21 December 2014

2014 Reflections: Operational Risk Management Forecast...

As 2014 comes to a close and we look into the future of 2015 it is time to reflect.  After 1000+ blog posts on the topic and discipline of Operational Risk Management (ORM) it seems like a blur.  To start off this final post for the year, we looked back on our last post in December 2013.  It is amazing to see how accurate many of our forecasts were for 2014.

Here are some of the Operational Risk Management blog posts that had the most page views this past year:

Cyber Domain: International Law of Asymmetric Warfare...

Memorial Day 2014: The Risk of Service is Understood...

Insider Threat: CSO Priorities...

1 WTC: Trust Decisions of Technology, Privacy and Rule of Law...

Veterans Day 2014: Leading the Enterprise to Victory...

Courage: Risk of Physical & Moral Fear...

Now for the ORM forecast.  2015 will provide new opportunity and a positive outlook not seen since 2007.  Global investors are still bullish on the possibilities for long-term growth.  The religious wars will continue to spark new regional conflicts, yet the super powers will continue to find common ground.  Resilience to systemic failures will define which countries emerge as the next tier of global influence.

At the end of the day, we are all the same.  Love for our family and the constant anxiety of providing a safe, secure and nourishing environment for them to live out their days.  As we close our eyes each night to try to sleep, we plan our next day on managing the "Operational Risks" in our path ahead.

14 December 2014

Intellectual Property: Material Risks Disclosure- Assumption of Breach...

The rules of the game may have changed across the corporate landscape.  Corporations that have been proactive in the management of Operational Risks are making headlines in the published press. There is a race to build new 100,000 Sq. Ft. data centers around the globe, in order to satisfy the insatiable competitive appetite of bandwidth-hungry enterprises:
Sony Pictures Entertainment is fighting back
The studio behind the “Spider-Man” franchise and “The Social Network” has taken technological countermeasures to disrupt downloads of its most sensitive information, which was exposed when a hacking attack crippled its systems in late November.

The company is using hundreds of computers in Asia to execute what’s known as a denial of service attack on sites where its pilfered data is available, according to two people with direct knowledge of the matter. 
Sony is using Amazon Web Services, the Internet retailer’s cloud computing unit, which operates data centers in Tokyo and Singapore, to carry out the counterattack, one of the sources said. The tactic was once commonly employed by media companies to combat Internet movie and music piracy. 
In one of the most devastating cyber security breaches in recent memory, a hacking group calling itself Guardians of Peace claimed to have stolen just under 100 terabytes of Sony Pictures’ financial information, budgets, payroll data, internal emails and feature films and has slowly leaked portions of it to public file-sharing sites such as PasteBin.
The cyber war has been facilitated by the rise of substantial new digital weapons and the cloud-based compute power to make it all happen.  The question is not who is behind the latest DoS of "PasteBin" as much as when the next Stuxnet-like design will gain favor with a private sector organization.  You see, the use of sophisticated offensive cyber malware is not new.  No different from conventional chemical weapons developed by nation states, the variants and new "Zero Days" ultimately could end up in the hands of militias and clandestine dark sites on the net for sale.

In the recent book "Countdown to Zero Day" by Kim Zetter, the point is made:
Before Stuxnet, most of America’s military and intelligence cyber-operations focused on stealing or distorting data, or used cyber-tools to help direct U.S. weapons. Stuxnet was envisioned by U.S. officials as a replacement for a conventional weapon. Using a computer virus or worm to gum up the works of something from within would provide an alternative to, say, destroying a nuclear facility from the air. Stuxnet appears to have done that. “Stuxnet stands alone as the only known cyberattack to have caused physical destruction to a system,” Zetter writes.
The digital copying, erasure or even encryption of corporate data that then becomes the focus of an extortion plot is the Operational Risk Management (ORM) business problem that remains on your Board Room doorstep. The Sony Board of Directors now understands the liability of dealing with a $100 million plus incident, as an adverse material event, spawned from the cyber domain.  The rules of the digital game have changed.  Now what can be done about this particular wake-up call?

Besides getting your outside counsel ramping up for a tremendous cache of billable hours and your Information Governance Teams burning the midnight oil, the future strategy is now evolving.  How many digital files in your corporation contain proprietary Intellectual Property (IP)?  If you don't know the answer, then we recommend that you start counting.  You need to figure out what the value of all this data is, and for good reason.  At the other end of the Operational Risk spectrum are the SEC regulatory issues in the U.S.  Jeffrey Carr explains here:
“Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.” 
The value of your particular organization's Intellectual Property can then be compared against the requirements for your IP on a global basis.  What countries or companies are spinning up Research & Development operations in the same IP space that your organization is operating in?  What U.S. companies are encouraged to relocate a manufacturing plant overseas?  Why is this significant? The correlation is that if there is a rising number of foreign R&D labs focused on your particular category of IP, then you can guess that your company is going to be a substantial target for sustained industrial espionage.  Regulatory burdens exist and yet may not be the greatest risk.

When there is not enough time or money to infiltrate your organization with insider human assets, then the outsourcing of digital theft campaigns will begin, or a combination of insider theft operations in cooperation with outsourcing.  The hackers-for-hire trade is larger than you may know.  How much do you think a nation state would pay for a "Stuxnet" Zero Day on the open market in today's U.S. dollars?  Mid to high six figures.  Not likely.  7 or 8 figures is getting closer.

While the malware designed for the exfiltration of data from Sony Pictures is different from Stuxnet's design to disrupt a specific type of Siemens Controller for a certain IR-1 centrifuge, the intent and motive may be quite similar:  to disrupt and destroy the capabilities of your adversary.  Now the question for Sony is whether the sabotage attack can be attributed to a nation state, simply to a "disgruntled insider," or possibly to both.

The complexity and the longevity of the risk are evident.  The magnitude and the impact of the destruction are apparent.  Are you sure you don't have an Insider Threat?  See appendix C here:
This fourth edition of the Common Sense Guide to Mitigating Insider Threats provides the most current recommendations of the CERT® Program (part of Carnegie Mellon University's Software Engineering Institute), based on an expanded database of more than 700 insider threat cases and continued research and analysis. It introduces the topic of insider threats, explains its intended audience and how this guide differs from previous editions, defines insider threats, and outlines current patterns and trends. The guide then describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so. Each practice includes features new to this edition: challenges to implementation, quick wins and high-impact solutions for small and large organizations, and relevant security standards. This edition also focuses on six groups within an organization (human resources, legal, physical security, data owners, information technology, and software engineering) and maps the relevant groups to each practice. The appendices provide a revised list of information security best practices, a new mapping of the guide's practices to established security standards, a new breakdown of the practices by organizational group, and new checklists of activities for each practice.

07 December 2014

Startup Risk: Design of ORM Architecture...

How wonderful it would be to be able to redesign our current work culture and the systems that support it.  Only those new startup companies with the two co-founders sitting around the kitchen table have that real luxury.  When should the Operational Risk Management (ORM) framework for this new business entity be developed and staged for implementation?

All too often when a startup company forms its basis for existence, the focus is 100% on the product solutions and the "Go-to-Market" plan.  It isn't until the firm is leasing its first office space that all of a sudden it becomes a reality.  The Operational Risk Management (ORM) components of the company design have been given back-burner status.  The viability and the longevity of the business model could be in jeopardy.

Six months later, you might have two dozen employees moving into the new open plan office suite. Do the co-founders and senior management realize the business problem before them?  The culture of the organization is already well underway, along with its norms and the rules that will govern it. The employees and contingent contractors are operating almost 24 x 7 at this stage to launch new products and establish market presence campaigns.  How could there be any real serious operational risks to consider at this point?

The implementation of the rules-base and the company policies is now a necessary stage of the startup. This is also when the co-founders realize that maybe it is time to start handing over the day-to-day management of the company.  It could even be the time to add the professional CEO and other key executives including the Chief Technology Officer, Chief Financial Officer, General Counsel, Chief Information Officer, Chief Human Capital Officer and the Chief Risk Officer.
The organizational enterprise architecture is now operating in full swing.  These stewards of the new company have a vital and delicate opportunity now.  Will the company build a system-of-systems that is trustworthy?
Will the people interacting within the rule-based environment of the NewCo begin to feel burdened, restricted and even under the magnifying glass?  Or will the new enterprise architecture be so adaptive, so resilient and so capable of predictive behaviors that employees feel free?  They feel innovative and capable of operating just as in the early days of the birth of the company.

The Mission

The mission as a co-founder of a new startup is to ensure the survival of the organization.  We all know the failure rate for new companies.  Just ask Dun & Bradstreet for the statistics or even your local Venture Capitalist who is celebrating failures these days.  So beyond just the survival of the NewCo, is the imperative to establish a cultural and operating environment where people feel encouraged, creative and unencumbered to fulfill their job requirements and goals.

The Take Away

Operational Risks are inherent in any new business endeavor.  The earlier the ORM design begins in the company evolution, the more resilient you will ultimately become.  The framework of the system-of-systems, the look and feel of the cultural environment and the end state visions are all at stake.  Take the time and include the expertise to work on the systems foundation of your new enterprise.

Ensure the survivability of the new products and solutions that are so valuable to our economy and our nation.  Embrace Operational Risk Management early in your startup and allow its presence while it preserves all that you have worked for and dreamed of...

01 December 2014

Courage: Risk of Physical & Moral Fear...

The effective implementation of Operational Risk Management (ORM) requires two types of courage: physical and moral.  What are some examples?  "Physical Courage" is the act by an individual of running into the burning building to save those caught on the upper floors.  "Moral Courage" is the decision to finally expose the multi-year fraud scheme executed by the company controller, who happens to be your boss and a former college classmate.

The courage component is different, yet the same.  The existence of fear in a "physical sense" may be harder to overcome since it will expose you to bodily harm and potential death.  The fear associated with a "moral sense" will impact your reputation or standing in the community that you live in, or the profession you operate within.  For some, this fear could be greater than even risking one's own life.

Is it possible to learn and improve your skills for both physical and moral courage?  The answer is yes, and it has been a factor of education and training for hundreds of years.  The goal is to ensure that your organization, enterprise, team or community is learning both and creating effective habits.  The continuous and repetitive exercises to deal with the fear of bodily harm or of blowing the whistle on your best friend are the bottom line here.
"What are you doing to overcome your fear to save a life?  What are you doing to overcome your fear of reputation loss?  The ratio of learning both and exercising them in the field or when needed inside the institution, enterprise or government is what is at stake."
Once the education and training programs are in place to learn new skills then the fear of action will diminish, when the time comes.  Who do you have coming to work each day who has the balanced ability to carry an adult out of the burning building or simultaneously detect a multi-layered accounts payable scheme?

Unfortunately, these are only two examples of a wide spectrum of courage that is required each day. In New York City or the Sahel, from the Board Room to the Break Room, from the Class Room to the Conference Room, both physical and moral courage will be required.  In seconds.  The courageous decision you make may cause bodily harm or the end of a career.  What are you going to do to learn and train to deal with the fear that you will encounter?  What kind of courage will you be called upon to utilize in order to act, to behave correctly and expeditiously?

Operational Risk Management (ORM) is a vital factor in your city, your business and your virtual community.  It spans the spectrum of courage from physical to moral.  The question remains: will you act when the time and moment arises?

23 November 2014

Trust Decisions: The Future State of Risk Management...

Trust Decisions are being made at the speed of light.  The rules of the game are embedded in lines of code written to instruct computers and simultaneously in the rule of law that is printed in Constitutions around the globe.  As the speed of Internet commerce accelerates the Operational Risk Management (ORM) frameworks will evolve and adapt.  The privacy vs. security evolution is now in full debate as our Critical Infrastructures feel the stress of points of failure.

The future architecture of what is at stake continues to be challenged in so many ways.  Jeffrey Ritter sums this up perfectly:
"Yet, in either direction, freedom vs. surveillance, what are being proposed are nation-state rules. At this point in the Net’s evolution, any national solutions seem almost contradictory to the ambitions of any government to actually be effective in achieving their ambitions. The inherent functionality of the Net is to “route around failure”. Nation-state rules that impose restrictions on the market’s appetite to create economic pricing tiers merely drive commercial activity into other geographic regions. Laws requiring backdoors have the same effect, provoking and encouraging bad actors to find mechanisms that avoid such technology features to be baked into the relevant devices. In a global market where, as one economist observed, there will soon be no further emerging economies, what is the proper role of the nation-states toward the Net? When do new regulations, well-intentioned to provide positive qualities of life, actually become walls that divert the movement of information, funds, and economic activity to other geographic regions?"
As the governance of the Internet continues to be debated, consider the velocity of what is occurring even as broadband and wireless are still so scarce in many locations around the world:
Alibaba Group Holding Limited is a Chinese e-commerce company that provides consumer-to-consumer, business-to-consumer and business-to-business sales services via web portals. It also provides electronic payment services, a shopping search engine and data-centric cloud computing services. 
Alibaba's consumer-to-consumer portal Taobao, similar to eBay.com, features nearly a billion products and is one of the 20 most-visited websites globally. The Group's websites accounted for over 60% of the parcels delivered in China by March 2013, and 80% of the nation's online sales by September 2014. Alipay, an online payment escrow service, accounts for roughly half of all online payment transactions within China.
The "Trust Decisions" being made every day by citizens of the planet Earth using the Internet continue growing exponentially.  The systems-of-systems are executing the rules given to them and the human element is beginning to diminish.  Why?

Most people believe in some form of risk management, and the truth is that it doesn't work all the time.  It doesn't work because the human being is incapable of processing all of the possible rules of the moment, the game, in any specific scenario, fast enough.  Therefore, failures of people, processes, systems and external events seem to occur randomly.

Is it possible to achieve a state of zero surprise, where all risks are mitigated and humans can achieve an environment of trust that is sustainable?  We think it is.  In the right environment and in a specific scenario, surprise is now "impossible".

"Trust Decisions" occur today at the speed of light and with an accuracy of 99.999%.  Risk Management is our current state and it is destined for extinction.  Trust Decisions, as we will now apply them, become our future state.  With zero surprise.  The truth is that risk management is obsolete and a new digital invention is ready for mankind.

16 November 2014

Top Ten Mistakes: Board of Directors Risk...

A few years ago, Randy Myers' article in Corporate Board Member Magazine discussed a Top Ten List for the Board of Directors. In light of the current state of corporate performance, we would like to revisit the most common mistakes.

General Counsel to Directors: Your 10 Most Common Mistakes

The in-house lawyers think that you've got a lot to learn about risk, trust, and reward. And when there's trouble, you too often fail to follow the Boy Scout creed: Be Prepared. By Randy Myers

1. Not Asking Questions
2. Failing to Understand the Company and the Risks it Faces
3. Failing to Lead on Ethics and Compliance
4. Not Insisting on a Crisis-Management Plan
5. Speaking out in a Crisis Before the Facts are in
6. Relying on the Wrong Outside Counsel
7. Failing to Understand Attorney-Client Privilege
8. Underestimating Regulators
9. Giving too Much Leeway to Rainmakers
10. Getting Caught Up in the dilemma of False Options
And as Randy so clearly states: "Serving on a corporate board isn't easy. Avoiding these common mistakes should be."

We can't accept that No. 4 is even on this list. No. 2 and No. 3 are ever so commonplace. And No. 7 is not a surprise. But what continues to amaze even those professionals who consult to the Board of Directors is No. 8.

The Chief Risk Officer (CRO) is the independent keeper of oversight in the corporate enterprise. Should any organization be the subject of an investigation by the SEC, FTC or any other government regulator, they need to look to the CRO. It's the job of any CRO to keep regulator awareness at a high level and to let the business be in charge of risk management. Whenever you see a CRO getting involved in managing the risks of the business, then the independence and clarity of oversight has been extinguished.

The General Counsel and the Chief Risk Officer must work hand-in-hand to follow the Boy Scout creed:

Be Prepared.

09 November 2014

Veterans Day 2014: Leading the Enterprise to Victory...

The 1% are soon to be recognized on Tuesday, November 11, Veterans Day.  CxOs across the country who have served in the military know all about "Operational Risk Management" (ORM). They understand that the safety and security of their personnel is paramount if they are to achieve the mission assigned to them by the Board of Directors and the majority stakeholders.

If only 1% of the country serves in the military, and fewer still reach the rank of CxO in commercial industry, it makes sense that ORM remains so esoteric.  Only an enlightened few truly understand the value of investing in continuous training, cultural and ethical development, and the safety and security of not only employees, but also intellectual capital and information assets.

Indeed, this Veterans Day is a time to focus on our 1%.  Those who have served the United States of America in the Armed Forces.  At the top of each of these branches including the Army, Marine Corps, Navy, Air Force and Coast Guard are people that have seen, smelled, heard, felt and lived with the logic and the necessity for Operational Risk Management.  Why is the Navy leadership focused on ORM?
ORM is the guiding Navy instruction for implementing the ORM program. The naval vision is to develop an environment in which every individual (officer, enlisted and civilian) is trained and motivated to personally manage risk in everything they do on and off duty, both in peacetime and during conflict, thus enabling successful completion of all operations or activities with the minimum amount of risk. 
The most common idea of what ORM revolves around is a simple five-step process that is most frequently used in planning. These five steps are:
  • Identify hazards
  • Assess the hazards
  • Make risk decisions
  • Implement controls
  • Supervise and watch for change
Another level of ORM is Time Critical Risk Management which involves a quick, committed-to-memory process and a set of skills that allow our people to manage risk when in the execution of a plan or event. The standard for the Navy is being developed, however it might be thought of in simple terms such as:
  • What can go wrong or is changing
  • How can I keep it from affecting the mission without hurting me
  • Act to correct the situation
  • Telling the right people if you are unable to take the right action
If you were retired from the Marine Corps and now the CxO of a Global 500 company, do you think that ORM would be a forgotten system?  Would you neglect to focus on this, if you were running FedEx?  Fred Smith is not a former pilot, but was vital as a "Forward Air Controller":

Frederick Wallace "Fred" Smith (born August 11, 1944), is the founder, chairman, president, and CEO of FedEx, originally known as Federal Express, the first overnight express delivery company in the world, and the largest in the world. The company is headquartered in Memphis, Tennessee. 
Smith was commissioned in the U.S. Marine Corps, serving for three years (from 1966 to 1969) as a platoon leader and a forward air controller (FAC), flying in the back seat of the OV-10.
As a Marine, Smith had the opportunity to observe the military's logistics system first hand. He served two tours of duty in Vietnam, flying with pilots on over 200 combat missions. He was honorably discharged in 1969 with the rank of Captain, having received the Silver Star, the Bronze Star, and two Purple Hearts. While in the military, Smith carefully observed the procurement and delivery procedures, fine-tuning his dream for an overnight delivery service.[5] 
A primary function of a Forward Air Controller is ensuring the safety of friendly troops. Enemy targets in the Front line ("Forward Edge of the Battle Area" in US terminology) are often close to friendly forces and therefore friendly forces are at risk of friendly fire through proximity during air attack. The danger is twofold: the bombing pilot cannot identify the target clearly, and is not aware of the locations of friendly forces.
Fred Smith not only implemented the mindset of a "Forward Air Controller" running FedEx, he also has been able to build a culture focused on Operational Risk Management (ORM).
FedEx Corporation will produce superior financial returns for its shareowners by providing high value-added logistics, transportation and related business services through focused operating companies. Customer requirements will be met in the highest quality manner appropriate to each market segment served. FedEx will strive to develop mutually rewarding relationships with its employees, partners and suppliers. Safety will be the first consideration in all operations. Corporate activities will be conducted to the highest ethical and professional standards.
Now back to Veterans Day, November 11.  Are you starting to make the connection between the 1%, becoming a global CxO and the reason why ORM has such tremendous applications inside the global enterprise?

The opportunity now is for us to unleash our emerging and proactive "Vetrepreneurs," to take their years of knowledge and understanding of ORM and now apply it within the ranks of their new companies or new positions, just as Fred Smith has done at FedEx.  These veterans have the practical knowledge, skills and valuable use cases on how Operational Risk Management contributes to the overall mission.

If you are a 1% entrepreneur (Vetrepreneur) and have Co-founder or CxO as your title, then your proactive nature should allow you the opportunity to apply ORM within your organization.  Here are three places you can begin your program focus:
Inside:  Develop a culture of trust that begins by teaching employees how to find the truth.  A culture that promotes and teaches people how to apply the rules to the business that you are operating in.  A culture where no one can hide and that understanding our own vulnerabilities makes the overall organization more resilient each day.
Outside:  Architect the enterprise from the ground up to make more informed "Trust Decisions."  The architecture must first assemble and organize the rule-base and contextual framework associated with the environment that you will be operating in, both physically and virtually.  The interdependencies of the automated machines developed to operate the enterprise shall exist in a transparent and highly governed "system-of-systems".
In-The-Middle:  Create new learning scenarios on a consistent but random basis.  Test the enterprise Inside and Outside with these exercise scenarios.  Determine how the humans and/or machines behave.  Establish what is normal and create your baseline. Continue to test and to measure the gaps of performance and make changes to improve the quality, accuracy or resiliency of the entire enterprise architecture.
On this Veterans Day 2014, scan the horizon for the organizations that stand out and are remarkable. With the 1% at the helm, in the cockpit or now the HQ Board Room, Operational Risk Management (ORM) is leading the enterprise to victory!

02 November 2014

NewCo: Operational Risk Accelerators...

Operational Risk Management (ORM) is an essential component of any serious business.  These are the internal risks you take when you add people, processes and systems together and then operate in a specific industry or geography.  Innovation within the ranks of a new breed of business accelerator has the opportunity to include "Operational Risk Strategy Execution" as a vital mechanism for the growth of the newborn company.

Do you know about a start-up company that is building a product or solution to address one of these Operational Risk categories?  The following lists the official Basel II defined seven event types with some examples for each category:
  1. Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
  2. External Fraud - theft of information, hacking damage, third-party theft and forgery
  3. Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
  4. Clients, Products, and Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
  5. Damage to Physical Assets - natural disasters, terrorism, vandalism
  6. Business Disruption and Systems Failures - utility disruptions, software failures, hardware failures
  7. Execution, Delivery, and Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets
The start-up phenomenon has taken many metro areas around the United States by surprise.  The typical centers of innovation in Seattle, San Francisco, Los Angeles, Austin, Boston and Washington, DC are now being joined by newcomers such as Cincinnati:
The entrepreneurial world is not an easy one to take on, but for those brave enough to do so, Cintrifuse is here to help. Located in the heart of downtown Cincinnati, Ohio, Cintrifuse acts as a connecter and supporter to create a global destination for entrepreneurial success. 
Cintrifuse connects the region’s high-potential, venture-backable startups to advice, talent, funding, and customers. With over 30 ecosystem partners, 30+ participating local corporations, 75+ mentors and advisors, Cintrifuse leverages the power of its network to serve over 100 startup members and improve their chances of success. 
To amplify the efforts and extend the reach of the entrepreneurial community, Cintrifuse operates a $56MM Fund of Funds, which invests in early-stage venture capital funds both regionally and nationally. The Fund of Funds provides an avenue for corporations and venture capitalists alike to gain further insights into and engagement with the Cincinnati startup community. 
Cintrifuse’s efforts are made possible through support from some of Cincinnati’s most prominent companies.
To connect more than 100 startups with venture capital firms, corporations and service providers, Cintrifuse uses a proven membership model. Entrepreneurs gain access to like-minded, driven and engaged individuals; venture capitalists, business leaders and service providers are introduced to startups on the rise.  Grow your business with Cintrifuse by signing up for membership today.
As the focus on innovation continues and NewCos are being formed across the country, these new entrepreneurs need a foundation in truly understanding "Operational Risk Management". Why?

If these new entrepreneurs are better able to understand the core reasons why a business must operate within a universe of Operational Risks, then their innovation may adapt.  The ideas they have for better managing cyber security, detecting the insider threat or automating the continuity of operations planning may change.

Building a new company with an innovative new product also means understanding the problem sets that a much larger enterprise is encountering on a daily basis.  Innovators today sometimes lose sight of the operational risks that can be addressed by their products, as they are installed and implemented into the larger enterprise.  The value proposition that addresses the decrease in loss events will soon get the attention of senior management.

What can a business accelerator like "Cintrifuse" do to make sure that the 100+ new start-ups better understand Operational Risk Management?  Perhaps even more importantly, how can their hot new NewCo product fit into the ORM matrix for addressing Enterprise Risk at a Fortune 500 company?

To answer this, just look more deeply at the 75+ mentors and advisors that Cintrifuse has at their disposal.  Has Cintrifuse developed a diagnostic tool to better understand the subject matter expertise of each of those mentors?
  • First, create an inventory of the skill sets and knowledge of these mentors and develop a database for the start-up entrepreneurs, so they can query who is the best mentor for a specific subject or business problem they are encountering.
  • Second, the mentors themselves would need an orientation on how to assist the start-ups in seeing the nexus with operational risk in their own business model.
  • Third, the mentors would demonstrate how the innovations that the enterprise requires have a nexus with the start-ups' products being developed for the mass market.
Remember, ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems; human factors; or external events.
When you scan the companies being accepted and graduated from all of the incubators and accelerators across the globe, many will have a product solution that impacts some facet of Operational Risk Management.  The mission now is to make sure that those new entrepreneurs discover how their inventions and patents may address real-world scenarios.  Just look at the current cohort companies at the MACH37 Accelerator in Herndon, Va as one example:

iAspire
Eric Whittleton, Cofounder and CEO
Arash Nejadian, Cofounder and CTO

iAspire is currently addressing the significant pent-up demand for fully implemented email encryption in large enterprises by enabling end-to-end encryption that also addresses the need for real-time and in-volume secure email access for forensics, e-Discovery and compliance requirements. iAspire develops standards-based digital key management products that serve as material enablers of the “Trusted Web”. Future products will include additional store and forward applications such as a cloud-based Secure Drop-box as well as mobility solutions.

Virgil Security
Michael W. Wellman, Cofounder and CEO
Dmitry Dain, Cofounder and CTO 

Virgil Security provides easy-to-deploy and easy-to-use cryptographic software and services for use by developers and end-users. Virgil Security’s encryption libraries and services, along with an accompanying public key management infrastructure, ease the pain of developing, deploying, and using strong cryptography. Virgil Security enables a new generation of enhanced privacy and security for applications, cloud services, and the Internet of Things.

FireDrillMe
Marcus Carey, Founder

FireDrillMe provides a SaaS platform that orchestrates cybersecurity “fire drills” on production networks by imitating attackers. FireDrillMe helps organizations train personnel, evaluate products, and refine procedures for incident response.

Syncurity Networks 
JP Bourget, Cofounder and CEO
Ray Davidson PhD, Cofounder
Mike Volo, Cofounder

Syncurity Networks develops software for Information Security Process Management and Automation focused on Incident Response (IR) incorporating standard IR processes, automated artifact collection, and standardized report generation. Syncurity helps mid-size businesses respond to incidents faster, document lessons learned, and collect metrics for continuous improvement.

SecureDB
Karthik Bhat, Founder and CEO

SecureDB is an encrypted cloud database for storing sensitive customer information such as authentication credentials, PII, PHI and credit card numbers. SecureDB’s cloud based encrypted database and associated APIs will allow enterprises to secure their customer data by providing strong cryptographic protection against unauthorized access.

BiJoTi
Josh Marpet, Cofounder and CEO
Billy Boatright, Cofounder and CMO
Tim Krabec, Cofounder and CTO
Ben Huey, Cofounder and CRO

Compliance requirements are coming downhill to smaller companies, and the bad guys are going after data within companies of all sizes. BiJoTi's turnkey appliance packages the advanced compliance and security benefits that large enterprises enjoy from a dedicated security organization, but at a price that works for small and mid-market businesses.

Cyph
Ryan Lester, Cofounder and CEO
Josh Boehm, Cofounder and COO 

Cyph is a secure messaging app for Facebook users who aren't security experts, but demand a simple way to chat privately with their friends.

As Operational Risk Management is incorporated into the core capabilities of each new entrepreneur's business plan, it will benefit their own launch and better serve their intended customers.

25 October 2014

Reputation Risk: Organizational Stewardship Revisited...

Reputation risk is becoming more of a topic of discussion these days. The loss of reputation results in several outcomes, both economic and personal. The fact is that most of the time organizations are "Reacting" to a crisis, news leak or some other corporate failure.

You don't have to name names of people or companies to understand the impact that reputation has on the success or demise of an organization. What has to change to lower the severity and likelihood of loss events associated with "Reputation"?

First you have to ask yourself a couple of key questions:
  1. What is your reputation worth?
  2. Are you being Proactive or Reactive in managing and safeguarding your reputation?
The PR and marketing communications processes in your organization may have certain facets of the solution to better reputation risk management. However, these processes are designed without the consciousness of proactive threat anticipation, detection, prevention and remediation.

What has become more clear to executives in proactively oriented companies is the requirement for a specific and strategic approach to Reputation Risk Management. This approach encompasses an emerging theme from the early nineties pioneered by author Peter Block. We call it Organizational Stewardship.

Organizational Stewardship as a core guiding principle is the cornerstone in managing an institutional reputation risk management process. It has three components that support this rekindled idea of applying the concepts of stewardship to the organization:
  • Economic Accountability
  • Information Management
  • Business Integrity
Reputation Risk Management is about the proactive monitoring and management of a portfolio of threats in the organization. Several categories include:
  1. Intellectual Property and Information Assets
  2. Demonstrations, planned boycotts and social activism
  3. Physical infrastructure including employees and suppliers
  4. Legal threats including class actions, insider trading or whistle-blowers
Microsoft closed its free Internet chat rooms in 28 countries many years ago because of threats from pedophiles and junk e-mailers. This is an example of proactive reputation risk management. Unfortunately, this has opened the door to another related threat of hackers hijacking other Social Media accounts.

Organizational Stewardship is a guiding principle. Once it is embedded into the organization it begins to permeate the mindsets of the individuals who are responsible for the conscious reputation risk management processes. Over time, these individuals help influence the corporate mindset, philosophy and ethics to a newfound level.

Someday soon the executives in the board room will realize that managing reputation is not about keeping secrets and fighting fires. They will realize that they need to find a proactive, preventive and relevant strategy for achieving Organizational Stewardship in their company.

19 October 2014

4GW: Strategic Risk Vs. Tactical Insurgencies...

Fourth Generation Warfare (4GW) is upon us in the E-Ring, The West Wing and the PGP Keyring. Information assets, and the knowledge that is the key to wealth, are no longer a physical debate. Thomas X. Hammes articulates this in his book, The Sling and The Stone:
Fourth-generation warfare (4GW) uses all available networks -- political, economic, social, and military -- to convince the enemy's political decision makers that their strategic goals are either unachievable or too costly for the perceived benefit. It is an evolved form of insurgency. Still rooted in the fundamental precept that superior political will, when properly employed, can defeat greater economic and military power, 4GW makes use of society's networks to carry on its fight. Unlike previous generations of warfare, it does not attempt to win by defeating the enemy's military forces. Instead, via the networks, it directly attacks the minds of enemy decision makers to destroy the enemy's political will. Fourth-generation wars are lengthy -- measured in decades rather than months or years.
The Mission
The global business landscape has known for all too long the power of marketing. Knowledge is not a fixed asset in a fixed physical location. Intellectual property, patent applications and new formulas can be reduced to zeros and ones and sent to anyone in the world almost instantaneously. Encrypted data flows through the veins of the Internet and has changed the playing field for governments and for your organization.

While nation states and growing adversaries wage their respective political and economic battles, the private sector and the Fortune 500 are in another and parallel conflict to keep their Intellectual Property and Information-Based Assets safe and secure from a growing threat spectrum. Modern digital insurgents and other 4GW opponents are part of a virtual network that has no specific location found in longitude, latitude or geocode. The money center bank or transnational pharmaceutical company is all too familiar with the hijacking of trade secrets or personal identities, held for ransom or sold to the highest bidder.

The Take Away
Yet this is not about technology, and it is even more apparent that it is not about the Internet. It is about how people are able to operate in a wide variety of countries, cultures and operating environments. These human networks are the most powerful forces available to governments and to marketers. Whether it's a brand being endorsed by a superstar rocker like Paul McCartney or a book being recommended by Oprah Winfrey, this sharing of human knowledge and intelligence is exactly what the 4GW strategy is all about. And let's not forget the power of Aljazeera and The New York Times.

The risk of operating your enterprise across the planet requires a "4GW" mentality and toolkit to help ensure your success. What is your organization doing to retool and retrofit your work force to compete on an operational level with more educated people and superior human capital?

11 October 2014

Unintentional Insider Threat (UIT): Human Factors Risk...

Operational Risk Management (ORM) is a discipline that encompasses several facets of science and art. The human factors will continue to challenge the people who are tasked with mitigating risks in the face of a Republic with constitutional rights.  The United States is one of the many countries in the world where employees of governments and private sector institutions must comply with a myriad of laws pertaining to the privacy of the work force.

The behavioral aspect of humans operating day-to-day in the workplace, whether inside the R & D department at Google or the 7th Floor at DARPA, carries many of the same risks.  When you put an information storage and computing device in their hands, the likelihood of encountering a potential operational loss or failure increases dramatically.

For the past several years, there has been a significant amount of attention devoted to the topic of "Insider Threat."  In light of the Edward Snowden and "The Fifth Estate" events, many government and private sector organizations have been revisiting their employees' security clearances and backgrounds.  This is a reaction-based effort that would not be out of the ordinary for most organizations who are protecting national secrets or substantial intellectual property.

This, however, is a small percentage of the overall risk that the organization is being exposed to every day when that digitally-enabled human goes to work.  The reason is that the lens currently being focused on "Insider Threat" is looking for the next Edward Snowden.  This kind of insider will forever continue to amaze and surprise you, just like the people who may now be in legal proceedings for collaborating with Bernie Madoff.  You see, not every human will show the behaviors that all of a sudden look out of the ordinary.  The person stealing information or manipulating the books will continue to operate within your organization without disclosure.

There is a foundational study completed by the CERT Insider Threat team at Carnegie Mellon University that highlights an even greater potential loss or failure.  "A significant proportion of computer and organizational security professionals believe insider threat is the greatest risk to their enterprise, and more than 40% report that their greatest security concern is employees accidentally jeopardizing security through data leaks or similar errors."

Unintentional Insider Threat Definition 
We recommend the following working definition of UIT:  An unintentional insider threat is: 
(1) a current or former employee, contractor, or business partner 
(2) who has or had authorized access to an organization’s network, system, or data and who, 
(3) through action or inaction without malicious intent, 
(4) causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.  
       SEI Insider Threat Team, CERT; Unintentional Insider Threats: A Foundational Study (CMU/SEI-2013-TN-022). Software Engineering Institute, Carnegie Mellon University, 2013.
This report examines the problem of unintentional insider threat (UIT) by developing an operational definition of UIT, reviewing relevant research to gain a better understanding of its causes and contributing factors, providing examples of UIT cases and the frequencies of UIT occurrences across several categories, and presenting initial thinking on potential mitigation strategies and countermeasures. Because this research topic has largely been unrecognized, a major goal of this study is to inform government and industry stakeholders about the problem and its potential causes and to guide research and development (R&D) investments toward the highest priority R&D requirements for countering UIT.
Operational Risk Management is a 24 x 7 x 365 day process that is focused on all humans operating in the ecosystem of the enterprise.  The Edward Snowdens are coming to work today along with their friend Bernie Madoff.  Hiding in plain sight.  Operational Risk Management professionals understand this and operate with the focus on the unintentional consequences of their behavior.

The enterprise that is solely focused on finding the one or two people in several decades of operations will overlook the dozens or hundreds who contribute to a loss of Intellectual Property or a breach. Believe us when we say that indeed the "Spy" and "Fraudster" will have a much harder time, operating each day in an organizational environment that is focused on the UIT.

Countering UIT may seem like it is something that is already being accomplished in the new hire orientation class or the remedial training that is mandated each year on information security, for example.  Those who perceive it this way are, again, only human.  The behaviors that we bring to work each day about how we treat and handle information are not learned in a single session or a single annual workshop. Learning to behave consistently with sensitive or classified information on a daily basis requires a discipline that few really understand right now.  This is especially true in the Defense and Intelligence Community supply chain.

Your goal is to get that UIT awareness inside every one of your employees, partners and suppliers.  To instill inside them the same diligence in their work processes to Deter, Detect, Defend and Document.  UIT is a major percentage of the answer to mitigating the risk of another Edward Snowden or Bernie Madoff incident in your organization.  More importantly, it is the answer to the other 98% of the losses you will incur this next calendar year.  Think about "Achieving a Defensible Standard of Care."

05 October 2014

1 WTC: Trust Decisions of Technology, Privacy and Rule of Law...

Technology, Privacy and the Rule of Law.  All three are attributes of a robust Operational Risk Management (ORM) system.  The Operational Risk professionals in the critical infrastructure sectors that intersect with personally identifiable information (PII) are experts in the trio of changing technology, new laws and legal decisions, while preserving the rights of privacy.  Financial services and Healthcare are currently under a significant barrage of attack.

All of these attributes are just small components of a much larger and more complex system.  The pursuit by all parties including consumers, technology innovators and those charged with our legal governance, is attaining a future state where the majority of humans will judge that system as trustworthy.

Trustworthiness begins with the basis by which you engage with a particular system.  Here is a fundamental example.  The trust that you put into the technology on your wrist or hold in your hand requires you to take a leap of faith at first.  Can you believe that the chronometer on a MTM Patriot watch, at 132 feet below the surface of the Pacific Ocean while scuba diving, is accurate at 18 minutes 36 seconds?  If you can't trust the accuracy of this system to count minutes and seconds, a life may be in jeopardy from DCS.

An affirmative "Trust Decision" occurs when actions or rules are executed as a result of the system's design or planning.  A decision to ascend from 132 feet to 66 feet at 19 minutes into the dive is a "Trust Decision" leveraging the system programmed to keep accurate time and the diver's planning in advance.

You have come to trust many systems in your lifetime.  Simple computers on your wrist or the complexity of the engineering associated with a BMW, Apple iPhone 6 or IBM Watson require the human to experience enough favorable outcomes to begin to trust that particular system.  Those positive outcomes for safe and secure highway travel or the end-point IoT device will strive to establish trust over time. Even the virtual machines (VMs) on the massive servers in over 100 Equinix Data Centers across the globe are the basis for your trust, as these particular invisible systems store and retrieve your most personal, sensitive intellectual property.

Think of a specific system that is trusted universally.  Think about all of the computers that support the system.  Each computer has been provided instructions coded in software or firmware.  For the most part, these rules have been programmed by humans.  In many cases, the software has automated a previous system that was manually operated by humans, for decades or longer.  Now this new trusted system is more efficient and the work that it performs saves us time.  It generates economic growth. Eventually, the system becomes trusted by a majority of humans and no one questions the calculus anymore.  Our current banking system in the U.S. is one that is top of mind.

When you have a fusion of Technology, Privacy and the Rule of Law that requires trust, not just by humans, but by systems-to-systems, then you must also have something else.  In order for the complete system and all of its attributes to be accepted, adopted, codified, tested, ruled-upon, pervasive and universally utilized, it must be trusted by the other "systems" themselves.  Here is another example.

When you look at the architecture of the new "One World Trade Center" (Freedom Tower) scheduled for completion this year in New York City, do you think about:
Structural redundancy, enhanced fireproofing, biological and chemical air filters, extra-wide pressurized staircases, interconnected redundant exits, safety systems encased in three-foot concrete walls, a dedicated firefighter staircase, special "areas of refuge" on each floor.
You should think about it, and so does Skidmore, Owings & Merrill, LLP, the architect of the Freedom Tower.  If only we could utilize this metaphor for what we have learned about the architecture and construction of the new Freedom Tower.  Will you trust 1 WTC as a system?  Why?

The systems talking to other systems in order to design, build and occupy 1 WTC have been vast.  The technology incorporated to satisfy a complex set of business rules, building codes and privacy or security governance is extraordinary. "Trust Decisions" to accomplish affirmative outcomes have been executed for years by Skidmore, Owings and Merrill (SOM) not only in New York but on a global basis.

The trustworthiness of a system goes far beyond just the edifice.  The device.  The packaging.  The marketing.  The brand.  You will always have to look deeper for your "Trust Decisions".  You must discover how these trusted systems are being utilized to provide you the affirmative economic results you seek.  And without the positive outcome of the creation of newfound time or monetary assets, you will then abandon the tool, the machine, the system and simultaneously your trust.

28 September 2014

HSI: Homeland Security Intelligence...

What is the modern definition of U.S. Homeland Security Intelligence (HSI)? Many would differ on the jurisdiction, sources and nexus with specific intelligence that falls outside U.S. borders. The future of sharing relevant pieces of the vast mosaic of information may well lie with the definition and the interpretation of Homeland Security Intelligence.

One thing is certain about this topic of debate. If the information is being utilized to determine the nature of a threat within the confines of the U.S. Homeland, then that information will be treated according to the laws of the United States. This brings us to the next question. Are the current laws an impediment to more effective Homeland Security Intelligence (HSI) processes, methods and outcomes?  The following areas must be addressed in order to get closer to the truth.
  • Governance
  • Policies
  • Regulatory and Statutory Concerns
  • Civil rights and Liberties
Yet the question begs the discussion on the structure and the purpose of the Intelligence Community (IC) itself. Is a policeman or fireman on the ground in every major city in the country part of the IC? Are they not collectors of Homeland Security Intelligence as they fill out their manual or electronic "Suspicious Activity Reports" (SARs)? If they are as much a part of the greater HSI mechanism that is deemed collection and not analysis, then they too will be subjected to the laws of the land regarding privacy and information governance.

Getting to the point where we are spending even more than half of the time doing actual human analysis is a long way off into the future. Software systems are getting automated crawlers to pull more relevant OSINT into the databases for unstructured query, yet what about the front-line observer who is the witness to an incident? They must process this by interfacing with a paper-based report that is filled in with a #2 pencil, or an electronic form on a PDA to check boxes and select categories that best describe the observed event, which risk managers, watch commanders and operations directors need for more effective decision support.

Regardless of how the collector gets the information, it still remains a matter of relevance with other data that already exists in a repository, or the addition of a future data set that suddenly creates a "Red Flag." It isn't until that "Red Flag" indicator goes off that the human analyst can then put grey matter on the issue to determine the relevance at that point in time and the implication of the law, policies and governance. This topic has been addressed in previous posts to this blog.

There are some that would say that the reason why the "Dots are not Connected" sooner, faster or more efficiently is because we are drowning in too much information to analyze. The automation of collection is the easy part. Filtering and pushing relevant data through the digital cheese cloth to get the most vital intelligence assets is a bit harder to accomplish. The human analysis, applying "Gray Matter" to the problem set and understanding the current "State-of-Play", is the ultimate challenge.

Beyond this, the average "John Q" citizen has probably never heard of 28 CFR Part 23, the privacy assurance mechanism put into place in the 90's pertaining to the fusion of criminal intelligence. Perhaps this is the single greatest impediment we face to ensuring our safety and security against threats from transnational eCrime syndicates, non-state actors and even the most sophisticated Nation States.
The topic of Homeland Security Intelligence is really about the Information Risk Governance and Consumer Privacy laws that protect us as U.S. citizens. At the same time, these same legal statutes might be the exact balance between what law enforcement and the intelligence community need to do their jobs without infringing on the rights of "John Q. Jihadist."  Here is a great example:

A Saudi student appeared to smile Friday morning as U.S. marshals escorted him to his first federal court appearance on a terror charge.
Khalid Ali-M Aldawsari, 20, stood before U.S. Magistrate Nancy Koenig charged with attempted use of a weapon of mass destruction.
The former Texas Tech student was suspected of purchasing chemicals and supplies to build a bomb and of researching possible targets in the United States before his arrest by federal officials late Wednesday.

Aldawsari came to federal attention after trying to have a large quantity of a suspicious chemical, which has both benign and nefarious uses, shipped to a Lubbock freight address, according to a sworn affidavit by an FBI agent filed in support of the warrant for Aldawsari’s arrest.
Subsequent electronic surveillance led to two secret searches of Aldawsari’s Lubbock apartment, where authorities found a makeshift lab that could be used to make explosives, as well as some of the ingredients and supplies necessary to build and detonate a bomb, according to the affidavit.
E-mails and his personal journal indicated an interest in planning attacks, ranging from an initial desire to start a local al-Qaida-type organization to researching nightclubs as a potential target, according to the FBI investigation.
Homeland Security Intelligence collected from a U.S. domestic chemical company, a freight trucking line and legal searches of the suspect's apartment was all utilized to interdict this potential plot of terrorism in the United States. Effective HSI will determine whether we continue to be as effective in the future. Godspeed to us all....

21 September 2014

Alternative Analysis: Intelligence-Led Methodologies...

Operational Risk Management (ORM) is about the consideration of past failures and the possibility of unknown future failures of people, processes, systems and external events. The analysis of the likelihood and implications of those loss events requires different methodologies to assist in the mitigation strategies to prevent or avoid the risks of failure. In light of the nature and complexity of transnational asymmetric threats, this requires the use of alternative methods of analysis.

Intuitive decision making and sense-making can be combined into a framework for categorizing the residual thought processes of intelligence analysts. This is called "intelligence sense-making". This process involves the application of expertise, imagination, and conversation and the benefit of intuition without systematic consideration of alternative hypotheses. Compared to traditional methods of analysis, intelligence sense-making is continuous rather than discrete, informal rather than formal, and focused more on issues that don't have normal constraints.

Employing alternative analysis means that when you can't “afford getting it wrong,” you challenge assumptions and identify alternative outcomes. However, it may be of little use against today's growing non-state transnational threats and ongoing criminal enterprise complexities. This is because there are so many possible outcomes, constant and perpetual changes, and contingencies that no single risk management process can be effective all the time.

Web-logs 3.0 are the future for some effective transnational alternative analysis. Combined with new APPs such as Recorded Future, the open source analyst can operate with increasing pace and context. Unlike more formal published papers, intelligence Web-logs are a more free-flowing “unfinished” production, whereby both human intuitions and more formal arguments are posted, and then challenged by those with alternative ideas. Indeed, Web-logs are the mechanism for a facilitated contextual dialogue, the electronic equivalent of out loud sense-making.

On September 11th, about half of the hijackers had been flagged for scrutiny at the gate before boarding the ill-fated flights. Had the concerns of the Phoenix FBI office about flight training not only been shared broadly within the government but also integrated into a mindfulness-focused inter-agency process—featuring out loud sense-making, Web-log type forums, computer-generated references to extant scenarios for crashing airplanes into prominent targets—might at least some of the detentions been prolonged, disrupting the plan?  --“Rethinking ‘Alternative Analysis’ to Address Transnational Threats,” published in Kent Center Occasional Papers, Volume 3, Number 2.

In our modern day era of Twitter, Facebook and "Crowd Sourcing" technologies, perhaps the tools are already in place. Platforms such as Ushahidi are geocoding the information origin, providing ground truth situational awareness and providing context on issues that are unbounded. How often does the published press currently use these tools to get their original leads, potential sources or new ideas for a more formal story? This story then takes on the formal journalistic requirements for confirmation from trusted and vetted sources, before it makes the final deadline and is delivered on printed paper to our doorstep each morning.

The doctrine of analysis for transnational threats and homeland security intelligence is still evolving in this accelerating digital ecosystem. The alternative methods and tools that we will utilize to examine, refute or justify our thoughts remain endless. The degree to which we are effectively operating within the legal rule-sets for our particular country, state or locality remains the ultimate privacy and civil liberties challenge. These respective governance guidelines, particularly with regard to intelligence record systems and liability issues, must remain paramount:

  • Who is responsible for entering information into the Intelligence Records System?
  • Who is the custodian of the Intelligence Records System that ensures all regulations, law, policy and procedures are followed?
  • What types of source documents are entered into the Intelligence Records System?
  • Does the retention process adhere to the guidelines of 28 CFR Part 23 in the United States?

Finally, community-based policing has developed skills in many law enforcement first responders that directly support new counterterrorism responsibilities. Intelligence-led policing (ILP) provides strategic integration of intelligence into the overall mission of the larger "Homeland Security Intelligence" enterprise. It involves multiple jurisdictions, is threat driven, and incorporates the citizens of the community, who cooperate when called upon, stay aware of their surroundings and report anything suspicious.

So what types of information do street officers need from an Intelligence Unit?
  1. Who poses threats?
  2. Who is doing what with whom?
  3. What is the modus operandi of the threat?
  4. What is needed to catch offenders / threat actors?
  5. What specific types of information are being sought by the intelligence unit to aid in the broader threat analysis?

Alternative analysis is designed to hedge against human behavior. Analysts, like all human beings, typically concentrate on data that confirms, rather than discredits, existing hypotheses. Law enforcement is constantly focused on the key evidence to prove who committed the crime. Alternative analysis should remain part of the intelligence tool kit for more formal policy-level work. Imagine the use of intelligence-led methodologies such as "intelligence sense-making" combined with secure Web 3.0 collaborative APPs, at the fingertips of our Homeland Security first responders. Now think about that "lone wolf" or "sleeper cell" lying in wait.

Proactive and preventative risk management requires the right tools, with the right information in the hands of the right people.

14 September 2014

Rule-based Design: The Future of HSI...

Levers in the Homeland Security Intelligence (HSI) ecosystem impact the performance and the health of the environment in which the entities share their respective insights. These HSI entities are people within the analytic ecosystem, who are diverse in the art and science they utilize to create and share insight.

The threat to any ecosystem in many cases is "too much" or "too little" of a key element of that environment that makes it thrive. Anything that occurs to offset the equilibrium in the ecosystem can have dramatic effects. What is the greatest killer of human beings on the planet earth over the past few decades? A good guess would be "Drought". Too much sun and too little water has killed millions.

Yet in the context of intelligence, if data is "The Sun" and shared insight is "The Water" then in order to mitigate the impacts of upsetting the equilibrium of our HSI ecosystem a prudent course of action is required. The levers should assist in the governance of the right amount of data and the right amount of shared insights so no one entity is at risk. Now we must examine the topic of "Rule-based Design."

The argument at hand is often that Homeland Security Intelligence analysts experience too much data and not enough insight. They are indeed at the mercy of the compliance and data governance mechanisms that are in place, because of the civil liberties, legal framework and privacy statutes across 50 U.S. states. Adding to the complexity are the systems and analytic software solutions that have been developed over the past ten-plus years. The software designers must incorporate "Rule-based Design" if they are to assist in the entire equilibrium of the HSI ecosystem. Jeffrey Ritter explains:
Clearly, for the IT architect, there are lessons to be learned. For each step taken by the IT architect to better account for all of the rules that a solution must navigate, before the design process begins and long before construction of the solution is underway, the IT architect is able to better assure the timely completion of the solution, and the compliance of the systems and resulting data with applicable rules. Yet, even in this second decade of the 21st century, we are witnessing a continued failure of IT systems to be designed for compliance. Time and again, systems are designed, built and implemented without early and complete evaluation of the rules that must be satisfied. The result is that corporations (and their lawyers) are often patching compliance onto the systems after the fact. Expenses are increased, compliance is less assured, and the IT architect often gets stuck with the responsibility.
“Rules–based design” means that IT solutions are designed with a fully-informed awareness of all of the rules, including the legal rules, that the solution and the data must satisfy. With cloud computing, data that is dynamic and volatile, and mobile users, the challenge is genuine – how do we anticipate all of the legal rules that may apply?
The solution will emerge incrementally. But the first step is to accept the principle that IT systems, and their data, can be designed differently. We can take into account prior to the design process, and not after the completion of construction, all of the rules that the systems and the data must successfully navigate.
Now we must examine the "Civil Liberties and Privacy Policy" and the applicability within the Department of Homeland Security.
The Policy applies to “protected information,” which the ISE defines as information about U.S. citizens and legal permanent residents that is subject to information privacy, civil rights, and civil liberties protections required under the U.S. Constitution and Federal laws of the United States. DHS has instituted a policy whereby any personally identifiable information (PII) that is collected, used, maintained, and/or disseminated in connection with a mixed system is treated as a system of records subject to the administrative protections of the Privacy Act regardless of whether the information pertains to a U.S. citizen, legal permanent resident, visitor, or alien. As a result, this Policy also applies to information about nonresident aliens contained in “mixed systems.”
When you combine the complexity of a vast and endless data ecosystem with rule-based design in order to protect the civil liberties and privacy of U.S. citizens, you have the basis for a significant challenge and a simultaneous opportunity. The governance of Homeland Security Intelligence is in the hands of policy makers and software systems designers. The drought metaphor utilized earlier to illustrate the point on "too much data" and "too little insight" can now be clarified in our focus post 9/11. As of this writing, the system is working and has prevented a terrorist attack in the U.S. homeland on the magnitude of that unforgettable Tuesday in September, 2001.
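What rule-based design looks like in practice, as an added example that is not code from this blog, from Jeffrey Ritter or from DHS: the four governance questions posed earlier in the post (who enters information, who is custodian, which source documents are admissible, and how retention is handled) are declared as a rule-set up front and enforced by the records system itself at entry and at review time, instead of being patched on after construction. The roles, source-document categories and sample records are constructed for illustration; the five-year retention ceiling follows the review period 28 CFR Part 23 sets for criminal intelligence systems, but it is a parameter here, not legal advice.

```python
"""Rule-based design for an intelligence records system (illustrative, constructed).

The governance rules are data that architects and counsel can review before the
system is built; the code below only enforces them. Roles, source types and
records are constructed; the retention ceiling is the 28 CFR Part 23 five-year
review period expressed in days.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

RULES = {
    # Who is responsible for entering information (page question 1).
    "entry_roles": {"analyst", "intelligence_officer"},
    # Who is custodian and must sign off on retention reviews (question 2).
    "custodian_role": "records_custodian",
    # Which source-document types may be entered at all (question 3).
    "source_types": {"field_report", "court_record", "tip_line", "open_source"},
    # Retention ceiling before a validation review is mandatory (question 4).
    # 5 * 365 is a slightly conservative ceiling; a leap year makes five calendar
    # years 1826 days, so a record can never outlive the regulatory period.
    "retention_days": 5 * 365,
    # An entry must articulate why it meets the system's entry criteria.
    "require_basis": True,
}


@dataclass
class Record:
    record_id: str
    entered_by_role: str
    source_type: str
    basis: str                      # stated reason the record meets entry criteria
    entered_on: date
    last_reviewed_on: Optional[date] = None


def validate_entry(rec: Record, rules=RULES) -> List[str]:
    """Check a proposed entry against the rule-set; an empty list means compliant."""
    problems = []
    if rec.entered_by_role not in rules["entry_roles"]:
        problems.append(f"role '{rec.entered_by_role}' may not enter records")
    if rec.source_type not in rules["source_types"]:
        problems.append(f"source type '{rec.source_type}' is not an approved source")
    if rules["require_basis"] and not rec.basis.strip():
        problems.append("entry lacks an articulated basis for inclusion")
    return problems


def retention_status(rec: Record, today: date, rules=RULES, warning_days: int = 90) -> str:
    """Classify a record as 'retain', 'review_due' or 'purge'.

    The clock restarts at the last custodian review; a record that passes the
    ceiling without validation is flagged for purge rather than silently kept.
    warning_days is a constructed grace window for scheduling reviews.
    """
    anchor = rec.last_reviewed_on or rec.entered_on
    age = (today - anchor).days
    limit = rules["retention_days"]
    if age >= limit:
        return "purge"
    if age >= limit - warning_days:
        return "review_due"
    return "retain"


def record_review(rec: Record, reviewer_role: str, today: date, rules=RULES) -> bool:
    """Only the designated custodian may validate a record and restart its clock."""
    if reviewer_role != rules["custodian_role"]:
        return False
    rec.last_reviewed_on = today
    return True


def compliance_report(records: List[Record], today: date, rules=RULES) -> Dict[str, str]:
    """Retention status for every record, keyed by record id."""
    return {r.record_id: retention_status(r, today, rules) for r in records}


# Constructed sample data; the date matches the blog post's publication date.
TODAY = date(2014, 9, 14)
SAMPLE_RECORDS = {
    "A": Record("A", "analyst", "field_report", "matches entry criteria", date(2014, 9, 1)),
    "B": Record("B", "intern", "social_media", "", date(2014, 9, 10)),       # three violations
    "C": Record("C", "analyst", "court_record", "court filing", date(2009, 6, 1)),   # past ceiling
    "D": Record("D", "analyst", "tip_line", "corroborated tip", date(2009, 10, 1)),  # review window
}

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS.values():
        print(rec.record_id, validate_entry(rec) or "entry ok")
    print(compliance_report(list(SAMPLE_RECORDS.values()), TODAY))
```

Because the rule-set is a plain data structure, changing a retention period or adding an admissible source type is a governance decision reviewed by the custodian and counsel, not a code change buried in the ingestion path; that separation is the point Ritter makes about accounting for the rules before construction begins.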

The entities within our Homeland Security Intelligence ecosystem will continue to be enabled or impeded by the policy decisions of civil liberties and privacy laws. The degree to which the software systems and rule-based design are commensurate with these policies may very well determine whether the equilibrium continues its success in the United States.

The levers to improve our HSI in the midst of a dynamic and asymmetric enemy are a constant ambition. Looking into the future, we can only pray our analytic entities execute in an ecosystem that perpetuates our successes so far and minimizes our failures. The governance factors designed by our policy makers and software developers will determine our abilities to save lives and protect our vital national assets for years to come.

11 September 2014

9/11 2014: Never Forget This Anniversary...

On this anniversary of the four terrorist attacks on the United States, September 11, 2001, we pause and remember.  We reflect on where we were at 8:46, 9:03, 9:37 and 10:07AM on that horrific morning, as the two planes crashed into the World Trade Center Towers in New York City, followed by the Pentagon in Washington, DC and a field near Stonycreek Township outside Shanksville, Pennsylvania.

The Islamic State fight continues 13 years later in an arena of global asymmetric warfare.  This includes YouTube videos, Twitter, Special Operators from USSOCOM and other "Quiet Professionals" on the Internet or in the shadows of Istanbul and Cairo, whom you will never read about.

When any moral person watches the replay of the video news reporting on 9/11, emotions are evident. Telling the story to those who were not born or are too young to remember is imperative.  This is no different from the importance of telling of other historic events of evil during two World Wars, Vietnam or the continued wars across Iraq, Afghanistan and the Middle East.

Over the past 13 years our lives have been forever impacted in the midst of conflict over religion, real estate and resources.  This is nothing new from a historical perspective until you add the technology components.  The Internet and mobile phone technologies have brought the reporting, intelligence and dissemination of real-time information to us in seconds or minutes.  No longer days or hours.

On this 9/11 anniversary, we can only pray that our humanity endures the kinetic evil and the light speed of digital information that will continue to evolve in the decades and milliseconds ahead of us...

07 September 2014

Cyber Insurance: The Future of Enterprise Risk Management...

There has been great debate over the years on the topic of cyber security insurance to complement a comprehensive Operational Risk Management (ORM) strategy.  Does the existence of a robust Enterprise Risk Management (ERM) program that includes substantial components of Operational Risk benefit the organization in the eyes of the insurer?

Could the Cyber Insurance industry be heading towards a future model for making the case for "Enterprise Risk Management" in the Cyber Risk Space?  As a parallel example, the banking industry requires homeowners insurance before loans are approved.  This is because there are a hundred-plus years of history on fires as a potential threat, and the actuaries know the odds for a loss event, especially with the new building materials and the rules on sprinkler systems in certain areas.

We are getting close to the point where data analytics and the history of cyber attack information will be used to assist insurers in writing a "Cyber Risk policy" based upon your industry sector and geographic location. The data being analyzed now on the banking sector and energy sector is vast and these are just two critical infrastructure sectors that have a long history of being attacked by criminal network bots and also nation states, on an hourly basis.

The U.S. Department of Homeland Security (DHS) has been looking into the multi-factors surrounding Enterprise Risk Management in the context of cyber insurance for the past few years:
Based on what it had learned, NPPD hosted an insurance industry working session in April 2014 to assess three areas where it appeared progress could lead to a more robust first-party market: the creation of an anonymized cyber incident data repository; enhanced cyber incident consequence analytics; and enterprise risk management evangelization.
The evangelization of ERM is vital not only for those Global 500 organizations but also for the INC. 500.  The companies that are the supply chain to the enterprise are even more at risk of attack since they provide an on-ramp for modern malware to seek new vulnerabilities.  These supply chain companies will soon be asked about their Enterprise Risk Management (ERM) program strategies and for good reason.

In order for the Global 500 to continue to have confidence in a robust ERM strategy, they must have ways to validate their own supply chain organizations' maturity in the cyber risk management domain. So what did the participants in the DHS NPPD cyber insurance roundtable in 2014 recommend as elements of a successful ERM program?
Engagement of senior leadership. A reinsurer commented that effective ERM programs must be implemented at the senior leadership level. Specifically, he advised that they should reflect a corporate culture that features cyber-related ERM discussions at all board meetings and that subjects itself to regular oversight – including through periodic internal risk audits and audits by outside, independent organizations.
Engagement of general counsels. A broker described general counsels and chief compliance officers as key players in successful ERM programs and stated that her company’s risk assessment workshops for corporate leaders are always more successful when these leaders are involved.
Engagement of CISOs. An underwriter added that it is similarly valuable to include a company’s CISO in the ERM process – particularly a CISO who understands the role that insurance can play as part of a comprehensive risk management strategy.
Establishing direct lines of communication. A third underwriter asserted that when it comes to cyber security specifically, a company should establish a direct line for ERM reporting to its board of directors rather than a hierarchal chain that requires many approvals before funds can be spent on someone (e.g., outside cyber forensics support) or something (e.g., a new technology) to address a cyber risk or incident.
So what does all this mean, if my INC. 500 company is part of the supply chain of a Global 500 organization?

It means that your ERM program will be under the magnifying glass, if not now, then very soon.  If you are considered to be a vital supplier to the Global 500 enterprise, then you most likely are cyber-connected for data exchange or even more.  The digital systems-level decisions and the speed of business require that you have cyber data handshakes every few minutes or seconds.  The ability of your product or service to perform requires this high degree of "Trust Decisions."

The time has come for Cyber Risk insurance to mature and to become another standard component in the Operational Risk Management (ORM) portfolio.  We look forward to seeing the language of the policies themselves as they evolve.  Will attribution of the origin of the cyber attack be a factor in a first-party coverage claim?  We think you can count on it...