vision 2016 verifies "Digital Trust" as one of five major trends:
    As every digital advancement creates a new vector for risk, trust becomes the cornerstone of the digital economy. Without trust, digital businesses cannot use and share the data that underpins their operations. To gain the trust of individuals, ecosystems, and regulators in the digital economy, businesses must possess strong security and ethics at each stage of the customer journey. And new products and services must be ethical- and secure-by-design. Businesses that get this right will enjoy such high levels of trust that their customers will look to them as guides for the digital future.  Source:  Accenture Technology Vision 2016
    The concept of data ethics as a significant component of establishing "Digital Trust" is vital.  When you introduce the concept of ethics to the dialogue on software engineering in the global enterprise, there are several key considerations.  Adding the moral governance of actions taken as a result of insights derived from the analysis of information, is also a valid vector in the design of trustworthiness for modern digital applications.  Yet this means nothing, without first understanding how humans make their decisions to trust.  How effective the entire ecosystem of "Digital Trust" becomes will always come back to the root.  Digital Ground zero.

    Ground zero for "Digital Trust" is the actual "Trust Decision" itself.  The science of the "Trust Decision" elements and process has been the focus of researchers and academic study for years.  In order for us to truly understand how to achieve digital trust in business, we must first grasp the science and evidence of the core elements and root of our "TrustDecisions."  Does "Achieving Digital Trust" in the enterprise ensure that, as a business you are "Achieving a Defensible Standard of Care"?   Not necessarily.

    The two concepts are mutually exclusive, yet they still have affinity for each other.  Accenture's Technology Vision, provides the enterprise with sound reasoning about how to create a path towards improving digital trust, especially as it pertains to the reputation benefits associated with the "Brand."  Adding the element of ethics, drives the consumer thinking that the business has addressed privacy requirements in terms of the legal rules and usability factors.

    Incorporating the conversation in the Board Room about data ethics (collection and use) or how as an enterprise you must design-in legal controls in order to alleviate liability, requires something new.  It requires all interested parties to go back to the root.  How does the human make a decision to trust?  How does a computer make a decision to trust another computer?

    The people sitting around the Board Room table are thinking about creating more wealth.  They are not asking themselves, how do computers trust other computers?  In our digital age where decisions are being made as a result of the execution of zeros and ones at light speed, someone has to be designing the trust architecture with the right people in the enterprise.  The question is now at hand, who is that person or business unit?

    The answer is going to be different in each business or organization.  What is the maturity of the particular digital ecosystem and how vast is the landscape for the computing assets?  One fact that must be acknowledged early on, is that it probably does not entirely exist today.  The ideal unit of people and systems that are necessary to achieve digital trust, are currently spread out across the typical silos of a business architecture.  IT, Marketing, Legal, Info Security, Privacy perhaps.  However, the dedicated and funded "Digital Trust" team, task force or department, has yet to be established.  So what?

    Continue to operate as you are.  Without the advantage of truly understanding the elements of "Trust Decisions" and how this is relevant to "Achieving a Defensible Standard of Care."  A trustworthy computing division, may have existed in the past at your organization, yet initially with another focused mission,  "Cyber Crime" intervention.  You see, the idea of trust and why it is so vital to the success of the information technology industry is not new.  Smart malware researchers and software engineers understood this at the dawn of the Internet.  So why is this any different?

    Trustworthy computing in the 90's is not the same as the application of "Trust Decisions" in the year 2016 and beyond.   Especially today, with the speed of cloud computing adoption and the outsourcing of core data transactions across borders.  The international implications of privacy laws and the routing and storing of data outside of your native country, is now in play.  Negotiations by a Nation State to bypass traditional use of mutual legal assistance treaty (MLAT) is the new normal:
    If U.S. and British negotiators have their way, MI5, the British domestic security service, could one day go directly to American companies such as Facebook or Google with a wiretap order for the online chats of British suspects in a counter­terrorism investigation.

    The transatlantic allies have quietly begun negotiations this month on an agreement that would enable the British government to serve wiretap orders directly on U.S. communication firms for live intercepts in criminal and national security investigations involving its own citizens. Britain would also be able to serve orders to obtain stored data, such as emails.  Source:  Washington Post
    The requirements have changed.  The next era of "Achieving Digital Trust" requires so much more.  It now requires standing up and providing substantial resources to the "TrustDecisions" Unit within the enterprise.  What does this mean to the future of the Trusted Enterprise?

