24 June 2017

Walking the Talk: Asymmetric Lessons Learned...

Operational Risk Management (ORM) is about "Walking the Talk." What are you advocating in your solutions, services and advice to clients, or within your own organization? When you "Walk the Talk," you believe in, and first demonstrate to yourself and your own organization, that you execute and comply with what you say is policy; that demonstration is a key factor in your own Continuity of Business Operations.

You carry out, in a demonstrable form, the rule-sets, best practices, ethics and behaviors that you are asking your own customers and your suppliers to follow. Your failure to do so can have tremendous ramifications.  Nicholas Weaver explains:
The payload of CrashOverride is rather elegant in its simplicity; in a way it’s reminiscent of how a toddler might sabotage the lights at home. Once CrashOverride is running on a control system, it begins by mapping out all the circuit breakers. Once the payload knows where all the switches are, it can launch the primary malicious attack, either by turning off all the switches or—potentially more catastrophically—by repeatedly flipping them on and off until the substation in question is isolated.
Asymmetric Warfare is about an indirect strategy and the ability to compromise your target through non-traditional methods.  You and your organization might just be a pawn in a more sophisticated, planned and smart attack on a much more worthy adversary. Whether the intended target is a Critical Infrastructure organization in the financial, energy or defense industrial base (DIB) doesn't really matter.

Supply Chain Risk Management (SCRM) is not just about validating where and how embedded circuits, EPROMs and other systems software are assured for quality and kept free of tampering. SCRM is also about your vendors themselves being compliant within their own enterprise, both in the manufacturing of their own products and in the operational environment of their solution ecosystem.

The trust and confidence of your extended partners, clients, contractors and key suppliers is ultimately about "Walking the Talk." 
Malicious and trusted insiders pose a range of challenges in terms of counterintelligence risks and physical threats, and experts say policy needs to catch up quickly to the new technologies available to help mitigate the problem.  Mackenzie Weinger is a national security reporter at The Cipher Brief.
If you are a prudent CSO or CISO of a critical infrastructure product or services organization, beware. You may just be what the enemy needs to perpetuate their asymmetric operations on the Homeland. Beyond your own reputation being at stake, so too is the trust, safety and security of the entire economic infrastructure of the United States.

17 June 2017

Innovation: Investing in the Linchpins...

There are new innovation initiatives that have been launched across America and internationally over the past few years.  Each has a vertical or horizontal focus to attract a particular set of entrepreneurs, coders, researchers and founders or data scientists.

You may have seen the accelerators, the incubators, training boot camps or even the H4D class being offered in your particular U.S. city or university lately.  Behind these initiatives are leaders, executives and fellow startup founders/practitioners who have developed a combination of methodologies and strategies to produce new products and problem-solving business platforms.

After several years of practicing and mentoring in this category, and recently devoting 30+ hours to first-hand observation, several insights emerged.

First off, the quality and experience of instructors, mentors and the support ecosystem is vital.  You must create a robust program to recruit, train and continuously facilitate the actual people who surround the accelerator, incubator or university class and are devoting their time and resources to volunteer.

The ecosystem itself requires tested and proven processes, business rules and significant buy-in by all contributors.  The volunteers need a set of program prerequisites, a framework and the coaching along the way, to make their experience just as valuable as the participants in the innovation entities program.  Many of the mature innovation programs do this already.

Second, the founders, subject matter experts, linchpins, content providers or problem-set sponsors should have their own meetings and live interactions before and after each iteration of the participants' program.  As an example, if the incubator has a cohort that is in residence over the course of 10 weeks, on Tuesdays from 4:30-7:30PM, then the volunteers should meet for 30 minutes before and 30 minutes afterwards.

Why?

During those 3 hours there are plenty of live interactions, new learning, comments and ideas generated with the actual program participants.  It is just as valuable for the volunteers to share and interact after each iteration or cohort meeting to prepare and to debrief.  Certainly some of the follow-up learning could be captured using Slack or other online tools, yet having those linchpins face-to-face and interacting live is ever so valuable.

So What?

The maturity of the systems and processes associated with the innovation initiative will be a key factor in the long-term success and longevity of a particular program.  Yet even a set of solid systems can be influenced and characterized simply by the combination and quality of the people who are interacting with and supporting these systems.  The parallel effort and devotion to one-to-one development, training and post-program metrics for these instructors, mentors, problem sponsors and facilities or resource donors is paramount.
If you are an innovation engine producing new entrepreneurs and business startups that utilizes an ecosystem of volunteers, your future success will be directly linked to these vital linchpins...

04 June 2017

Decision Advantage: The Business of Information Assurance...

The CxOs in the Global 500 are ever more involved in the state of asymmetric warfare over Intellectual Property (IP), Economic Espionage and the simple but effective use of ransomware.  The "Decision Advantage" and its national security implications intersect with international commerce and the constant security vs. privacy policy debates.

How would you invest resources to Deter, Detect, Defend and Document (4D) within your enterprise if you knew that your organization would be continuously vulnerable for the next 6 years?  What would you change, if this was the current state of play:
"A recent study from the RAND Corporation, a global policy think tank, determined that among any given entity's stockpile of zero-day vulnerabilities, only 5.7 percent of these bugs will be discovered and publicly disclosed by a second party within a year's time. (Note that the study does account for additional groups that may also find some of the same bugs but decide to secretly hoard them.) Moreover, the study found that exploits and their corresponding vulnerabilities have an average life expectancy of 6.9 years before they are uncovered and patched."
You won't have to invest more dollars in a pest extermination company such as Orkin to address this kind of bug.  The software vulnerabilities that exist in your organization will be unknown to you long enough for the adversaries to live and operate freely inside your company, for months if not years.

The mindset shift that is necessary now is to view the enterprise as you would any major change management initiative: one that is continuously evolving based upon market shifts and new product introductions.  You have to be "Adaptive," and you must respond to the competition's new marketing campaigns.

Why is it so hard for you, to take the "Strategy of Business" and make the leap to the "Strategy of Information Security?"

When the competitor launches a new feature set and the corresponding Ad campaign, how do you pivot?  What do you do to counter the potential erosion of your market share?  How much money and resources are devoted to the new roll-out, brand recognition and sales events?

Can you imagine sitting back and doing nothing for months or years, while your adversaries in business are exploiting your slow and weak response in the marketplace?

The nation-states and Crime, Inc. are betting on the reality that you don't take Information Security seriously in your organization.  They do their research to see which Global 500 organizations are keeping their Information Technology budgets flat year-to-year.  They use this Intelligence to stack-rank their list of targets for the software vulnerabilities they are buying each day on the "Deep Web."

Is your Chief Information Security Officer (CISO) still reporting to the Chief Information Officer (CIO)?  Is your Chief Privacy Officer (CPO) even part of your Senior Staff?  Can you show a line item increase for Information Security in your year-to-year budget, to address the change management reality and strategy of your enterprise?

Have you and your Board of Directors had a briefing yet on "The Shadow Brokers?"  What does it all mean for your enterprise?

It means that the traditional way of thinking about protecting and defending your organization is over.  It means that the standard "Go-to-Market" strategy and "Competitive Intelligence" investments that you are making should incorporate a parallel "Information Assurance" program.

The business of an "Adaptive Enterprise Architecture" and "Decision Advantage" requires bold new thinking and even harder changes of personal and organizational behavior.

So what?

The truth and reality of your business survival means a significant change in strategy and in investment.  Do your own research within your own organization this week.  Get the numbers and the data to show how much you are spending next budget cycle on Information Assurance vs. last year.

Find out where the budget is being allocated year-to-year, and why.  You know how to do this; you have been doing it for years with the Marketing and Sales Department.

What is the opportunity?

Sometimes the digital truth is difficult and in the end, the trusted reality becomes almost "Darwinian".  Survival in the next decade will be about your "Decision Advantage" at the speed of Digital Trust...

28 May 2017

Memorial Day 2017: Honoring All of Our Fallen...

On Memorial Day 2017 in the United States, we remember those who have defended our freedoms and our Republic.  As the sound of modern aircraft lifting off carries from the distance and the 50 stars and 13 stripes of our flag wave in the wind, we pause.

This day is about a visit to Arlington National Cemetery or another ceremony, to stand and remember those whom you once knew:


Neil was just one of those who have served our country with distinction and honor in Special Operations.  A man who did not die as a result of fighting in the Civil War, World War I or II, the Korean War, or Vietnam.  He served our country with courage in the Global War on Terrorism (GWOT):

"Neil Christopher Landsberg of Frederick, Maryland, passed away May 9, 2013. Born January 13, 1980 in Wichita, Kansas, he attended Thomas Johnson High School, Frederick, MD and Valley Forge Military Academy in PA. He graduated from the Citadel, Charleston, SC and served with distinction as a Captain in USAF Special Operations receiving the Air Force Commendation Medal, Air Force Achievement Medal, Meritorious Service Medal, Defense Service Medal, Afghanistan Campaign Medal, and Global War on Terrorism Service Medal. He was employed by Blackbird Technologies."

As we bow our heads this Monday, May 29, 2017, think about our United States and about the less than 1%.  The less than 1% of U.S. citizens who have made so many sacrifices in life for our country.  You also have to include a tremendous thank you to all of those family and friends who were, and still are, the support system for our service members.

Just up the Potomac River in Langley, Virginia, there are 125 or so Stars on a Memorial Wall.  These remember those individuals from the CIA who have also fallen in the line of duty to our nation.  They too are acknowledged and remembered this Memorial Day.

What can you do on this day to "Honor our Fallen":
  • Donate or volunteer for a cause that was important to them
  • Write them a letter
  • Talk about them
  • Fly the American flag high
As you navigate your daily routine on Tuesday, reflect on all that Neil and the hundreds of thousands of others have given their lives for:
"We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America."

20 May 2017

Board of Directors: 4D Strategy Revisited...

The Board of Directors is convening this week, and there is an item back on the agenda that we haven't seen for some time:

Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

These Business Continuity (BC) and Disaster Recovery (DR) parameters are being addressed for good reason: WannaCry, and the impending tsunami of cyber worms attacking our critical infrastructure across the globe.

Designing a resilient and fault-tolerant architecture for your Operational Risk Management (ORM) strategy should focus on critical assets and on the impact of unidentified single points of failure.  Implementing a highly available IT infrastructure and resilient applications that can quickly respond to major incidents or a disaster scenario is vital in our 24x7x365 operations.

Beyond revisiting the ability to recover from a sudden disaster, the Board of Directors may be asking Senior Management about the global standard for Information Security, ISO 27001:
The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
More important for organizations that may say to themselves, "well, we are safe because we are in the cloud," is the standard ISO 27017:

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

- additional implementation guidance for relevant controls specified in ISO/IEC 27002;

- additional controls with implementation guidance that specifically relate to cloud services.


As an example, Amazon Web Services Cloud Compliance enables customers to build on AWS's own adherence to the ISO 27001 standard.  Yet within the shared responsibility model there are responsibilities that remain yours, and you must be aware of them in the relationship between your organization and AWS:

While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.


So what?

If you retain ownership and control over your content within a cloud implementation architecture, what about answers to these highly relevant questions:
  1. What does our organization need to comply with the laws pertaining to privacy and data protection?
  2. Who will have access to content?
  3. Where will storage of content be located physically / geographically?
  4. How will the content be secured both physically and virtually?
So, in this environment of shared responsibility, let us ask a simple question: who is accountable for the configuration of the AWS-provided security group firewall?  This is an area of your responsibility, along with all operating system, network and firewall configuration.
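Because the security group is the customer's side of the shared responsibility model, the check that matters is a simple one: which ingress rules admit traffic from anywhere on the Internet to ports that should never be world-reachable? The audit below is an added example, not code from the original post or from AWS. The two security group documents are constructed by hand in the shape returned by `aws ec2 describe-security-groups` (`IpPermissions`, `IpRanges`, `CidrIp`, `FromPort`, `ToPort`), the group ids and the `203.0.113.0/24` administrative range are placeholders, and the list of sensitive ports is an assumption chosen for illustration; a weak group (SMB and RDP open to the world) is shown beside its corrected form.

```python
"""Audit AWS security groups for ingress rules open to the whole Internet.

Added example (not from the original post or from AWS). The security group
documents below are constructed by hand in the describe-security-groups
shape; group ids and CIDRs are placeholders.
"""

# Assumption for this example: ports that should never be reachable from
# 0.0.0.0/0 or ::/0 on a typical workload. 445 is the SMB port that
# WannaCry propagated over, 3389 is RDP, 22 is SSH, 139 is NetBIOS.
SENSITIVE_PORTS = {22: "SSH", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _rule_cidrs(rule):
    """All IPv4 and IPv6 source ranges attached to one ingress rule."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return cidrs


def _exposed_sensitive_ports(rule):
    """Sensitive ports covered by the rule; every one if protocol is -1 (all)."""
    if rule.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def find_world_open_ingress(group):
    """Return one finding per (sensitive port, world CIDR) pair in the group."""
    findings = []
    for rule in group.get("IpPermissions", []):
        world = [c for c in _rule_cidrs(rule) if c in WORLD_CIDRS]
        if not world:
            continue
        for port in sorted(_exposed_sensitive_ports(rule)):
            findings.append({
                "group": group["GroupId"],
                "port": port,
                "service": SENSITIVE_PORTS[port],
                "sources": world,
            })
    return findings


def _tcp_rule(port, *cidrs):
    """Build a single-port TCP ingress rule (helper for the constructed data)."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
        "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c],
    }


# Constructed: the weak group exposes SMB and RDP to the world; HTTPS to the
# world is expected for a public web tier and is not flagged.
WEAK_GROUP = {
    "GroupId": "sg-weak-placeholder",
    "IpPermissions": [
        _tcp_rule(445, "0.0.0.0/0"),
        _tcp_rule(3389, "::/0"),
        _tcp_rule(443, "0.0.0.0/0"),
    ],
}

# Constructed: the corrected group limits SMB to the internal network and
# RDP to a placeholder administrative range, and keeps HTTPS public.
HARDENED_GROUP = {
    "GroupId": "sg-hardened-placeholder",
    "IpPermissions": [
        _tcp_rule(445, "10.0.0.0/8"),
        _tcp_rule(3389, "203.0.113.0/24"),
        _tcp_rule(443, "0.0.0.0/0"),
    ],
}

if __name__ == "__main__":
    for group in (WEAK_GROUP, HARDENED_GROUP):
        for finding in find_world_open_ingress(group):
            print(f"{finding['group']}: {finding['service']} (port {finding['port']})"
                  f" open to {', '.join(finding['sources'])}")
```

Run against real output by loading the JSON from `aws ec2 describe-security-groups` and passing each entry of `SecurityGroups` to `find_world_open_ingress`; an all-protocol rule (`IpProtocol` of `-1`) from a world CIDR is reported once per sensitive port, since it exposes all of them.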

The Board of Directors needs to revisit Business Continuity Planning and Disaster Recovery with the CIO and all IT stakeholders at your organization, including ISPs and any third-party infrastructure suppliers.

Why?

The "Business" is in many cases out of "Sync" with the Information Systems / Data Management / Privacy / Security side of the enterprise.  The WannaCry issues may not impact your organization directly, because you have already patched your systems and are beyond the vulnerabilities of this operating-system-specific threat.

Where the business is heading in the next six to nine months with mergers, acquisitions and even consolidation will impact your overall enterprise architecture. The business pace of change will most likely be months, even years, ahead of where the IT infrastructure is today, and it must become more resilient.

In order to understand that an attack is actually occurring, normal results have to be documented and a historical trend has to be established. What is normal? How do you know what normal looks and feels like? You document, store, record and analyze what normal is. If you have done this for long enough and across the potential targets the attacker is trying to exploit, then you will know the second an unauthorized result takes place.
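The paragraph above is the core of the "Document" in 4D: record what normal looks like, then compare each new observation against that record. The script below is an added example, not code from the original post. It parses a constructed log of daily per-host metric readings (the line format, host names and metric name are assumptions for this example), builds a per-host, per-metric baseline of mean and standard deviation from the "normal" period, and then flags two kinds of unauthorized result against a new day's readings: a value far above its baseline, and a host that was never observed at all during the baseline period and therefore has no "normal" to compare with.

```python
"""Baseline 'normal' from historical readings and flag deviations from it.

Added example (not from the original post). The log lines, hosts and the
metric name are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict

# Assumed line format for this example: "<timestamp> host=<h> metric=<m> value=<n>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) metric=(?P<metric>\S+) value=(?P<value>\d+)$")

# Constructed baseline period: five quiet days of SMB session counts per host.
BASELINE_LOG = """
2017-05-08T00:00:00Z host=fileserver-01 metric=smb_sessions value=10
2017-05-09T00:00:00Z host=fileserver-01 metric=smb_sessions value=12
2017-05-10T00:00:00Z host=fileserver-01 metric=smb_sessions value=11
2017-05-11T00:00:00Z host=fileserver-01 metric=smb_sessions value=9
2017-05-12T00:00:00Z host=fileserver-01 metric=smb_sessions value=13
2017-05-08T00:00:00Z host=workstation-07 metric=smb_sessions value=0
2017-05-09T00:00:00Z host=workstation-07 metric=smb_sessions value=0
2017-05-10T00:00:00Z host=workstation-07 metric=smb_sessions value=1
2017-05-11T00:00:00Z host=workstation-07 metric=smb_sessions value=0
2017-05-12T00:00:00Z host=workstation-07 metric=smb_sessions value=0
""".strip().splitlines()

# Constructed "today": the file server is within range, a workstation that
# normally opens no SMB sessions suddenly opens 25, and an unknown host appears.
NEW_LOG = """
2017-05-13T00:00:00Z host=fileserver-01 metric=smb_sessions value=14
2017-05-13T00:00:00Z host=workstation-07 metric=smb_sessions value=25
2017-05-13T00:00:00Z host=workstation-99 metric=smb_sessions value=3
""".strip().splitlines()


def parse(lines):
    """Yield (host, metric, value) for every line matching the assumed format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m["host"], m["metric"], int(m["value"])


def build_baseline(lines):
    """Map (host, metric) -> (mean, population stdev) over the normal period."""
    samples = defaultdict(list)
    for host, metric, value in parse(lines):
        samples[(host, metric)].append(value)
    return {key: (statistics.mean(vals), statistics.pstdev(vals))
            for key, vals in samples.items()}


def detect(baseline, lines, k=3.0, floor=1.0):
    """Return (host, metric, value, reason) for readings outside 'normal'.

    A reading alerts when it exceeds mean + k * stdev. The stdev is floored
    at `floor` so a host whose history is almost all zeros does not alert
    on a single session, only on a real jump. A (host, metric) pair with no
    baseline at all is reported too: there is no documented normal for it.
    """
    alerts = []
    for host, metric, value in parse(lines):
        key = (host, metric)
        if key not in baseline:
            alerts.append((host, metric, value, "no baseline: never observed before"))
            continue
        mean, sd = baseline[key]
        spread = max(sd, floor)
        if value > mean + k * spread:
            alerts.append((host, metric, value,
                           f"exceeds baseline mean {mean:.1f} + {k:g} * {spread:.1f}"))
    return alerts


if __name__ == "__main__":
    for host, metric, value, reason in detect(build_baseline(BASELINE_LOG), NEW_LOG):
        print(f"ALERT {host} {metric}={value}: {reason}")
```

The design choice worth noting is the floor on the standard deviation: a host whose baseline is all zeros has a standard deviation of zero, and without a floor any nonzero reading would alert, which trains operators to ignore the output. The same structure applies to any metric you choose to document (logons, outbound connections, process launches); the value of the approach comes from having recorded the baseline before the incident, not from the arithmetic.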

The Take Away

Documenting the behavior of people, processes, systems and external events is a vital component of a complete strategy for risk mitigation. Understanding what normal "is" begins with effective documentation and analysis. Many organizations begin to document long after it is too late, or as a result of a significant business disruption. Documentation remains a challenge for many, and a task that attackers know is likely to be left undone or behind schedule.

Conclusion

You must create the culture and the due diligence to see that your IT strategy becomes part of the fabric of the organization internally and with outsourced partners or suppliers. Only then will the attacker realize that this combination to deter, detect, defend and document is alive and growing in your enterprise. This is when attackers become discouraged, afraid, uncertain and ultimately ready for a new and less formidable adversary.

Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result, to obtain their objective.  These "4D" lessons should put you on the way to creating a more survivable business.

14 May 2017

Digital Illiteracy: Trust Decisions in a Global Race...

Executive Management and the Board of Directors are asking Chief Information Officers (CIOs) and CISOs about WannaCry this weekend.  The illiteracy and complacency of key officials in business and governments across the globe are again evident today:
"The ransomware strain WannaCry (also known as WanaCrypt0r and WCry) that caused Friday’s barrage appears to be a new variant of a type that first appeared in late March. This new version has only gained steam since its initial barrage, with tens of thousands of infections in 74 countries so far today as of publication time. Its reach extends beyond the UK and Spain, into Russia, Taiwan, France, Japan, and dozens more countries."
If you are an Operational Risk Management (ORM) professional in your particular organization, you may be on high alert.  You may have had a few sleepless nights since Friday, as the wave of infections propagated across systems and networks running Microsoft operating systems.

Are you or your organization a victim?  Why?

The illiteracy and complacency of senior management across commercial and government enterprises about information security continues to plague our critical infrastructure sectors and institutions.  In 2017, this fact is our greatest vulnerability and threat.

How does any legitimate organization, public or private, explain being subjected to an exploit that has been known about for months?  What excuse could there possibly be for not having patched a system that is most likely far beyond "Out-of-Date"?  Many excuses will be told, and many others will try to explain to the Board of Directors about the lack of funding or the vast complexity of a systems network.  Yet here we are in 2017, with the same set of complacent attitudes and practices still in existence.

Emily Dreyfuss at Wired.com sums it up nicely from a government perspective:
"All of this underscores how digital illiteracy at every level of government endangers the security of the nation and the functioning of democracy. It takes a multi-pronged, concerted approach, with smart internal policies, federal legislation, tech savvy diplomats, and a willingness to realize information security is a critical skill for the defense of the nation—all of which is incredibly difficult to achieve even when a government is functioning well."
At the dawn of the World Wide Web, many of us in the "Information, Communications & Technology" (ICT) industry understood and studied the new ecosystem and battle space evolving before us.  All of those subject matter experts and government officials have been immersed in the Internet environment for over 20 years.  Even to this day, we wonder why executives still "Don't get it."

In many cases we understand that not every executive is going to understand the tech vulnerabilities of ransomware.  Yet are the same executives capable of understanding the simple concept of Disaster Recovery Planning?  The ability to accomplish incremental and daily back-ups of data?  We think they also can understand the concept of patching systems that are vulnerable.

The budgets devoted to ICT are in many cases a mystery to illiterate executives.  CIOs and Chief Information Security Officers (CISOs) would most likely say, in general, that they do not have enough resources to fight the battle.  This is known.

Trust Decisions that occur within the ranks of senior management are now maturing to the point of focusing on building digital trust across the enterprise.  Decisions to trust between humans are different from decisions to trust between machines.  Or are they?

Achieving Digital Trust requires a vast yet easily comprehended set of rules and policies.  Is the United States losing the race for "Digital Trust?"  Consider this blog post from Jeffrey Ritter:

"Advances toward digital trust, whether enabling commerce or government autocracy, require enormous resources to create the inter-dependencies and inter-operabilities that enable digital information to be functional and useful. The conspicuous absence of those resources is simply leaving the United States on the sideline. The disruption of digital trust may likely gain such momentum that no amount of “catch-up” investments will enable the combined assets of government and industry to catch up in the global, wired marketplace that now exists."

Executive management across America has a choice.  You as an individual could raise your education and awareness level on your ICT landscape, in several ways.  This in turn, may reduce the overall level of illiteracy and complacency across our critical infrastructure domains.  This will eventually lower our vulnerability over time.  Here is one solution:  StaySafeOnline.org

Let us start the lesson by defining the landscape and the battle space.  What is the "Deep Web?"  It is that part of the online universe that is not indexed by traditional search engines.  But how large is it?  When many executives are asked this question, they have no idea.  Not a clue.

The "Deep Web" is 500+ times larger than the surface web and growing.  The "Deep Web" is 7500+ terabytes vs. 19 terabytes that Google and others capture.  Wake up and realize the magnitude of the problem-set, as you consider the next budget allocations for the safety and security of your enterprise.

The Trust Decisions you make with your colleagues, partners, employees, customers, communities and countries, will either make you more trustworthy, or will erode and erase trust.  At the pinnacle of your next major Trust Decision, ask yourself whether you are truly "Achieving Digital Trust..."

06 May 2017

Quiet Professional: A Leader Remembered...

Leadership has been written about since humans have been writing and recording history.  How leaders have been described, documented and chronicled over our existence here on Earth, comes back to the definition of leadership:  noun, the act or instance of leading - the office or position of a leader.

The leader, and the characteristics of a particular person, are typically what is written about to document someone who is in a position of leadership.  It may start as an oldest sibling, leading younger sisters or brothers when Mother or Father is not around, or even deceased.

It may have all started in a school or church group, or as camp counselor, President of that social group, and then someday even as a Mother or Father.  Leaders and leadership have so many facets, and are in many cases simply present, or absent, in someone's life.

Over history, the definition of a person who has been or is a current leader has several synonyms:

Synonyms: boss man, captain, chief, foreman, head, headman, helmsman, honcho, jefe, kingpin, boss, master, taskmaster

In the broad and complex world we live in, these synonyms only describe a small facet of what true leadership is all about.  The vast realm of Operational Risk Management (ORM) also gives us additional context, when it comes to true leadership and the goal of ever increasing our overall safety, security and trust.

When someone writes your eulogy as an Operational Risk Leader, what will they say?  How will they describe you?  Perhaps none of the synonyms above are even mentioned.  Why?

It is because you are known as a "Quiet Professional."  Someone who is a leader and continues to exemplify the act of leading in so many ways and far too detailed to describe in words.  Yet you continue to aspire to improve, to listen, to learn.  You don't know it yet, but at your eulogy, others will describe you as a "Quiet Professional."

The "Quiet Professional" operates through life serving others, doing their best to continuously learn and improve on their greatest skills.  Yet at the same time, the true leader also recognizes the areas of knowledge and expertise they don't possess and so they will create alliances with others who do.

The small group, the team, the cohort, the class, the board, the executive office, the assembly, the country - they have a combination of leaders who are diverse in their skills, knowledge and aspirations and yet simultaneously, they have the same single mission.

How others will describe you and your leadership at your eulogy, is completely in your control as a human.  What are the characteristics of your particular way of leading and operating as a "Quiet Professional (QP)?"  Maybe it will sound like this:

QP was a person that not many people knew very well and that was just fine with them.  QP worked on becoming and performing each day, as the best they could be, with each person they encountered in life, one-to-one.  As a brother or sister, as a mother or father, as a friend and servant leader of others.

QP was always watching out for others.  Looking around the corner or over the horizon.  It was for three reasons.  Curiosity, building trust and continuous learning.  It was because QP always wanted to improve and to aspire for that next level of perfection.  QP wanted others close to them to feel safe and secure.

QP wanted others to feel as if they could do anything and could achieve anything, whatever their particular mission was that day, month or year.  QP wanted those closest to them to know they were always going to be cared for and looked after, no matter what happened.

QP will always be remembered for their kind heart and tremendous courage.  QP will be remembered for their fierce competitiveness and simultaneous compassion.  They will be remembered for their ability to love.  Their ability to forgive.  And QP will always be remembered for their leadership.

Are you a "Quiet Professional?"...

30 April 2017

Complacency Risk: The Next Attack...

In Ronald Kessler's book "The Terrorist Watch" you get the impression that this journalist, author and nonfiction storyteller is walking a thin line. A line between telling us too much, which could compromise national security, and not telling us enough for the public to really visualize what the truth is.

"Inside the desperate race to stop the next attack." This book tagline says it all.
Drawing on unprecedented access to FBI and CIA counterterrorism operatives, New York Times bestselling author Ronald Kessler presents the chilling story of terrorists’ relentless efforts to mount another devastating attack on the United States and of the heroic efforts being made to stop those plots.

Kessler takes you inside the war rooms of this battle—from the newly created National Counterterrorism Center to FBI headquarters, from the CIA to the National Security Agency, from the Pentagon to the Oval Office—to explain why we have gone so long since 9/11 without a successful attack and to reveal the many close calls we never hear about. The race to stop the terrorists, Kessler shows, is more desperate than ever.

Never before has a journalist gained such access to the FBI, the CIA, the National Counterterrorism Center, and the other agencies that are doing the unheralded work of finding and capturing terrorists.

Ronald Kessler’s you-are-there narrative tells the real story of the war on terror and will transform the way you view the greatest problem of our age.
OK, so what? So how does this war on terror and media leaks within the context of Operational Risk impact your institution or organization? Here are a few ways:
  • Will your company have staffing challenges as a result of new immigration legislation or limits on H1-B Visas? Remember the 9/11 hijackers?
  • Will your institution require new systems and processes to meet increased compliance or regulatory mandates? Remember the Patriot Act?
  • Will you or a senior staff member be the target of a kidnapping, ransom or extortion plot at the hands of a terrorist cell? Remember Danny Pearl?
  • Will your organization be impacted by the leaks in the press regarding your operational strategy or Board Room discussions? Remember pretexting at Hewlett Packard (HP)?
Sharing information. Too much or not enough. The paradox of our generation as we all go digital. The speed of business in the connected economy and 24 hour news cycles has created a beast that will not ever be tamed or controlled.

Operational risks are a result of the continuous challenges to the collection, dissemination and analysis of information. Think about your own institution and those who hold the keys to the most valuable information.

Those who disclose operational secrets could be putting that "deal" in jeopardy just as easily as putting that "life" in harm's way. Those who try to sleep at night in close proximity to their "Blackberry" know the feeling of information overload, or starvation. Both represent operational risks that keep the same people grabbing the Prilosec OTC or the Ambien CR.

Ronald Kessler's book is a wake-up call for all of us in the United States. A Presidential election is behind us and there has been over eight years of testing and waiting by those who wish to do us harm.
"Too many fail to recognize that al Qaeda's long-term goal is to send the US the way of the Roman Empire. And too many in the press are willing to take the chance of compromising the lives of innocent Americans by running stories that gratuitously disclose operational secrets."
The risk of complacency is and will continue to be our greatest threat...

22 April 2017

Go Fast or Go Far: Professionals of Operational Risk...

As the sun sets less than a mile from the Pacific Ocean, dozens of security researchers from across Los Angeles are converging on this modern technology office park.  The meeting presentation this evening will be focused on unveiling vulnerabilities within one of the sixteen U.S. Critical Infrastructure sectors.  Why?

Operational Risk Management (ORM) is a discipline that is a dynamic matrix: the columns and rows of the architecture and intersections of your entire enterprise.  It maps the places and ways that the organization is exposed to potential failures of people, processes, systems or other external events.

Think about how many people you have working with you, the number of locations where they work and travel, and the number of technology devices running software to compute the algorithm operations that enable your particular mission.  Think about all the potential ways that adverse weather and natural disasters, or the simple loss of electrical power or communications in a few square blocks of your city, will impact you today.

Security researchers are also converging into a conference room somewhere in your organization this week, to discuss and show evidence of your organization's vulnerabilities today.  They might be experts in "Ruby on Rails" or in how to optimize "SecDevOps".

They might be experts in counterintelligence or the detection of rogue/activist human behavior by analyzing open source social media.  They might be experts in using offensive tools, operating armored vehicles and flying aircraft into hostile environments.  Among them are also your legal experts in privacy and regulatory compliance.

Why these individual professionals are working 24x7 to expose, document and provide evidence of your vulnerabilities is complex.  Yet you should know that they are doing it because they understand that your adversaries are also hard at work to do the same.  Is it a competitor or a nation state?  Is it a disgruntled employee or an external extremist?  Is it the next tornado, hurricane or earthquake?  The landscape is vast and is continuously changing by the minute.

As an executive within your organization, when was the last time you devoted an hour or even two to lock yourself in the same room with your Operational Risk professionals, to see what they are working on to Deter, Detect, Defend and Document all that is happening in their environment today?

What if you had that hour to turn off your busy executive life?  What might you learn?
You might learn that your organization is being attacked every day by "Spear Phishing" experts from the other side of the globe.  More importantly, the source of the attacks is an organized cadre of criminal experts in social engineering and SQL injection.

You might learn that one of your employees has set up a Twitter account with an anonymous user name and identity.  The daily "Tweets" are telegraphing your corporate strategy to your competitors or leaking proprietary internal protected information about rogue co-workers' behavior.

You might learn that the Commercial-Off-The-Shelf (COTS) sensor you utilize within your flagship transportation vehicle is being exploited by a highly trained clandestine military unit from another country.

You might learn that a key manufacturing location is about to be surrounded by environmental activists who are planning to camp out on your entrance until their demands are met.
So what?

The question is necessary to get to the bottom line.  It helps to define the purpose for why you have these resources working with you.  The reason that they are working 24x7 to keep you and your organization even more aware and resilient.  Why are they converging on a conference room in Los Angeles, after working all day, to learn about new vulnerabilities?

Take the time this week to meet with them.  Ask them the question.  Listen to their answers.  You might be surprised at what you hear.  You will probably learn something new.  Work with them to improve the Operational Risk Management (ORM) capabilities and functions within the enterprise.

"If you want to Go Fast go alone.  If you want to Go Far, go together".
--African Proverb

15 April 2017

Insider Threat: Duty of Care in the Workplace...

The summer of 2017 is approaching and soon thereafter the world will view the new documentary film "Risk" by Laura Poitras, about Wikileaks founder Julian Assange.  This week in Washington, DC, the CIA characterized Wikileaks as a "non-state hostile intelligence service".

Almost the same day, another case of insider threat was unveiled by the US Attorney for the Southern District of New York.  The alleged theft of proprietary trading code for a trading platform from a financial services firm by a software engineer named Dmitry Sazonov will not be the last case in 2017.

The ongoing theft of trade secrets and proprietary data from both private organizations and our governments remains a global epidemic.  A tremendous amount of effort continues by Operational Risk Management professionals to address the growing plague.  Insider threats as a whole, and the theft of trade secrets in particular, continue as a significant challenge for CISOs, Chief Privacy Officers and Human Resources executives.

Whether the incident is the lone software engineer, the contractor analyst, or a disgruntled employee does not matter.  They all are motivated for different reasons to carry out their actions as a "Trusted Insider".  Mark Pomerleau explains that technology alone may not be the answer:

Insider threats have disclosed and improperly removed troves of sensitive information from government networks that compromise secrets and highly secretive security programs. While various technical and cyber-enabled monitoring tools have been applied to prevent such actions, the intelligence community’s top counterintelligence officer believes understanding the human element is the most important component.

“The mind of the insider threat: That is what I believe to be the critical component of stopping, if we can,” the individual that wants to be nefarious and do malicious behavior, said William Evanina, the national counterintelligence executive within the Office of the Director of National Intelligence.


All the technology and software for continuous monitoring will not be able to eliminate this kind of "Insider Threat".  It is however a key component, no different than any other layer in a layered-defense risk management system.  Sometimes, it just comes down to good management practices from one person to another.

The education necessary for mid-tier management is imperative if this layer of defense in the enterprise is going to work effectively.  Observing first hand a fellow employee's behavior in the workplace, or after hours in social settings, could be the "Early Warning System" each organization has been seeking for decades.

The learning and education associated with elevating management's understanding of counterproductive work behaviors, and of the policy implications in the workplace, is vital.  A malicious insider who is trusted in the workplace environment may be operating there for years.  Yet what are some of the key areas of observable behaviors?
  • Production Deviance:  Poor attendance, poor quality of work, misuse of resources and time
  • Property Deviance:  Destruction of property, misuse of information and theft
  • Indirect Aggression:  Unsafe behaviors, politically deviant behaviors
  • Direct Aggression:  Inappropriate verbal or physical behavior
Source:  Assessing The Mind of the Malicious Insider  White Paper - Security Policy Reform Council - INSA - Insider Threat Subcommittee
"Introducing sophisticated new tools and effective monitoring immediately raises a host of questions that require further discussion to assess how best to incorporate them in Continuous Evaluation programs. These include how to balance privacy and security, assess the impact on workplace morale, determine the triggers for undertaking additional monitoring and action, and incorporate oversight and protections for civil liberties."
The 21st century organization with flexible work schedules, telecommuting, work-from-home policies and the utilization of cloud computing will accelerate the "Insider Threat".  The naive enterprise that perpetually operates without a comprehensive education and continuous learning program in place does so at its own peril.

Simultaneously, the organization should utilize the corporate governance tools known for years as the Office of Professional Responsibility and the Employee Assistance Program (EAP), as well as other emerging capabilities such as Ginger.io.

You have an opportunity to provide your organization with the protection of your intellectual property and trade secrets, while synchronizing the privacy and civil liberties of your employees.  Wikileaks or some other entity will exist for years to come.  Your particular "Trusted Insider" will not be the last person to steal proprietary or classified information or be the perpetrator of workplace violence.

As a senior executive in your organization, your "TrustDecisions" will make the Duty of Care difference...

09 April 2017

Critical Infrastructure: Maritime Cyber Resilience...

The Maritime Cyber Resilience evolution continues in the United States.  Strategic ports for commerce and the Department of Defense's Transportation Command (TRANSCOM) are adapting to the threat.  The Critical Infrastructure Protection domains and the Operational Risk Management professionals are continuously on alert.

The resilience standards for protecting the Critical Infrastructure of U.S. ports and the Cyber domain would traditionally fall to U.S. Homeland Security and then to the United States Coast Guard (USCG).  TRANSCOM also has its own Cyber components that may interface with the seaport maritime infrastructure, including our commercial ports.

There is significant collaboration that must be coordinated with commercial private sector carriers and companies:

Military Sealift Command (MSC) provides high-quality, efficient and cost-effective ocean transportation for the Department of Defense and other federal agencies during peacetime and war.

USTC will execute sealift movements through Military Sealift Command (MSC) and Surface Deployment and Distribution Command (SDDC). Planners within these organizations will work together to provide optimal transportation solutions that are cost efficient and operationally effective and are within policy and law.

  • Surface Deployment and Distribution Command (SDDC) provides commercial sealift for customers through Liner Service.
  • Charter vs. Liner vs. Organic: By policy USTRANSCOM must consider commercial assets before organic assets. Charter and Liner services are commercial methods of moving cargo with different benefits.
How vast is the Cyber landscape for the U.S. Coast Guard's Homeland Security mission at maritime facilities across the nation?
The U.S. Coast Guard (USCG) oversees approximately 800 waterfront facilities that, among other activities, transfer hazardous liquids between marine vessels and land-based pipelines, tanks or vehicles. These “maritime bulk liquid transfers” increasingly rely on computers to operate valves and pumps, monitor sensors, and perform many other vital safety and security functions. This makes the whole system more vulnerable to cybersecurity issues ranging from malware to human error, and is the reason behind a new voluntary cybersecurity guide for the industry.
So what?

The current cyber threat environment for TRANSCOM is a parallel focus with the USCG, as they are both operating at commercial maritime facilities and seaports.  The single set of standards they rely on for establishing, maintaining and testing their respective Cyber Domain readiness is the NIST Cybersecurity Framework:

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President under the Executive Order "Improving Critical Infrastructure Cybersecurity" has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.

TRANSCOM and the USCG are both operating in maritime domains, in concert with private commercial enterprises.  The growing set of interdependent systems being utilized for cargo logistics, navigation and other computer automation provides some insight into the vulnerability landscape from a Cyber perspective.

Still to this day, other Critical Infrastructure sectors that are far more advanced in the defense of their Cyber domains are trying to increase their resilience.  The nation state adversaries currently operating within the Financial and Commercial Facilities sectors alone give us some degree of awareness of the magnitude of the current problem-set.

Utilizing the NIST framework across Critical Infrastructure sectors as the baseline is only the start.  Raising the bar of Cybersecurity Readiness and Defense across the maritime and seaport domains adds tremendous new challenges.

As the U.S. Department of Defense moves personnel and supplies and utilizes commercial port facilities, it will be constantly interacting with private sector entities and assets over which it has little control.  The Cyber domain vulnerabilities that may exist within these commercial enterprises are unknown.  The U.S. Coast Guard does not directly regulate the commercial companies and their state of Cyber readiness:

American ports, terminals, ships, refineries, and support systems are vital components of our nation’s critical infrastructure, national security, and economy. Cyber attacks on industrial control systems could kill or injure workers, damage equipment, expose the public and the environment to harmful pollutants, and lead to extensive economic damage. The loss of ship and cargo scheduling systems could substantially slow cargo operations in ports, leading to backups across the transportation system. A less overt cyber attack could facilitate the smuggling of people, weapons of mass destruction, or other contraband into the country.

In short, there are as many potential avenues for cyber damage in the maritime sector as there are cyber systems. While only some cyber attack scenarios in the maritime sector could credibly lead to a Transportation Security Incident, we must identify and prioritize those risks, take this threat seriously, and work together to improve our defenses.


The Maritime Cyber Resilience challenges are similar to other Critical Infrastructure sectors, yet how mature is the collaboration with Defense, Homeland Security and Commercial Private Sector organizations?

01 April 2017

True North: A Decision to Trust...

When you awakened this morning did you immediately know your "True North"?  Are you heading in the direction of your passion in life?  How do you know when you are off course and need to correct your path before it is too late?

This metaphor for knowing and feeling whether you are on the right path for your passion, begins with a visual sign.  A star in the distance to keep you focused and on track.  A reminder.  You know the one I am talking about.  Maybe it's the magnet on your refrigerator.  Is it a person?  Is it a place?  Or just a 3M Post-It note, placed strategically at your desk, to keep you centered.

Your particular "True North" is what keeps you going every day.  At certain intervals however, course corrections are always necessary, yet you don't want to deviate too long away from your desired outcome.

Any Operational Risk "Professional" understands the true mission because somewhere along the path, they have encountered difficulties and significant hardships.  And they have adapted.  They have pivoted.  They have endured the negative emotions and counterproductive environment to survive another day.

Now, think about the most difficult time in your life and how you were able to navigate back to "True North".  How did you do it?  How were you able to stay on course?  This is how.  You made a series of "Trust Decisions".

You made a decision to trust someone, something or some direction to navigate towards your "True North".  Who is it?  What is it?  Where is it?  Perhaps more importantly, Why is it?

Heading in the right direction requires perseverance and belief.  It means that you will have many emotions as you travel forward in the hours, weeks, years and decades ahead.  You can expect that to be the case, no matter what happens.

As you navigate your path towards your "True North" you must reflect along the journey.  What have you learned?  Why is this important?  It is these lessons and the knowledge that you have gained that will now make a difference and influence your next "Trust Decision".
  • A Decision to Trust incorporates data that comes from a network of sensors.  These points of data collection are important to the future of your survival.  They are where you must continue to improve, correct and test in order to be assured that they are operating effectively and as planned.
  • A Decision to Trust is a series of calculations that involves the data you are collecting from sensors.  The calculations and formulas are different for each node or mechanism that you are utilizing to achieve the outcomes you seek.
  • A Decision to Trust becomes automated, once you have the highest assurances that you can rely on your sensors and believe in the calculations.
Once you have determined your course and are relying on your sensors to be accurate, discipline is the final quest.  What discipline do you follow?  This is where you may now have the greatest risk of failure.  The risk you deviate from your discipline.  You forget your "True North".

Your direction and your ability to reach your destination will ultimately be determined by your discipline...

Godspeed!

27 March 2017

Privacy Law: Scanning the Legal Horizon...

As our new knowledge-based organizations begin the startup phase, the thought of all of the implications of collecting and storing information may be secondary to raising capital.  However, once you have the core team in place and the business begins to scale, maybe it is time to look over the horizon.

Once you have reached the point in your company's growth curve to consider the hiring of a CFO and even an outside "General Counsel", the regulatory engine must be established within the enterprise.  Today, even the CISO in any major business across the United States has been challenged by the rapidly changing digital privacy laws of the past two years.

Especially in California, the CalECPA went into effect January 1, 2016 and in general is focused on law enforcement:
The landmark California Electronic Communications Privacy Act bars any state law enforcement agency or other investigative entity from compelling a business to turn over any metadata or digital communications—including emails, texts, documents stored in the cloud—without a warrant. It also requires a warrant to track the location of electronic devices like mobile phones, or to search them.
The simple fact that a company is doing business in the State of California and has employees operating there creates a significant set of requirements and compliance issues that must be top of mind.  This is why you see technology-oriented companies who have their Headquarters based here developing robust guides for working within federal and state privacy laws.

A "Chief Information Security Officer" is not only charged with protecting the data within a confidentiality, integrity and assurance framework, but also working in tandem with the General Counsel and a Chief Privacy Officer.  The standards and the laws have significant hurdles that also require prudent Operational Risk Management strategies.

Now take all of this into consideration as you begin to plan for implementing an "Insider Threat Program" (InTP) within your organization.  The addition of a Human Resources component, the Chief Information Officer and even perhaps 3rd Party Cloud supply chain vendors will all be in play.

So What?

So what is the legal profession in California focused on these days?  Just take a look at the Agenda for a March 2017 event at Berkeley Law:

Cybersecurity Regulatory Enforcement

New regulators, new laws, and new norms are causing cybersecurity responsibilities to proliferate. This discussion will feature insights on how cybersecurity lawyers navigate the growing thicket of information security rules from the perspective of both companies pursued by the FTC and multinationals operating under different legal regimes. It will consider challenges posed by insider breaches and obligations arising from the General Data Protection Regulation.


Practitioners Panel

Privacy practitioners from leading law firms and major online companies will share insights on how to stay afloat in increasingly turbulent waters.

Privacy Award

BCLT is proud to bestow its annual Privacy Award this year on

Susan Freiwald, University of San Francisco Law School
Nicole Ozer, ACLU of California

in recognition of their leadership in securing passage of CalECPA, which establishes the “gold standard” of a judicial warrant for government access to communications, location data and other information about our daily lives.


Keynote: Too Close for Comfort – AI, Cloud Computing, and Privacy

Recent advances in artificial intelligence, robots, and machine learning are enabled by big data, digital cameras, and cloud computing. These advances open an enormous Pandora’s box in terms of security and privacy. Groundbreaking AI researcher Ken Goldberg will present potential responses, such as a concept for “Respectful Cameras,” a privacy-preserving system for industrial automation. He will explain why claims of an impending “Singularity” are greatly exaggerated and will propose an alternative, “Multiplicity,” where diverse groups of humans work together with diverse groups of machines to innovate and to solve complex problems.

Government Access

With digital evidence central to an increasing number of criminal and foreign intelligence investigations, government demands for access seem to steadily increase. From varying perspectives, this panel will explore emerging issues in government access to data stored with third parties.

Artificial Intelligence and the Right to an Explanation

The General Data Protection Regulation requires that organizations explain to individuals the logic behind decisions rendered by algorithms. This policy is aligned with growing efforts in the machine learning community to improve the interpretability of outputs. This panel will examine a broad range of efforts to address interpretability and potential biases in complex algorithmic systems.

Consent and Contract under EU Data Protection Law


EU privacy regulation continues to have worldwide relevance, especially affecting U.S.-based companies. This session will examine how consumer data can continue to be collected and used given the different approaches in the EU and U.S. to consensual mechanisms for authorizing personal data processing.


The CISO and the entire team of Operational Risk Management professionals at your organization should be monitoring and creating new strategies to protect the organization.  Scanning the legal horizon for the new challenges ahead, and how to prepare for them, is the sign of a sound business strategy.

19 March 2017

Startup Strategy: Opportunity of Digital Trust in a New Era...

The startup ecosystem of new ideas for SaaS platforms or mission-based digital solutions is becoming ever more robust in our growing economy.  As a result, Operational Risk professionals are more in demand to help new co-founders adapt to the legal, compliance and consumer transparency requirements that will soon descend upon them.

It makes sense that when you are starting a new company you first focus on the product/mission and who the intended market or user will be.  Yet soon after this is defined and the "Go-to-Market" strategy is in place, there is a tremendous amount of Operational Risk design and implementation of internal capabilities that will be required.  In social media alone, here is just one example:
"As social networks continue to mature, they increasingly take on roles they may not have anticipated. Moderating graphic imagery and hate speech, working to address trolling and harassment, and dealing with dissemination of fake news puts companies like Facebook and Twitter in powerful societal positions. Now, Facebook has acknowledged yet another challenge: Keeping your data safe from surveillance. That’s harder than it may sound. When you post something publicly on a social network, anyone can view it—including law enforcement or federal agencies."
Since the dawn of the Internet, new startup companies have been developing algorithms and bots to scour the vast landscape of "data oceans" for relevant content.  As public Internet tools, databases and consumer-oriented web sites were developed, even for blogs (Blogger.com) such as this one, other companies were figuring out how to capture that data content in their searchable systems.

Years later, startups found ways to package the API as a new product-set, so that other companies could embed and utilize a set of data or capability and integrate it with a new set of functionality or service mission.  What is one company in this category focused on Twitter?  Gnip.com:
"PowerTrack provides customers with the ability to filter a data source’s full firehose, and only receive the data that they or their customers are interested in. This is accomplished by applying Gnip’s PowerTrack filtering language to match Tweets based on a wide variety of attributes, including user attributes, geo-location, language, and many others. Using PowerTrack rules to filter a data source ensures that customers receive all of the data, and only the data they need for your app."
So what?

If you are a startup company that is planning on a pledge to your customers to "Keeping your data safe from surveillance," just as the juggernaut Facebook is also currently doing, you have a tremendous amount of work and new processes/systems to get in place.  You are embarking not only on the steep growth curve of adding new customers and revenue; you are simultaneously under the mandate to help achieve a higher level of "Digital Trust" with those same customers.

Developing the policy alone is only the start.  Here is how Twitter is addressing it:

"To be clear: We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement — or any other entity — to use Twitter data for surveillance purposes. Period. The fact that our Public APIs and Gnip data products provide information that people choose to share publicly does not change our policies in this area. And if developers violate our policies, we will take appropriate action, which can include suspension and termination of access to Twitter’s Public APIs and data products."

How Facebook, Twitter, Snapchat, LinkedIn and all of the hundreds of Social Media companies will scale up enforcement is now the big question.  Maybe they have the deep pockets and resources to build and operate their "Digital Trust" business unit.  What about the new startup with only 6 or 7 figures in the bank from a seed or even "A" round of funding?

The policy implications and new federal laws being drafted in the United States and the European Union may be good indicators of where the future requirements will be defined for a new startup.  In the EU this week, the G20 finance ministers are converging on the topic of "Cyber Crime" soon after a recent indictment:
"Two intelligence agents from Russia, another G20 member, with masterminding the 2014 theft of 500 million Yahoo accounts. The indictment was the first time U.S. authorities have criminally charged Russian spies for cyber offences including for computer fraud, economic espionage, theft of trade secrets, and wire fraud."
How will the new startup who is focused on addressing transparency, privacy and surveillance now "Enable Digital Trust of Global Enterprises"?  Here is a glimpse from the latest PwC CEO Survey:

"Yet, if forfeiting people’s trust is a sure-fire route to failure, earning their trust is the single biggest enabler of success. As an example, the progression from assisted to augmented to autonomous intelligence depends on how much consumers and regulators trust machines to operate on their own. That, in turn, depends on whether those who create the machines have the right risk and governance structures, the means to verify and validate their claims independently and the mechanisms to engage effectively with stakeholders."

"In short, trust is an opportunity, not just a risk. Many CEOs recognise as much: 64% think the way their firm manages data will be a differentiating factor in future. These CEOs know that prioritising the human experience in a virtual world entails treating customers with integrity."


Welcome to the new era of achieving Digital Trust...

12 March 2017

Vault 7: Adapt to Live Another Day...

When you spend enough time in any austere environment, you begin to respect its ability to change rapidly.  You begin to respect the changing natural forces and how these new potential threats could become a new Operational Risk in just minutes.  The decisions that you make in the next few seconds could mean a positive outcome or a significant catastrophe.

Will you turn right or go left?  Will you accelerate or slow down?  Will you ascend or descend?  These decisions that you make in your quest to adapt to your changing austere environment will forever be remembered.  Whether they are stored in the synapses of the brain or the log files of an autonomous system executing code, the trust decision is evident.

How long has it been since you really took a deep look at your decisions the past minute, hour or day?  This analysis of the evident decisions made and the environment that you are operating in will forever allow for growth or death.

Systems thinking and the continuous learning of a changing environment can happen at 12,000 feet above sea level at minus 10 degrees, or within the climate-controlled data centers or corporate offices of your global enterprise.  What are you doing today to help achieve new levels of trust, in order to survive another day?

Why is it that so many individuals are surprised when they get a call from their CxO or even corporate counsel that sounds like this?  "It looks like our Intellectual Property or Trade Secrets are now in the hands of our competition."  "Our enterprise is encountering significant new risks to our ongoing operations and we must adapt immediately."
Introduction
Just as American and European critical infrastructure executives were beginning to wrap their minds around the devastation of the Office of Personnel Management, ransomware erupted onto the scene. We then experienced concentrated DDoS attacks such as the Mirai botnet attack on Dyn, which enabled a quantum leap for cyber criminals of even the most novice of technical aptitude to wreak havoc on targeted organizations at the click of a button or for less than one bitcoin. Unfortunately, adversaries continue to evolve, and cyber defense remains a reactionary culture. Numerous, persistent and adaptive, cyber-adversaries can more easily, remotely and locally besiege critical infrastructure systems, than information security personnel can repel the incessant barrage of multi-vector attacks. Now, all techno-forensic indicators suggest that an under-discussed cyber-kinetic attack vector will ubiquitously permeate all critical infrastructure sectors due to a dearth of layered bleeding-edge military grade cyber security solutions. Unless organizations act immediately, in 2017 The Insider Threat Epidemic Begins.
Some people are surprised.  Yet it is the small team of "Operational Risk Professionals" in your enterprise, that have been continuously training, operating in clandestine and unknown environments and learning each day, for this moment.  They are not surprised.  They are the people who have designed their operations and systems to be resilient, to endure austere environments and to adapt to live another day.

Seek out these people in your organization.  Find the expert individuals in each of the departments or business units, that also interface with your external environment and supply chain.  Now look inside and in the mirror.  Where are the vulnerabilities inside?  How can you adapt your operations to create trust with employees and simultaneously make your organization more resilient?
Take the “Vault 7” CIA data Wikileaks released this week. Assuming it is legitimate, it originated from a network that presumably has a very small attack surface. Wikileaks expressly claims that the data is from “an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia,” and experts agree that seems likely. And knowing that CIA networks are probably secure and defended supports the notion that the data was either leaked by someone with inside access, or stolen by a well-resourced hacking group. It’s far less likely that a random low-level spammer could have just casually happened upon a way in.
Build digital trust in your organization by better understanding the entire surface for potential attacks.  Analyze the rules that are in place now and how they might need to be changed according to the continuously changing environment you operate in.

Finally, adapt to live another day...

26 February 2017

Linchpin: Trust in a Continuously Changing Environment...

In the early morning nautical twilight on a cold winter morning, thoughts about how the world is changing comes into clarity.  What do you believe in?

As the asymmetric threats seem to grow and our respective thoughts scan a vast Operational Risk landscape of people, processes, systems and external events; there is a mission worth pursuing.  It is a mission that is uncertain, full of unexpected change and potential catastrophes.

The outcomes that you seek will not always materialize as you wish, yet that is to be expected.  After all, what would an organization, state, region or country be like, without any substantial changes, unexpected events or new challenges?  You see, humans do not thrive in environments where behavior or events are 100% predictive.

We work best when there is a problem to solve, an environment or challenge that we can explore.  We can conquer or adapt to, in order to survive another day.  It is this ability to explore, to test, to solve problems that sets us apart from the current state of "Artificial Intelligence", for now.

Now, pivot your thoughts to the current ecosystem of people you encounter on a daily basis.  How does that environment change each day?  What mechanisms do you have in place to mitigate the risks that could create negative consequences and outcomes?  Think about all of the behaviors, tools and ways that you operate each day to deal with risks in your life.

The truth is, humans are curious and seek out risk.  Even if you get to a place where there is a perception that no risks are present, that no risks are over the horizon, we will look for new adventure, new learning and ways to adapt to a new environment.  So what really is the top priority for a parent, big brother/sister, manager, instructor, chief executive, commander or other organizational/constituent leader?

To create an environment of trust.  In a place where people have the ability to create the rules, teach the rules and operate within the rules.  Think about any environment where humans can't create the rules, or rely on the rules.  Where they are not effectively communicated or where people don't follow the rules.  Trust breaks down and uncertainty permeates our consciousness.  The decisions to trust become questionable.

Your goal, is to become a "Linchpin".  As Seth Godin has described in Linchpin:  Are you Indispensable?:
"Is there anyone in an organization who is absolutely irreplaceable?  Probably not.  But the most essential people are so difficult to replace, so risky to lose, and so valuable that they might as well be irreplaceable."
How many linchpins do you have on your team?  Guess what?  If everyone is so specialized, so vital and there is little or no backup and redundancy, you may have a single point of failure.  This is why as a linchpin, you need to be continuously training and teaching to be replaceable.  If you are not confident that you have done all you can do, to become replaced, then you as a linchpin have failed.  Your resilience factor is zero.

Your tasks will create more redundant linchpins, and in doing so you will create a consistent and highly trusted environment, physical or virtual.  A changing environment is inevitable.  Achieve a culture where trust is paramount and where the team, class, cohort, company and community creates the rules, communicates the rules, enforces the rules and follows the rules.

We as curious humans seek out unpredictable places, full of risk, and simultaneously we wish the environment could be trusted?  Yes we do.

Onward!

19 February 2017

Problem-Solving: Transparency of Startup Operational Risks...

The lifeblood of an organization is comprised of several key components to sustain and continuously grow the enterprise.  Founders, senior management, engineers, financial and legal subject matter expertise usually comes first.  Then once the minimum viable product or solution is ready for the intended market there is a mad dash to add the sales and business development resources.

A startup mentality that initiates the planning, demand generation and "Go-to-Market" execution for the growth engine carries higher Operational Risk exposure.  Many founders and new entrepreneurs who have engineering or operational expertise underestimate the need for substantial growth engine investment early in the startup timeline.

How many times have you attended "Demo Days" or other such events intended for the startup founders to pitch their new App or service solution, begging for a first customer?  You must recognize that the new Artificial Intelligence interface, the optimized algorithm or the faster encrypted communications is not going to create a new market overnight.

Entrepreneurs require a substantial immersion into the business environment of problem-solving.  It begins with the customer or client who detects that there is an area of risk that needs remediation.  How do you think companies like Symantec and McAfee first started?  The personal computers that were becoming so pervasive were encountering something now called malware.

Solving problems from the customer's perspective requires a deep and focused process with the owners, operators and end users.  It requires substantial time being embedded at the customer level or with the people who perform their daily tasks.  You need to understand the risks that the customer is experiencing.

This "Diagnostic-to-Prescriptive" process is not new.  Yet how many times have those "Demo Day" entrepreneurs or "Accelerator" graduates ended their pitch, with a plea for a first customer?  This is a recipe for failure.

How can this be changed or addressed, in order to increase the number of successful new businesses?  What should we be doing to assist these new entrepreneurs in embracing the "Operational Risks" of a customer and inventing a new solution to solve their problems?

The engineers and inventors should embrace the idea of first finding customers who have real and risk-sensitive problems they can solve.  It is not enough to just change an interface, reduce the pricing and copy an App to do the same general function.  How long will it now take for Snap to begin building their own data centers and infrastructure?

Entrepreneurs that utilize the "Go-to-Market" strategy early in their growth cycle, will simultaneously increase exposure to substantial Operational Risks.  Take that great idea or new "Minimum Viable Product" to an established business in the industry sector you think is going to listen.  Find the right business to adopt you as a problem-solver with this new solution and take the time to learn.

Once you have lived with the same problem across several different businesses, agencies or governments, it might be time to launch the "Go-to-Market" strategy for a single industry sector or country to start.  The learning phase and early adoption of a multitude of business development processes, will establish a more solid foundation for launching the new product / solution.

When you look at Snapchat and its growth cycle, it was not obvious up front how privacy was going to be such a tremendous risk to the business.  Pivoting quickly from understanding your customer's appetite for transparency to also providing a robust privacy policy program is just one way to build a trusted set of repeat customers.
Snapchat Transparency Reports are released twice a year. These reports provide important insight into the volume and nature of governmental requests for Snapchatters' account information and other legal notifications.

13 February 2017

RSA 2017: In Search of the Truth...

The 2017 RSA Conference is set to launch this week in San Francisco.  What is true?  The state of asymmetric warfare across the globe is pervasive and nation states have been negotiating new rules of the game.

As you descend into the keynote sessions, absorb the content from your favorite track or walk the overwhelmed Expo halls, pause for a moment.  Stop, look around and look at what you see.  The ICT (Information, Communications & Technology) ecosystem is no longer a vertical.

The horizontal intrusion of smart devices, IoT and the rapid mobility sensor markets have created a juggernaut ecosystem.  The startup communities across just the United States landscape have entrepreneurs sharing and automating parts of your daily life once thought unthinkable.

The Techstars of the next generation of commerce, understand the platform better than ever.  Meanwhile, the same ambitious individuals with so much creativity are simultaneously in a battle for funding and market share.

A new generation of AI-driven, voice-recognition inventions is becoming the foundation for getting the information we need now; this second, not in a few minutes or even an hour from now.  We want it now and we trust that it will be true.

There are some major themes that you will see and pick-up on while attending RSA this year.  Some established companies with a tenured legacy in the industry are even making a pivot.  Look for how they are starting to craft the new narratives that will consume the marketing airwaves.

Expect plenty of talk about the ongoing ransomware scourge and threats against the Internet of Things (IoT) during RSA Conference 2017, which begins a week from today at the Moscone Center in San Francisco.

The conference will include 15 keynotes, including talks by RSA CTO Zulfikar Ramzan, Microsoft president Brad Smith, and Alphabet CEO Eric Schmidt. The popular cryptographers’ panel will feature Whitfield Diffie (of Diffie-Hellman-Merkle), Ronald Rivest and Adi Shamir (the R and S in RSA encryption), and Susan Landau (creator of Landau’s Algorithm). Paul Kocher, who figured out timing attacks against various RSA and DHM implementations, will moderate the panel.

With this in mind, now start to realize the places that have been behind the innovation curve: the small and even mega markets that have been slow to invent, or that work in such austere environments that the tech has not reached them yet.  Start your new journey into these places to see how you can contribute, how you will be able to make a difference:

The Defense Innovation Initiative (DII)
Exploring Ideas to Better Identify the “Art of the Possible” for National Security


The Defense Innovation Initiative (DII) is a Department-wide initiative to pursue innovative ways to sustain and advance the capabilities of the “force of the future.” The U.S. changed the security landscape in the 1970s and 1980s with networked precision strike, stealth and surveillance for conventional forces. Through the DII, the Department will identify a third offset strategy that puts the competitive advantage firmly in the hands of American power projection over the coming decades.

The future of RSA and our way of life for our interconnected nations, economies and daily consumption of the truth is at stake.  We do have the ability to better cooperate, collaborate and communicate our paths forward.  Yet it begins with a conversation in person, face-to-face to establish the emotional and behavioral ties to trustworthiness.

Have a wonderful week in San Francisco...

04 February 2017

Higher Purpose: A Mission of Trust...

As you walk into that next meeting with another co-worker or even a colleague for a coffee catch-up, pause and reflect.  Think about how you could not only (1) make this encounter productive but (2) simultaneously enhance the relationship of trust.

All too often we are focused on getting something of value from the meeting.  We are blinded by the purpose of the meeting or have preconceived ideas on how the time together will be of value, or a waste of time.  Now think differently.

A true professional in any business, unit, agency or organization is there to "Build Trust".  The day-to-day or hour-to-hour interactions you have with others are vital.  A true professional in any domain, industry or vocation can aspire to a higher purpose than the normal roles of a stated job description.

One thing is certain when it comes to meeting with other people and the value or outcomes obtained: trust is a major factor in the future outcomes of the relationship.  Have you ever wondered why certain people you meet take so long to trust you?  How are you going to accomplish your intended purpose working with this superior or subordinate if they don't trust you?  What about that new client or business partner?

At the most fundamental level, the trust gurus and authors have been writing about a spectrum of trust for eons:
Zero Trust >>>>> Trust Exists >>>>> Implicit Trust

From ground zero of your first encounters with another person, your goal is to move towards a point on the spectrum where "Trust Exists".  Then your goal is to keep moving to the right and towards a place of "Implicit Trust".  This is when you don't even think about it anymore.  How many people do you know where this is the case, even within your own family?

So what?

As an Operational Risk professional, velocity is everything.  Yet you already know that uncontrolled velocity alone can be fatal.  The risk factors associated with business, government or the manufacturing process of a highly engineered electronic component are always present.  Always changing.  Creating new obstacles or new harm.  In our current state of a 24x7x365 pervasively connected society, the trust factors are even more important and vital to moving towards "Implicit Trust".

Here are a few examples in the news this past year, where Operational Risk Management (ORM) was a factor:
Samsung Galaxy Note 7

On 2 September 2016, Samsung suspended sales of the Galaxy Note 7 and announced an informal recall, after it was found that a manufacturing defect in the phones' batteries had caused some of them to generate excessive heat, resulting in fires and explosions. A formal U.S. recall was announced on 15 September 2016.
Yahoo

When Yahoo said on Thursday that data from at least 500 million user accounts had been hacked, it wasn't just admitting to a huge failing in data security -- it was admitting to the biggest hack the world has ever seen.

Until Thursday, the previous largest known hack was the 2008 breach that hit almost 360 million MySpace accounts, according to a ranking by the "Have I been pwned" website. Like the Yahoo breach, the hack was only publicly disclosed this year after data was offered on a hacker forum.
National Healthcare Fraud

Attorney General Loretta E. Lynch and Department of Health and Human Services (HHS) Secretary Sylvia Mathews Burwell announced today an unprecedented nationwide sweep led by the Medicare Fraud Strike Force in 36 federal districts, resulting in criminal and civil charges against 301 individuals, including 61 doctors, nurses and other licensed medical professionals, for their alleged participation in health care fraud schemes involving approximately $900 million in false billings.
National Security Agency

A federal contractor suspected in the leak of powerful National Security Agency hacking tools has been arrested and charged with stealing classified information from the U.S. government, according to court records and U.S. officials familiar with the case.

In each one of these few example cases, relationships between people started with a meeting encounter.  Over time, the product, service or personal relationship outcomes involved a failure of people, processes, systems or external events: the core components of Operational Risk Management (ORM).

Raising the level of trust across personal, business or government encounters is only possible with effective "TrustDecisions".  The Decisions to Trust another person, product or service have several elements.  These are vital for the mission to grow towards "Implicit Trust", and simultaneously to provide the safety and security necessary to reduce the risk of failure.

The Mission

The mission as a co-founder of a new startup or the CEO of a Global 500 is to ensure the survival of the organization. We all know the failure rate for new companies. Just ask Dun & Bradstreet for the statistics or even your local Venture Capitalist who is celebrating failures these days. So beyond just the survival of the organization, is the imperative to establish a cultural and operating environment where people feel encouraged, creative and unencumbered to fulfill their job requirements and goals.

The Take Away

Operational Risks are inherent in any new or established business endeavor. The earlier the Operational Risk Management (ORM) design begins in the trusted relationship evolution, the more resilient you will ultimately become. The framework of the system-of-systems, the look and feel of the cultural environment and the end state visions are all at stake. Take the time and include the expertise to work on the "TrustDecisions" foundation of your enterprise.

Ensure the survivability of the new products or service solutions that are so valuable to our economy and our nation.  Embrace Operational Risk Management early in your relationships and allow its presence while it preserves all that you have worked for and dreamed of...