16 June 2013

ID Analytics: Risk of the Unknown...

Operational Risk Management (ORM) has been at the top of the news in the past few weeks.  Digital media and the metadata of "Big Data" is the topic of choice.  It is a revealing look behind the curtain of what is possible these days, with the tools and capabilities that exist for exploitation and analysis.  Is too much privacy an operational risk to your personal and professional well-being?

In the spirit of full disclosure, if you are reading this now, we tracked how you found this blog and perhaps what search terms you used to be referred here.  Some of you revealed your company identity.  So why do we do this?  The main reason is that we want to make sure that we understand what is on your mind these days, when it comes to the global Operational Risk Management (ORM) universe.  Here are a few examples from the past day or so that caught our eye:
  • management of operational risk - Latvia
  • operational risk management - Nigeria, Illinois, South Dakota, The Vanguard Group
  • common board of directors mistakes - Turkey
  • lessons learning from fail in operational risk - Malaysia
  • predictive intelligence - North America
  • rogue trader operational risk - United Kingdom
  • fund industry operation management discussion topic - Luxembourg
  • operational risk management game - Unknown
  • reputation risk management process - Unknown
  • operational risks in bank call center - Qatar
  • coso definition of operational risk - Unknown
  • black swan incident that occurs once in a lifetime - Unknown
  • ubs operational risk case analysis - Unknown
  • business resiliency definition - JP Morgan Chase
  • "operational risk" outliers - France
  • a risk effect on a daily operation - DeVry
  • examples of smart objectives risk - United Kingdom
  • black swan incident - South Carolina
  • black swan incident - Computer Sciences Corporation
  • what is a black swan incident - South Carolina
  • duty of care board of directors - United Kingdom
Collection of data is one thing.  Relevance and sense-making is another.  Can you imagine some of the search terms that are tracked just by Google or Bing?

What about the companies that know us the best?  Those marketing and personal data sites that keep track of where you live, how much you spend on your credit cards and where, or even the name of your pets.  How often do you give them your phone number or e-mail address at the point-of-sale (POS) to get a discount at the local retailer, gas station or pharmacy?  Believe us when we say that there are hundreds of organizations in the private sector that know more about you than some governments around the world.

The trail of "digital fingerprints" you leave behind every day is vast.  A snapshot of your face at the local ATM or a snapshot of your desktop when you log in to the online banking web site.  In either case, these examples are just a few of the ways that your habits, locations, preferences and lifestyle are profiled each and every day.  Where did all of this begin?  Fraud Management.  Not Homeland Security.

As a citizen traveling across the country or as a consumer, you willingly give up these digital bread crumbs of your journey through life.  Your goal now is to make sure that you are not mistaken for someone else.  After all, you or your organization has developed a profile and a reputation that is being recorded, and therefore it could be a prudent strategy to make sure that you are not mixed up with another person or organization with the same name or brand identity.

How can you do this?  Operational Risk Management (ORM) is about monitoring yourself and your organization to make sure you understand your competition (good or bad) for the same personal or business identity space.  Do you have Biometric and DNA samples of all of your key executives?  If you don't, then the question is why not?  You may have considered this in light of some of the places that your executives are traveling: cities and countries across the globe with the risk of kidnapping, improvised explosive devices (IEDs) and other threats to their lives.

As we look into the crystal ball of our digital futures, we see the scenes from movies past that have already captured our own human imagination.  A world where everyone is known and you may even choose to "opt-in" to be tracked.  After all, you are unique.  You make your own choices in life.  The risks may very well be greater for those who choose a life that remains private, anonymous and even unknown.

09 June 2013

Rule-based Design: The Future of HSI...

Levers in the Homeland Security Intelligence (HSI) ecosystem impact the performance and the health of the environment in which the entities share their respective insights. These HSI entities are people within the analytic ecosystem, who are diverse in the art and science they utilize to create and share insight.

The threat to any ecosystem in many cases is "too much" or "too little" of a key element of that environment that makes it thrive. Anything that occurs to offset the equilibrium in the ecosystem can have dramatic effects. What is the greatest killer of human beings on the planet earth over the past few decades? A good guess would be "Drought". Too much sun and too little water has killed millions.

Yet in the context of intelligence, if data is "The Sun" and shared insight is "The Water", then a prudent course of action is required in order to mitigate the impacts of upsetting the equilibrium of our HSI ecosystem. The levers should assist in the governance of the right amount of data and the right amount of shared insights so that no one entity is at risk. Now we must examine the topic of "Rule-based Design."

That Homeland Security Intelligence analysts are experiencing too much data and not enough insight is many times the argument at hand. They are indeed at the mercy of the compliance and data governance mechanisms that are in place, because of the civil liberties, legal framework and privacy statutes across 50 U.S. states. Adding to the complexity are the systems and analytic software solutions that have been developed over the past ten plus years. The software designers must incorporate "Rule-based Design" if they are to assist in the entire equilibrium of the HSI ecosystem. Jeffrey Ritter explains:
Clearly, for the IT architect, there are lessons to be learned. For each step taken by the IT architect to better account for all of the rules that a solution must navigate, before the design process begins and long before construction of the solution is underway, the IT architect is able to better assure the timely completion of the solution, and the compliance of the systems and resulting data with applicable rules. Yet, even in this second decade of the 21st century, we are witnessing a continued failure of IT systems to be designed for compliance. Time and again, systems are designed, built and implemented without early and complete evaluation of the rules that must be satisfied. The result is that corporations (and their lawyers) are often patching compliance onto the systems after the fact. Expenses are increased, compliance is less assured, and the IT architect often gets stuck with the responsibility.
“Rules–based design” means that IT solutions are designed with a fully-informed awareness of all of the rules, including the legal rules, that the solution and the data must satisfy. With cloud computing, data that is dynamic and volatile, and mobile users, the challenge is genuine – how do we anticipate all of the legal rules that may apply?
The solution will emerge incrementally. But the first step is to accept the principle that IT systems, and their data, can be designed differently. We can take into account prior to the design process, and not after the completion of construction, all of the rules that the systems and the data must successfully navigate.
Now we must examine the "Civil Liberties and Privacy Policy" and the applicability within the Department of Homeland Security.
The Policy applies to “protected information,” which the ISE defines as information about U.S. citizens and legal permanent residents that is subject to information privacy, civil rights, and civil liberties protections required under the U.S. Constitution and Federal laws of the United States. DHS has instituted a policy whereby any personally identifiable information (PII) that is collected, used, maintained, and/or disseminated in connection with a mixed system is treated as a system of records subject to the administrative protections of the Privacy Act regardless of whether the information pertains to a U.S. citizen, legal permanent resident, visitor, or alien. As a result, this Policy also applies to information about nonresident aliens contained in “mixed systems.”
When you combine the complexity of a vast and endless data ecosystem with rule-based design intended to safeguard the civil liberties and privacy of U.S. citizens, you have the basis for a significant challenge and a simultaneous opportunity. The governance of Homeland Security Intelligence is in the hands of policy makers and software systems designers. The drought metaphor utilized earlier to illustrate the point on "too much data" and "too little insight" can now be clarified in our focus post 9/11. As of this writing, the system is working and has prevented a terrorist attack in the U.S. homeland on the magnitude of that unforgettable Tuesday in September, 2001.

The entities within our Homeland Security Intelligence ecosystem will continue to be enabled or impeded by the policy decisions of civil liberties and privacy laws. The degree to which the software systems and rule-based design are commensurate with these policies may very well determine whether the equilibrium continues its success in the United States.

The levers to improve our HSI in the midst of a dynamic and asymmetric enemy are a constant ambition. Looking into the future, we can only pray our analytic entities execute in an ecosystem that perpetuates our successes so far and minimizes our failures. The governance factors designed by our policy makers and software developers will determine our abilities to save lives and protect our vital national assets for years to come.

02 June 2013

Business Resilience: Supply Chain Risk to National Security...

The Operational Risks associated with a disruption in a supplier's "Supply Chain" are now again at the top of the Board of Directors agenda. Economic discussions inside the corporate risk management executives' conference rooms have been focused on Hurricane Sandy in the USA, floods in China and lean supply chain strategies.
The Global Risks Report 2013 analyses 50 global risks in terms of impact, likelihood and interconnections, based on a survey of over 1000 experts from industry, government and academia.  This year’s findings show that the world is more at risk as persistent economic weakness saps our ability to tackle environmental challenges. The report highlights wealth gaps (severe income disparity) followed by unsustainable government debt (chronic fiscal imbalances) as the top two most prevalent global risks. Following a year scarred by extreme weather, from Hurricane Sandy to flooding in China, respondents rated rising greenhouse gas emissions as the third most likely global risk overall. The findings of the survey fed into an analysis of three major risk cases: Testing Economic and Environmental Resilience, Digital Wildfires in a Hyperconnected World and The Dangers of Hubris on Human Health. In a special report on national resilience, the groundwork is laid for a new country resilience rating, which would allow leaders to benchmark their progress. The report also highlights “X Factors” – emerging concerns which warrant more research, including the rogue deployment of geoengineering and brain-altering technologies.
The art of Risk Assessment and Vulnerability Management extends beyond the guards, gates and firewalls defending your global institutions. The risk of a supplier's "Supply Chain" disruption has grown significantly in the past year as a result of just-in-time (JIT) inventory management. This is further inflamed by the outsourcing momentum as some economies continue their struggle with high unemployment or natural disasters.

Automotive and semiconductor chip companies are feeling the impact of components out of stock and the race to find alternative suppliers to keep production lines at full capacity. The implications and outcomes of a lack of effective supply chain resilience planning can create exposure beyond just a loss of sales. This myopic approach to Operational Risk Management strategy can extend to market share erosion and a tarnished brand image. These quickly translate into the potential loss of shareholder value.  One must remember Fukushima.  Marc Levinson explains:
It is hard to quantify how much supply-chain interruptions have cost business in recent years, because they generally go undisclosed. After all, no company wants to alert its competitors to weaknesses in its business model. And even in the case of the Japanese disaster, many companies with lower profiles than the automakers have yet to announce how they will be affected by shortages of or higher prices for essential components. Public attention has focused on outages at Japanese plants that turn out silicon wafers and memory chips, but there are surely many more obscure products that are in short supply.  The total cost of lost U.S. production due to shortfalls of Japanese components will easily run into the billions of dollars; slowing or closing down auto assembly lines, as several manufacturers have already done, does not come cheap. Other products that are “made in America,” particularly factory equipment, also rely heavily on Japanese electronics, and even if those producers are not forced to close plants temporarily, the risk of delays in filling orders may cause impatient customers to defect to competitors who do not depend on inputs from Japan.
The risk assessment of suppliers' "Supply Chains" will no longer be overlooked by the Board Room. More prudent audits of current supply chain exposures will take place and corporate operations management will feel the pain for some time to come. The independent and thorough review of the exposures to the institution is going to make some in procurement and accounting uncomfortable. The risk mitigation strategy going forward will invoke a third party review of most supply chain strategy planning, to encompass the use of "Black Swan" scenarios and alternative thinking on the risk of volatility.

Even in October 2010, a survey of resilience professionals conducted by The Business Continuity Institute found that almost three quarters of supply chains had experienced significant disruption in the 12 months prior to the study. With 28 per cent of those occurrences attributed to supplier insolvency and 20 per cent due to failure of outsource service provision, almost half of these supply chain disruptions were down to supplier or service provider failure - in other words, circumstances outside one’s own immediate control.

So how resilient is your supplier's "Supply Chain"? The security and safety of your private sector organization's supply chain is now back on the Board of Directors agenda, so what are you doing about it? Now think about this. What if the security and safety of your country depended upon a specialized semiconductor for an electronic component that was destined for Boeing, Raytheon or Cisco?

The risk of your supplier's "Supply Chain" may have consequences far beyond the bottom line at the next shareholders meeting. It could mean the difference between having a resilient economy or a devastating asymmetric attack on the homeland.

27 May 2013

Memorial Day 2013: The Courage of Risk Decisions...

Walking through Section 60 at Arlington National Cemetery on Memorial Day weekend 2013 is a stark reminder of the Operational Risk Management challenges we have faced this past decade.  One example can be found in the current budget at the Pentagon to defeat the IED.

Billions of dollars are devoted to the strategies and tactics to keep U.S. "boots on the ground" on foreign lands from becoming KIA, an amputee or another invisible wound such as Traumatic Brain Injury or Post Traumatic Stress Disorder.  Regardless of the dollars devoted, many grave markers in Section 60 have birth dates in the 1980s and 1990s.  Standing there yesterday, a tear rolled down a cheek and the wind quickly blew it away...
Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3].
If you are in the military, we will thank you for your courage of service on Veterans Day, as we have before.  This day, however, is for those in the armed forces who have died while serving.  Simultaneously, we must thank all of the other "Operational Risk Management" subject matter experts.  The "Quiet Professionals" who operate every day in the shadows.  We hope that their decisions will continue to be the right ones.  They live each day with the burden of managing risk decisions that could send another U.S. soldier on their way to Section 60.

This Memorial Day and each day after, an average of 22 veterans will take their own lives.  Here in their own home town, in their own country.

The risks that each of us take in our chosen careers and life decisions are a mosaic of future events that can be managed.  The likelihood and impact of those risks can be assessed and decisions can be made.  What risks will be mitigated, accepted or avoided altogether?  It is up to you.  These decisions will determine your risk appetite and your willingness to bear the consequences of your choice.

On our July 4th birthday, we will all remember why we celebrate Memorial Day in the United States.  It is worth the sacrifice, the loss and the tears.  God bless our heroes and this great nation!

18 May 2013

CAG 20: Red Team Exercises...

The Consensus Audit Guidelines (CAG) have been public for years and the 20 controls are vital to our enterprise business resilience. One stands out, however, because it is not automated and requires a specific, advance Operational Risk Management strategy. CAG: Critical Control 20: Red Team Exercises:
Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they burrow deep and expand the number of systems over which they have control. Most organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared for identifying and responding to attack.
This control goes beyond traditional penetration testing, which typically has the goal of identifying vulnerabilities and showing their business risks. Red Team Exercises are exercises in the traditional sense of military exercises, where the three goals are improved readiness of the organization, better training for defensive practitioners, as well as inspection of current performance levels. Independent red teams can provide valuable objectivity regarding both the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even those planned for future implementation.
We would like to emphasize the importance of executing this strategy beyond the IT and Information Systems within the organization. In any significant business disruption or "incident", whether it be the breach and theft of a database full of "Personal Identity Information" (PII) or the breach of a rear window of a corporate executive's residence to initiate a kidnapping plot, the goal remains the same:
"Attackers use tools to exploit a vulnerability; to create an action on a target, that produces an unauthorized result to obtain their objective."
Think about it for a minute. Whether it be the online digital world or the offline physical environment your organization is operating in today, someone is probing and testing your vulnerabilities. The only possible way for you to discover them before your adversary does is to continuously attack your own business and its assets. And possibly most importantly, it must be done on a clandestine basis:
clandestine from L. clandestinus "secret, hidden," from clam "secretly," from base of celare "to hide"
What value can be gained from exercises or testing that is conducted with advance warning to your staff or team? Very little. To execute the "Red Cell" approach, and to effectively improve and increase the resilience of your organization, the strategy execution must remain secret. Yes, of course, there will be people placed throughout the organization in key areas who know that the exercise or attack on the organization is a planned exercise. However, they are informed only for safety and liability purposes, along with the potential injection of simulations that increase the effectiveness of the vulnerability testing.

The CAG has 20 controls that are focused on Cyber Defense and many of these will require manual intervention, planning and effective oversight. Automated tools can only go so far to address the real goal of understanding human behavior during and after a "Real Incident" actually unfolds. In the context of using a Red Team exercise you must include the use of Gavin De Becker's "Elements of Prediction" with your employees and stakeholders:
1. Measurability - How measurable is the outcome you seek to predict?
2. Vantage - Is the person making the prediction in a position to observe the preincident indicators and context?
3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?
4. Context - Is the context of the situation clear to the person making the prediction?
5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?
6. Experience - Does the person making the prediction have experience with the specific topic involved?
7. Comparable Events - Can you study or consider outcomes that are comparable, though not necessarily identical, to the one being predicted?
8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?
9. Investment - To what degree is the person making the prediction invested in the outcome?
10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?
11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?
This is how and where you extend your physical controls to the actual people who will make the difference before and during a critical incident in your enterprise.

11 May 2013

Invisible Wounds: Risk to the One Percent...

There is an alarm bell ringing within the ranks of Operational Risk Management executives in the United States.  As brave, experienced and motivated veterans enter the U.S. civilian work force, it is growing louder by the hour.  Our "One Percent" who serve in the military, leaders returning from over a decade of war and those who have earned the Global War on Terrorism Expeditionary Medal (GWOTEM), now have a new adversary.  Does your organization hire veterans or spouses of vets?  How are you taking an active role in veterans' hiring, career goals, aspirations and training?  What are the potential indicators of an employee at risk?
Melanie Haiken, Contributor - Forbes
Almost once an hour – every 65 minutes to be precise – a military veteran commits suicide, says a new investigation by the Department of Veterans Affairs. By far the most extensive study of veteran suicides ever conducted, the report, issued Friday, examined suicide data from 1999 to 2010.
The fact is that about 31% are vets who are under 50 years old and in the prime of their lives and careers.  The Operational Risks associated with a workplace with a growing number of veterans come in different areas of concern and opportunity.  The awareness building program within a workplace, that is focused on mitigating risks to the enterprise, should be focused on behaviors and pre-incident indicators, especially when it comes to humans.  "Invisible wounds" are just that.  They are hard to see.

Has your organization been faced with an employee who was a veteran and took their own life?  The cues and clues may not be so obvious.  Human Resources departments, Organizational Development management and senior executives are starting to hear that alarm.

There are people walking around your organization at this very moment who are at risk, and you may be naive to the indicators.  Begin the process today to change this growing epidemic.  Create a mechanism for building awareness of the potential pre-incident indicators.  More importantly, what are you doing to proactively evaluate and monitor employees who are veterans?
60 Minutes - Invisible wounds of war by David Martin
An estimated quarter million servicemen and women have suffered concussions over the past decade of war. Tens of thousands -- no one knows the precise number -- are dealing with lasting brain damage. The Pentagon, which did not recognize the problem until the war in Iraq was almost over, is now scrambling to treat these invisible wounds. And soldiers suffering from them sometimes end up wishing they had a wound people could see.
There are programs for building awareness with employees and even a growing number of non-profit organizations that are making a difference.  The point is, what is management doing to proactively engage fellow executives on multiple fronts?  Here is one example that you should be investigating immediately.  Pretend for a moment that you, as a CEO, are a veteran that is applying for a job at your company.  Go to your own career web site page and apply for a job at your company.  Why?  See how easy it is.  See what happens next.

The reason is clear.  You don't have any idea what a veteran goes through to first apply for a position with your company.  Second, you do not fully understand how your own HR and recruiters follow up and provide any feedback to the applicant, once they have navigated the vast maze of your latest outsourced online job platform.

We would also ask that you investigate your organization's process for periodic assessments of employee performance.  How is this the same or different for a veteran?  Has it been modified, or is it done with a trained professional who may be able to use substantial experience to provide an early warning system for vets who may be at risk in your workplace?

Whether you are in the military ranks now as a commander or you are an executive in government, business or a non-profit, you think you know the stakes.  You think you understand the Operational Risks associated with the hiring and employment of veterans.  You do not, because no one does completely.  This complex mosaic of laws, health care and human psychology issues may very well be one of the greatest operational risk challenges before us as a nation.

Begin your journey to better understanding this, by visiting this U.S. Department of Veteran Affairs web site:  http://www.veteranscrisisline.net

This Memorial Day, we will remember all those heroes who have fallen, especially here at home.  In our own town.  We can and must do better...

04 May 2013

Offshore Strategies: Global Integrity Risk...

Global 500 organizations are managing Operational Risks across their respective enterprises, utilizing a portfolio of controls, tools and strategies.  One of those strategies is getting more attention from nation states and treasury departments.  Larger than Wikileaks, this ICIJ investigation is a digital peek behind the offshore strategy that is legal in many jurisdictions across the world:
An anonymous source has provided extensive insights into a worldwide network of tax evaders.
Media in more than 30 countries are currently sifting through a mountain of data.
260 gigabytes of documents - that's the printed equivalent of 500,000 copies of the Bible.
This is the massive amount of data that was passed on more than a year ago by an anonymous whistleblower to the International Consortium for Investigative Journalism (ICIJ) in Washington. More than two million emails and other confidential documents sketch a picture of a dubious shadow world. More than 130,000 people from 170 countries are alleged to have secreted their money in tax havens. Analyzing the data is a mammoth task that is still nowhere near completion.
The governance and the transparency that a global enterprise displays to its shareholders, employees and governments is continuously at stake.  Some countries are considered more corrupt, and global organizations operating in those parts of the world should be more aware of the risks of doing business there.
Some other interesting revelations:
  • The largest shares of the people setting up offshore accounts live in China, Hong Kong, Taiwan, Russia or another former Soviet republic. 
  • In turbulent Greece, both the upper and middle class are increasingly keeping their money in undeclared accounts — a situation that finance officials have since vowed to investigate.
  • A number of the world’s largest collectors use offshore accounts to buy and sell art without paying taxes. 
  • Offshore accounts are popular in Russia, where President Vladimir Putin has repeatedly asked politicians to stop using them: the deputy prime minister’s wife and top managers of Russian military contractors and government-controlled companies are thought to have secret offshore investments. 
  • Offshore accounts are a major source of investment in China and Russia. China’s second-largest source of capital investment is the British Virgin Islands.
Billionaires and politicians are hedging risks on the advice of tax attorneys, accountants and financial strategies that are as old as tax laws.  Inside private business compliance and legal departments lies a vast staff of dedicated personnel who are tasked with mitigating risks to the organization.  Some global enterprises such as Siemens AG have paid the price of a governance architecture that failed.  Today, those lessons learned are still being taught even as others are implicated in alleged wrongdoing:
IBM Says Justice Department Investigating Bribe Allegations
By Sarah Frier on May 03, 2013

International Business Machines Corp. (IBM) is being probed by the U.S. Justice Department over corruption allegations in Poland, Argentina, Bangladesh and Ukraine, adding to bribery charges from the Securities and Exchange Commission.
The Justice Department is investigating whether IBM violated the Foreign Corrupt Practices Act, the company said in an April 30 filing (IBM). In Poland, the department is focusing on a transaction that the Polish Central Anti-Corruption Bureau already was studying, the company said. It involves allegations of a former IBM employee selling to the Polish government.
The Justice Department probe adds scrutiny in new territory as IBM tries to settle with the SEC over activity in China and South Korea. The global reach of the investigation indicates that this isn't an isolated matter, said Charles Elson, corporate-governance professor at the University of Delaware.
“If it happens in one country, you can say it’s an individual,” Elson said. “If it happens in multiple, you have to ask, is it systemic? And how well was the compliance program put in place to prevent it?”
So what can a General Counsel, VP of Operational Risk, Chief Risk Officer or even the Audit Committee do, in light of these continuous incidents?  The trust that any person or organization has with its bankers, outside counsel, compliance subject matter experts, accounting advisory and management consultants is at stake.  The integrity of the entire global payments and economic ecosystem is at risk.  This source of systemic risk to governments, global enterprises, stock markets and average consumers is growing beyond control.

What can be done?  The serious conversation going on right now between your independent counselors continues to focus on trust and the people who are behind that trust.  You have got to have that serious conversation as a CEO, not with your first line of management Vice-Presidents, but several layers below them in the corporate hierarchy.  Believe us when we say, as the CEO, you can't see two layers below you, where all of the real work on daily transactions is getting done every day.  You are not on the front lines, where deals are being made and information is being exchanged that can have a material impact on daily business.

You see, it really all still comes back to people communicating information ethically: how and when people act on that information, and why people behave the way they do when they learn it.  As a CEO in charge of a global enterprise you will never have transparency or integrity controlled from HQ on the executive floor, or from your executive analytic GRC dashboard.  Your only chance is to reach the people who are at the source of doing business in your line processes, not staff, but "line".  The "line" is the lifeblood of daily business commerce and the power base for making a difference in how business is done and the integrity behind it.  The future of your enterprise depends on these people communicating information that is true, validated and researched to uncover any possible errors, omissions or other ethical issues.

The power base of the global economy is constantly changing.  The risks to the economic enterprise continue and the investigations are just beginning.  Offshore strategies are at the core of global integrity risk.

27 April 2013

Social Media Risk: Situational Awareness on Wall Street to Main Street...


It has been a wild few weeks for Twitter and the Operational Risks associated with account hijacking and "Tweets" that may compromise the positions of active police activities. The Boston Police were warning people via their official Twitter account:

The first official announcement that law enforcement agencies had concluded their manhunt for Boston Marathon bombing suspect Dzhokhar Tsarnaev didn’t come at a press conference by police commissioner Ed Davis or Mayor Tom Menino. It didn’t come from a press release or a dispatch over a police scanner. It came instead from two tweets:
Boston Police Dept. ✔ @Boston_Police  #MediaAlert: WARNING: Do Not Compromise Officer Safety by Broadcasting Tactical Positions of Homes Being Searched.  8:52 AM - 19 Apr 2013 
Boston Police Dept. ✔ @Boston_Police  #MediaAlert: WARNING - Do Not Compromise Officer Safety/Tactics by Broadcasting Live Video of Officers While Approaching Search Locations.  1:14 PM - 19 Apr 2013
Social Media and a hacked AP Twitter account were the catalyst for a sudden drop in the financial markets. As the news service realized what had occurred they contacted their employees in the White House briefing room to refute the information:
Twitter Inc. plans to bolster security on its site after the account of the Associated Press news service was hacked and an erroneous post triggered a stock-market decline, according to a person familiar with the matter. 
Two-step authentication will be introduced to make it harder for outsiders to gain access to accounts, said the person, who declined to be identified because the information isn’t public. In addition to a password, the security measure requires a code sent via text message to a user’s mobile phone, or generated on a device or software. 
Twitter’s defense against password theft came under scrutiny this week after a hacker sent a false post about explosions at the White House, triggering a drop that wiped out $136 billion in value from the Standard & Poor’s 500 Index.
Social Media is becoming a source of real-time situational awareness, and organizations that have ignored its potential impact on their Operational Risk are now paying attention. Proactive steps are now being taken not only to monitor the daily feeds on official company Twitter accounts but also to upgrade the security of those accounts by using multi-factor authentication.
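The "code generated on a device or software" in the excerpt above is normally a time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP). The following is an added example, not code from Twitter or from the original post: a minimal TOTP generator and a verifier with a one-step clock-drift window. It uses the RFC 6238 test secret so the output can be checked against the published vectors; the 30-second step, 6 digits and the drift window are this example's assumptions.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"); used here only so the
# codes can be checked against the RFC test vectors. A real deployment uses a
# random per-account secret shared with the user's authenticator app.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # assumption: the common 30 s time step
DIGITS = 6          # assumption: the common 6-digit code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second windows since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Accept the code for the current window and `window` steps either side.

    The tolerance covers clock drift between phone and server; keep it small, because
    every extra accepted step widens the guessing window. Comparison is constant-time.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        # Evaluate every window so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret, counter + delta, digits), candidate)
    return ok


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print(f"current code: {code}, verifies: {verify_totp(DEMO_SECRET, code, now)}")
```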

Companies such as Duo Security are going to start seeing an uptick in their web site activity as a result of these latest hacks on Twitter and others. Why? Because it works.

Corporate integration of public relations and information security is nothing new per se. What is getting more attention is how social media has become a catalyst for changing human behavior. Even more revealing is how automated trading systems react to a false tweet on Twitter. Have the algorithms gone too far in high frequency trading? Not really. HFT professionals don't let Twitter change their strategies. Here is a dose of reality:
There is little predictive value in the events of the "Hack Crash." However, there are some key takeaways for traders. First is the importance of protective stops. One never knows what could happen next. Second, verify news reports. I have the AP's iPhone app, which alerts me to breaking news and had no mention of the tweet until after the fact. Therefore, the corporate disconnect between Twitter and their app was my first clue it was bogus. Finally, cut the high frequency traders some slack. Their programs are based on risk and reward just like our own and the liquidity they provide in times of dramatic events is exactly what allows us to get out of the market and keep some powder dry until the smoke clears.
What will continue to be an ongoing trend in corporate ranks is the need to continuously monitor social media and to spend the time on due diligence to determine what is real and what is simply "Information Operations" (IO). IO in the corporate ranks and across Wall Street is the name of the game. Those who understand how to manage their monitoring and deal with the daily anomalies will be able to mitigate the major risks to the enterprise.

Our only hope is that the thousands of major law enforcement agencies across the globe are doing the same. @Boston_Police is a good place to start with any lessons learned.

20 April 2013

Boston Marathon: Vigilance of Intelligence...

Since the Boston Marathon terrorist attack on Patriots Day, April 15th, 2013, the spectrum of Operational Risks that has descended upon the region and the country is vast.  People, processes, systems and external events are the state of play.  If you own a backpack and you are taking it on public mass transit or to a public event soon, remember this.  The new normal has finally arrived in the United States of America, again.

What does the face of terrorism look like?  London understands.  Oslo now understands.  FOB Chapman understands.  Even as we begin the analysis of this latest U.S. based event in context with all the similarities of past episodes of terror, we are left with one absolute known.  Operational Risk Management is essential, no matter who you trust and how much you trust them.  The public now understands this once again and regardless of how much we may want to continue to enjoy our civil liberties and privacy, you never know when or how this will happen again.

Why is it that Israel and other nations that are far more advanced in their Operational Risk strategies still witness numerous incidents of terror?  Because terror is impossible to eliminate.  It is only possible to mitigate the risks and the likelihood of occurrence.  Public safety and security incidents of this magnitude are the visible metric by which we all judge our progress.  Our only hope is better intelligence.  Lisa Ruth explains:
Intelligence is the best, the only, way to defeat the terrorists. To tackle the terrorist threat, we need all the weapons in our intelligence arsenal. That starts with intelligence requirements from the entire community that are well-focused and well-targeted. It means funding and a mandate to succeed. It means strong collection. We need human intelligence, which comes from case officers recruiting sources on the ground to give us information. We need electronic information, including telephone intercepts and static listening devices. We need overhead photography. We also need open source information such as web sites, facebook pages and other publicly available information. We need analysis, putting the pieces together. And we need decision makers who trust the intelligence services and listen to what they are saying.
Read more: http://communities.washingtontimes.com/neighborhood/intelligence-and-world-affairs/2012/sep/14/intelligence-best-weapon-war-terror/#ixzz2R1IszHhp 
So in the dark shadows and behind closed doors, the whispers continue to debate how Boston Patriots Day 2013 could have happened.  Why didn't the intelligence we already had provide the warning in time, in the midst of a glaring yellow flag?  As the analysis continues and the best and the brightest determine the lessons learned, we can only pray that process changes take place and behaviors are modified.

There will be numerous accounts of heroism, of people who saw or reported details that helped stop the Boston terror.  What matters most from this point forward is that "John Q. Citizen" realizes the importance of being ever vigilant.  Having a continuous sense of personal vigilance is our only hope.  Whether in the crowd at the next marathon or in a lonely office cube off Route 123 does not matter.  The goal is the same and we must not lose sight of our mutual responsibilities and unified purpose.
Godspeed America!
  1. An expression of good will when addressing someone, typically someone about to go on a journey or a daring endeavor.

06 April 2013

BCOT: Insuring Privacy and Civil Liberties...

The U.S. Nationwide SAR Initiative brings the conversation of privacy and intelligence collection to a point of convergence. Guidance for local, regional and state agencies can be found in the "Building Communities of Trust" (BCOT) program being rolled out across the country.

The continued priority is to safeguard the privacy, civil rights, and civil liberties of United States citizens (including the assurances that not only is information shared appropriately with authorized personnel but that the information that is exchanged is "quality" information). Can a nation continue to increase its daily hometown "Situational Awareness" while simultaneously preserving the constitutional rights of, and trusted relationship with, its own citizens?

The Suspicious Activity Reporting (SAR) initiative is about Homeland Security Intelligence (HSI) engineered for the United States to ensure the privacy and civil liberties of its citizens. Governance of vital intelligence data is at the core of the program design, combining the correct process for access and compartmentalization with retention policies for certain types of relevant information.

The BCOT Guidance describes the challenges that must be addressed by fusion centers, local law enforcement agencies, and communities in developing these relationships of trust. These challenges can only be met if privacy, civil rights and civil liberties are protected. For fusion centers, this requires strong privacy policies and audits of center activities to ensure that the policies and their related standards are being fully met. For law enforcement agencies, it means that meaningful dialog and collaboration with communities needs to occur in a manner that increases legitimacy of the agency in the eyes of that community. Law enforcement must establish legitimacy in the communities they serve if trusting relationships are to be established. For communities, their leaders and representatives must collaborate with law enforcement and share responsibility for addressing the problems of crime and terrorism prevention in their neighborhoods.

Relationships of trust will not be established until key community leaders understand the intent of the information sharing environment and the preventive role that fusion centers and the SAR process play in protecting the community from crime and violence. A fully transparent explanation can be the foundation for broad community understanding of the importance of these initiatives as well as the critical privacy, civil rights, and civil liberties protections that are in place.

The issue of trust is paramount in any relationship, whether it be personal or a JTTF working in concert with the local Metropolitan Police Department. In either case, the "Four Cores of Credibility" are necessary for humans to operate at the "Speed of Trust":

  • Integrity is deep honesty and truthfulness. It is who we really are. It includes congruence, humility and courage. To increase your integrity, make and keep commitments to yourself. Stand for something and then live by it. Be open. Do you seriously consider other viewpoints? 
  • Intent is your fundamental motive or agenda and the behavior that follows. It includes motive, agenda and behavior. To improve your intent, examine your motives. Are everyone's interests being served? Share the "why" behind the "what" wherever possible. 
  • Capabilities are our capacity to produce and accomplish tasks: talents, attitudes, skills, knowledge and style. To build your capabilities, run with your strengths. Match your strengths to unique high-value opportunities. Know where you are going and keep the vision in front of you. 
  • Results are your track record. People evaluate you on three key indicators of performance: past, current and anticipated. To improve your results, take responsibility and adopt a "results" mind-set. Expect to win and create a climate of high expectations. Finish strong and avoid the "victim mentality." 
Trust in a relationship and an environment of trust in the economy, national security or the stock market makes all the difference. The behaviors that you exhibit in public and behind closed doors with your stakeholders will set the tone for everyone inside and outside the organization. Can you think of any companies or people over the past two years that you have lost trust in?

When a person loses trust in another person, a company or its government, in many cases it comes back to information governance. The time, place and method for information dissemination or sharing will in many cases, become the basis for the reason why trust is maintained or eroded in the eyes of the other.

Suffice it to say that more than ever, "Open Source" information is becoming the starting point for all intelligence collection activities. In the context of corporate policy regarding the use of systems, most if not all companies have the right to monitor all applications for "Red Flag" indicators of fraud, espionage or other violations of state and federal laws. Corporations are using "Open Source" information to determine the initial profile of potential candidates for open positions, including the analysis of Facebook or LinkedIn social networking sites.
Executive Order 12333 emphasizes US citizens' rights:
The Executive Order maintains and strengthens existing protections for Americans' civil liberties and privacy rights. The Executive Order retains and reinforces the provisions in place in the original Executive Order 12333 to ensure that all intelligence activities are conducted in a manner that protects the civil liberties and privacy rights of Americans. All collection, retention, and dissemination of information regarding United States persons must be conducted in accordance with procedures approved by the Attorney General.
The future of "Building Communities of Trust" in the United States will require significant investments in building awareness, training front line officers and implementing effective oversight mechanisms. It will be achieved without the sacrifice of the rule sets established in 1791.

30 March 2013

Frames of Mind: The Risk of Analytic Convergence...

Are there growing Operational Risks to our national security and private sector enterprises as our intelligence community (IC) continues its path of convergence?

We are using the tools and software to automate as much of the collection and the work flow as possible before the human "Grey Matter" is necessary to the final analysis. The fact that 80% of the time is spent on collection/searching and 20% on actual human processing, tells us that we have a long way to go.

Getting to the point where we are spending even more than half of the time doing actual human analysis is a long way off into the future. Software systems are getting automated crawlers to pull more relevant OSINT into the "Big Data" bases for unstructured query, yet what about the front line observer who is the witness to an incident? They must process this by interfacing with a paper-based report that is filled in with a #2 pencil, or an electronic form on a PDA with check boxes and categories that best describe the observed event, to produce what risk managers, watch commanders and operations directors need for more effective decision support.

It dawned on us again that perhaps the most vulnerable area of our entire mission is the actual analytical process. We have highlighted the "Analysis of Competing Hypotheses" (ACH) methodology in the past:

Use ACH when the judgment or decision is so important that you can't afford to be wrong. Use it to record and organize relevant evidence prior to making an analytical judgment or decision. Use it to identify and then question assumptions that may be driving your thinking, perhaps without realizing it. Use it when the evidence you are working with may be influenced by denial and deception. Use it when gut feelings are not good enough, and you need a more systematic approach that raises questions you had not thought of. Use it to prevent being surprised by an unforeseen outcome. Use it when an issue is particularly controversial and you want to highlight the precise sources of disagreement. Use it to maintain a record of how and why you reached your conclusion.

To our own demise, how much time are we spending teaching people how to create .csv files and Excel spreadsheets so they can be imported into a link analysis chart or tool?  Getting correct, clean and accurate data into the tool is very important. Once the intel analysts take over and start the Who, What, When, Where exercises to gain a visual picture of the incidents, actors and the cues and clues associated with the "Modus Operandi" (MO), people start to get way too excited about the possible outcomes. That is when it's time to stop, assess and use ACH.
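The core of ACH is a matrix: each item of evidence is rated against every hypothesis, and the hypothesis with the least evidence against it survives, not the one with the most evidence for it. The following is an added example, not the page's own material or any official ACH tool: a minimal matrix scorer over a constructed scenario (unexplained bulk outbound transfer from a bank host, three competing hypotheses). The rating scale, the credibility discount and the "linchpin" check for evidence whose loss would flip the conclusion are this example's own design choices.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Heuer-style ratings: CC/C consistent, N neutral or not applicable, I/II inconsistent.
# Only inconsistency counts against a hypothesis: ACH keeps the hypothesis with the
# fewest (weighted) inconsistencies rather than the one with the most support.
INCONSISTENCY_WEIGHT = {"CC": 0.0, "C": 0.0, "N": 0.0, "I": 1.0, "II": 2.0}


@dataclass(frozen=True)
class Evidence:
    label: str
    description: str
    ratings: Tuple[str, ...]     # one rating per hypothesis, in HYPOTHESES order
    credibility: float = 1.0     # 0..1 discount for weak or possibly deceptive sources


def inconsistency_scores(hypotheses: List[str], evidence: List[Evidence]) -> Dict[str, float]:
    """Sum the credibility-weighted inconsistency of all evidence against each hypothesis."""
    scores = {h: 0.0 for h in hypotheses}
    for e in evidence:
        if len(e.ratings) != len(hypotheses):
            raise ValueError(f"{e.label}: expected {len(hypotheses)} ratings, got {len(e.ratings)}")
        for h, rating in zip(hypotheses, e.ratings):
            scores[h] += INCONSISTENCY_WEIGHT[rating] * e.credibility
    return scores


def rank_hypotheses(hypotheses: List[str], evidence: List[Evidence]) -> List[Tuple[str, float]]:
    """Least inconsistent first; sort is stable, so ties keep the hypotheses' listed order."""
    return sorted(inconsistency_scores(hypotheses, evidence).items(), key=lambda kv: kv[1])


def is_diagnostic(e: Evidence) -> bool:
    """Evidence that weighs identically against every hypothesis cannot tell them apart."""
    return len({INCONSISTENCY_WEIGHT[r] for r in e.ratings}) > 1


def linchpin_evidence(hypotheses: List[str], evidence: List[Evidence]) -> List[str]:
    """Labels of items whose removal (say, if shown to be deception) changes the leading hypothesis."""
    leader = rank_hypotheses(hypotheses, evidence)[0][0]
    pivots = []
    for i, e in enumerate(evidence):
        without = evidence[:i] + evidence[i + 1:]
        if rank_hypotheses(hypotheses, without)[0][0] != leader:
            pivots.append(e.label)
    return pivots


# Constructed scenario (not a real case): 02:00 bulk transfer from a bank host.
HYPOTHESES = ["H1 external intrusion", "H2 malicious insider", "H3 misconfigured backup job"]
EVIDENCE = [
    Evidence("E1", "Large outbound transfer at 02:00 to an external host", ("C", "C", "C")),
    Evidence("E2", "Destination address belongs to the contracted backup provider", ("I", "I", "CC")),
    Evidence("E3", "Transfer ran under a service account, not a personal login", ("C", "I", "C")),
    Evidence("E4", "No malware or unknown processes found on the source host", ("II", "N", "C")),
    Evidence("E5", "Backup job schedule was edited the previous day", ("N", "C", "C")),
    Evidence("E6", "Admin who edited the schedule is subject of an HR complaint", ("N", "C", "I"), 0.5),
    Evidence("E7", "Volume moved was ten times the nightly backup size", ("C", "C", "I")),
]


def matrix_report(hypotheses: List[str], evidence: List[Evidence]) -> str:
    """Render the ACH matrix, ranking, non-diagnostic items and linchpins as text."""
    lines = ["label  " + "  ".join(h[:2] for h in hypotheses) + "  diagnostic"]
    for e in evidence:
        lines.append(f"{e.label:5}  " + "  ".join(f"{r:2}" for r in e.ratings)
                     + f"  {'yes' if is_diagnostic(e) else 'no':3}  {e.description}")
    lines.append("ranking (lower inconsistency is better):")
    for h, s in rank_hypotheses(hypotheses, evidence):
        lines.append(f"  {s:4.1f}  {h}")
    lines.append("linchpin evidence (re-verify before acting): " + ", ".join(linchpin_evidence(hypotheses, evidence)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(matrix_report(HYPOTHESES, EVIDENCE))
```

Note that the leading hypothesis here is the benign one, yet three of seven items are linchpins: if E2, E3 or E4 turns out to be wrong or planted, the conclusion flips, which is exactly the assumption-check ACH is meant to force before the link chart gets exciting.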

Utilizing an analytic process that incorporates tools and other aids to the human decision maker to increase accuracy is only prudent if you have the time to ensure a decision without error. In the absence of time, human intelligence is the only answer. We should not underestimate the "Theory of Multiple Intelligences" put forth by Howard Gardner in his book Frames of Mind.

As you read this book from 1983 and begin to apply the history of what we have learned about human cognition, and then use this in the context of an analytic process for intelligence communities, suddenly the current state of the IC and its attempt to reform itself seems crystal clear. What if we organized the competencies of intelligence organizations more closely around the multiple intelligences that Gardner has been researching for decades?

The people selected, trained and leveraged for their "Grey Matter" would be more closely aligned with what we know about the brain and the way that humans have evolved from a biological perspective in their cognitive capacities. Is it possible that we have the wrong people working in the wrong Intel agencies and the wrong roles?

  • Linguistic Intelligence
  • Musical Intelligence
  • Logical-Mathematical Intelligence
  • Spatial Intelligence
  • Bodily-Kinesthetic Intelligence
  • Personal Intelligence

Is it possible to develop an analytic process that puts the right people in the right sequence of the process so that the outcomes are closer to what we really are seeking?

The answer may lie on one of these pages. They may be the best place to start in order to understand what each of our IC entities is all about at this point in the intelligence analysis and outcomes evolution.

24 March 2013

International Risk: Cyberwarfare Rules of Engagement...

When the financial private sector views the actions of government in terms of regulation and compliance, it is often considered another risk to its operations.  Why?  More rules and the need to report on oversight create new obstacles to other, more valuable revenue-producing activities.  CDOs are an example of a financial product that explains why the government regulation mechanism continues to exist.  Yet the implementation of internal controls to thwart the embezzlement of funds or the theft of proprietary intellectual secrets is something that is encouraged and welcomed in the banking community.  This paradox is something that continues to occur in the cyber risk management domain:
Systemic risk as a result of banks' cyber interconnectivity is becoming a key risk for financial institutions, delegates at OpRisk North America in New York heard this week. The transfer of data occurring through this interconnectivity can put many banks at risk in the event of certain types of cyberattack, warned Adrienne Haden, assistant director, operational risk and IT risk policy at the board of governors of the Federal Reserve System. "Some of the key areas of concern for risk management in terms of capital involve information security and cyber security," she told the conference.
The dawn of Internet banking spawned the Operational Risks associated with using public networks for our various banking transactions.  The oversight of cyber risk management in the financial institution is becoming more mature by the day.  Government is more effectively learning how to apply the right oversight with private sector institutions, through the use of International Standards such as ISO 27001 and NIST best practices to protect Critical Infrastructure.

In the last few months, the newest strategies for cyber risk management have been a robust topic of global conversation.  New reports on the origin of state-sponsored hacking and cyber crime data breach incidents have produced some new theories on how to address these international Operational Risks:
Deadly force against organized hackers could be justified under international law, according to a document released Thursday by a panel of legal and cyber warfare experts.  Use of lethal force on those behind a cyberattack on a nation would be legal if the virtual attack meets criteria similar to those currently accepted for real-world warfare, said Michael N. Schmitt, chairman of the International Law Department at the U.S. Naval War College in Newport, R.I.  Schmitt is the editor of the Tallinn Manual on the International Law Applicable to Cyber Warfare, a 300-page book put together by a score of experts at the request of NATO and published by Cambridge University Press.
Even the most knowledgeable cyber experts are at odds over the topic of "Active Defense" and the use of asymmetric cyber force to retaliate against a so-called attack or denial of service.  A kinetic response is much clearer, based upon the source or attribution evidence of the attack.  In the cyber domain, the word "Attribute" has some very interesting ramifications.
Seoul, South Korea (CNN) -- The suspected cyberattack that struck South Korean banks and media companies this week didn't originate from a Chinese IP address, South Korean officials said Friday, contradicting their previous claim.
The Korea Communications Commission, a South Korean regulator, said that after "detailed analysis," the IP address that was thought to be from China was determined to be an internal IP address from one of the banks that was infected by the malicious code.  It said, though, that "the government has confirmed that the attack was from a foreign land."
The State-of-Play will remain the same and for good reason.  The governments of the world do not take issue with each other performing reciprocal cyber espionage.  This practice is just a new version of intelligence collection and the next manifestation of Tinker Tailor Soldier Spy.  However, if there should be any visible or kinetic damage to infrastructure, then the Tallinn Manual will be a vital resource for all.  The question remains, what is a cyberattack?  Jim Lewis says:
“Cyberattack” is one of the most misused terms in the discussion of Chinese hackers. With very few exceptions, China has not used force against the United States in cyberspace. What it has been doing is spying. And spying, cyber or otherwise, is not an attack or grounds for war, even if military units are the spies. Spying isn’t even a crime under international law, and it wouldn’t be in Washington’s interest to make it so.

16 March 2013

Legal Risk: Over-The-Horizon Digital Radar...

Operational Risk Management is a primary responsibility of an organization's General Counsel. Why?
"The definition includes Legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution’s activities."
So if you are a General Counsel or the Chief Legal Officer, your radar is consistently tuned to the "Over-The-Horizon" (OTH) risks that may impact your company, right?  The fact is that managing risk from the General Counsel's office may be significantly different from what managing risk means from the CIO's office.

Loss events associated with people's workplace behavior are many times treated differently from those events associated with a computer "intrusion" or a data breach that was also caused by human behavior.  The law is a battleground that continues to keep an entire industry busy with offensive and defensive activities and the transfer of risks from one party to another.

What is the legal risk difference between the diversion of company funds to pay bribes in a foreign country and the theft of company trade secrets?  You see, the laws associated with these loss events have different statutes, penalties and legal risk:
On December 17, 2012, Germany-based insurance and asset management company Allianz SE paid more than $12.4 million to settle with the SEC over violations of the books and records and internal control provisions of the FCPA. The activity in question concerned improper payments to government officials in Indonesia. Following common FCPA procedure, Allianz did not deny or admit the SEC’s inquiry. The company disgorged $5.3 million in profits, paid a penalty of $5.3 million, with $1.8 million in prejudgment interest. 
The SEC stated that it uncovered 295 insurance contracts on government projects that were obtained or kept by improper payments totaling $650,626. The payments were made by Allianz’s Indonesian subsidiary. 
The conduct occurred from 2001 to 2008, at which time Allianz was considered an “issuer” under the FCPA because of its activity on the New York Stock Exchange. Even though it was not listed on the exchange, the presence of its bonds and shares on the market made it an issuer and subjected it to the jurisdiction of the FCPA. The investigation was initiated internally using outside counsel after a whistleblower complaint in 2009.
On December 28, 2012, President Obama signed the Theft of Trade Secrets Clarification Act. S. 3642 (112th). The Clarification Act is a direct response to the Second Circuit’s decision in U.S. v. Aleynikov, 676 F.3d 71 (2nd Cir. 2012). (See details below.) In Aleynikov, the Second Circuit overturned a criminal conviction under the Economic Espionage Act 18 U.S.C. § 1831, et seq., after the court determined that the stolen source code was only used internally for a high-frequency trading system and was not “related to or included in a product that is produced for or placed in interstate or foreign commerce.” The Clarification Act expands Section 1832(a) to cover internal trade secrets “related to a product or service used in or intended for use in” commerce. In addition to the source code at issue in Aleynikov, this expansion could include internal processes of doing business or gathering information that may not qualify for traditional patent protection. More broadly, the quick reaction shows the importance that Congress attaches to this area of the law and puts individuals and companies on notice that increased indictments may occur down the line.
The ethics, compliance and legal components of Operational Risk Management come down to "Achieving a Defensible Standard of Care" in your organization.  The risk exposures that face your organization will also have a more immediate impact, through a loss of reputation and potential loss of market value.  On all fronts, the stakes remain high.

The modern day legal enterprise is still reactive and slow to respond to the changing environment around it.  The daily battle with legal risk is slow, compared with other risk management fronts within the institution.  The speed of response and the focus on preventive, preemptive or proactive actions is what sets apart the mental states of all of your security risk professionals.  Some people have seconds or minutes to decide and act, others have the luxury of days, months and years.

Unfortunately, for most, the costs associated with legal risk are high no matter who prevails in an incident or case. This fact alone is why the introduction of a new generation of automated tools and the memory of computer-based evidence is so important.  Decision Advantage.  The law and the legal industry are quickly playing catch-up.  Practitioners from the technology and legal industries are now even more integrated, while the courts interpret the implications of their rulings for an accelerating mobile digital global society.

You and your team have a tremendous amount of new knowledge to gain, or your enterprise will be consumed by the volume of new Operational Risks unfolding before it.  How complex could this be?

The 1983 movie "WarGames" led to an anti-hacking law with felony penalties aimed at deterring intrusions into NORAD. Over time, it became broad and vague enough to ensnare the late Aaron Swartz.

10 March 2013

Risk Leadership: From the Inside Out...

The "Leadership of Security Risk Professionals" continues to be an executive management priority in light of the asymmetric threat spectrum unfolding across the globe.  Operational Risk Management provides the umbrella for the diverse and yet interdependent processes that pulse throughout the information rich enterprise.  As a leader reflects on this dynamic ecosystem, the vulnerability that still remains most prominent is the failure to effectively integrate risk mitigation tasks by the risk professionals themselves.

How often is your Facility Security Officer (FSO) part of the strategic briefings after a Board of Directors meeting?  Explain the amount of information exchange and the substance of the daily dialogue between your head of Human Resources (HR) and the Chief Security Officer (CSO).  What new strategies have been developed this week between your outside counsel and General Counsel (GC) that have also been communicated to the Tier II management in the organization?  How do your customers get educated by your Chief Financial Officer (CFO) in concert with the Chief Information Security Officer (CISO)?  What metrics are in place to gauge the risk awareness of new industrial espionage schemes being utilized by Transnational Organized Crime (TOC) syndicates or nation states to prey on Critical Infrastructure owners and operators?

The risk professionals in your organization operate each day in the fog of unvalidated intel and exploits.  What have you done to update, adapt, renew and change the way you operate since yesterday?  It is this level of situational awareness and predictive sense-making that is necessary if you aspire to become even more resilient tomorrow.  Knowing what has changed on each other's "Risk Watch" is only one part of the daily real-time analysis.  The most time-sensitive knowledge may be the understanding of the behavioral implications of your people, processes, systems and external events as they unfold before you:
According to counterintelligence presented by the Federal Bureau of Investigation's Insider Threat Program, employees, former employees or contractors -- those who joined the organization with no intent of wrongdoing -- pose the biggest threat. 
These findings, which are based on 20 years of espionage case investigations, indicate that contrary to popular belief, when it comes to data loss and spying, the real-world insider threat is not a stereotypical hacker who covertly siphons off sensitive information on internal systems and networks. 
Authorized users with a level of organizational trust, who are doing legitimate activities with malicious intent, pose the biggest threat, according to Patrick Reidy, the FBI's chief information security officer heading up the Insider Threat Program. 
Reidy said the FBI spends about 35% of its response time on these types of incidents. Focusing on education can help minimize these problems; he said these incidents have dropped 7% at the FBI in the past year. 
Insider threats are not numerous, according to Reidy, but in terms of damages they are the most costly. Of more than 1,900 incidents reported during a 10-year period, Reidy said about 19% were malicious insider threats. Based on information from multiple, "open source" data breach reports and data loss surveys, the average cost per incident is $412 thousand, and the average loss per industry is $15 million. In several instances, damages reached more than $1 billion.
The "Speed of the Connected Enterprise" can be your best ally or your greatest adversary.  How you integrate, explain, orient, exchange and adapt in real time is now the name of the game.  Leadership of the Security Risk Professionals operating each day from the front lines to the back office of your organization requires Operational Risk Management excellence.

Without it, they will continue to operate in the haze of that invisible adversary we call complacency.  Complacent employees, suppliers and customers will remain your greatest vulnerability.  Your effectiveness in leading the Security Risk Professionals operating in your organization, your partners' businesses and your clients' facilities is continuously at stake.

03 March 2013

Digital RubiCON: The Fifth Domain...

Operational Risk Management is a continuous process in the context of our rapidly expanding corporate environments.  What is one example?  People traveling to emerging markets to explore new business opportunities, or new suppliers that will be connected by high-speed Internet connections to the supply chain management system.  The boundaries of managing operational risk have not only expanded; they have become invisible.
Ru·bi·con
1. a river in N Italy flowing E into the Adriatic
2. Rubicon (figurative, as in "to cross the Rubicon"): to take a decisive, irrevocable step
This "Digital Rubicon" before us, taking on a more "Active Defense" in navigating risk across the international waters of e-commerce, privacy and legal jurisdictions, will forever shape our future.  Deciding what constitutes an adversarial attack in the cyber domain will not be as clear-cut as it was at the dawn of the nuclear age.  Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.

The new digital "Rule Sets" are currently being defined not only by nation states but by the "Non-State" actors who dominate a segment of the global digital domains.  The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may work even better in the cyber-centric environment.  Corporations are increasingly underestimating the magnitude of the risk, or the speed at which it is approaching their front or back door steps.

The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management.  Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and Wikileaks-like incidents has everyone on full alert.  As the government outsources the jobs that would take it too long to execute itself, or in which the private sector is already the expert, operational risks have begun to soar.

As private sector tasks merge with the requirements of government, the gap in effective risk mitigation is perpetuated and spectacular incidents of failure follow.  Whether it is a failure of people, processes, systems or some other clandestine event doesn't matter.  The public-private paradox will continue as long as the two seek some form of symbiosis.  The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission-critical resource within an unpredictable environment.

Once an organization has determined the vital combination of assets it requires to operate on a daily basis, it can begin its quest for enterprise resiliency.  The problem is that most companies still do not understand these complex relationships within the matrix of their business, and therefore remain vulnerable.  The only path to that resilient outcome is to finally cross the "Digital Rubicon" and realize that you can no longer control it.

The first step in any remediation program is to admit the problem and accept the fact that it exists.  Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust.  Shodan is one reminder of how much of that exposure is already public:
Simply put, Shodan is a search engine. While Google crawls the Internet looking for websites, Shodan is scanning for devices connected to the Internet and recording information about the software running on those devices. What has the press and security professionals worried is that Shodan has revealed wide-scale holes in Internet safety, from somewhat embarrassing privacy oversights to keep-you-up-at-night vulnerabilities in critical infrastructure. 
Imagine a building. Now imagine a private detective checking out the building, snooping around the perimeter, noting what security company’s sticker is on the window, what kind of locks are on the doors, what kind of sprinkler system waters the landscaping, what brand of air conditioner is mounted on the roof, what electric company services the smart meter around the back. Now imagine that investigator does the same thing for every office, every home, every school, every factory, power plant, hospital and football stadium and uploads it to a publicly available database. That’s what Shodan does, but with IP addresses. 
It’s almost like an automated way to digitally case every joint in the world.
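
The Shodan description quoted above, turned into an added worked example that is neither Shodan's code nor part of the original post: a Shodan-style indexer that fingerprints the first bytes a service sends back, records product and version, answers product/protocol/port queries, and flags the things a private detective would write down.  The banners, the 203.0.113.0/24 addresses and the port-to-protocol hints are constructed assumptions, and a real scanner would also negotiate TLS on 443; this one only parses what it is handed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: (ip, port, banner) as a scanner records them after
# connecting and reading the first bytes the service sends back. Addresses are
# from the documentation range 203.0.113.0/24; nothing here is a real host.
SAMPLE_BANNERS = [
    ("203.0.113.10", 22, "SSH-2.0-OpenSSH_5.3\r\n"),
    ("203.0.113.10", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n\r\n"),
    ("203.0.113.25", 21, "220 ProFTPD 1.3.3 Server ready.\r\n"),
    ("203.0.113.40", 23, "\xff\xfd\x18\xff\xfd\x20login: "),  # telnet option negotiation
    ("203.0.113.40", 502, ""),                                # Modbus/TCP: accepted, no banner
    ("203.0.113.77", 443, "HTTP/1.1 401 Unauthorized\r\nServer: Boa/0.94.14rc21\r\n"
                          "WWW-Authenticate: Basic realm=\"NetCam\"\r\n\r\n"),
]

# Assumed port-to-protocol hints, used only when the banner itself says nothing.
PORT_HINTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "http",
              102: "s7comm", 502: "modbus", 20000: "dnp3"}
ICS_PROTOCOLS = {"s7comm", "modbus", "dnp3"}
CLEARTEXT_LOGIN = {"telnet", "ftp"}

# Banner grammars: assumptions about common formats, not Shodan's own rules.
SSH_RE = re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-](?P<version>[\w.]+)")
HTTP_STATUS_RE = re.compile(r"^HTTP/[\d.]+ \d{3}")
HTTP_SERVER_RE = re.compile(r"\r\nServer: (?P<product>[^/\r\n]+)(?:/(?P<version>[^\s\r\n]+))?")
FTP_RE = re.compile(r"^220[ -](?P<product>[A-Za-z][\w-]*)\s+(?P<version>\d[\w.]*)")


@dataclass
class ServiceRecord:
    ip: str
    port: int
    protocol: str
    product: str = ""
    version: str = ""
    notes: list = field(default_factory=list)


def fingerprint(ip, port, banner):
    """Turn one raw banner into an indexed record, the way Shodan catalogues a host."""
    rec = ServiceRecord(ip, port, PORT_HINTS.get(port, "unknown"))
    ssh, ftp = SSH_RE.match(banner), FTP_RE.match(banner)
    if ssh:
        rec.protocol = "ssh"
        rec.product, rec.version = ssh["product"], ssh["version"]
    elif HTTP_STATUS_RE.match(banner):
        rec.protocol = "http"
        srv = HTTP_SERVER_RE.search(banner)
        if srv:
            rec.product = srv["product"].strip()
            rec.version = srv["version"] or ""
        if "\r\nWWW-Authenticate: Basic" in banner:
            rec.notes.append("HTTP Basic auth challenge exposed to the Internet")
    elif ftp:
        rec.protocol = "ftp"
        rec.product, rec.version = ftp["product"], ftp["version"]
    elif banner.startswith("\xff") or "login:" in banner:
        rec.protocol = "telnet"
    # The "what kind of locks are on the doors" notes from the quote above.
    if rec.protocol in CLEARTEXT_LOGIN:
        rec.notes.append(f"{rec.protocol} sends credentials in cleartext")
    if rec.protocol in ICS_PROTOCOLS:
        rec.notes.append(f"{rec.protocol} industrial control protocol reachable from the Internet")
    return rec


def build_index(banners):
    return [fingerprint(ip, port, banner) for ip, port, banner in banners]


def search(index, product=None, protocol=None, port=None):
    """Answer a Shodan-like query: filter by product substring, protocol or port."""
    out = []
    for rec in index:
        if product is not None and product.lower() not in rec.product.lower():
            continue
        if protocol is not None and rec.protocol != protocol:
            continue
        if port is not None and rec.port != port:
            continue
        out.append(rec)
    return out


def exposure_report(index):
    """Records that carry at least one note: what a casing of your own block would turn up."""
    return [rec for rec in index if rec.notes]


if __name__ == "__main__":
    for rec in exposure_report(build_index(SAMPLE_BANNERS)):
        print(f"{rec.ip}:{rec.port} {rec.protocol} {rec.product} {rec.version}".rstrip())
        for note in rec.notes:
            print(f"    - {note}")
```

Running it against your own address space (with banners you collected yourself) is the quickest way to see what the rest of the world already knows about you; the product and version fields are exactly what an adversary filters on.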

23 February 2013

Cyber Allies: A Whole Community Strategy...

The "New Normal" for American business is now apparent.   Operational Risk Management is at the center of Board of Directors meetings, due to new laws and the latest attribution reports on nation state cyber hacking.  Disclosure to corporate shareholders of significant data breach or intellectual property theft incidents requires a more laser-focused industry strategy: a private sector "Whole Community" approach that not only shares vital intelligence on threat actors and new malware variants, but also develops trusted allies in industry itself.
As a concept, Cyber "Whole Community" is a means by which business, emergency management practitioners, organizational and community leaders, and government officials can collectively understand and assess the needs of their respective communities and determine the best ways to organize and strengthen their assets, capacities, and interests. By doing so, a more effective path to societal security and resilience is built. In a sense, Whole Community is a philosophical approach on how to think about conducting cyber emergency management. 
For the past decade or more the private sector has toiled at the task of creating public-private partnerships in the Banking, Energy, Telecom, Retail, Defense and numerous other Critical Infrastructure sectors.  These organizations have focused on sharing information that is relevant to the industry group at such a high level that the real value of the intelligence on threats or malware is often just a look in the rear-view mirror.  By the time it gets into the report, onto the organizational portal or pushed via listserv to the member constituents, it is stale or no longer relevant.

What if your corporate headquarters were located in an office park in AnyTown, USA along with several dozen other large, medium and small businesses?  What if those businesses were all tied to the same critical infrastructure for the business park, such as electrical power, water and telecommunications?  In most cases, the energy provider and water supplier will be the same for all businesses in the office park.  Unlike these utilities, the telecommunications providers may be much more diverse: each business could choose among three or more providers of high-capacity voice, data and wireless services.

What if these businesses now adopted a Cyber "Whole Community" mind-set?  They would begin the process of cooperation, coordination and collaboration.  They would embark on a bold new strategy to:

Understand community complexity. 
Recognize community capabilities and needs. 
Foster relationships with community leaders. 
Build and maintain partnerships. 
Empower local action. 
Leverage and strengthen social infrastructure, networks, and assets. 
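
The office-park scenario above, worked as an added example that is not part of the original post: a dependency map of the park's tenants and their providers, extended with the providers' own upstream dependencies, which is the part no single tenant can see until the neighbors compare notes.  The tenant names, the carriers, and the assumption that two of the three carriers and the water utility's pumping station sit on the same grid feed while the third carrier's node has its own backup power are all constructed for illustration.

```python
# Constructed sample: the external providers each tenant of the park cannot
# operate without. One grid feed and one water utility serve everyone; the
# telecom carriers look diverse from the curb. Names are hypothetical.
TENANT_DEPS = {
    "AcmeHQ":      {"RegionalElectric", "CountyWater", "CarrierA"},
    "BetaSoft":    {"RegionalElectric", "CountyWater", "CarrierB"},
    "GammaClinic": {"RegionalElectric", "CountyWater", "CarrierA"},
    "DeltaLogix":  {"RegionalElectric", "CountyWater", "CarrierC"},
}

# Constructed sample: what the providers themselves depend on. Assumed here:
# CarrierA and CarrierB serve the park from a node on the same grid feed, the
# water pumping station is on that feed too, and CarrierC's node has
# independent backup power. Every listed dependency is treated as required.
PROVIDER_DEPS = {
    "RegionalElectric": set(),
    "CountyWater": {"RegionalElectric"},
    "CarrierA": {"RegionalElectric"},
    "CarrierB": {"RegionalElectric"},
    "CarrierC": set(),
}


def failed_providers(initial, provider_deps=PROVIDER_DEPS):
    """Propagate one provider outage through the providers' own dependencies
    until the failed set stops growing (a simple fixed-point iteration)."""
    failed = {initial}
    changed = True
    while changed:
        changed = False
        for provider, deps in provider_deps.items():
            if provider not in failed and deps & failed:
                failed.add(provider)
                changed = True
    return failed


def impact(initial, tenant_deps=TENANT_DEPS, provider_deps=PROVIDER_DEPS):
    """Providers and tenants that go down when `initial` fails."""
    down = failed_providers(initial, provider_deps)
    tenants = {t for t, deps in tenant_deps.items() if deps & down}
    return down, tenants


def blast_radius(tenant_deps=TENANT_DEPS, provider_deps=PROVIDER_DEPS):
    """Number of tenants taken down by each single provider failure, transitively."""
    return {p: len(impact(p, tenant_deps, provider_deps)[1]) for p in provider_deps}


def single_points_of_failure(threshold=0.75, tenant_deps=TENANT_DEPS,
                             provider_deps=PROVIDER_DEPS):
    """Providers whose failure takes down at least `threshold` of the tenants."""
    radius = blast_radius(tenant_deps, provider_deps)
    cutoff = threshold * len(tenant_deps)
    return {p for p, n in radius.items() if n >= cutoff}


def allies_after(initial, me, tenant_deps=TENANT_DEPS, provider_deps=PROVIDER_DEPS):
    """Neighbors still operating after `initial` fails: the only ones who could
    host your failover link or share a generator when you are down."""
    _, down_tenants = impact(initial, tenant_deps, provider_deps)
    return {t for t in tenant_deps if t != me and t not in down_tenants}


if __name__ == "__main__":
    for provider, n in sorted(blast_radius().items(), key=lambda kv: -kv[1]):
        print(f"{provider:17s} takes down {n} of {len(TENANT_DEPS)} tenants")
    print("single points of failure:", sorted(single_points_of_failure()))
    print("who can help AcmeHQ if CarrierA fails:", sorted(allies_after("CarrierA", "AcmeHQ")))
    print("who can help AcmeHQ if the grid fails:", sorted(allies_after("RegionalElectric", "AcmeHQ")))
```

The lesson is in the second map: telecom diversity at the curb is no diversity at all when the carriers' local nodes share the park's grid feed, and the water utility fails with the grid as well.  That is exactly the kind of hidden shared dependency the "understand community complexity" step is meant to surface, and it only becomes visible once neighbors put their dependency lists side by side.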

You see, national industry-based organizations are not enough to build the long-term resilience your headquarters requires and your shareholders demand.  The Chief Risk Officer, Chief Financial Officer and Chief Information Officer need to begin reaching out to your business neighbors now.  The initiative will be well received by the CEO when they report at the next Board of Directors meeting.  The process for developing a more robust Operational Risk Program and sustainable services for your business enterprise could be just a stone's throw from your corporate front door.  Here is the bottom line.  You need to develop trusted allies in your own neighborhood and community:

Benefits include: 
  • Shared understanding of community needs and capabilities.
  • Greater empowerment and integration of resources from across the community.
  • Stronger social infrastructure.
  • Establishment of relationships that facilitate more effective prevention, protection, mitigation, response, and recovery activities.
  • Increased individual and collective preparedness.
  • Greater resiliency at both the community and national levels.
Just think of the kinds of information or assets you might share with a "Trusted Ally" who is next door to your business or down the street.  What new strategies could you develop together to make yourselves even more impervious to the latest incidents caused by "Anonymous" or "Flame" and even China?
For three straight years, a group of Chinese hackers waged a cyber war against a family-owned, eight-person software firm in California, according to court records.  Hackers broke into the company's system, shut down its email and web servers, spied on employees using their own webcams and gained access to sensitive company files, according to court records.
Whether you are a small-to-medium-enterprise (SME) or a Fortune Global 1000 company you can develop new trusted allies in your Cyber "Whole Community".  What are you waiting for?