    It means that the Chief Information Officer (CIO), Chief Privacy Officer (CPO), General Counsel and Chief Information Security Officer (CISO) will be using data and Digital Science to design a new architecture for the Trusted Enterprise.  They will deliver it to the desk of the Chief Executive Officer (CEO) very soon.

    31 January 2016

    Risk Culture: The Root Cause of Business Assurance...

    There is a scarcity of enlightened organizations who truly understand the root cause of risk in their enterprise. The business assurance they seek and the Operational Risk Management (ORM) outcomes they receive, are in direct proportion to the "Risk Culture Maturity" within the company.  This risk culture maturity, is at the root cause of why certain kinds of risks exist and what ability the organization has to accept, mitigate or transfer that risk.

    A risk culture begins and ends with a human ability to communicate effectively with other humans. The human behaviors associated with communicating risk has all to do with the ability of one person to know the truth and to effectively tell the other accurately and effectively what the risk is and how it could impact the business. The trouble is, most organizations fail to spend enough time doing exactly that and doing it with out fear.
    "What kind of fear? The fear that by telling your supervisor you might offend them. The fear that by questioning the co-worker about their decision, that you will alienate them. The fear that by uncovering a fellow workers risky behaviors to the rest of the team, that you will jeopardize the overall mission."
    The ability or lack of ability by a human to communicate risk factors to each other with the truth and without the fear of judgement or retribution is why you either live or die. This is the reason why your organization continues to flourish or rots from the inside out. You see, the risk management environment in your team, unit, office location or FOB has all to do with communicating the truth in an effective way.

    The risk culture problem, is one that continues to rear its ugly head time and time again and exemplifies itself in the published press, or the digital eDiscovery process of modern day litigation. Look back on most any loss event like this and you will see that it could have been addressed or contained, if only humans would have communicated effectively about risk(s) to them personally or to the unit. Whether it be a family, a branch office, partner or entire agency of government.
    Companies need to put in place oversight of strategic partners, vendors and service providers to ensure that those support organizations are meeting their own risk standards. A company should share its risk management guiding principles with third-party suppliers or partners to influence their decision-making process. Risks and controls should be a consideration when choosing new partners, and they should be re-evaluated on a regular basis to help avoid the potential of vicarious liability by the poor decisions of an alliance partner.
    The organizations that survive and are able to out perform their competition are those that understand this reality. Leadership who magnifies the requirement for people to strip away the fear of judgement, retribution, or long term bias and to communicate the reality of what they truly sense as humans will be superior. The risk culture that is understood, truly, and simultaneously monitors peoples ability to learn from their mistakes will continue to outperform and survive in whatever environment it lives in.

    Leadership is charged with the state of their organizational culture. The fundamental risk to any organization, is that leadership does not recognize this and pays little or no attention to maturity of their culture to deal with risk and human factors ecosystem. This begins with the person across the table, by your side in bed or next to you in control of a vehicle, on land in the air or in the ocean.

    It doesn't matter who the leader is. The Founder, CEO or Chief Risk Officer. The Branch Manager, Area Supervisor or Vice-President. The Element Leader, Master Chief or C.O.. Mother or Father. Managing the culture of communicating the truth, reality and without judgement begins the process of a risk management entity that will not only survive; it will outperform the perceived opposition.

    Enlightened individuals who are multi-dimensional and are comprised of a brain trust of diverse people who have different life experiences. These courageous people must then be engaged in the correct setting and risk culture, with the right combination of business objectives, resources and highly detailed mission outcomes. Only then will the environment they operate in determine who survives the continuous performance evolution.

    The root cause of Business Assurance and Resilience is the Risk Culture.

    24 January 2016

    Adverse Consequences: Enabling Digital Trust of Global Enterprises...

    In the World Economic Forum 2016 - Global Risks Report, there are several insights and alarms that Operational Risk Management (ORM) professionals and the Board of Directors are quickly analyzing.  This years Davos, Switzerland Annual Meeting and report has the underlying theme of the "Fourth Industrial Revolution".

