19 February 2017

Problem-Solving: Transparency of Startup Operational Risks...

The lifeblood of an organization comprises several key components that sustain and continuously grow the enterprise.  Founders, senior management, engineers, and financial and legal subject matter expertise usually come first.  Then, once the minimum viable product or solution is ready for the intended market, there is a mad dash to add the sales and business development resources.

A startup mentality that initiates the planning, demand generation and "Go-to-Market" execution for the growth engine has higher Operational Risk exposure.  Many founders and new entrepreneurs who have engineering or operational expertise underestimate the need for substantial growth engine investment early in the startup timeline.

How many times have you attended "Demo Days" or other such events intended for the startup founders to pitch their new App or service solution, begging for a first customer?  You must recognize that the new Artificial Intelligence interface, the optimized algorithm or the faster encrypted communications is not going to create a new market overnight.

Entrepreneurs require a substantial immersion into the business environment of problem-solving.  It begins with the customer or client who detects that there is an area of risk that needs remediation.  How do you think companies like Symantec and McAfee first started?  The personal computers that were becoming so pervasive were encountering something now called malware.

Solving problems from the customer's perspective requires a deep and focused process with the owners, operators and end users.  It requires substantial time being embedded at the customer level or with the people who perform their daily tasks.  You need to understand the risks that the customer is experiencing.

This "Diagnostic-to-Prescriptive" process is not new.  Yet how many times have those "Demo Day" entrepreneurs or "Accelerator" graduates ended their pitch, with a plea for a first customer?  This is a recipe for failure.

How can this be changed or addressed, in order to increase the number of successful new businesses?  What should we be doing to assist these new entrepreneurs in embracing the "Operational Risks" of a customer and inventing a new solution to solve their problems?

The engineers and inventors should embrace the idea of finding customers first: customers who have real and risk-sensitive problems they can solve.  It is not enough to just change an interface, reduce the pricing and copy an App to do the same general function.  How long will it now take for Snap to begin building their own data centers and infrastructure?

Entrepreneurs that utilize the "Go-to-Market" strategy early in their growth cycle will simultaneously increase their exposure to substantial Operational Risks.  Take that great idea or new "Minimum Viable Product" to an established business in the industry sector you think is going to listen.  Find the right business to adopt you as a problem-solver with this new solution, and take the time to learn.

Once you have lived with the same problem across several different businesses, agencies or governments, it might be time to launch the "Go-to-Market" strategy for a single industry sector or country to start.  The learning phase and early adoption of a multitude of business development processes will establish a more solid foundation for launching the new product / solution.

When you look at Snapchat and its growth cycle, it was not obvious up front how privacy was going to be such a tremendous risk to the business.  How you can pivot quickly from understanding your customers' appetite for transparency to also providing a robust privacy policy program is just one way to build a trusted set of repeat customers.

Snapchat Transparency Reports are released twice a year. These reports provide important insight into the volume and nature of governmental requests for Snapchatters' account information and other legal notifications.

13 February 2017

RSA 2017: In Search of the Truth...

The 2017 RSA Conference is set to launch this week in San Francisco.  What is true?  The state of asymmetric warfare across the globe is pervasive and nation states have been negotiating new rules of the game.

As you descend into the keynote sessions, absorb the content from your favorite track or walk the overwhelmed Expo halls, pause for a moment.  Stop, look around and take in what you see.  The ICT (Information, Communications & Technology) ecosystem is no longer a vertical.

The horizontal intrusion of smart devices, IoT and the rapid mobility sensor markets have created a juggernaut ecosystem.  The startup communities across just the United States landscape have entrepreneurs sharing and automating parts of your daily life once thought unthinkable.

The Techstars of the next generation of commerce understand the platform better than ever.  Meanwhile, the same ambitious individuals with so much creativity are simultaneously in a battle for funding and market share.

A new generation of AI-driven inventions, built on Voice Recognition, is becoming the foundation for getting the information we need now; this second, not in a few minutes or even an hour from now.  We want it now, and we trust that it will be true.

There are some major themes that you will see and pick-up on while attending RSA this year.  Some established companies with a tenured legacy in the industry are even making a pivot.  Look for how they are starting to craft the new narratives that will consume the marketing airwaves.

Expect plenty of talk about the ongoing ransomware scourge and threats against the Internet of Things (IoT) during RSA Conference 2017, which begins a week from today at the Moscone Center in San Francisco.

The conference will include 15 keynotes, including talks by RSA CTO Zulfikar Ramzan, Microsoft president Brad Smith, and Alphabet CEO Eric Schmidt. The popular cryptographers’ panel will feature Whitfield Diffie (of Diffie-Hellman-Merkle), Ronald Rivest and Adi Shamir (the R and S in RSA encryption), and Susan Landau (creator of Landau’s Algorithm). Paul Kocher, who figured out timing attacks against various RSA and DHM implementations, will moderate the panel.

With this in mind, now start to realize the places that have been behind the innovation curve: the small and even mega markets that have been slow to invent, or that operate in such austere environments that the technology has not reached them yet.  Start your new journey into these places to see how you can contribute, how you will be able to make a difference:

The Defense Innovation Initiative (DII)
Exploring Ideas to Better Identify the “Art of the Possible” for National Security
The Defense Innovation Initiative (DII) is a Department-wide initiative to pursue innovative ways to sustain and advance the capabilities of the “force of the future.” The U.S. changed the security landscape in the 1970s and 1980s with networked precision strike, stealth and surveillance for conventional forces. Through the DII, the Department will identify a third offset strategy that puts the competitive advantage firmly in the hands of American power projection over the coming decades.

The future of RSA and our way of life for our interconnected nations, economies and daily consumption of the truth is at stake.  We do have the ability to better cooperate, collaborate and communicate our paths forward.  Yet it begins with a conversation in person, face-to-face to establish the emotional and behavioral ties to trustworthiness.

Have a wonderful week in San Francisco...

04 February 2017

Higher Purpose: A Mission of Trust...

As you walk into that next meeting with another co-worker, or even a colleague for a coffee catch-up, pause and reflect.  Think about how you could not only (1) make this encounter productive but (2) simultaneously enhance the relationship of trust.

All too often we are focused on getting something of value from the meeting.  We are blinded by the purpose of the meeting or have preconceived ideas on how the time together will be of value, or a waste of time.  Now think differently.

A true professional in any business, unit, agency or organization is there to "Build Trust".  The day-to-day or hour-to-hour interactions you have with others are vital.  A true professional in any domain, industry or vocation can aspire to a higher purpose than the normal roles of a stated job description.

One thing is certain when it comes to meeting with other people and the value or outcomes obtained: trust is a major factor in the future outcomes of the relationship.  Have you ever wondered why certain people you meet take so long to trust you?  How are you going to accomplish your intended purpose working with this superior or subordinate if they don't trust you?  What about that new client or business partner?

At the most fundamental level, the trust gurus and authors have been writing about a spectrum of trust for eons:
Zero Trust >>>>> Trust Exists >>>>> Implicit Trust

From ground zero of your first encounters with another person, your goal is to move towards a point on the spectrum where "Trust Exists".  Then your goal is to keep moving to the right and towards a place of "Implicit Trust".  This is when you don't even think about it anymore.  How many people do you know where this is the case, even within your own family?

So what?

As an Operational Risk professional, velocity is everything.  Yet you already know that uncontrolled velocity alone can be fatal.  The risk factors associated with business, government or the manufacturing process of a highly engineered electronic component are always present.  Always changing.  Creating new obstacles or new harm.  In our current 24x7x365, pervasively connected society, the trust factors are even more important and vital to moving towards "Implicit Trust".

Here are a few examples in the news this past year, where Operational Risk Management (ORM) was a factor:
Samsung Galaxy Note 7

On 2 September 2016, Samsung suspended sales of the Galaxy Note 7 and announced an informal recall, after it was found that a manufacturing defect in the phones' batteries had caused some of them to generate excessive heat, resulting in fires and explosions. A formal U.S. recall was announced on 15 September 2016.
Yahoo

When Yahoo said on Thursday that data from at least 500 million user accounts had been hacked, it wasn't just admitting to a huge failing in data security -- it was admitting to the biggest hack the world has ever seen.

Until Thursday, the previous largest known hack was the 2008 breach that hit almost 360 million MySpace accounts, according to a ranking by the "Have I been pwned" website. Like the Yahoo breach, the hack was only publicly disclosed this year after data was offered on a hacker forum.
National Healthcare Fraud

Attorney General Loretta E. Lynch and Department of Health and Human Services (HHS) Secretary Sylvia Mathews Burwell announced today an unprecedented nationwide sweep led by the Medicare Fraud Strike Force in 36 federal districts, resulting in criminal and civil charges against 301 individuals, including 61 doctors, nurses and other licensed medical professionals, for their alleged participation in health care fraud schemes involving approximately $900 million in false billings.
National Security Agency

A federal contractor suspected in the leak of powerful National Security Agency hacking tools has been arrested and charged with stealing classified information from the U.S. government, according to court records and U.S. officials familiar with the case.

In each one of these few example cases, relationships between people started with a meeting encounter.  Over time, the product, service or personal relationship outcomes involved a failure of people, processes, systems or external events: the core components of Operational Risk Management (ORM).

Raising the level of trust across personal, business or government encounters is only possible with effective "TrustDecisions".  The Decisions to Trust another person, product or service have several elements.  These are vital for the mission to grow towards "Implicit Trust" while simultaneously maintaining the safety and security necessary to reduce the risk of failure.

The Mission

The mission as a co-founder of a new startup or the CEO of a Global 500 is to ensure the survival of the organization. We all know the failure rate for new companies. Just ask Dun & Bradstreet for the statistics or even your local Venture Capitalist who is celebrating failures these days. So beyond just the survival of the organization, is the imperative to establish a cultural and operating environment where people feel encouraged, creative and unencumbered to fulfill their job requirements and goals.

The Take Away

Operational Risks are inherent in any new or established business endeavor. The earlier the Operational Risk Management (ORM) design begins in the trusted relationship evolution, the more resilient you will ultimately become. The framework of the system-of-systems, the look and feel of the cultural environment and the end state visions are all at stake. Take the time and include the expertise to work on the "TrustDecisions" foundation of your enterprise.

Ensure the survivability of the new products or service solutions that are so valuable to our economy and our nation.  Embrace Operational Risk Management early in your relationships and allow its presence while it preserves all that you have worked for and dreamed of...

28 January 2017

The Network: 4th Industrial Revolution Strategy...

There is wisdom in continuously sensing and understanding the environment that people are operating in for their daily work or a specific mission.  The culture of an organization will determine why people are focused on the tasks and work they are performing each day; and that is where Operational Risk Management (ORM) begins.

If you are waking up today and know you may not return home alive, how would that change your thoughts about the tasks and environment ahead of you?  What kind of attitude would you have about your ability to improvise, adapt and navigate over the course of your mission that day, to return safe and secure?

Working alongside individuals each day who are vital to a "Network" that knows the odds of survival are low changes you.  The Operational Risks that you will likely encounter can make you deviate from the primary goal for the mission.  The outcomes that are primary on the minds of each person on the team are the same, until you have to adjust, pivot and adapt on the fly.

This is where the mindset of "Resilience" is born.  The brain learns what is working, and when it encounters a setback, a shock, or a denial of the goal, it quickly responds to the new environment.  You change your tactics to keep moving forward in pursuit of your planned destination.  Resilience and networks have been symbiotic since Genesis.

So where is your environment located today?  Are you waking up in the Hindu Kush or Palo Alto?  Is it going to be sunny in the Sahel or downtown London?  How will you travel today, by foot or in a vehicle that travels fast enough to require a seat belt?  If it requires a seat belt, you are already applying your OP Risk skills to survive the day.

Now pivot your thoughts back to the asymmetric "Network".  You may not be tasked today to travel in a physical environment.  Your mission is to navigate across the globe to a different place, and the map you will use looks like this.  The network you will operate in today has hundreds of thousands of adversaries.  Most will not be human; they are nodes and machines that will sense your presence and try to deter your assigned mission.

The resilience of the "Network" is not about just the other people on your team.  It is about the intelligence of your abilities to navigate, adapt and survive the minute, hour or day of your mission.  Whether the resilience is in the physical realm or inside the zeros and ones of a virtual cyberspace, there are some similarities to achieve survival.

Whether you have an OODA Loop or "Board Principles of Resilience" does not matter, as long as you understand the culture and the environment you will be operating in that day.  Then use it.  Operational Risk Management works when you apply the right tools, tactics and procedures to the time, place and circumstances.  Consider these principles from the Future of Digital Economy and Society System Initiative | World Economic Forum:
  • Responsibility for Resilience
  • Command of the Subject
  • Accountable Officer
  • Integration of Resilience
  • Risk Appetite
  • Risk Assessment & Reporting
  • Resilience Plans
  • Community
  • Review
  • Effectiveness
The "Network" is the new playing field.  The new market.  The new adversary.  The new strategic thinking necessary to make it through the day safely and securely.  To come home to your loved ones.  Use Operational Risk Management (ORM) in order to thrive and survive:

Against the background of these developments, this year’s Global Risks Report explores five gravity centres that will shape global risks. First, continued slow growth combined with high debt and demographic change creates an environment that favours financial crises and growing inequality. At the same time, pervasive corruption, short-termism and unequal distribution of the benefits of growth suggest that the capitalist economic model may not be delivering for people. The transition towards a more multipolar world order is putting global cooperation under strain. At the same time, the Fourth Industrial Revolution is fundamentally transforming societies, economies, and ways of doing business. Last but not least, as people seek to reassert identities that have been blurred by globalization, decision-making is increasingly influenced by emotions. World Economic Forum - Global Risks Report 2017

21 January 2017

Asymmetric Advantage: Dawn Across Arlington...

One only has to stand behind the "Tomb of the Unknowns" and gaze across the national mall past the Washington Monument to begin to feel the magnitude of the challenges ahead.  As the wind swirls around the grave markers and the sound of sirens and jets are distantly present, you can feel an emotional wave of inspiration.

Today in Washington, D.C., the dawn of a new government administration is waking up and the rest of the world is waiting.  How will the asymmetric problems we face be solved faster?  Why does the decision to use "Solution X" make sense over "Solution Y" to address our nation's adaptive Operational Risks?

Why would a U.S. citizen feel inspired this day and from this vantage point in Arlington?  It is because the future will bring new conflicts that are different from those of years past.  It will bring new opportunities for us to excel.  Every decade that wars occur, far fewer warfighters are actually put into harm's way.  The number of casualties slows.  Why?

The reason is that the kinetic types of wars are using new inventions and technologies to save lives.  Whether it is MRAPs or tourniquets built into uniforms, or sophisticated "Geospatial Intelligence", the goal is to keep our warfighters safe and alive.

Now, also in parallel, the conflicts are being waged 24 x 7 x 365 in another growing operational domain, where the IO Analyst is navigating electronic networks and complex lines of software code.  Information Operations are full of new challenges and substantial learning curves in order to gain the advantage.

Welcome to the #Virtual Caliphate:

Decades of border disputes, violent conflict, and shifting refugee populations have left millions of Muslims without a clear national identity. ISIL’s virtual caliphate offers them citizenship free from terrestrial constraints, which can be accessed from anywhere in the world.

How the United States responds to this threat of a growing set of virtually-inspired terrorists, who carry out their physical acts in the homeland, remains a substantial problem-set.  What else is in store for our Homeland?

"The U.S. is considered a high-priority intelligence target by many foreign intelligence entities. While traditionally the threat has been to our political, military, and diplomatic interests at home and abroad, the loss of sensitive economic information and technology is a growing threat to our national security. In recent years, economic espionage conducted by foreign intelligence entities, corrupt insiders, and corporate competitors has exploited vulnerabilities in cyberspace that may weaken our economic advantage. Cyber espionage has not replaced traditional espionage as a way to steal secrets, but the ability to focus technology on lesser protected information is a significant and growing threat." DNI.gov Domestic Approach to National Intelligence

The rules will be changing soon.  The tools will be too powerful and the threats too great for the military to have their hands tied or their legal authorities limited.  The next generation of domestic cyber warfighters will now go into action, side-by-side, from CyberCom, Homeland Security, FBI, CIA and a new coalition of advanced private sector contractors.  They will work across the Homeland from SCIFs in every state, with a new enhanced mission and a new unified command.

How will this save lives and give all of our warfighters what they need?

As the billion dollar budgets within the Pentagon shift their focus to platforms such as DIUx or IARPA, innovative answers will be more apparent.  The growing solutions pipeline will become the basis for rapid deployment to our Operators.  The new Corps of men and women raising their hands from classrooms across the Homeland will grow exponentially...they will serve in new roles and in new ways.

The future is bright, and the changing of the guard at the "Tomb of the Unknowns" will soon see fewer ceremonies to bury our heroes or even hang another star on a wall in Langley...

15 January 2017

Inspired Outcomes: A Culture of Why...

Why does your organization exist?  Most people answer this question with the kinds of products or services provided.  This is "What you do".  Some people talk about how they provide the service or how the product works.  This is "How you do it".  This does not answer the question.

Most organizations have it backwards.  What >> How >> Why.  Now think, Why >> How >> What.

Why your organization exists is paramount to understanding the real purpose and DNA of your culture.  It is vital to the people who show up every day, the core reason they perform their role or contribute to the measurable outcomes of the team.  True Operational Risk Management (ORM) professionals discover the "Why" at the beginning.  Without the truth behind "The Why", nothing after it has enough context.

When you begin the journey to build a better product or invent a new process, you had better know the answer to "Why".  Discovering this first will provide the inspiration, the creativity and the fortitude to get you and your team out of bed the next day to do it all over again.  Without the "Why", we as humans lose sight of our destined purpose.

Over seven years ago, Simon Sinek was advocating for "Why" in his book and on TED Talks.  A few years later, he was helping the Air Force hone new leadership skills in its pilots:

"I told the guys, it's not enough any more to be ace of the base," said Col. Richard "Tex" Coe, commandant of the United States Air Force Weapons School. "We have to bring others with us."

Coe believes the school's new leadership curriculum will translate to success in the global war on terrorism, particularly in the fight in Afghanistan.

"What we're going to be doing is purposely developing these innovative and creative leaders that will go out there and face problems," Coe said.

"We don't even know our problems yet, and we'll be able to put our pieces together and use resources and other people around us to get the mission accomplished."

Coe, a master navigator with more than 3,000 flight hours including 460 combat hours, left Afghanistan in 2002. Today, the country "is a new and different place" he said.

"It's a completely different problem than it was back then. It's ever changing, and we're preparing them for that ever-changing problem."

"What we believe" is not the same as "Why We Exist".  It is different, and it could mean the difference to owners, employees, partners and external customers or clients.  Here is just one example from Palantir:

Why We’re Here

"We believe in augmenting human intelligence, not replacing it.

With good data and the right technology, people and institutions today can still solve hard problems and change the world for the better."

How could you make this even more compelling?  More inspiring and motivating, so that you want to jump out of bed each day at the sound of the morning alarm?

Behind every process, product and service there are humans who must see, feel and smell the "Why".  If and when they do, now they are ready to endure the journey, the quest and the challenges ahead.  They are there for a purpose they can internalize and outcomes that they can pursue vigorously, each day.

Discover the "Why" from your clients and customers, if you have not already done so.  Understand deeply the reason why they are doing business with you.  You may be surprised to learn that your clients are paying you more than your competitors for the same product or service.  You may soon find out the real value of "Trust."

Making the "Decision to Trust" one product or service over another cannot be underestimated.  Yet so many organizations and companies fail to find the truth about "Why" in their ecosystems of followers.  Is it the location, the price, the ease of use, the color, the feel, the endurance, the speed, the intelligence?

Once you have discovered the truth on "Why", you must know "How".  Then the "What" will follow, with the name of your product or brand.  Isn't it interesting that when you are attending a networking or convention event and you meet someone new, they may ask:  "What do you do?"

What if you answered the question like this:  "I work with X and we exist to Y."  The cause and reason for your organization's existence transcends everything.  It provides the foundation for why this person is going to trust you and your organization.  Now if they would only start the conversation with:  "Why does your organization exist?"

Once you have a solid foundation for "Why", then you must know "The How" and then "The What".  Here is another example:

SpaceX designs, manufactures and launches advanced rockets and spacecraft. The company was founded in 2002 to revolutionize space technology, with the ultimate goal of enabling people to live on other planets.

Or how about:

"SpaceX exists to enable people to live on other planets.  We manufacture rockets and launch them so that our customers can supply other spacecraft or travel to other destinations beyond Earth."

Now think about your organization.  Take a deep look at your culture.  What is the fuel that will propel it into the future to achieve extraordinary outcomes?  Exponential results...

08 January 2017

Symbiosis: Information Advantage in a Virtual Battlespace...

Symbiosis with machines to gain information advantage is a challenging problem-set.  The magnitude of Operational Risks will now soar as we pivot towards machines that are performing more as autonomous colleagues.  Pre-programmed instructions have been the standard for our software-based systems, until now.

The integration challenges ahead on the leading edge of "Information Advantage" produce a spectrum of new-born problems to solve.  User interfaces that are speech driven or built on a new Virtual Reality (VR) capability are just the dawn of a new era.  DARPA (BAA-16-51) is already headed in this direction:

The symbiosis portfolio develops technologies to enable machines to understand speech and extract information contained in diverse media, to learn, to reason and apply knowledge gained through experience, and to respond intelligently to new and unforeseen events. Application areas in which machines will prove invaluable as partners include: cyberspace operations, where highly-scripted, distributed cyber attacks have a speed, complexity, and scale that overwhelms human cyber defenders; intelligence analysis, to which machines can bring super-human objectivity; and command and control, where workloads, timelines and stress can exhaust human operators.

"Technological surprise" is a complex area of research.  The problems to be solved are tremendous.  Information advantage in virtual environments has been developing for years.  Fifteen-plus years before the U.S. Department of Defense utilized the concept of a public "Bug Bounty" style program for vulnerability discovery on public-facing systems, Bug Bounties were used by the private sector.

Automated Testing tools and the ability to run software scripts that can simulate a human behind the keyboard were invented more than a decade ago.  It is time for the next generation of information advantage to be addressed, combined with a strategic and policy-focused initiative.

Why?

Principal Investigators understand the stakes within the cyber domains.  The myriad adversaries have advanced far beyond current capabilities and are even utilizing our own infrastructure against us.  Their ability to adapt and change direction, cloak their presence and attack from new locations is finally being understood in the Board Room.

Yet what is the business problem that is being addressed?  Who are going to be the primary beneficiaries of any new invention or solution?  More importantly, why will they continue to use it?

In between commercial-off-the-shelf (COTS) and military unique systems is the zone we shall be navigating to in the next few years.  Military adapted commercial technology is the place for tremendous opportunity and new innovation.

How will we get there?

Since there is no viable rapid acquisition structure in place, new leadership and resources will be required to deploy these solutions.  The entrants to this area will prosper if they are able to mobilize strategically and with speed.

Information advantage is a lofty goal and worth the ambition to achieve it soon.  The speed to attain even a slight edge over the adversary is a whole different strategy when you are talking about information operations.  Unlike the traditional air or sea domains, the speed and ability to scale, deploy and execute with COTS is exponential.

How long did it take start to finish, for physical solutions such as "PackBot", "TALON", "Sand Flea", "BigDog", "Cheetah", "Perdix", "RiSE", "BEAR" and "WASP" to make it onto the operational arena?  The ARGUS-IS camera on a "Global Hawk" UAS generates 1 million terabytes of data daily with a "persistent stare", to track all ground movements in a medium size city from 60,000 ft.  How long did the procurement take to get this capability into the physical domain?

The speed in the current information warfare domain is exponential using COTS and IoT.  Using existing Virtual Machines on AWS-like infrastructure, combined with IP-addressable CCTV cameras to launch a DDoS on a DNS provider in minutes or hours is just one example. The "Mirai botnet" is just another tool (weapon) in the information advantage virtual battlespace.

So what?

Symbiosis with machines to gain information advantage is a challenging problem-set.  Think about the time it takes to design, procure and deploy a robot solution on the physical field of play.  Now think about the same in the almost limitless virtual domains across the globe.  The challenges ahead are formidable, and the really hard problems to be solved remain endless...

31 December 2016

2017: Navigating to Digital Trust...

Looking into the 2016 Operational Risk Management (ORM) rear view mirror, you may be asking yourself several questions.  How many significant losses have occurred this past year, from the failed people, processes, systems or external events in your organization?

You could be asking your team why you have yet to become the target of our adversaries, also known as COZYBEAR, APT28 or APT29, CloudDuke, or even Energetic Bear.  If you don't know who these are, then you probably already are "owned" by this adversary.  It may finally be a priority to become a participant in the "Automated Indicator Sharing" (AIS) initiative.

Where are you navigating to in 2017?

As we look across the vast landscape of our rapidly changing business and government domains, there is no turning back.  There is no ability to retreat or to acquiesce, in a world so full of continuous Operational Risk.

There is no certainty.  There is no true assurance.  There is only the ability to solve problems faster than your adversary or competition.  Some may call this resilience.

Therefore, the direction you take will forever shape your continued exposure to risks and your strategy for the opportunities that you do have control over.  It is a choice, and the questions from the Board of Directors, the Plaintiff Bar or the U.S. Attorney are not going to be the most difficult ones to answer.

In 2017, any major influential organization will be getting more transparent.  The metrics and the formulas (think mathematical algorithms) for counting and creating wealth will be further disclosed, the rules will change faster and more transparently.  Buyers and Sellers of digital content and intelligence, will increase their levels of "Digital Trust".

How will these parties, partners and participants in a vast and exponentially expanding ocean of digital rules become more trustworthy?  They will begin to better understand the DNA of their respective TrustDecisions.

The constituents of organizations, countries and ICT (Information, Communications & Technology) entities will finally realize that transparency of the rules is a vital step to trustworthiness.  Better understanding the "Rules for Composing Rules" is a place to start.  Jeffrey Ritter is the visionary on this topic:
To be part of the disruption, any business must look in two directions—toward the companies that supply digital information to them, and toward the companies with whom their own digital assets are shared. To succeed in creating wealth, and enriching the trust that exists throughout a company’s ecosystem, companies must evaluate how they can be more transparent with their information suppliers, and what levels of transparency to demand from those companies who are outbound recipients. What are the right metrics to show how data or content (like videos) are performing? How will the reporting occur? Are the economic exchanges properly balanced by the value of the data being shared?

The negotiations have been in progress for days, months and years.  The question remains: where are you navigating to in 2017 and beyond?  What resources will you require to get you to your planned destination?  How will you adapt along the way, as the environment you are operating in changes?

Surviving the journey to your intended destination in 2017 will require bold new thinking.  It will be necessary to make many sacrifices along the way, on the ground or in a virtual domain.  The solution-sets that you utilize will require new entities (change agents) to be even more effective in solving the problems that arise.

These new entities (human and digital) that will solve problems more efficiently and effectively with you are ready now.  So what will you do next to adopt, embrace, espouse, tolerate, and even endure the journey ahead?

May your exploration and travels in 2017 produce the intended outcomes.  We wish you a productive and Happy New Year!

17 December 2016

Sprint: Accelerating into the Unknown...

"If you want to go fast, go alone.  If you want to go far, go together"...
  --African Proverb

When you or your organization makes the decision to trust a market, a client, a solution and a model for business, there has already been an adaptive process.  The Operational Risks that you take as an entrepreneur, a designer, a software developer, a financier and the delivery mechanism are continuously changing.  People, Process, Systems and External Events.

You started this project to solve a large problem.  A big issue in a market or with an industry.  The "World's Most Innovative Companies" have been following a proven formula for decades.  What is their secret Intellectual Property?

In the R & D sections of the Defense Industrial Base or the Information, Communications and Technology (ICT) sector, the lights are never turned off.  The competitive world we live in requires that the proven process runs, finishes and repeats.  Then it is replicated across business units, departments and subsidiaries in other countries.

What if you are now testing new ideas to save lives or reduce potential harm to a small team or even the public at large?  What if you will be introducing your solution to a highly regulated market with a long process for government approvals?  What if the current bureaucratic overhead to accelerate your ideas prevents you from achieving the trust you require with your beneficiaries?  Answer:  You pivot to this 5 Step Process:
  • Map
  • Sketch
  • Decide
  • Prototype
  • Test
Five simple steps accomplished over the course of five days may seem easy.  It isn't.  The process for solving big problems and getting to a place where a financier is going to fund your project is really difficult.  It requires perseverance and an insatiable desire to achieve outcomes that you and your team know can work.  That will improve the odds of survival.  Here is just one example of a Map for a "Universal Communication Service" device problem-set:

[Map image: TrustDecisions | Digital Reasoning | All Rights Reserved.]
When you start the process with the Strategy, Voice of the Beneficiary, Subject Matter Experts and pieces of previous efforts by creating a "Map", your overall risk factors start to become more apparent.  By stimulating the visual elements of the human brain's capacity for creative inspiration, you begin to see all the possibilities and also the challenges ahead.

Next, you take the target beneficiaries' perspective by starting with the end (outcomes) in mind.  A "Backwards from Perfect" process, or a variation of it, seeks to understand and answer the questions: Will the beneficiaries of the solution trust our expertise?  Will they utilize this solution?

The human imagination is endless.  Rarely does it flourish when you want it to.  So be careful to plan for the fact that the best ideas and new breakthrough thinking will not happen in the same room with all of the stakeholders, looking at a Map or a Sketch.  It just might happen as one of the participants is in the shower on Day 3, or taking an evening walk after dinner with a colleague on Day 4.

So what?

The questions asked and the process delivered are vital to any organization that is solving big problems.  Solving a problem is only finally accomplished when the beneficiary says so.  When the market accepts the solution, or the human using the tool achieves enough trust in it to use it again and again.  When the point in time arrives that the solution is verified and desired by enough people, then perhaps the problem has been sufficiently solved.

Until the next human decides to improve on it.  Or the next human believes there is a better way.  Or the environment that the solution was designed for, changes dramatically.  Now it may be time to get back into that room down the hall, with all the White Boards, Post-it Notes, Markers, Timers and some Healthy Snacks.

What does the unknown future look like?  At dawn, just early enough to know it is time to move forward faster than your opposition...

Begin Morning Nautical Twilight

The start of that period where, in good conditions and in the absence of other illumination, enough light is available to identify the general outlines of ground objects and conduct limited military operations. Light intensification devices are still effective and may have enhanced capabilities. At this time, the sun is 12 degrees below the eastern horizon. Also called BMNT...

11 December 2016

CIU: Corporate Intelligence Unit...

Over six years later, approaching 2017, Operational Risk Management (ORM) professionals are experiencing the "New Normal."   In a 2010 CSO Magazine sponsored eCrime Digital Watch Report and survey of 535 companies, there are some observations on Operational Risk Management worth examination.

This CERT report from the same year was focused on the "Insider Threat", and the area of concern is still "Digital Incidents by Insiders."  Seven years later, these numbers have only increased:
  • Past 12 months the number of incidents reported increased 16%
  • The per incident monetary loss (mean) was $394,700.00
Yet these two items are just the trend these days, as our global workplace becomes more mobile and stratified, using more partners, offshore suppliers and other 3rd parties to accomplish the daily tasks and workloads. What is even more alarming are the following stats from the survey:
  • 72% of the incidents were handled internally without any legal action or law enforcement.
  • 29% of these incidents could not identify a subject responsible for committing a crime.
  • 35% of these incidents could not proceed due to a lack of evidence.
Interpreting these numbers prompts several questions worth exploring. First, why were 28% of the incidents handled with some form of legal action or law enforcement? We can surmise one of two reasons. Either the incident was exposed to the public as a result of the magnitude or harm that it caused, or the organization was prepared to capture evidence, properly investigate the incident and pursue recovery of the loss through either a civil or criminal process of law.

Second, why were 35% of the incidents unable to proceed due to a lack of evidence? The organization may be lazy or apathetic toward these loss events, or may have an insurance policy that covers these types of losses and was able to successfully recover the almost $400,000.00 average incident loss through this process.

Or, the organization is not capable of leveraging a sound "Digital Governance" and "Legal Policy" framework in order to properly investigate incidents that come from their own internal work place ecosystem of employees, partners, suppliers and other 3rd parties.

In order to gain "Strategic Insight" into these vital Operational Risk matters within the enterprise the organization must establish an intelligence-led investigation. Once the proper evidence collection and analysis is completed on the incident then members of a corporate crisis team or threat management council can make more informed decisions. That brings us to the final question. Why in 71% of the incidents was a subject not identified as being responsible?

The answer to this question has much to do with the previous one where there was a lack of evidence. However, our hunch is that many of these insider incidents were the result of an employee error, mistake or unintended consequences. The lost or stolen laptop from the unlocked car may fill some of this category.

Why would it be in the best legal interest of an organization to have a robust evidence collection capability supported by a sound "Policy Governance" and "Legal Framework"?
  • Duty of Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
This blog has touched upon these four vital areas of vulnerability to adversarial litigation in the past, because we know that, whether you ask these questions internally or the state's Attorney General and the FBI ask them, the answers must be discovered:
  1. What did you know?
  2. When did you know it?
  3. What are you doing about it?
While the number of loss events due to errors or omissions, many times due to a lack of proper training and awareness programs, is growing, so are the incidents resulting from the insider threat of:
  • Fraud
  • Sabotage
  • Espionage
  • Trade Secrets Theft
The modern day enterprise with preemptive, robust and collaborative law enforcement mechanisms in place has accepted the reality of the threat perspectives in their workplace ecosystem:
  • Some individuals who make threats ultimately pose threats.
  • Many individuals who make threats do not pose threats.
  • Some individuals who pose threats never make threats.
Make sure you read those a few times. Because the workplace ecosystem is an evolving, dynamic and rapidly changing set of human elements, behaviors and motivations, creating more "Strategic Insight" is a necessary mitigation strategy. There is a growing trend today for these enlightened organizations to create and effectively provide the resources for a corporate threat management team. This team is comprised of a spectrum of members that span the digital to physical domains within the company: the Chief Risk Officer, General Counsel, Internal Audit, Public Relations, Human Resources, Corporate Security and Information Technology.

In another less formal survey by Dr. Larry Barton of 630 employers the question was raised on the employee communication channel that caused the company to act on a risk. 38% were through a digital messaging medium such as e-mail, text messages and blogs or social networking sites. The ability to monitor over one third of employee communication channels remains a daunting task to this day.

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU with effective processes and procedures that provide a push / pull of information flow. Application of the correct tools, software systems and controls builds on what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "DecisionAdvantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistle blower report, catch the attacker and/or they have the evidence that you were a victim.

Which side of the incident spectrum you are on, proactive or reactive, could mean the difference in whether the attackers continue their schemes and attacks while continuously targeting those with the greatest vulnerabilities. In some cases, those attackers include the plaintiff bar, and your evidence of "Duty of Care" is the bull's eye.

03 December 2016

Digital Innovation: Architecture for the Future...

You are the Senior Operational Risk Management (ORM) Officer in your organization.  One early morning on a crisp Fall day, your "Black Phone" rings.  It is your boss calling.

"We need your leadership and assistance in the reorganization of our enterprise.  Your job will be to head up the new "Digital Innovation" mission group.  We need you to integrate and collaborate effectively with the other 9 mission centers in our organization."

You hang up the phone and your mind begins to wander.  How will you address the digital challenges ahead?  Where will you start?  Will you combine the current silos of the security and privacy domains?  What will the new Enterprise Architecture reveal about the new focus on the potential "Insider Threat"?  Is your enterprise ready to migrate to AWS?

The time has finally arrived, at this point in the organization's maturity, to address and accept the new reality.  In 2016, digital has become pervasive and the undisputed core of the lifeblood of our economy and business.  Not only has this reality finally started to gain traction with Boards of Directors and Senior leadership, it is now a mandate for our total reorganization.

What is the key reason why?  Exponential change and development of the operational ecosystems of the world.  Our global ICT (Information, Communications & Technology) infrastructure has created an international trust issue.  Achieving digital TrustDecisions across directorates, business units and international partners is now clearly mission critical.  Encryption is at the center point of the dialogue.

As you glance at your e-mail, after signing in using the "Digital Authenticator" also on your "Black Phone," it hits you square in the face.  The silos of security and privacy across the enterprise will have to be integrated and a new play book will have to be implemented early.  How will you architect this vital component of the mission group?

Digital Innovation going forward requires that you effectively integrate with a decades-old organizational structure. No longer will the owner of the digital innovation mission reside with the person or department that runs the "Compute Utility". Whether this has been called the CTO, CIO or VP of xyz does not really matter. They have been overseeing the group that is responsible for the hardware, software and the functions that keep the compute utility running.

The lifeblood of your organization is "Data." This can be found in more than just one place within the organization. This data can be found far beyond just the "Zeros and Ones" being stored as a bulk repository, or "data lake," for analytics; backup & recovery; disaster recovery; and serverless computing.  How will you address the data across the landscape of your field operations with partners, suppliers, 3rd parties and each of their own intellectual capital?  Think about it this way:
  • Compute
  • Storage
  • Database
  • Migration
  • Networking & Content Delivery
Your current architecture is simply a utility.  Nothing more.  You want to turn it on, pay for only what you use when you use it, turn it off when you don't need it and have it available 24x7x365.  Right?  Just like your electric utility.

The new "Digital Innovation" mission center will now have a new mind-set.  A new architecture for the future:
Why?

The truth is, it starts with a model that is decades old.  It has sometimes been called "Backwards from Perfect".  Imagine yourself as one of dozens of "End-Users" in your enterprise.  What data do you need to do your job and fulfill your mission at that particular moment?  What type of device will connect to the utility to allow you to explore and create your model?

How will you build your understanding and the insight you require to fulfill the current question?  The hypothesis?  How will you deploy the new digital innovation with your stakeholders, collaborators and the trusted insiders to your latest mission?

Using a simple model like "Backwards from Perfect" with your Field Rep, Service Agent, Partner Consultant, War Fighter, Station Chief or Mission Program Manager is just the beginning.  Your future success and survival is now directly tied to where we started: Operational Risk Management.

There isn't one person, one department or one mission that doesn't need you and your mission to succeed.  The safety and security of your people, your business unit and your purpose on the planet is at stake.  They are all depending on you...

Godspeed...

26 November 2016

Proactive Defense: ICT Supercomputers in the Fifth Domain...

The days are numbered for the major and large scale ICT (Information, Communications & Technology) incidents.  Corporations and global 500 organizations are scaling up for the long game, in a new era of Operational Risk Management (ORM).  We are rapidly moving from Fear, Uncertainty and Doubt, to "Proactive Defense."

No longer is the topic of digital strategy being pushed down the list of priorities by the Board of Directors; it is now at the top.  E-commerce and digital branding are an integrated dialogue along with EBITA in the corporate board room.  The "Trust Decisions" being made each minute of each hour by the enterprise, are now being calculated by machines, sophisticated algorithms and data analytics.

In an increasingly virtual world, it’s easy to lose sight of the fact that human networks, relationships and trust are more important than ever. Those bonds can be sparked in face-to-face discussions. Meanwhile, we can’t allow ourselves to be passive when our opponents are actively engaged and financially motivated. Since we have such a determined foe, we need to challenge each other on the stage. We need to change from thinking defensively to proactively on ICT.
  --William H. Saito, Special Advisor, Cabinet Office (Government of Japan)

Japan and other nations are racing each other to create the world's fastest-known supercomputer.  Why?

The deep learning and artificial-intelligence (AI) trend tells us that soon more corporations will be leveraging these government-owned assets for assistance.  Whether it is for medical diagnostics, cyberspace threat intelligence or improving the speed of other humanitarian focused equations, Japan is also joining the supercomputer race for the fastest computer on earth:

"In a move that is expected to vault Japan to the top of the supercomputing heap, its engineers will be tasked with building a machine that can make 130 quadrillion calculations per second - or 130 petaflops in scientific parlance - as early as next year, sources involved in the project told Reuters.

At that speed, Japan's computer would be ahead of China's Sunway Taihulight that is capable of 93 petaflops".

Why is the global race for supercomputer superiority a nation-state issue?  What is the reason for diverting national funds to this project, over others of key importance to the welfare of the majority of the population?  Operational Risk Management of the nation itself.

The "Fifth Domain" after Air, Land, Sea and Space is that infrastructure comprised of our planetary ICT landscape.  Digital infrastructures are now so integrated that cyberspace incidents such as the cyber war in Estonia, Stuxnet in Iran, the Sony Pictures attack in the U.S. and the more pervasive "Ransomware" worldwide are just the initial indicators of what still lies ahead of us.

We must now turn our attention to the positive innovation and continuous "Proactive Defense" of our critical infrastructure.  Nation states such as Japan and others, who are the key gateways for undersea cables, truly understand the vital nature of their ICT assets.

A nation-state's "Cyberspace Strategy" has now evolved beyond the current state, to the "Fifth Domain".  Global 500 companies are fighting DDoS botnets on a daily basis, trying to keep e-commerce running.  This largely invisible war will continue to evolve as new technologies and supercomputers become the new normal.

"On Tuesday, the chancellor, Philip Hammond, announced that the government was “investing” £1.9bn in boosting the nation’s cybersecurity. “If we want Britain to be the best place in the world to be a tech business,” he said, “then it is also crucial that Britain is a safe place to do digital business… Just as technology presents huge opportunities for our economy – so too it poses a risk. Trust in the internet and the infrastructure on which it relies is fundamental to our economic future. Because without that trust, faith in the whole digital edifice will fall away.”"

20 November 2016

Intuition: Security in a World Without Borders...

"Technology is not going to save us.  Our computers, our tools, our machines are not enough.  We have to rely on our intuition, our true being."  --Joseph Campbell

On a crisp Fall morning, one week after the U.S. National Election, we were lining up outside the Harry S. Truman Building of the United States Department of State.  The Bureau of Diplomatic Security - Overseas Security Advisory Council was hosting its 31st Annual Briefing.

This year's briefing was focused on "Security in a World Without Borders" and as we passed through our ID check and screening, the anticipation was high.  Its private sector constituents, from the Fortune Global 500 to the small U.S.-based professional services firm, had one key similarity.

Leaders in attendance recognize that their business is integrated forever with an exponentially expanding system of interconnected machines.  CxO's across the globe are competing for business in the era of "The Fourth Industrial Revolution" where the vulnerabilities extend beyond the Critical Assets of the enterprise.

This year's keynote address was by Richard Davis, CEO of U.S. Bancorp.  His talk struck many as heartfelt as he recounted his rise from the days at the branch level securing the vault.  Now, he emphasized, most of his effort was focused on Operational Risk Management (ORM).  Data, Identities and Distributed Denial of Service (DDoS) were on his mind every day now.

Beyond the threats of a Post-ISIL Levant and operating in a world of Transnational Organized Crime, the room was almost full on Day 2 for the 10:45AM panel discussion "Developing an Insider Threat Program", moderated by Elena Kim-Mitchell, ODNI.

The OSAC participants on the panel were:
  • Roccie S., Capital One | Financial
  • Stanley B., Rolls-Royce North America | Defense Industrial Base
  • Joseph L., Southern Company | Energy
Each of these experts described the high-level architecture of their respective organization's design and approach to an "Insider Threat Program" (InTP), and they had consensus on one key element.

The "Human Factor".  The point that they all wanted to ensure the audience understood clearly is that all of the analytics software, data loss prevention (DLP) tools and sophisticated technology were not going to stop a determined and motivated adversary.

So what?

Your intuitive abilities as a human shall not be ignored or discounted.  How many times have you said to yourself, "I knew something wasn't right with that person"?  In fact, many times we are alerted to the anomalous behavior of a co-worker because we have the human factor of intuition working 24x7 in our brains.

Gavin de Becker has said it best in his book "The Gift of Fear," yet we must not forget that these behaviors apply to everyone:
  • We seek connection with others.
  • We are saddened by loss and try to avoid it.
  • We dislike rejection.
  • We like recognition and attention.
  • We will do more to avoid pain than we will do to seek pleasure.
  • We dislike ridicule and embarrassment.
  • We care what others think of us.
  • We seek a degree of control over our lives.
As our software systems learn and we begin to rely more often on the algorithms to recognize, translate and predict, we must not lose sight of our human intuition.  Do you have it?  Yes.  Are you using it more often and more effectively?  We hope you will be.

How often have we all said the signs were there?  How many times are the clear and present indicators in the workplace being ignored?  An organization's "Duty of Care" is continuously at stake.  Human factors alone, just like software system alerts alone, will continuously expose the enterprise to significant loss events.  Here is just one example from the Washington Post:

The Pentagon’s Defense Security Service announced this year that contractors will be required to implement programs that are designed “to detect, deter and mitigate insider threats.” Contractors will be required to designate a senior insider threat official to oversee the program and provide training on how best to implement it.

While many details of the Martin case are not yet known, it is clear that it is not good for Booz Allen to have a second employee charged with stealing secrets from one of its most important customers, officials said.

What is the solution?

Government contractors, private sector businesses and their small and medium enterprises that are within the supply chain ecosystem for products and services, are continuously challenged.  They are under the growing umbrella of a myriad of federal acquisition guidelines.

In addition, various export, civil liberties and privacy laws focused on preserving the integrity and trust of the United States in an international marketplace, are compliance mandates for your global commerce.

New solutions are required as a result of the increasing spectrum of threats from individuals in the workplace, to the cyber nexus infiltrating your trade secrets and theft of intellectual property.

The TrustDecisions “Insider Threat Program” (InTP) has been designed from the ground up for organizations operating in highly regulated “Critical Infrastructure” sectors, including Financial, Energy and the Defense Industrial Base (DIB).

Many companies have already started the establishment of an “Insider Threat Program” (InTP).  Utilizing Subject Matter Experts from TrustDecisions will provide your organization with the confidence and continuous assurance that you stay on course.

“Achieving Trust” with employees, clients and suppliers is paramount in our digital 24x7x365 economy.  Designing and adapting the InTP to your unique culture and the changing threat landscape is a vital strategy.

12 November 2016

Exponential Innovation: Systems Risk with Beneficiaries...

When you have the opportunity to watch or attend TED, how does it make you feel?  Do you get the sense that the person behind the story, the idea, the innovation, is more genuine and sincere?

What about those advocating for "Exponential" change?  Individuals and organizations that have made the leap beyond incremental change and invention and are on to the concept of "Exponential Innovation".  The xPrize Foundation is a perfect example.

How can big ideas, bold inventions and people with exponential thinking accelerate their cause, advocate their blueprint or design a creative new alternative?  They need a system.  A model and community platform for ingesting ideas, testing prototypes, adapting designs and fostering continuous experimentation.

Why do you need a new system in your organization?  Let us start with some simple mathematics.  Multiply the number of people in your organization x 2.  Now think about the number of products, initiatives or major changes that you successfully implemented over the course of the last 12 months.  How many?

It is a safe estimate that each of your employees has at least two new ideas or bold ways to improve or change a product or process in your organization each working day.  500 employees x 2 ideas x 250 working days = 250,000 potential ideas, changes or exponential innovations.  How did you capture these and utilize a system to capitalize on them, for your organization and those you serve?

What does this new innovation system have to do with Operational Risk Management (ORM)?

The Operational Risks associated with an organizational system for capturing, nurturing and producing new found Intellectual Capital are vast.  The goal however is to simultaneously accelerate, share and produce a collective thought leadership within the greater public-private community.  This in itself creates new challenges, in order to minimize the potential for significant losses and external risk events.

Across all the domains for "Exponential Innovation", from Healthcare, Space Travel, Artificial Intelligence and Ocean studies to name a few, lies one of the greatest barriers to our ultimate progress: adapting to the ecosystem of people utilizing the product or service.

Total immersion in the marketplace or with the customer, the beneficiary of the new product, service or invention, is a significant factor for future success.  The single factor of time, being embedded with the actual end user, recipient or beneficiaries of the newfound innovation, is directly proportional to the Operational Risk exposures.

Think about it.  When was the last time your CEO or chosen leader was embedded with the customer for more than a few hours or a day?  How often is the scientist, designer or engineer using the product or system side by side with the beneficiary?  Not often enough or long enough.

Sure, we have all heard the mantra about "Managing by Walking Around" for decades, yet why do we continue to see the outcomes of this failure at well-managed companies such as Wells Fargo and Samsung?  Operational Risk Management (ORM) shall be a component of any major initiative and a necessary competency in any dangerous or high-risk environment.

From the decks of aircraft carriers to the trading on Wall Street and within the test trials of new pharmaceuticals, to the Yottabytes of data across the Internet, Operational Risk Management (ORM) is more relevant than ever on an exponential scale.  Just ask Elon Musk, Warren Buffett, Bill Gates or Ash Carter what they think...

06 November 2016

Internet Hurricanes: Resilient Trust Decisions into the Future...

"Trust Decisions" are made in nanoseconds as a human being.  Your past experiences, data stored in your brain from sensory collection and a clear understanding of the rules and the consequences, assist you in your decision to trust.  To trust someone or some thing.

The science and the research on the process and systemic nature of how TrustDecisions occur, are ongoing.  Humans have for decades designed machines and software to mimic and replace our own decision making process.  It has been replaced with a foundation now found in semiconductors, artificial memory, databases, fiber optics, neural nets and 5G wireless networks.

Even deeper, trust decisions are now embedded in software code, in the machine languages that have created our ability to use the entire Information and Communications Technology (ICT) infrastructure to our advantage, while simultaneously creating a tremendous vulnerability and opportunity for systemic risk.  Our Critical Infrastructure Sectors are forever integrated, with increasing complexity and intelligence of our man-made machines.

The Fourth Industrial Revolution is upon us:

With significant growth in IoT and the cloud, machine learning and big data are becoming ever more important as a significant amount of previously untapped data are collected, assessed and digitized. These newly available data provide billions of dollars to potential businesses that can quickly and effectively evaluate the data.  Additionally, the International Data Corporation (IDC) forecasts global spending on cognitive systems will reach nearly $31.3 billion in 2019.   IDC further sees cognitively-enabled solutions that “offer the tools and capabilities to extract and build knowledge bases and knowledge graphs from unstructured and semi-structured information as well as provide predictions, recommendations, and intelligent assistance through the use of machine learning, artificial intelligence, and deep learning”.
So now what?  Only 50% of the population of our Earth is connected at this point in time.  What will happen over the course of the next two decades as the growth curve accelerates?  How as a corporate enterprise or global organization will we be able to weather the "Internet Hurricanes" that are ahead of us?
Whether it is a systemic cyber risk event or something worse, the opportunity exists now. We begin the journey by revisiting our Trust Decisions. The rules that have defined us and the rules that our machines are executing on our behalf.

The decisions to trust that occur when our iPhone App utilizes wireless networks and GPS to guide us using Google Maps to our next destination.  The decisions to trust as the bank debits your checking account and routes the funds to your mortgage company.  The decisions to trust as the doctor reads the vital signs on the monitors attached to your loved one in the ER.

As Operational Risk Management (ORM) professionals, we must adopt a continuous resilience mindset.  We look at the automation and the benefit of the machine and yet we ask ourselves what if?  What if the battery fails?  What if the connection is lost?  What if the data is corrupted?

There is one idea that has been utilized to address this in an organization.  It begins as an exercise in resilience planning and beyond.  Start with a small team or project group.  Announce in advance that on a certain date and time, an "Internet Hurricane" will hit and a systemic cyber event will last 24 hours.  Could you survive?

This is not a new idea.  Clearly, the exercise for Disaster Recovery Planning (DRP) has other nuances yet it serves the point.  When was the last time your team was able to operate without access to data from a networked system?  The time has come to prepare for that next digital storm ahead of us.  Will you be ready to operate in an austere environment of your corporate domain without the Internet?

"It is really very simple. In the foreseeable future, we will not function as a global society without the Net and the immense digital resources and information assets of our society. The addiction is established—commerce, government, education, and our neighbors offer no option other than to require that we rely upon digital information in making decisions. But we will not function successfully if the war for control of those assets is lost. The battlefield, however, is the one on which trust is to be gained or lost—trust in the information we use, trust in the infrastructures that support us, and trust in the decisions we make in a digital world."

Achieving Digital Trust - Jeffrey Ritter

30 October 2016

Legal Risk: Tools for Trusted Governance...

One of the reasons that the United States has endured is because of transparency and the rule of law.  There are several key systems in place for corporations, organizations and governments to decide on the rules, publish them, enforce them and provide people with mechanisms for establishing trust in the system.  Operational Risk Management (ORM) as a discipline interfaces with many of them across the globe.

Policies that are not codified in laws are different across states and global jurisdictions.  The rules that people can rely on and have come to trust for hundreds of years remain the foundation for our modern civil societies.  It is when the rules are ignored, underutilized or forgotten that disruption and chaos can erupt.

"A key principle in modern democracies is that the rule of law is known. Statutes, regulations, court decisions, agency deliberations, and even the minutes of Federal Reserve meetings are published and made available. The operating premise is that, if the rules are accessible, civil order and social continuity will be strengthened and the conduct of those violating the rules is more easily prosecuted. The old saying that “Ignorance of the law is no excuse” rests on an important premise—the law must be published and accessible. The Internet has made much of the content of the rule of law even more accessible."

Jeffrey Ritter

The country and the jurisdiction are key components for knowing the law, and in the day of the Internet the law is even more accessible.  An organization, company enterprise or governance body that is building and achieving trust has several tools at its disposal to assist in the enforcement mechanism.  One of those is an independent panel or group of outsiders who are convened to discover evidence.

A Board of Directors comprises individuals from both inside and outside the company who help guide the organization.  In a private company, this "Board of Directors" weighs the evidence in the data and makes informed decisions to govern the enterprise.  Some of these decisions may involve what products and services to develop or what people should be selected for or released from certain duties and responsibilities.

In the public sector, there is another mechanism that can be utilized: a Grand Jury.  The Fifth Amendment to the Constitution of the United States reads, "No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury..."

A grand jury is a legal body that is empowered to conduct official proceedings to investigate potential criminal conduct and to determine whether criminal charges should be brought. A grand jury may compel the production of documents and may compel the sworn testimony of witnesses to appear before it. A grand jury is separate from the courts, which do not preside over its functioning.[1]
What is one example of a notable case where a Grand Jury was used in the process of the rule of law?
The second Watergate grand jury indicted seven lawyers in the White House, including former Attorney General John Mitchell and named President Nixon as a "secret, unindicted, co-conspirator." Despite evading impeachment, Nixon was still required to testify before a grand jury.
An environment of trust includes a vital component of transparent and accessible rules. When there is a reason to discover the truth, we look to the governance factors of those rules. Then we look at the clear evidence, the data to determine the correct course of action in our inquiry.  A Board of Directors or a Grand Jury provides guidance on whether a particular case should be referred to a legal process in a particular jurisdiction.  The rules are clear.  Trust is preserved.

What are the outcomes and benefits of effective Operational Risk Management (ORM):
  1. Reduction of operational loss.
  2. Lower compliance/auditing costs.
  3. Early detection of unlawful activities.
  4. Reduced exposure to future risks.
ORM is a continual process that, when utilized effectively, will provide the four benefits described.  Why any governance organization or body that is interested in transparency and building trust would ignore the process is questionable.

ORM includes legal risk.  This is why private sector companies include the General Counsel (GC) in the team that helps to effectively govern the organization.  The GC understands the rule of law, the requirement for transparency and the factors needed to achieve integrity and trust.

Now think about your organization, your jurisdiction and the process you are utilizing to ensure more effective TrustDecisions.  What can you do differently?  What will you do to make it better?  How will you provide the best use of the rules to effectively ensure the integrity and governance of the system?

Here is just one example:

Over 60 people in the U.S. and India face conspiracy and wire fraud charges in the largest crackdown against a telephone scam ever, officials said.

Callers from centers in India posed as federal agents to threaten victims with arrest, imprisonment, fines or deportation if they didn’t pay up, according to an 81-page indictment unsealed Thursday.

At least 15,000 Americans lost more than $300 million collectively during the four-year scam, according to the feds. A Texas grand jury indicted 24 people from nine U.S. states, 32 people from India and five call centers in Ahmedabad, India, earlier this month.

23 October 2016

Intelligence-led Enterprise: CIU Success Factors...

Intelligence-led processes applied within the corporate global enterprise continue to be relevant, for reasons being published in the popular press. "Operational Risk Management (ORM) Specialists" utilize these processes to mitigate a growing spectrum of domestic and transnational threats:
Developing relevant intelligence to run daily business decisions in your institution may seem like an important task day to day. The question is, how embedded is the "Corporate Intelligence Unit" in developing the relevant intelligence your decision makers need every few minutes or hours to steer the organization away from significant losses? Is your internal web-enabled "Corporate Daily News" or "ABC Company Post" being updated in real-time by the employees in each department or business unit?
Do you have an organized, synchronized media and communications function working within your Corporate Intelligence Unit (CIU), to continuously post the correct content and manage the RSS feeds from each global business unit? Why not?
The "Information Operations" (IO) of your company are the lifeblood of how your employees will make relevant decisions on where to steer clear of significant risk.  Based upon what other business units are doing or what is going on in the external environment of your state, sector or geography, consider these scenarios:
If the internal RSS Feed for the IT department reported that there was a Distributed Denial of Service (DDoS) attack going on at the moment, how might that impact the decision by the marketing department to delay the posting of the new product release information to the Twitter site? The synchronization of intelligence-led processes is led by the head of the Corporate Intelligence Unit. The CIU is staffed with people who have a tremendous understanding of the corporate enterprise architecture and have the skills and talents to operate as effective operational risk management professionals.

If the internal RSS Feed for the Facilities Security department reported the presence of a "White Truck Van" with blacked-out windows trolling the perimeter of the corporate parking lot, how might this change the decision for the CEO to leave that minute for her scheduled trip to the airport? Skilled CIU staff would quickly notify the CEO via the "Corporate 9-1-1 Alert" App embedded in every employee's iPhone. Undercover corporate security personnel would then immediately approach the vehicle for a recon drive-by.

If the internal RSS Feed reported a recent change in industry legislation that would change the way the Federal Trade Commission defined the elements regarding consumer privacy, how might this affect the latest strategy on how the institution was going to encrypt its data in servers and on laptops? The CIU staff would advise the Chief Information Officer and other Information Security Risk staff to step up the roll-out of the latest version of PGP for the enterprise.
And the list goes on. The modern day intelligence-led Corporate Intelligence Unit (CIU), in concert with other highly specialized Operational Risk Management professionals in the enterprise can keep you safe, secure and keenly aware of new threats to your corporate assets. The degree to which you provide the right resources, funding and continuous testing/exercising of your capabilities will determine your likelihood for loss outcomes.
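One way to wire the three scenarios above into working logic, as an added example that is not part of the original post: each business unit publishes an internal RSS feed, the CIU merges them into one current picture, and a rule table decides whether a planned action should proceed, hold, be escalated or be accelerated. The feeds, planned actions and rule table are all constructed for illustration and are not real data or a real product.

```python
import xml.etree.ElementTree as ET

# Constructed sample feeds (not real data): one internal RSS 2.0 feed per business unit.
FEEDS = {
    "IT": """<rss version="2.0"><channel><title>IT Operations</title>
<item><title>DDoS attack in progress against the public web tier</title>
<category>ddos</category></item></channel></rss>""",
    "Facilities": """<rss version="2.0"><channel><title>Facilities Security</title>
<item><title>Unidentified van with blacked-out windows circling the parking lot</title>
<category>suspicious-vehicle</category></item></channel></rss>""",
    "Legal": """<rss version="2.0"><channel><title>Legal and Regulatory</title>
<item><title>FTC revises consumer privacy definitions</title>
<category>privacy-regulation</category></item></channel></rss>""",
}

# Planned actions the CIU is asked to review, as (owning unit, description).
PLANNED_ACTIONS = [
    ("Marketing", "post new product release to Twitter"),
    ("Executive", "CEO departs for airport"),
    ("CIO", "roll out enterprise disk encryption"),
]

# Hypothetical rule table: (action keyword, feed category) -> (verdict, rationale).
RULES = {
    ("Twitter", "ddos"): ("HOLD", "public release would draw traffic to a degraded web tier"),
    ("departs", "suspicious-vehicle"): ("ALERT", "notify executive protection before any vehicle movement"),
    ("encryption", "privacy-regulation"): ("ACCELERATE", "regulatory change raises the cost of unencrypted data"),
}


def parse_feed(xml_text):
    """Return (unit name, [(category, title), ...]) for one RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    unit = root.findtext("channel/title") or "unknown"
    items = [(i.findtext("category", "").strip(), i.findtext("title", "").strip())
             for i in root.iter("item")]
    return unit, items


def build_picture(feeds):
    """Merge every unit's feed into one dict: category -> list of (unit, title)."""
    picture = {}
    for xml_text in feeds.values():
        unit, items = parse_feed(xml_text)
        for category, title in items:
            picture.setdefault(category, []).append((unit, title))
    return picture


def review_actions(picture, actions):
    """Check each planned action against the live picture; the default verdict is PROCEED."""
    results = []
    for owner, action in actions:
        verdict, why = "PROCEED", "no conflicting intelligence in current feeds"
        for (keyword, category), (rule_verdict, rule_why) in RULES.items():
            if keyword in action and category in picture:
                source = ", ".join(unit for unit, _ in picture[category])
                verdict, why = rule_verdict, f"{rule_why} (source: {source})"
        results.append((owner, action, verdict, why))
    return results


if __name__ == "__main__":
    for owner, action, verdict, why in review_actions(build_picture(FEEDS), PLANNED_ACTIONS):
        print(f"[{verdict:>10}] {owner}: {action} -- {why}")
```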

If your organization has been impacted by loss outcomes that continuously put your employees, stakeholders or assets at risk, then look hard and deep at your "Operational Risk" quotient, to determine if you are the best you can be...

15 October 2016

Scrutiny: The Noun Missing From Your Culture...

The culture of your business or organization will continue to be the root cause of many of your most substantial successes.  Simultaneously, it will be one of the most significant factors in your potential downfall as a company.  Operational Risk Management (ORM) professionals at Wells Fargo and Booz Allen Hamilton, are still dissecting all of the evidence of their respective events.

"Managing Risk to Ensure Intelligence Advantage" is a theme that you may not have heard before, unless you are in the Intelligence Community.  There is one key principle that is worth emphasizing again at this point in time:
Ensure all work is subject to scrutiny.  Require conflict of interest-free peer review for all programs, projects and strategies.
This principle, which shall become pervasive across the culture of the organization, is imperative for several reasons.  The first is that a culture really is a manifestation of the people and the behaviors that are normal in the organization.  The second is that the culture shall strive to be a true mosaic of the best thinking and ideas from all the key stakeholders in the enterprise, not just one or two people from the top or a singular department.

Submitting your work to the scrutiny of others is the beginning of newfound discovery and transparency insight.  It is the foundation for building a more trusted operating environment, with as little bias as you can possibly have in a culture.  When an organization spins out of control and becomes the latest case study on an Operational Risk failure event, you must learn from it.  Wells Fargo is just one recent example:

Some consumers may be shying away from Wells Fargo after learning that employees used customers’ information to open sham accounts, according to new figures reported by the bank.

The nation’s largest retail bank beat expectations when it reported more than $5.6 billion in profit for the past three months. But the bank’s earnings report also hinted that Wells Fargo may have some trouble convincing people to open new accounts in the wake of the scandal.

The number of checking accounts the bank opened in September fell by 25 percent from the same time last year, the company reported Friday. Credit card applications filed during the month dropped by 20 percent from a year ago. And the number of visits customers had with branch bankers also fell by 10 percent from last year.

Washington Post

Whether you are in the international banking and finance business, the defense industrial base or any other set of critical infrastructure institutions that public citizens are counting on, there is no room for a runaway culture.  Consider this definition:

scrutiny

noun, plural scrutinies.

1. a searching examination or investigation; minute inquiry.

2. surveillance; close and continuous watching or guarding.

3. a close and searching look.

You see, the integrity and longevity of your "Trust Decisions" begins with the sharing of relevant information.  Sharing that information with your most trusted and significant partners is the start. The beginning of a dialogue with people in your culture who continuously review the information, the new strategy. This begins the ongoing process. It is now time for others to look at your idea, your strategy, your policy rule, from their perspective. From their knowledge-base. To scrutinize it. To analyze it. To make sense of it for them and those affected by it.
The truth is, you don't have all the understanding and you don't have all of the ecosystem knowledge. You don't have the entire data set, to know if the specific work you have been doing is sound and correct. That the new work you have designed, is culturally and morally acceptable. That the outcomes of your project will produce the results imagined. That the strategy and the work, is the right thing to do at this point in time.

So how do you change? It begins with your next management meeting and beyond. If you are the leader, the manager, the director, the Vice-President or the CxO, start now. Ask for scrutiny on your proposed strategy. Gain new insight and understanding. Ask for feedback and changes to make it better. Your power in the culture and its impact is your greatest weakness. Your people will follow you, unless you challenge them to think differently...