26 July 2024

Enterprise Resilience: Compete or Die...

Enterprise Resilience is the road to competitiveness. It is the answer for the many Chief Security Officers (CSOs) who have faced the troublesome battle of selling more "Fear and Doubt" to the Board of Directors.

When Deborah Wince-Smith stood up on the stage at the 21st Annual Security Briefing at OSAC on November 16, 2006, her words were music to our ears:

“It is undeniable that the world has gotten more risky. Businesses now function in a global economy characterized by increasing uncertainty, complexity, connectivity and speed. Managing this rapidly changing risk landscape is an emerging competitiveness challenge—a challenge that demands resilience: the capability to survive, adapt, evolve and grow in the face of change.”

“Globalization, technological complexity, interdependence, and speed are fundamentally changing the kind of risks and competitive challenges that companies— and countries—face.”

“Failure, whether by attack or accident, can spread quickly and cascade across networks, borders and societies. Increasingly, disruptions can come from unforeseen directions with unanticipated effects.”

“Global information and transportation networks create interdependencies that magnify the impact of individual incidents. These types of risk demand new methods of risk management.”

Thinking back to those days, was this a way for the Chief Security Officers (CSOs) of the Fortune 500 to finally shift their thinking from pure security protection to something less macho?

How could "Resilience" become a platform for a mindset shift that justifies new funding?

"After all, now we aren't trying to scare people with the low-probability, high-impact incidents anymore; we are focusing on the high-probability incidents that may have enough impact to cause a significant business disruption."

What are the incidents and areas of risk that insurance won't touch these days?

If the insurance companies can write a policy to give you peace of mind, is this necessarily an area you can ignore because you have transferred the risk to someone else? Maybe not.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room.

Working towards control and protection while fear builds in the back of your mind makes you stiff, depletes your energy and creates doubt.

And when you are operating a business, or standing on the tee of your first sudden-death hole on any PGA weekend, you had better have resilience.

The business equivalent to homeland security and critical infrastructure protection is Operational Risk Management (ORM)—a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for operational resilience can have “bet the firm” results.

We all know that it costs lots of money to have any systems downtime; that's why so many dollars have been invested in Disaster Recovery Planning (DRP) and other Business Continuity Planning (BCP). Delta?

Yet is this the kind of resilience that is going to make you more competitive to seize more opportunities? The economics of resilience are more than investing for the likely or unlikely information systems incident that will attack your organization tomorrow.

The threat of “Tort Liability” and the loss of reputation remains top of mind these days with every major global company executive.

The threat is real and increasing at a faster rate than many other real operational risks to the enterprise.

Litigation from regulators, class actions and competitors has given the term Legal Risk new emphasis and meaning.

Once corporate management understands the need for a "resilience" mentality in place of a "protection" mental state, a new perspective is found.

Investing in the vitality, agility and competitive capabilities of the organization sounds, and is, more positive.

It alleviates the fear of doom and gloom and inspires new found innovation.

Your organization's longevity and adaptability can be achieved with a new perspective. Compete or die.

Enabling Global Enterprise Business Resilience is just the beginning...

19 July 2024

Operational Risk: People, Process, Systems & External Events...

When was the last time your team presented their plan to execute your next major milestone in your important project?

As you lean back in your chair and hear the “What”, “Why”, “Where”, “How” in the bullets and pictures on each of their presentation slides, you might be pleased with what you see.

Now, what is the alternative plan for this particular operation? Just in case.

The more you experience change and the real setbacks to your intended goals, achievements or anticipated outcomes, the more you realize that you will need a "Plan B".

You know, a back-up plan. Perhaps you even may need a fail-safe:

fail-safe

adjective

1: incorporating some feature for automatically counteracting the effect of an anticipated possible source of failure.
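The definition above, written as code. This is an added example for this page, not the author's own, and it simulates the policy backend, the cache and the clock in-process so it runs offline; the names (FailSafeAuthorizer, PolicyUnavailable) are invented. The feature that "automatically counteracts the anticipated source of failure" is the bounded fallback: when the primary policy service is down, a recent cached answer is honoured for a limited time, and anything without a fresh answer is denied. The fail-open variant beside it is the anti-pattern a reviewer should flag.

```python
"""Fail-safe access decision with a bounded "Plan B".

Added example: the policy backend, the cache and the clock are simulated
in-process so the block runs offline; none of the names are from a real product.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


class PolicyUnavailable(Exception):
    """Raised when the primary policy source cannot answer (timeout, outage)."""


@dataclass
class Decision:
    allow: bool
    source: str  # "primary", "cache" or "fail-safe"


@dataclass
class FailSafeAuthorizer:
    """Asks the primary policy source; on failure falls back to a recent cached
    answer, and when no fresh answer exists it denies (fails closed)."""
    primary: Callable[[str, str], bool]   # (subject, action) -> bool
    cache_ttl: float = 300.0              # seconds a cached answer stays usable
    clock: Callable[[], float] = time.time
    _cache: Dict[Tuple[str, str], Tuple[bool, float]] = field(default_factory=dict)

    def decide(self, subject: str, action: str) -> Decision:
        key = (subject, action)
        try:
            allow = bool(self.primary(subject, action))
        except PolicyUnavailable:
            # Plan B: reuse the last answer, but only for a bounded time, so a
            # stale "allow" cannot live forever once the policy has changed.
            cached = self._cache.get(key)
            if cached is not None:
                allow, stamped = cached
                if self.clock() - stamped <= self.cache_ttl:
                    return Decision(allow, "cache")
            # Fail-safe default: no trustworthy answer means deny.
            return Decision(False, "fail-safe")
        self._cache[key] = (allow, self.clock())
        return Decision(allow, "primary")


def fail_open_decide(primary: Callable[[str, str], bool], subject: str, action: str) -> bool:
    """The anti-pattern: an outage in the policy service silently grants access."""
    try:
        return bool(primary(subject, action))
    except PolicyUnavailable:
        return True  # do not do this


def run_scenario() -> List[Tuple[bool, str]]:
    """Drive the fail-safe design through a policy-service outage with a fake clock."""
    now = [1_000.0]
    healthy = [True]

    def primary(subject: str, action: str) -> bool:
        if not healthy[0]:
            raise PolicyUnavailable("policy service timeout")
        return subject == "alice" and action == "read"

    auth = FailSafeAuthorizer(primary=primary, cache_ttl=300.0, clock=lambda: now[0])
    results = []
    results.append(auth.decide("alice", "read"))    # primary says allow
    results.append(auth.decide("bob", "read"))      # primary says deny
    healthy[0] = False                              # outage begins
    now[0] += 60
    results.append(auth.decide("alice", "read"))    # served from cache, allow
    results.append(auth.decide("alice", "write"))   # never answered: fail-safe deny
    now[0] += 600                                   # cache TTL expired
    results.append(auth.decide("alice", "read"))    # fail-safe deny
    return [(d.allow, d.source) for d in results]


def fail_open_during_outage() -> bool:
    """Show what the anti-pattern returns for an unknown subject while the service is down."""
    def down(subject: str, action: str) -> bool:
        raise PolicyUnavailable("down")
    return fail_open_decide(down, "mallory", "delete")


if __name__ == "__main__":
    for allow, source in run_scenario():
        print(f"{'ALLOW' if allow else 'DENY':5} via {source}")
    print("fail-open grants during outage:", fail_open_during_outage())
```

The cache is itself a source of risk (a revoked permission keeps working until the TTL runs out), which is why the TTL is short and why the fallback never answers "allow" for a pair it has not seen. That trade-off is the real content of a Plan B: a known, bounded degradation instead of an unplanned one.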

What is your universal unlock code? What is your alternative plan? How will you ensure the safety, security and service of your intended game plan today?

Unfortunately in business and in any other highly engineered or sophisticated operation that is vital to your growth and success, you will need to create an alternative plan.

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. These risks are further defined as follows:

* Process risk – breakdown in established processes, failure to follow processes or inadequate process mapping within business lines.

* People risk – management failure, organizational structure or other human failures, which may be exacerbated by poor training, inadequate controls, poor staffing resources, or other factors.

* Systems risk – disruption and outright system failures in both internal and outsourced operations.

* External event risk – natural disasters, terrorism, and vandalism.

The definition includes Legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution’s activities.

How will you ensure the safety, security and service of your intended game plan today?

The teams who incorporate comprehensive Operational Risk Management (ORM) into each daily process will achieve their goals and outperform the competition…



11 July 2024

Breakpoint: Mastering the Future...

In the early days of any startup business, be prepared. You, as an innovator, entrepreneur, or just plain engineer, designer or project manager, know what being prepared means.

Or do you?

The pace of change, communications and human emotions reach their extremes in the early stages of most business growth.

Are you ready and prepared to deal with the number of new challenges you will now face as each day unfolds before you?

Before you understood what starting and running a new business is really all about, you may have thought for a moment how exciting it would be.

Then one day it begins to dawn on your colleagues, your investors and your potential customers that this idea has some flaws.

The marketplace you have chosen has not yet recognized the real problem-set that your particular solution truly solves.

Or is it something else?

You see, it all comes back to the pace of change and the ability of some people to master the new skills, the new vision or the new outcomes unfolding before you.

The more rapidly you and your startup team accelerate upwards and forward to achieve that breakpoint, the sooner you will hit that next part of your own particular growth curve:

Breakpoint and Beyond: Mastering the Future Today

“Assists in predicting and mastering industrial, social, political, and personal change by tracking the pattern of major "breakpoints" in human history and revealing the great truths hidden in them”

As you now stare at the gallery of people on your next “Teams” or “Zoom” session, remember that you are on a real mission together.

After you understand that running a new business involves a tremendous amount of time and resources to get people to perform the way you imagined they would, this is when the breakpoint in your “S” curve takes place.

Are you there yet?

When you and your team start exploring the changes around your startup hypothesis, you are incorporating the new data, the new feedback and the new human factors into your future achievement.

Keep your chin up.

Now that you have changed your design/prototype, changed your people, changed your market analysis and even changed your purpose for existence, you are mastering your future success…

Godspeed!

28 June 2024

Preface: Growing Up in the USA...

As we approach the 248th anniversary celebration of the country named the "United States of America", think about it with open eyes as you look at our flag waving in the wind on the morning of July 4th.

One of 193 countries in the United Nations on our globe today, our country has become a sought-after destination for so many others in the world to see and to actually experience.

Why?

Born in the USA, we remember how our school Principal at "Riverside Elementary" would get on the speaker system at 8:30 AM sharp. Our "Pledge of Allegiance" each morning was sacred as we all stood in our classrooms:

"I pledge allegiance to the flag of the United States of America, and to the republic for which it stands, one nation under God, indivisible, with liberty and justice for all.”

Little did any of us truly know at that point in our lives how precious these words would eventually become to us, some before we were all grown adults.

It would dawn upon us all decades later, as our team was sitting around our tables with other fellow INSA members in a 2nd Floor conference room on North Stuart Street in Arlington Virginia. Our local professionals had a new important project before us.

Our Homeland Security Intelligence Council (HSIC) had started to tackle the definition of “Homeland Security Intelligence” and we would later develop 16 key recommendations in our 20 page White Paper.

It was finally published in September 2011, ten years after so many Americans had died on 9/11 and so many others had gone on to fight in the wars abroad and thereafter at home.

“Homeland Security Intelligence is information that upon examination is determined to have value in assisting federal, state, local, tribal and private sector decision makers in identifying or mitigating threats residing principally within U.S. borders.”

Intelligence to Protect the Homeland...taking stock ten years later and looking ahead...

Now, after returning to our USA once again with your own overseas travel behind you, reach into your pocket for that dark blue "US Passport" with the Eagle emblazoned in gold on the front, and read these words once again on page one:

“The Secretary of State of the United States of America hereby requests all whom it may concern to permit the citizen/national of the United States named herein to pass without delay or hindrance and in case of need to give all lawful aid and protection.”

In 2024, this Independence Day, reflect on all that you have learned and now earned, as a US Citizen protecting our country and as a true proud American.

 “Never Forget”…

21 June 2024

Enterprise Security Risk Management (ESRM)

Years ago, "The Gartner Group" identified three major questions that executives and boards of directors need to answer when confronting information security issues:

> Is your security policy enforced fairly, consistently and legally across the enterprise?

> Would our employees, contractors and partners know if a security violation was being committed?

> Would they know what to do about it if they did recognize a security violation?

In today’s wired world, threats to the information infrastructure of a company or government agency are not static, one time events.

With new ransomware, XaaS, viruses, vulnerabilities, and digital attack tools widely available for download, a “complete information security solution” in place today can easily become incomplete tomorrow.

As a result, a security architecture solution must be flexible, and dynamic.

Presently, news of digital-threat events tends to spread through the computer security world in a “grapevine” manner. Threat information is obtained from websites, e-mail listservs and countless other informal sources.

This haphazard system is incomplete, and therefore raises concern when evaluating the damaging, costly effects of an aggressive, systematic digital attack.

A comprehensive security solution requires the careful integration of People, Processes, Systems and External events.

It must allow correlation and the implementation of a "layered" defense, coupled with a firm application of risk-management principles.

To fully protect electronic information architectures, an organization needs current intelligence and analysis that allows constant adjustment and fine-tuning of security measures (e.g., firewalls, intrusion-detection systems, virus protection) to effectively defend against a rapidly changing landscape.
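The adjustment loop described above, as an added example for this page (not the author's or any vendor's code): a structured indicator feed is parsed, each indicator is scored for confidence and age, checked so that it can never block your own or reserved address space or an over-broad prefix, and the survivors are rendered as firewall set elements. The feed format, the sample indicators (all from documentation or reserved ranges), the "own prefix" 192.0.2.0/24, the fixed clock and the nftables set names ti_block_v4/ti_block_v6 are assumptions; the point is that the block list is recomputed from the current feed every cycle instead of accreting forever.

```python
"""Turn a threat-intelligence feed into a current, bounded firewall block list.
Added example, not the page author's or any vendor's code: the feed format, sample
indicators, the "own address space" prefix and the nftables set names are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed feed: value,type,confidence(0-100),last_seen (ISO 8601 UTC).
# Addresses are documentation/reserved ranges, not real attackers.
SAMPLE_FEED = """\
203.0.113.45,ipv4,90,2024-06-20T10:00:00Z
198.51.100.7,ipv4,40,2024-06-19T08:30:00Z
198.51.100.200,ipv4,90,2024-05-01T00:00:00Z
198.51.0.0/16,ipv4,90,2024-06-20T00:00:00Z
10.0.0.5,ipv4,95,2024-06-20T12:00:00Z
192.0.2.0/24,ipv4,80,2024-06-18T00:00:00Z
evil.example,domain,85,2024-06-20T09:15:00Z
not a domain!,domain,99,2024-06-20T09:15:00Z
2001:db8::1,ipv6,70,2024-06-20T11:00:00Z
"""
SAMPLE_NOW = datetime(2024, 6, 21, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible
OWN_SPACE = ("192.0.2.0/24",)  # assumed: prefixes this organization itself uses

# Ranges a block list must never contain: blocking them is a self-inflicted outage.
LOCAL_SPACE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str          # "ipv4", "ipv6" or "domain"
    confidence: int
    last_seen: datetime


def parse_feed(text):
    """Parse the constructed CSV feed; blank lines and '#' comments are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value, kind, conf, seen = (p.strip() for p in line.split(","))
        out.append(Indicator(value, kind, int(conf), datetime.fromisoformat(seen.replace("Z", "+00:00"))))
    return out


def ip_reject_reason(value, own_space):
    """Why an IP indicator must not be blocked, or None if it is safe to block."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "malformed"
    if net.is_multicast or net.is_loopback or net.is_link_local:
        return "reserved-or-local"
    if any(net.subnet_of(local) for local in LOCAL_SPACE if local.version == net.version):
        return "reserved-or-local"
    if any(net.overlaps(own) for own in own_space if own.version == net.version):
        return "own-address-space"
    if net.prefixlen < (24 if net.version == 4 else 48):
        return "too-broad"  # a feed typo must not black-hole a whole /16
    return None


def current_blocklist(indicators, now, min_confidence=60, max_age=timedelta(days=14), own_space=()):
    """Recompute from scratch each cycle so the control tracks the feed
    (indicators age out) instead of accreting rules forever."""
    own = [ipaddress.ip_network(n) for n in own_space]
    keep, rejected = [], []
    for ind in indicators:
        if ind.confidence < min_confidence:
            reason = "low-confidence"
        elif now - ind.last_seen > max_age:
            reason = "stale"
        elif ind.kind in ("ipv4", "ipv6"):
            reason = ip_reject_reason(ind.value, own)
        elif ind.kind == "domain":
            reason = None if DOMAIN_RE.match(ind.value) else "malformed"
        else:
            reason = "unknown-type"
        if reason is None:
            keep.append(ind)
        else:
            rejected.append((ind.value, reason))
    return keep, rejected


def render_nft(keep, table="inet filter"):
    """Emit nftables set elements; the sets ti_block_v4/ti_block_v6 are assumed to exist."""
    return [f"add element {table} ti_block_{ind.kind[2:]} {{ {ind.value} }}"
            for ind in keep if ind.kind in ("ipv4", "ipv6")]


def refresh(feed_text=SAMPLE_FEED, now=SAMPLE_NOW, own_space=OWN_SPACE):
    """One adjustment cycle: parse, filter, render. Kept domains are for a DNS
    sinkhole or IDS layer rather than the packet filter."""
    keep, rejected = current_blocklist(parse_feed(feed_text), now, own_space=own_space)
    return [i.value for i in keep], rejected, render_nft(keep)


if __name__ == "__main__":
    kept, dropped, rules = refresh()
    print("blocking:", kept, "\ndropped:", dropped, "\n" + "\n".join(rules))
```

Run against the constructed feed, three indicators survive and six are dropped with a reason each (low confidence, stale, too broad, reserved, own space, malformed). The rejection reasons are worth logging: a feed that suddenly starts emitting your own prefixes or /8s is itself an incident, and a "grapevine" block list with no such gate is how an organization ends up blocking its own customers.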

"Threats and vulnerabilities relating to computer networks, websites and information assets must be addressed before an attack occurs. Awareness and the ability to make informed decisions are critical."

How "Proactive" are you?

In short, as the electronic economy plays an increasing role in the private and public sectors, organizations must take advantage of the resulting new opportunities for growth and gains in efficiency and productivity.

Realizing these gains depends on an organization’s ability to open its information architecture to customers, partners and, in some cases, even competitors.

This heightened exposure creates greater risk and makes an organization a more likely target for attack (e.g., information and monetary theft, business disruption).

Furthermore, the cost of critical infrastructure failure climbs steeply as reliance on increasingly integrated systems grows.

Your goal into the future is to provide the organization with the following Information Security value propositions:

  1. A System with Best Practices to Establish, Implement and Monitor Compliance.
  2. Early Warning & Awareness for the Entire Enterprise.
  3. Relevant Decision Support.
  4. Trusted Threat Information/Analysis.
  5. Actionable Threat Countermeasures.

And remember, a single Enterprise Security Risk Management (ESRM) system will not solve the operational risk problem without the right processes and the correct people to implement such a solution...

15 June 2024

Shared Mission: Look to Your Left, Look to Your Right...

Into the future, how will you decide to operate your business, manage your important projects or run your life?

Will it be well thought out or chaotic? Will it be on time and within budget or delayed and asking for more funds?

How often do you find yourself disappointed? Frustrated. Even questioning why you are spending time on this project?

Working with and managing people begins with setting expectations, mutual goals and shared responsibilities. Is your project or life at stake?

Look around your work environment. What do you see?

Is it all in order and does it look tidy and clean? Or, are you wondering who will be doing what next as you operate with clutter across your workspace and wonder where your iPhone is?

So what!

“At every turn, you can sense that, somehow, the critical fabrics of trust that have been woven together for thousands of years and that allow us to live in social systems are unsteady, trembling, and fragile. It is as true in our national governments, corporate boardrooms, and compliance programs as it is in our interactions with sales clerks and neighbors.

Decisions you take as a leader are questioned more intensely. As a team member, business analyst, armchair investor, or family financial officer, you have become more reluctant to accept the decisions of others. Blind faith is no longer an acceptable justification to lead others in a charge over the hill, or a basis on which you choose to follow others. Why is trust under attack at so many levels, across so many economies, and in so many routine, ordinary decisions through which we live our lives?”  —Achieving Digital Trust: The New Rules for Business at the Speed of Light. ©2015 by Jeffrey Ritter

Before you decided to change your future ways, this was your life.

Over the course of your particular future time line, how will you improve? Are you meeting your deadlines and the expectations of those you choose to operate with?

Do others trust you?

This is your opportunity to now answer yourself, “Yes” or “No”.

Again, look around you and what do you see?

The future of your life will continuously depend on "Who" is to your left and "Who" is to your right.

Do you trust your fellow team mate with your particular mission today? Will you give them the trust to accomplish their work and their tasks towards achieving success?

Now, you have the true opportunity ahead of you. Continuously “Build Trust” with those you love and those who are on your shared mission…

08 June 2024

Organizational Integrity: Trusted Relationships...

Before 9/11, almost all of our country's and our organizations' current-day vulnerabilities were already in existence.

Whether you focused on increasing protection from other nation states, the growing regional terrorist sects or the online dark-net criminal syndicates, their growing presence and actions were all visible.

What has changed in the past two decades in the continuous and pervasive strategies to provide greater Critical Infrastructure Protection and security and safety to our United States and our citizens?

If there was a simple bullet list of items to address the answer to this question, it would seem:

  • Incomplete.
  • Short sighted.

Today, our adversaries have substantial new speed and stealth due to technology innovation, such as encryption, 5G and various levels of aerial/satellite imaging or video.

They have new highly-trained human assets who are continuously recruited online and in person to travel and impersonate roles in the private sector, to attend our key events and meetings.

To get more perspective, one only has to watch the entertaining and educational movie "Duplicity" to learn and remember how our organizations' intellectual property and new inventions are under constant assault.

Yet the “Infinite Game” continues across old and new frontiers of our globe, in some of the most unexpected places for the average U.S. citizen, who might not even know the answer to some of our standardized U.S. History 101 questions.

In our Farm lands. In our Schools. In our Private Equity firms. In our Financial institutions. In our Healthcare organizations. In our Utility companies. In our Defense Industrial Base (DIB). In our Global Fortune 100.

How might we improve our abilities to increase our resilience?

We must step up our learning from what has worked more than two decades ago.

Many have forgotten integrity or never experienced what can be accomplished with even more trusted relationships.

You see, it might take your valuable time to make a phone call on that little rectangular camera box in your pocket.

It might take your time to get on a plane or in your car to drive across miles of a freeway to meet someone in person at a coffee shop or for a club sandwich.

The trusted old "One-to-One", "Face-to-Face" ability to build a relationship from a personal introduction to a lasting intellectual and learning experience is our only future hope.

It remains the chance to see and feel another person's true ambition, real emotion or innovative intellectual excellence.

You might think that our world has changed tremendously over the past two decades.

In reality, "Building Trusted Relationships" has a formula that has lasted over centuries…

25 May 2024

Memorial Day 2024: "Always be Ready"...

In America, our Memorial Day is a holiday to remember. A day to reflect on all those Americans who have died fighting for our freedom.

As the young son of a U.S. Marine, I grew up in a home that always had our flag flying on Memorial Day.

Yet it wasn't until a relocation 30 years later, which took our own new family to Northern Virginia, that the real meaning of this remembrance day truly sank in.

Then as a grown adult, walking through Arlington Cemetery toward the “Tomb of the Unknown Soldier” on a May weekend in 1997 with our daughter (8) and son (7), we could feel the real emotions of it come forth.

Walking up the path and seeing a sea of gravestones gave us a better understanding of our service members and their ultimate sacrifice; it was further enhanced by watching the "Changing of the Guard" ceremony.

Overlooking the beautiful grounds, facing toward the distant Washington Monument and our nation's capital from that hill in Arlington, Virginia, is just so epic.

As our tears were quickly wiped away, looking at the sunrise East on that early morning, the jets from Reagan Airport roared in the background.

As an American, someday you too, must do the same.

How can you begin to truly appreciate the historical journey we have endured as a nation, preserving your freedom and our way of life in America?

The fallen have helped ensure your ability to grow up in a country like no other. A place where you might see your own children find their destined path in life, with all the opportunities that lay before them.

Walking that day among the headstones, and almost a decade later while attending the burial ceremony of a colleague in Section 60, it really hit me.

"Watching an officer hand a folded U.S. Flag to Neal's Mother that sky-blue day was a vivid reminder of why we are so blessed to be born in these United States of America and protected by such brave Americans and all First Responders."

On this Memorial Day 2024, look at our U.S. Flag waving in the wind, think about just those buried on the 624 acres of Arlington, and then multiply that across all of the other veterans' cemeteries in America.

With such brave Men and Women to defend us over our nation's 248 years, to preserve our way of life in your own home town, we are so very grateful.

Thank you...Godspeed!

18 May 2024

Trust Decisions: EO of ORM...

In our most uncertain times over the past few years, it is again time to revisit several key factors of Operational Risk Management (ORM) within our Global Critical Infrastructure organizations.

Think of examples like Maersk or Boeing and UnitedHealth Group or Silicon Valley Bank.

Into the future, our Risk, Security and Controls personnel shall have equal power with the executives who are responsible for bringing in the revenue.

This means that the future power-base of the Sales and Marketing teams would need to also be on par with the Internal Audit, Security and Risk Management executives.

This internal culture shift is harder to achieve than one would think.

Egos aside, the people who make it their job to worry about potential losses, look over the horizon and mitigate risks day in and day out are just not used to warning everyone, every day, about each alert, each incident or each possible threat.

It is because everybody loves to hear that the business has been won, the competition defeated and the company has just closed the biggest "Deal" in its history. Let the spin doctors in Marcom get the Press Releases flying!

Not the doom and gloom.

It has been said before, the tone starts at the top.

The CEO and Board of Directors who are cognizant of the necessity for effective risk management objectives must also create a balanced power-base at the top to balance the "Revenue Generators" with the “Risk & Loss mitigators.”

So who are some of these people who deserve a greater exposure to this new born culture shift:

  • Director of Information Security promoted to CISO (Chief Information Security Officer).
  • Director of Corporate Facilities to CSO (Chief Security Officer).
  • Director of Regulatory Affairs to CCO (Chief Compliance Officer).
  • Director of Privacy to CPO (Chief Privacy Officer).
  • Director of Human Resources to CHO (Chief Humanity Officer).

If the CEO thinks that this is too many chiefs in the "C" Suite, then what about the idea of creating the:

Executive Office of Operational Risk Management (ORM)

This would be on par with the Chief Financial Officer and might even include the Chief Information Officer.

The new EO of ORM would now be on the same level of power with the EVP of Sales or Marketing and beyond the Chief Operations Officer (COO).

They would be laser focused on mitigating a spectrum of corporate threats, implementing relevant employee education and determining the true effectiveness of any organizational risk controls.

Just not so much on the effectiveness of sales incentives and corporate promotions or the uptime of corporate marketing processes.

So what does someone such as Sherron Watkins, the former VP of Corporate Development at Enron Corporation, think the moral is?

You've been asked this one numerous times Sherron, I'm sure, but what's the moral of the story?

“Being an ethical person is more than knowing right from wrong. It is having the fortitude to do right even when there is much at stake.”

11 May 2024

Mothers: Brave & Resilient...

We grew up in a small town in the Midwest USA; our Mom was an only child.

Anne was a mother who was so devoted to her four kids in so many ways.

Being a Mom in those early days was about getting you off to the bus stop in the morning, and being there when you walked home from the bus stop in the afternoon.

We had just enough time to get home, drop our books and then head out into the neighborhood on our bikes to our friends' houses or down to the beach on Goguac Lake.

A few hours later, it was about the home dinner routine just after 6:00PM, when Dad walked in the door from his HQ job with a regional restaurant chain.

After dinner, it was time for our homework and baths/showers before bedtime.

Sound familiar?

Moms really are so amazing. They are God's greatest creation, and over time we all witness the extraordinary capabilities of a Mother.

Our particular Mom was a proud Pi Phi at Northwestern University, yet her real passion was becoming an Artist. To this day, her oil paintings still hang on the walls of our Living Room.

As young kids sitting on the floor in one of her Art Studio rooms or the corner of a basement, we would watch her paint on a large canvas with colorful oils and glue on various items to give a collage effect. Later...

  • Mom was also there when we all swam across Goguac Lake in the "Husky Muskie" swimming event each summer, cheering us on with her fingers crossed behind her back.
  • Mom was there to help Dad with maintaining the yard on weekends before they headed out to a Saturday night party with friends at the nearby Country Club.
  • Mom was there to pick us up after our 6 weeks at summer camp in another state.
  • Mom was also quite the snow skier and not too far behind us on the challenging ski runs of Apres Vous mountain in "Jackson Hole" on our Christmas vacations.

Mothers are just so resilient. They are incredibly versatile. Mothers always want to make sure you are never hungry and when you cry, they will do what ever it takes to make you feel better.

On this Mother's Day 2024, we are thinking of you Mom…it has now been a decade since she went to heaven.

“Happy Mother's Day” to all of the other bravest Moms on our Earth…

03 May 2024

Reputation Risk: Is Murphy to Blame?

Any board member or executive today is well aware of the direct impact that an adverse event or significant business disruption can have on shareholder value and customer confidence. When it does happen, how many people just throw up their hands and shout, Murphy's Law!

"Murphy's Law ("If anything can go wrong, it will") was born at Edwards Air Force Base in 1949 at North Base.

It was named after Capt. Edward A. Murphy, an engineer working on Air Force Project MX981, (a project) designed to see how much sudden deceleration a person can stand in a crash."

Murphy is all about managing the "What if's" and planning for their possibility.

More than one business has been subjected to the Laws of Murphy whenever a complex and logistical project or program is underway.

If you are one of those corporate executives who has been unable to use your security badge the Monday after the big office move, you are not alone.

The question is not whether it could happen; it's what impact it will have on employee satisfaction the day it happens, and beyond.

In your future planning to mitigate the Operational Risks associated with Murphy and your reputation, we are reminded of a few of our favorite Murphy's Laws:

1. Computer systems are unreliable, but humans are even more unreliable. Any system which depends on human reliability is unreliable.

2. If there is a possibility of several things going wrong, the one that will cause the most damage will be the one to go wrong.

3. A difficult task will be halted near completion by one tiny, previously insignificant detail.

4. High speed chases will always proceed from an area of light traffic to an area of extremely heavy traffic.

5. Every emergency has three phases: PANIC... FEAR... REMORSE.

Do you think you're spending too much time with your team planning? You haven’t.

Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong.

The organizations whose team has planned for every possible scenario and trained together in live simulations will become the most successful.

Their missions will be accomplished on time and within budget.

Incidents of different severity and frequency are happening around you and your organization every day.

Would your employees know what an incident looks like let alone know what to do next to mitigate the risk to them and the organization?

26 April 2024

Navigating Wisdom: Partners in True Innovation...

Before you were wise, you were prone to testing, wondering what would happen next.

The more you found yourself exploring, testing and better understanding the results, the more wisdom you created.

Creating the opportunities for gaining new knowledge and learning requires first an attitude of curiosity.

What is on the other side of that hill? Who lives around the corner? How does a bird fly? Why does the sun shine during the day and the moon at night?

Are you creating curiosity with the purpose of learning more and asking new questions?

After the process has been repeated enough times with the same results, you begin to craft your own hypothesis.

True Innovation begins here.

Beyond your curiosity stage and past your due diligence, now you have arrived at your new hypothesis:

1 a: an assumption or concession made for the sake of argument

b : an interpretation of a practical situation or condition taken as the ground for action

2 : a tentative assumption made in order to draw out and test its logical or empirical consequences

3 : the antecedent clause of a conditional statement

Now your testing begins and you experience the outcomes and results. The evidence of your work will provide you the path for your future navigation.

Too fast, too slow. Too hot, too cold. Too high, too low. Keep testing.

So what kind of “Innovation Navigator” will you become?

Time will tell and much of what happens in your life is going to be a factor of the people you meet.

Who else has the same curiosity as you do? What questions do they ask that you never thought about?

You see, you need a Team Mate. A Wing Man. A Buddy. Together you will discover far more about your growing curiosity and your new tested hypotheses.

You will leverage each other's strengths together and you will cover each other's vulnerabilities.

How wise will you both become as “Innovation Navigators”…

19 April 2024

Dream: Smell the Flowers…

What is your next dream? How might you envision it even more effectively?

As a young kid one of the books Mom & Dad would read to us started off like this:

“Once upon a time in Spain there was a little bull and his name was Ferdinand. All the other little bulls he lived with would run and jump and butt their heads together, but not Ferdinand. He liked to sit just quietly and smell the flowers.”—By Munro Leaf & Robert Lawson - Copyright 1936 - Viking Press

In your own life journey in search of “New”, new change, new environments, new people, new places and where your next destination will be, you shall continuously Innovate, Adapt, Test and become even more Resilient.

You see, your dream is out there. You can see it and you are able to feel it.

The reality is that you are impatient. You will not have time to test long enough.

This is when the surprises become a reality. You are caught off guard, you experience an error, you experience a loss.

What is your back up “Just-in-Time” plan?

How shall you implement the plan of actions with scarce resources?

Do you have a path to eliminate the delay or to restore the loss quickly? How will you achieve true resiliency?

Our true professionals in Operational Risk Management (ORM) dream just like everyone else.

Yet, they dream and envision the “What ifs” and the possible ways to respond. They anticipate the ways to bounce back, restore balance and move forward:

  • Accept risk when benefits outweigh the cost.
  • Accept no unnecessary risk.
  • Anticipate and manage risk by planning.
  • Make risk decisions in the right time at the right level.

Now, envision your dream with some interruptions. Then see yourself quickly recovering to achieve your planned “Mission Objective”.

What have you learned this year, this month or this week?

In 2024 and beyond, our International Globe and its people will continue to challenge all of us.

Our countries and their businesses are accelerating towards the future with exponentially more data and with so much less understanding. We may also have less empathy.

You and your team can change this as you strive together to understand more about the “Why” and the “How”.

Will you grow with your new trusted partners to be even more empathetic?

Always be Ready…and try to take time to ”Smell the Flowers”.

Godspeed!

13 April 2024

Corporate Business Survival: 4D | Deter. Detect. Defend. Document.

Critical Infrastructures are those systems and assets - whether Physical or Virtual – that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of those matters.

As ransomware attacks continue to grow, organizations need to improve their security posture to protect against an attack.  Better security requires implementing appropriate security controls and ensuring that effective crisis management and employee education are in place.

The landscape of how we work has changed since the onset of the global pandemic.  We must assess vulnerabilities in a new way and with increased due diligence.

Our Corporate Critical Assets are "Under Attack".

4D = Deter. Detect. Defend. Document.

"Attackers use Tools to exploit Vulnerabilities. They create an Action on a target that produces an Unauthorized result."

Attackers do this, to obtain their Objective.

LESSON 1- DETER.

  • What corporate critical assets are most valuable in the eyes of your adversary?
  • Increase deterrence with these assets first.
  • MFA / Layered Access [SMS vs. Authy or Authenticator].
  • Segmented Networks.
  • Data / Network Encryption.
  • People motivated by Financial Gain, Damage/Disruption or the Challenge.

LESSON 2 – DETECT.

  • Detect the use of tools by the Attackers.
  • Some tools are High Tech, others are "Social Engineered".
  • They will discover vulnerabilities in:

Design.

Implementation.

Configuration.

You must continuously detect the use of attackers' methods and tools to exploit your vulnerabilities.

LESSON 3 – DEFEND.

  • Defend the target assets from actions by the attackers.
  • Targets may include people, facilities, accounts, processes, data, devices, networks.
  • Actions against the target that are intended to produce the unauthorized result include:

Probe.

Spoof.

Steal.

Delete / Encrypt.

LESSON 4 – DOCUMENT.

  • Document the "Normal" so you know when and where there is an Unauthorized result:

Increased Access.

Disclosure or Corruption of Information.

Denial of Service or Theft of Resources.

  • Document continuously, using a "Collection Management Framework" (logs), and know how to access it for effective Incident Response.
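As an added example (not code from this post), here is how the "documented normal" of Lesson 4 can be turned into a check over log lines that names the unauthorized result each deviation points to: Increased Access, Disclosure or Corruption of Information, or Denial of Service / Theft of Resources. The log format, the baseline values and the 10x anomaly factor are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed "documented normal" (Lesson 4), not real data: which account may read
# which asset, who may delete/encrypt, a typical read size and a typical request rate.
NORMAL = {
    "allowed": {"alice": {"crm-db"}, "bob": {"file-share"}, "svc-backup": {"crm-db", "file-share"}},
    "may_modify": {"svc-backup"},
    "bytes_per_read": 50_000,
    "requests_per_minute": 30,
}
ANOMALY_FACTOR = 10  # how far past normal before we call it an unauthorized result (assumed)

LOG_RE = re.compile(r"(?P<minute>\d\d:\d\d) user=(?P<user>\S+) src=(?P<src>\S+) "
                    r"asset=(?P<asset>\S+) action=(?P<action>\w+) bytes=(?P<bytes>\d+)")

# Constructed log lines in an assumed format; "user=-" is an unauthenticated request.
LOG_LINES = [
    "10:01 user=alice src=10.0.0.5 asset=crm-db action=read bytes=40000",
    "10:02 user=bob src=10.0.0.6 asset=crm-db action=read bytes=12000",      # not in bob's baseline
    "10:03 user=alice src=10.0.0.5 asset=crm-db action=read bytes=900000",   # 18x a normal read
    "10:04 user=bob src=10.0.0.6 asset=file-share action=encrypt bytes=0",   # bob may not modify
    "10:05 user=svc-backup src=10.0.0.9 asset=file-share action=encrypt bytes=0",  # normal
] + ["10:07 user=- src=203.0.113.9 asset=web action=probe bytes=0"] * 400    # a flood

def classify(lines, normal=NORMAL, factor=ANOMALY_FACTOR):
    """Name the unauthorized result each deviation from the documented normal points to."""
    findings, per_minute = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines deserve their own finding in a real pipeline
        e = m.groupdict()
        per_minute[(e["src"], e["minute"])] += 1
        if e["user"] != "-" and e["asset"] not in normal["allowed"].get(e["user"], set()):
            findings.append(("Increased Access", f"{e['user']} touched {e['asset']}"))
        if e["action"] == "read" and int(e["bytes"]) > factor * normal["bytes_per_read"]:
            findings.append(("Disclosure or Corruption of Information",
                             f"{e['user']} read {e['bytes']} bytes from {e['asset']}"))
        if e["action"] in ("delete", "encrypt") and e["user"] not in normal["may_modify"]:
            findings.append(("Disclosure or Corruption of Information",
                             f"{e['user']} ran {e['action']} on {e['asset']}"))
    for (src, minute), n in per_minute.items():  # rate check is per source and minute
        if n > factor * normal["requests_per_minute"]:
            findings.append(("Denial of Service or Theft of Resources",
                             f"{src} sent {n} requests at {minute}"))
    return findings
```

Running `classify(LOG_LINES)` yields one finding per deviation, with the flood collapsed into a single rate finding for its source and minute.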

1_ In order to understand how to defend your corporate critical assets, use Red Teams, Bug Bounties or internal testing resources.

2_ Maintain offline, encrypted backups of data and regularly test your backups.

3_ Review Third Party or Managed Service Provider (MSP) policies for maintaining and securing your organization's backups.

4_ Understand that adversaries may exploit the trusted relationships your organization has with third parties and MSPs.

The cost of a cyberattack is often significant for organizations large and small, and we must strengthen responsiveness and reduce behaviors that may open vulnerabilities in the future.

Public Private Partnerships of Critical Infrastructure organizations with CISA.gov and FBI.gov are vital to enhance our National Security...

06 April 2024

Vulnerability: Launching into the Future...

Looking in the rear view mirror from the Spring of 2004, the InfoSec World Conference in Orlando FL was on the calendar.

Our flight from Washington, DC provided just enough time to plan out the sequence of sessions and events to attend in order to explore any new innovations.

At that point we were only in the first decade of our "Information Security" evolution.

"Before “The Cloud”. Before IT standards could truly grasp the spectrum of sophisticated exploits that were soon to be developed by other Nation States."

The guidelines and metrics developed that year by the Yankee Group were derived from The Laws of Vulnerabilities research, authored by Gerhard Eschelbeck, CTO of Qualys.

The Dynamic Best Practices in Vulnerability Management are based on key findings from The Laws of Vulnerabilities:

>>Half-Life: The half-life identifies the length of time it takes users to patch half of their systems, reducing their window of exposure. The half-life of critical vulnerabilities for external systems is 21 days and for internal systems is 62 days. This number doubles with lowering degrees of severity.

>>Prevalence: 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. In other words, there is a constant flow of new critical vulnerabilities to manage.

>>Persistence: The lifespan of some vulnerabilities and worms is unlimited. In fact, the research shows significant spikes in the occurrence of Blaster and Nachi worm infections in 2004, months after they originally appeared.

>>Exploitation: The vulnerability-to-exploit cycle is shrinking faster than the remediation cycle. 80 percent of worms and automated exploits are targeting the first two half-life periods of critical vulnerabilities.

The best practices apply vulnerability management as the one solution IT can count on to measure and manage the effectiveness of a network defense program.

"Performing regular security audits is a vital step companies must take to keep up with the changing security landscape," said Eric Ogren, Senior Analyst at the Yankee Group. "With each new breed of attack, it is clear that best practices in IT security must be achieved for organizations to effectively protect critical network assets."

Based on these Laws, the Yankee Group defines four dynamic best practices for vulnerability management as:

1. Classify: Enterprises should identify and categorize all network resources. They should classify these resources into categories and tier a hierarchy of assets by value to the business. Critical assets should be audited every 5 to 10 days to identify vulnerabilities and protect against exploits. Based on hierarchical priority, lower category assets can be scanned less frequently as the work plans to patch will also be less frequent.

2. Integrate: To improve effectiveness of various security technologies such as server and desktop discovery systems, patch management systems, and upgrade services, enterprises must integrate with vulnerability management technologies. Best practice organizations should also report on operational progress against vulnerability goals to raise the level of awareness for security within the executive management team.

3. Measure: Enterprises need to measure their networks against the half-life curve and persistence curves of vulnerabilities. Graphically track the percentage of vulnerabilities mitigated within each 30-day cycle and the number of vulnerabilities that extend past 180 days. Chart the security team's performance to make sure the end result is risk reduction, especially to critical assets.

4. Audit: Security officers should utilize the results of vulnerability scans to understand a corporation's network security posture. Use the metrics to evaluate successes and failures of different policies to improve security performance. Use audit metrics to communicate security status to senior management.
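An added example, not from the Yankee Group or Qualys material quoted above: a small Python script that measures a constructed set of findings against the half-life targets stated above (21 days for external systems, 62 days for internal, doubling per step down in severity), buckets remediation into the 30-day cycles of the Measure practice and lists findings that persist past 180 days. The findings list, the as-of date and the severity-step mapping are assumptions.

```python
from datetime import date
from math import ceil

# Constructed sample findings (not real scan data); fixed=None means still open.
AS_OF = date(2024, 4, 6)
FINDINGS = [
    {"id": "ext-1", "zone": "external", "seen": date(2024, 1, 1), "fixed": date(2024, 1, 10)},
    {"id": "ext-2", "zone": "external", "seen": date(2024, 1, 1), "fixed": date(2024, 1, 20)},
    {"id": "ext-3", "zone": "external", "seen": date(2024, 1, 5), "fixed": date(2024, 2, 10)},
    {"id": "ext-4", "zone": "external", "seen": date(2024, 1, 5), "fixed": None},
    {"id": "int-1", "zone": "internal", "seen": date(2023, 9, 1), "fixed": date(2023, 10, 15)},
    {"id": "int-2", "zone": "internal", "seen": date(2023, 9, 1), "fixed": date(2024, 3, 20)},
    {"id": "int-3", "zone": "internal", "seen": date(2023, 9, 15), "fixed": None},
    {"id": "int-4", "zone": "internal", "seen": date(2024, 2, 1), "fixed": date(2024, 2, 25)},
]

# Half-life targets for critical findings from the Laws; doubling per severity step is assumed.
BASE_HALF_LIFE = {"external": 21, "internal": 62}
SEVERITY_STEP = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def target_half_life(zone, severity="critical"):
    return BASE_HALF_LIFE[zone] * 2 ** SEVERITY_STEP[severity]

def half_life(findings):
    """Days until half of the group was remediated; None if that point is not reached."""
    if not findings:
        return None
    durations = sorted((f["fixed"] - f["seen"]).days for f in findings if f["fixed"])
    needed = ceil(len(findings) / 2)  # half of all findings, open ones included
    return durations[needed - 1] if len(durations) >= needed else None

def cycle_buckets(findings, cycle=30):
    """Percent of all findings mitigated in each 30-day cycle (bucket 0 = days 0-29)."""
    counts = {}
    for f in findings:
        if f["fixed"]:
            bucket = (f["fixed"] - f["seen"]).days // cycle
            counts[bucket] = counts.get(bucket, 0) + 1
    return {b: round(100 * c / len(findings), 1) for b, c in sorted(counts.items())}

def persistent(findings, as_of=AS_OF, limit=180):
    """IDs whose exposure (time open, or time to fix) exceeded the persistence limit."""
    return [f["id"] for f in findings if ((f["fixed"] or as_of) - f["seen"]).days > limit]

def report(findings=FINDINGS):
    out = {"cycles": cycle_buckets(findings), "persistent": persistent(findings)}
    for zone in BASE_HALF_LIFE:
        hl = half_life([f for f in findings if f["zone"] == zone])
        out[zone] = {"half_life": hl, "target": target_half_life(zone),
                     "meets_target": hl is not None and hl <= target_half_life(zone)}
    return out
```

`report()` is the chart-ready summary: per-zone half-life against its target, the 30-day cycle percentages, and the findings that have crossed the 180-day persistence line.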

The notes written soon after that InfoSec World trip still provide vital context today, even as we commercialize our travel to Space.

They show how, over two decades later, the best practices are still very much the same.

Except for this.

Today, "Vulnerability Management" now has the Cloud, Quantum and more powerful AI…

22 March 2024

Enterprise Security Risk Management (ESRM): Be Proactive…

What are the three major questions that most CxO executives and Boards of Directors need to answer when confronting information security issues?

  1. Is your security policy enforced fairly, consistently and legally across the enterprise?
  2. Would our employees, contractors and partners know if a security violation was being committed?
  3. Would they know what to do about it if they did recognize a security violation?

In today’s complex 5G wireless world, global supply chains, nation states or insider threats to the information infrastructure of a company or government agency are not static, one time events.

With new exploits, vulnerabilities, and digital attack tools widely available for download or X-as-a-Service (XaaS), a “complete information security solution” in place today can easily become outdated and incomplete tomorrow.

As a result, a comprehensive security architecture solution must be flexible and dynamic, continuously monitored and updated.

Presently, the news of “Zero-Day” digital-threat events tends to spread through the computer security world in a “grapevine” manner.

Threat information is obtained from specialized websites, e-mail listservs, cyber managed services and countless other informal sources.

This haphazard system is incomplete and therefore raises enterprise security risk management concerns when evaluating the damaging, costly effects of an aggressive, systematic digital event.

A comprehensive security solution requires the careful integration of people, processes, systems and external events that allows correlation and implementation of a “layered” defense coupled with a firm application of risk-management principles.

To fully protect electronic information architectures, an organization needs current intelligence and analysis that allows constant adjustment and fine-tuning of security measures (e.g., firewalls, intrusion-detection systems, virus protection) to effectively defend against a rapidly changing landscape.

Threats and vulnerabilities relating to computer networks, websites and information assets must be addressed before an attack occurs.

Proactive Awareness and the ability to make informed decisions are critical.

So what?

In short, as our global electronic economy plays an increasing role in the private and public sectors, critical infrastructure organizations must take advantage of the resulting new opportunities for growth and gains in efficiency and productivity.

Realizing these gains depends on an organization’s ability to open its information architecture to customers, partners and, in some cases, even competitors.

This heightened exposure creates greater risk and makes an organization a more likely target for attack (e.g., information and monetary theft, business ransomware disruption).

The cost of critical infrastructure failure climbs exponentially as an organization relies more on systems integrated with its partners, subsidiaries and vital supply chain.

Be proactive…