    Our first insight, is the rise in "Cyber Dependency" that is called out in the "Risk-Trends" Interconnections Map.  It is tied directly to the following technological "Global Risks" ranked by highest impact:
    1. Cyberattacks
    2. Critical Information Infrastructure Breakdown
    3. Adverse Consequences of Technological Advances
    4. Data Fraud or Theft
    #1 makes sense in the Upper Right Quadrant of High Impact and High Likelihood.  The alarms however are going off, with #2 and #3 for several reasons.  First, they are in the Upper Left Quadrant of "High Impact" and "Low Likelihood".  Why does this create concern?

    The Upper Left Quadrant has risks that some of the most experienced OPS Risk professionals will pay attention to the most.  This is the place that organizations usually ignore with people and resources and where enterprises are caught off guard or blindsided by asymmetric threats.  These are the risks that no one has really exercised for and is not actively developing proactive hypotheses, to address in a real-time crisis.

    There are two other risks shared in this same Upper Left Quadrant in 2016:
    • Weapons of Mass Destruction
    • Spread of Infectious Diseases
    These are risks that nation states spend hundreds of millions of dollars each year collecting intelligence on and devoting substantial resources to try and keep the likelihood of these occurring, as low as humanly possible.  The impact on humanity is far to great not to devote attention to these, yet the private sector is rarely involved.

    Now, let's consider the other two in the same quadrant, slightly less in impact and just a little higher in likelihood.  What does each really mean as a global risk?

    "Critical Information Infrastructure Breakdown": "Cyber dependency increases vulnerability to outage of critical information infrastructure (e.g. internet, satellites, etc.) and networks causing widespread disruption.

    "Adverse Consequences of Technological Advances"
    :   Intended or unintended adverse consequences of technological advances such as artificial intelligence, geo-engineering and synthetic biology causing human, environmental and economic damage. 
    • global risk is an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years.
    • global trend is a long-term pattern that is currently taking place and that could contribute to amplifying global risks and/or altering the relationship between them.
    Although organizations may recognize the benefit of cyber technologies for their bottom lines, they may not be fully internalizing cyber security risks and making the appropriate level of investment to enhance operational risk management and strengthen organizational resilience. Particular attention is needed in two areas that are so far under-protected: mobile internet and machine-to-machine connections. It is vital to integrate physical and cyber management, strengthen resilience leadership and organizational and business processes, and leverage supporting technologies. (Page 23 of WEF_GRR16)
    The combination of the two aforementioned technological global risks, are almost invisible to the major stakeholders of our vital organizations and governments.  This is because the focus on "Cyberattacks" and "Data Fraud or Theft" has dominated the news cycles.  It makes sense.  However, we must consider this:
    As is often the case, however, public-private partnership can be held back by lack of trust and misaligned incentives. Businesses may fear exposing their data and practices to competitors or to law enforcement agencies. And the private sector’s primary interest in rapid recovery and continuity of business operations may not align with the public sector’s primary interest in apprehending and prosecuting perpetrators. In addition, governments need to balance their investments in cyber offensive weapons and efforts to enhance capabilities for cybersecurity and defence. (Page 83 of WEF GRR16)
     Cyber Dependency.  A long-term pattern that is currently taking place that could contribute to amplifying global risks and/or altering the relationship between them.  The underlying root cause of the disruption and the perceived risks are focused on the integrity of "Digital Trust"and the continuity of "Trust Decisions":

    • Machine-to-Machine
    • Person-to-Person
    • Business-to-Business
    • Government-to-Government
    • Country-to-Country

    Business Executives and Leaders of Nation States, have one thing in common.  Their employees and their citizens are evermore connected by mobile digital devices.  Their economic engines of banking, finance and trading are dependent upon the confidentiality, integrity and assurance of data.  The abilities and the opportunities by the mass of humanity to continuously leverage their personal digital devices, is simultaneously a global risk.  So what?

    You see, the 2016 Global Risks Report is flawed.  It relies on an outdated and soon to be irrelevant set of four Quadrants.  The axis of Impact and Likelihood, are no longer capable of addressing risk management and the human perceptions of both.  On the planet Earth, in the Internet ecosystem of 500 Billion computing machines, lies the answer to our future quest:

    Enabling Digital Trust of Global Enterprises...

    17 January 2016

    Duty of Care: Board of Directors OPS Risk...

    The Board Rooms across America are in full tilt mode working hard on risk oversight. The Chairman of the Board (COB), is wrestling with divergent personalities and competing agendas as the organization races towards its next phase of growth.

    Operational Risks are being presented from all facets of the business and the Board of Directors has a fiduciary responsibility to address them, without creating new risk in the process. Leadership is in short supply and collaboration among the entire board is dwindling. In terms of Operational Risk Management (ORM), what risk is the most dangerous to the enterprise at this point in time?

    The risk that the Chairman of Board has lost their ability to forge trust and a favorable relationship with the Directors themselves becomes a significant threat. The trust and the relationship that a Chairman has with the Board of Directors is paramount. When this is no longer present, and the "Independent Directors" realize they can no longer trust the performance of the Chairman, significant risk factors begin to quickly evolve that puts the entire organization into a vulnerable state.

    Once the Independent Directors see and hear or feel that the Chairman has lost credibility and respect from the Board, then it is time to act. The jeopardy of the organization is at stake and each day or week that goes by without action to change leadership, will increase the long term risk to the brand, confidence in the entire leadership and finally the people charged with making the organization compliant with all legal and ethical policies. A failure in people is an Operational Risk that far too often becomes overlooked or just plain ignored, due to the power base that may exist by the Chairman's role.

    The Board of Directors are charged with the duties that involve the governance, regulatory, compliance, legal and ethical components of the organization. When any one of these starts to fail, then the faith in the entire leadership of the organization becomes a question mark. How many times do we hear the story that brought down the leaders with the words "Failure to Act"? Today and in the future, “serving on a Board of Directors means living in a fishbowl” according to Chief Justice Myron Steele of the Supreme Court of Delaware:
    Once a difficult situation arises with the potential for litigation and its accompanying damage to the company’s reputation, the media will descend on the company, and directors must show 1) that they had a plan in place to deal with such situations in accordance with their oversight or compliance duties, 2) that the plan was reasonable and adequate, and 3) that the plan was followed. It is worth noting here some of the recent trends in corporation litigation. Two major categories of corporate litigation that a director might face include the traditional class actions based on breach of fiduciary duty, and derivative actions which are filed on behalf of the corporation due to wrong doing on the part of the board, either for its actions that resulted in a loss or its failure to act which also resulted in a loss through missed opportunity.
    One of the major trends going on these days is to keep the Chairman separate from the CEO or President of the organization. The benefits are great especially if you have a CEO who will allow their ego to accept the other person as an ally and not competition:
    In the public company arena, more and more companies are separating the Chairman of the Board position from the CEO. It turns out that this trend has benefits for earlier stage companies too. We believe that all CEOs – regardless of their experience – benefit from having a lead director on the board. In general, it has been our experience that boards (and the board meetings) work better when there is a Chairman in charge other then the CEO.
    This strategy in overall Board Governance is a sound one. As a result of the "The Duty of Care" by the Board of Directors, at some stage it may require that the Chairman recommend to the Board that a CEO resign or be fired from running the day to day operations of the organization.

    The Board of Directors and their behavior within the Board Room and in the functions outside in public are at stake. The governance of the Board of Directors begins with the Chairman but ends with each individual on the Board itself. If the Independent Board Director remains silent on any legal duty of the Board, they are putting all in jeopardy of a failure of the Duty of Care:
    In tort law, a duty of care is a legal obligation imposed on an individual requiring that they adhere to a standard of reasonable care while performing any acts that could foreseeably harm others. It is the first element that must be established to proceed with an action in negligence. The claimant must be able to show a duty of care imposed by law which the defendant has breached. In turn, breaching a duty may subject an individual to liability. The duty of care may be imposed by operation of law between individuals with no current direct relationship (familial or contractual or otherwise), but eventually become related in some manner, as defined by common law (meaning case law).
    It is the Chairman of Board who has the responsibility to keep the Independent Directors informed and aware of any persons behavior or actions that could put the entire board at risk. And even more importantly, it is the duty of each Independent Director to insure that they are constantly monitoring for any possible failure of the Duty of Care to their organization and their fellow Board Directors.