15 July 2018

Enterprise Risk: The Future of Public Private Partnerships...

When it comes to the overall Business Resilience in a city or geographic region, there are a plethora of Public Private Partnerships that have been in development for decades between government entities and the private sector.

The goal for some is the simple exchange of information on topics relevant to the community and to local or federal jurisdictions. Others have a very distinct role and measurable outcomes designed into their structure to achieve a mutual purpose. The Houston Ship Channel Security District is a rare example:
The Houston Ship Channel Security District, a unique public-private partnership, improves security and safety for facilities, employees and communities surrounding the Houston Ship Channel.
There are other Public Private Partnerships (PPP) that help address the safety and security of the United States, including the FBI's InfraGard program. This is an approach that engages private and public sector individuals across a region or a critical infrastructure sector, as opposed to a specific business entity.

The combination of an individual-based intelligence sharing organization of subject matter experts with a model built around business owner-operators and city, county and state governments is one that needs continuous care and oversight to remain effective.

There are hundreds of other local and national models that converge on the goal of a true public private partnership yet never achieve excellence. They continuously miss the mark at several levels: information exchange, coordination, cooperation and collaboration.

These failed attempts at getting the private sector working in concert with government still come back to one key criterion for success: people. Regardless of whether you have the funding resources or not, a single person or a handful of motivated, dedicated and smart people can and will make the relationship work.

Simultaneously, people can also be the roadblock, the resistance or the problem in getting a public private partnership working as effectively as it could to achieve the mission. This is when the mechanisms of governance, oversight and common sense are needed to guide the respective initiatives and operations of the entity, public or private, in the right direction.

You only have to look at the leadership in many cases to understand why there is continuing success in achieving SMART objectives, or why there is failure. Service before self-interest becomes a major facet of why many of these organizations perish, and then you have to examine who is really the beneficiary of the work being done by these dedicated volunteers.

Another effective public private example is the Intelligence National Security Alliance (INSA):
"INSA provides a nonpartisan forum for collaboration among the public, private, and academic sectors of the intelligence and national security communities that bring together committed experts in and out of government to identify, develop, and promote practical and creative solutions to national security problems."
When you are able to converge the thought leaders from a particular vertical discussion area to produce the best thinking on an Operational Risk topic, the output is extraordinary. The key is to keep the same set of thought leaders together long enough and often enough for the trust factors to build and for a true sense of collaboration to emerge.

INSA has accomplished this with the "Homeland Security Intelligence Council". Formed in 2010, since renamed the "Domestic Security Council", and working continuously on a monthly and even bi-weekly basis, they have produced several valuable outcomes from their work together. One example is the white paper produced shortly before the tenth, and again the fifteenth, anniversary event of 9/11.

Homeland Security Intelligence is a discipline that depends on the successful fusion of foreign and domestic intelligence to produce the kind of actionable intelligence necessary to protect the homeland. INSA is one public private organization that realizes this more than others.
The key to public private partnerships in the U.S. is that the "Enterprise" is not just government when it comes to intelligence and situational awareness. One only has to look at the number of iPhones and camera enabled devices being carried around by hundreds of millions of people to understand this today. Social Media and global real-time information discovery will remain our continuous situational awareness challenge.

The private sector companies, which in many cases are the owners of the nation's critical infrastructure assets, remain the power base. The willingness or reluctance of government to share the right information at the most appropriate time, and to combine it with private sector capabilities, will always be the largest challenge for the public private enterprise going forward.

08 July 2018

ORM: The Science & The Art...

Operational Risk Management today is a true "science", with the "art" becoming more of a key component in connecting the dots. Yes, there are plenty of standards from various disciplines to assist professionals in the assessment and measurement of risk.

The tools that have been developed over decades to help predict risk date back to the insurance industry's inception. Actuaries are indeed a key component in this evolution of the science. What happens when you put several other factors into the equation, like dates in time when various events are converging on a single window of potential risk consequences and implications?
Actuaries are those with a deep understanding of financial security systems, their reasons for being, their complexity, their mathematics, and the way they work (Trowbridge 1989, p. 7). They evaluate the likelihood of events and quantify the contingent outcomes in order to minimize losses, both emotional and financial, associated with uncertain undesirable events.

Actuarial science applies mathematical and statistical methods to finance and insurance, particularly to risk assessment. Actuaries are professionals who are qualified in this field through examinations and experience.

Actuarial science includes a number of interrelating disciplines, including probability and statistics, finance, and economics. Historically, actuarial science used deterministic models in the construction of tables and premiums. The science has gone through revolutionary changes during the last 30 years due to the proliferation of high speed computers and the synergy of stochastic actuarial models with modern financial theory (Frees 1990).
The art of Operational Risk comes into play with practitioners and professionals who have the "Grey Matter" to see the big picture. They have the ability to think like the enemy, or to examine the window of opportunity. Working with windows in time and the ability to see the convergence of particular events allows for the creation of scenarios, from which more strategic insight can be drawn.

This ability to create filters and extract true meaning from raw data and segmented information, and then from cognitive analysis, creates the true vision we seek. This is an "Art" as much as it is a "Science".

Forecasters in the hurricane, typhoon and tsunami warning centers around the globe know what it means to use the science as much as the art of risk management. The nexus of security and terrorism puts another dimension on the meaning of operational risk management, and now you have the Terrorism Screening Center (TSC) assisting with the fusion of intelligence to counter individuals who may commit terrorist acts.

If you were planning an event for your organization in downtown Washington, DC for the 3rd week in July 2018, what are the factors that are taken into consideration? Have you scheduled to fly in all of your key executives for a Board of Directors Meeting and a round of golf at RTJ?

What about all of the other events and organizers who have made the decision to hold their event the same week or day in July? What impact will any of these other events have on you and your organization's ability to facilitate a safe, secure and productive meeting for your participants, members or customers?

The truth is, that many event planners and organizers are not even tied into the same database or the systems as the Chief Security Officer. The CSO in many cases is not aware that the sales or marketing organization has scheduled a customer summit or new product kick-off the same time as a scheduled anti-[insert activist group here] march. Or maybe it's just a PGA golf tournament.

So what? So what does the "science" of operational risk have to do with the "art" of operational risk?

Think clearly and use both when it comes time to develop your own "Fusion Center" for risk in your organization. Make sure you include the people and the data that could reveal the perfect storm when a combination of events all take place within the same time window. There are only so many hotels, convention centers and airports for people to utilize for the logistics of these meetings.

The competition is fierce to get the location, dates and venues you seek to impress your audience. It's not always about the number of things going on at the same time; it is the combination of each unique entity that makes the "Art" of Operational Risk imperative.

Any combination of ingredients by itself can be harmless. But when you mix them together in the right amounts, in the right place, you could be facing a loss event that could not have been predicted looking at the science alone...

01 July 2018

4th of July: Risk of Complacency...

This new nation state is turning 242 years old on July 4th, 2018. The United States of America will be celebrating another birthday, and the Republic will reflect on what we have learned so far.

"Rule of Law" is an ever so powerful component of a democratic way of life and is the envy of so many nations who still seek its truest form. Operational Risk Management permeates the essence of the laws and rights of U.S. citizens in the workplace, of companies and organizations in global commerce, and of the government that provides oversight on all of it.

The balance of power between individual citizens and the government responsible for the protection of life, liberty and the pursuit of happiness is always in flux. Yet in the end, "The Union" has endured some of the most significant "Operational Risks" and disruptions one can imagine.

It is the analysis of "The Union" and the incredible resilience of all the moving parts that make the United States what it is today. Weathering the storms of mother nature, from hurricanes, tornadoes, earthquakes and droughts, to the economic threats of depression, mortgage or Wall Street implosion, has not put a dent in "The Union's" ability to bounce back.

Withstanding the challenges to our Constitution and the rights proclaimed to each and every citizen has only made us stronger. Which cases before the Supreme Court have changed our future?

When you look at your own organization and examine the components of your people, processes, systems and potential external events, does it have what it takes to endure 242 years? Certainly there are risks that exist today that are prevalent in the eyes of shareholders, Board Members and even executive management.

The question really is "What are you doing about it?" This in itself, could be the biggest threat to the United States and your own organization. Complacency.

complacency [kuh m-pley-suh n-see]
  1. a feeling of quiet pleasure or security, often while unaware of some potential danger, defect, or the like; self-satisfaction or smug satisfaction with an existing situation, condition.
It is the perception of the quiet pleasure or security of your organization or your own country that may very well be the greatest threat to its existence. Ignoring the cues and clues to the deterioration of the balance of power, the rule of law and the economic engine necessary to sustain the necessities of life, such as food, water and cash flow, may be the reason for your demise.

Your own business resilience will continue to be a factor of the correct mixture of the ingredients that sustain and organically grow the enterprise. Those who try to grow too quickly without regard to quality will in many cases fail.

Those who let the power base become significantly imbalanced will likewise find it a tremendous hardship to endure. Those who ignore the constant requirement for monitoring and governance will suffer the realities of human factors. Motivations that are often defined as greed, jealousy and hate will soon emerge.
"Relationships remain vital to our family unit, the neighborhood we live in and the cities, counties and states that oversee our way of life."
It is those same relationships within our business and government ecosystems that will determine whether they perpetuate your healthy growth or its inevitable deterioration.
Those same family units, neighborhoods, and government jurisdictions have the power and the ability to avoid complacency and mitigate the Operational Risks that will be present in each. Look around the United States or the nations of the world and you will see who has been complacent, and who has been the most effective in OPS Risk Management.

"I pledge allegiance to the flag of the United States of America, and to the republic for which it stands, one nation under God, indivisible, with liberty and justice for all."

The flag consists of 13 alternating red and white stripes that represent the 13 original colonies, and 50 white stars on a blue field, with each star representing a state. The colors on the flag represent:
  • Red: valor and bravery
  • White: purity and innocence
  • Blue: vigilance, perseverance, and justice
Happy Birthday Uncle Sam!

24 June 2018

SOC: Statement of Truth...

Global transnational organizations that provide 24x7 Business Resilience Intelligence and executive security protective details are on the rise. Corporate personnel who must travel to high risk regions of the globe realize the requirement for a minimal, yet comprehensive, security envelope.

Back at the Business Resilience or "Security Operations Center" (SOC), you will find a team of subject matter experts working in concert to continuously enhance the Operational Risk Management matrix. One set of analysts is tasked with media review and real-time intelligence collection from Open Sources. One example could be CNN, or more regional sources such as Alhurra:
Alhurra (Arabic for “The Free One”) is a commercial-free Arabic language satellite television network for the Middle East devoted primarily to news and information. In addition to reporting on regional and international events, the channel broadcasts discussion programs, current affairs magazines and features on a variety of subjects including health and personal fitness, entertainment, sports, fashion, and science and technology. The channel is dedicated to presenting accurate, balanced and comprehensive news. Alhurra endeavors to broaden its viewers' perspectives, enabling them to make more informed decisions.
Another set of analysts is sifting through online intelligence portals such as Opensource.gov or Data.gov. However, when a specific executive is traveling to a specific country, there are more detailed plans and substantial advance work that take place.

These facets of corporate enterprise risk and operational risk management (ORM) are vital to protect human assets and the ongoing continuity of business operations. Situational awareness enhancement is a 24/7 x 365 day process.

Whether your business takes you to Pakistan, Paris, Toronto or London, the risk of bombing or of criminal elements is a real potential threat:
LONDON — An 18-year-old Iraqi asylum seeker was sentenced on Friday to life in prison in Britain after he was convicted of attempted murder in the botched bombing last September of a rush-hour train on the London Underground, which injured 30 people.

Ahmed Hassan was convicted last week after he left the bomb that partially exploded one stop after he had disembarked. The explosion triggered a stampede that injured tens of passengers.
Executive Protection details have been utilizing the compendium of wisdom and research found in Gavin De Becker's publication "Just 2 Seconds", and for good reason:
"Think of every assassination you've ever heard about. For most people, a few of these major ones come to mind: Caesar, Abraham Lincoln, John Kennedy, Martin Luther King, Mahatma Gandhi, Indira Gandhi, Anwar Sadat, John Lennon, Israel’s Prime Minister Rabin, Pakistan’s Benazir Bhutto.
From start to finish, all of these attacks — combined — took place in less than one minute. And the hundreds of attacks studied for this book, all of them combined, took place in less than a half-hour. Those thirty minutes, surely the most influential in world history, offer important insights that can help today’s protectors defeat tomorrow’s attackers."
Operational Risk is far more pervasive than just the detection of fraud, mitigating the loss events from internal information theft, or the "All Threats, All Hazards" approach to the "Continuity of Business Operations." It's been said here before, and it's worth repeating again, this statement of truth:

"Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result to obtain their objective."

Whether you utilize this statement within the context of your digital domains, physical domains or the vast set of processes within the enterprise, it does not matter.
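The statement names a chain of seven links, and a practical way to apply it across digital and physical domains alike is to require that every incident record fill each link before the record is closed. The following is an added example, not code from the blog: a small Python check over constructed incident records (the sample records, the controlled vocabulary for the "unauthorized result" link, and the function names are all assumptions made for this illustration).

```python
"""Check incident records against the attacker -> tool -> vulnerability -> action
-> target -> unauthorized result -> objective chain.  Added example with
constructed data; not the blog's own code."""
from typing import Dict, List

# The seven links of the chain, in the order the statement names them.
CHAIN = ("attacker", "tool", "vulnerability", "action", "target",
         "unauthorized_result", "objective")

# Assumed, example-only vocabulary for the result link so that two analysts
# describing the same outcome land on the same label.
RESULT_VOCABULARY = {"increased access", "disclosure", "corruption",
                     "denial of service", "theft of resources"}

# Constructed sample records: one digital, one physical, one still open.
SAMPLE_INCIDENTS: List[Dict[str, str]] = [
    {"id": "INC-001", "domain": "digital", "attacker": "external actor",
     "tool": "credential phishing", "vulnerability": "single-factor login",
     "action": "authenticate", "target": "remote access gateway",
     "unauthorized_result": "increased access", "objective": "financial gain"},
    {"id": "INC-002", "domain": "physical", "attacker": "unknown visitor",
     "tool": "tailgating", "vulnerability": "propped fire door",
     "action": "enter", "target": "server room",
     "unauthorized_result": "theft of resources",
     "objective": "resale of equipment"},
    {"id": "INC-003", "domain": "digital", "attacker": "insider",
     "tool": "privileged account", "vulnerability": "",
     "action": "copy", "target": "customer database",
     "unauthorized_result": "data exfiltration", "objective": ""},
]


def missing_links(record: Dict[str, str]) -> List[str]:
    """Links of the chain that the record leaves empty, in chain order."""
    return [link for link in CHAIN if not str(record.get(link, "")).strip()]


def invalid_result(record: Dict[str, str]) -> bool:
    """True when the result link is filled but uses a label outside the vocabulary."""
    value = record.get("unauthorized_result", "").strip()
    return bool(value) and value not in RESULT_VOCABULARY


def is_complete(record: Dict[str, str]) -> bool:
    """A record is complete when every link is filled and the result label is known."""
    return not missing_links(record) and not invalid_result(record)


def narrative(record: Dict[str, str]) -> str:
    """Render a complete record back into the sentence form of the statement."""
    if not is_complete(record):
        raise ValueError(f"{record.get('id')} is incomplete")
    return (f"{record['attacker']} used {record['tool']} to exploit "
            f"{record['vulnerability']} to create {record['action']} on "
            f"{record['target']} that produced {record['unauthorized_result']} "
            f"to obtain {record['objective']}")


def review(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each incomplete record id to the list of problems found with it."""
    findings: Dict[str, List[str]] = {}
    for record in records:
        problems = [f"missing {link}" for link in missing_links(record)]
        if invalid_result(record):
            problems.append("unrecognized unauthorized_result "
                            f"'{record['unauthorized_result']}'")
        if problems:
            findings[record["id"]] = problems
    return findings


if __name__ == "__main__":
    for inc_id, problems in review(SAMPLE_INCIDENTS).items():
        print(inc_id, "->", "; ".join(problems))
    print(narrative(SAMPLE_INCIDENTS[0]))
```

Run as a script, the check flags only INC-003, reporting the empty vulnerability and objective links and the result label that is outside the agreed vocabulary, while the two complete records render back into the sentence form of the statement. The same structure works for a physical incident (INC-002) without any change, which is the point the paragraph above makes.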

What does matter is that those individuals responsible for the survivability and the defensible standard of care of the organization "Never Forget"...

17 June 2018

Father's Day 2018: 30 Years of Wisdom...

On the dawn of the day in America known as Father's Day, we reflect and we acknowledge him. For many, their Father was a major influence in their life. All too often, others never really knew who he was. Fathers are all Operational Risk Management (ORM) professionals in many ways.

This Father has two adult children, a daughter and a son about 19 months apart, in their late twenties. Fatherhood started in mid-September, 1988. That gives you some perspective on our years of experience together. So to all those Fathers out there who are planning a family someday, here are a few thoughts.

First off, the role consumes you. Seeing that first born baby changes you forever. You suddenly realize the word "I" is no longer in your vocabulary. Most certainly, you thought you loved your wife tremendously before you watched your first daughter born. Yet the overwhelming feeling of new love you have for your wife at that time and moment is ever so special. Incredible!

Second, becoming a Father becomes a lifelong responsibility and a new life mission. You find yourself having memory moments, decades later, about your children's greatest achievements in life. The day they walked for the first time. The special birthday party with friends in that old neighborhood. The day they walked up on stage to get their College/University Diploma. At that point in your life, when you were working 12 hour days.

Father's Day, as long as you are alive, shall be a day of remembrance, a day of memories and a day of looking into what lies ahead. You have watched them grow up. You have counseled them, taught them, trained them and loved them. When is your role as Father over? Not until your last day on Earth.

Being a Father makes you a better husband. It gives you the role of being all those things that your wife can't be or won't be at that particular point in time. As your kids grow up, you will both find your path, as a mate and a parent. One thing is for certain. Being married now 30+ years and raising two kids, who are both college graduates and now in challenging careers, makes you realize you might have made a difference.

Finally, being a Father makes you think about your own Father and how you want to be the same or different. After all, where did you learn many of the things that will influence how you might parent? When I saw my Father on the day he died, I cried. And yet, I saw a look of joy on his face as if to say, I know I was not perfect, but I loved you very much.

On this Father's Day in America, this one is so proud. This Father loves his wife dearly and realizes that our two kids love us so much too. Having a son makes you strive to be your best. To be a model husband, to live ethically, morally and spiritually. And now that we have a new Son-in-Law, loving him like my own. Walking my daughter down that aisle was almost as joyful as the day I saw her born...

Happy Father's Day...Onward!

09 June 2018

Crisis Readiness: Future of Risk Response...

One of the key components of effective Operational Risk Management (ORM) is a robust Crisis and Incident Readiness Response Team. This team shall have practiced and exercised multiple scenarios over the course of their training together. Why?

The ability to adapt on the fly, regardless of the kind or type of incident, is the core of what OPS Risk professionals are able to do, time and time again. The more unknowns that are encountered in any space of time, the greater the need for the ability to Observe, Orient, Decide and Act.

Yet this is not so much about the use of the OODA Loop or any other process in effectively adapting to your new and rapidly changing environment. It is about having the right sensors and early warning capabilities in place to detect and to deter the potential for new threats and new vulnerabilities that may disrupt your mission.

Why do you read about Global 500 organizations that have seen their stock price erode in a day, week or month due to the ineffective response to a crisis incident? In many cases, it is a simple fact. The Crisis and Incident Response Team was caught in a scenario that they had never imagined.

An unfolding situation that they had never thought of and simply didn't plan for, because its likelihood was just too low. This author has talked about this before, and it deserves repeating: exercising for the low likelihood and high impact events is where you need to spend most of your time.

The 1-in-100 year events are no longer the case. They are 1-in-50 or less. Just ask your property and casualty insurance carrier how their actuarial Quants are thinking about this very topic. Whether it is global climate change or unregulated nuclear power industries in emerging nations, the low likelihood and high impact events are becoming more of a risk.

So what is the answer? To begin, you must first start the culture change and mindset shift toward the future and toward your own Strategic Foresight Initiative. Looking into the future is not exactly the exercise. Pick a point in time: five, ten or twenty-five years into the future. Select a scenario that you can't even fathom as a possibility of actually coming true, one that would impact your organization. Then start your own "Backwards from Perfect" strategic foresight initiative.

What this process will do is focus all attention on what you still need to accomplish between now and then to get yourself into a position where your people, systems and organization will be able to withstand the scenario incident. Welcome to Global Enterprise Business Resilience.

Across every sector of society, decision-makers are struggling with the complexity and velocity of change in an increasingly interdependent world. The context for decision-making has evolved, and in many cases has been altered in revolutionary ways. In the decade ahead, our lives will be more intensely shaped by transformative forces, including economic, environmental, geopolitical, societal and technological seismic shifts.

The signals are already apparent with the re-balancing of the global economy, the presence of over seven billion people and the societal and environmental challenges linked to both. The resulting complexity threatens to overwhelm countries, companies, cultures and communities.

FLASHBACK TO: Global Risks 2012, Seventh Edition

What if you happen to be a Non Governmental Organization (NGO)? What are some of the risks that may impact you from a "Geopolitical" perspective that today have a high likelihood?
  • Global Governance Failure
  • Terrorism
  • Failure of Diplomatic Conflict Resolution
  • Pervasive Entrenched Corruption
  • Critical Fragile States
  • Entrenched Organized Crime
  • Widespread Illicit Trade
Crisis impact will be specific to your particular stakeholder group. It will be higher or lower depending on whether you are a:
  • NGO
  • Business
  • Government
  • International Organization
  • Academia
There are, however, three main cross-cutting observations shared by all of these stakeholders, from the Global Risks 2012 report and even to the present day:
  • Decision-makers need to improve their understanding of the incentives that will improve collaboration in response to global risks
  • Trust, or lack of trust, is perceived to be a crucial factor in how risks may manifest themselves. In particular, this refers to confidence, or lack thereof, in leaders, in the systems which ensure public safety and in the tools of communication that are revolutionizing how we share and digest information
  • Communication and information sharing on risks must be improved by introducing greater transparency about uncertainty and conveying it to the public in a meaningful way.
The way that the global citizen decides to digest information in five or twenty years will be different than it is today. The world has already started to see this with the proliferation of mobile smart phone technologies, GPS, cameras, and other Twitter-like knowledge networks such as FrontlineSMS and Ushahidi.

Do you really believe that CNN and AlJazeera will be the source of truth in the next two decades? Social Media is here to stay, and the only reason formal news organizations will continue to exist is to try to validate and verify.

Operational Risk Management (ORM) and Crisis Readiness shall continue to be one of the most dynamic and challenging places for global enterprises for years to come...

03 June 2018

Black Swan: Strategy Execution for the "Outlier"...

The Black Swan is a surprise event and the idea that a catastrophe can strike without warning. What does your organization plan for within the Operational Risk Management (ORM) discipline? The low consequence, high frequency incident or the high consequence, low frequency incident?

The ratio can tell you what your "Resilience" factor is to Operational Risk loss events. Key Performance Indicators (KPIs) can give you some forward looking view into the risk portfolio, yet what about the resilience to the "Black Swan"?

A black swan is a highly improbable event with three principal characteristics: It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was.

The astonishing success of Google was a black swan; so was 9/11. For Nassim Nicholas Taleb, black swans underlie almost everything about our world, from the rise of religions to events in our own personal lives.
"Why do we not acknowledge the phenomenon of black swans until after they occur? Part of the answer, according to Taleb, is that humans are hardwired to learn specifics when they should be focused on generalities. We concentrate on things we already know and time and time again fail to take into consideration what we don’t know. We are, therefore, unable to truly estimate opportunities, too vulnerable to the impulse to simplify, narrate, and categorize, and not open enough to rewarding those who can imagine the “impossible.”
Your organization is no doubt spending time on the Operational Risk Management (ORM) events that consistently fall in the high frequency "In Your Face" category. In a highly regulated industry sector such as finance, health care or energy, the oversight mechanisms require a continuous analysis of risk based upon the criticality of these sectors to the overall resilience of the economy.

Yet it is the "Outlier" incident, the one that comes at the most unexpected time, that is the real threat and the incident catalyst that could be your "Black Swan". You never know when it is going to come, so you must plan, prepare and imagine that someday it will happen.

Enabling Global Operational Risk Management (ORM) requires thinking beyond models and an outside-the-box analysis of the "Resilience Factor," should an outlier impact the organization, the state or the country. The resources, personnel and systems focused on these areas of risk are small today. But not for long.

Just ask those people who have been working 24/7 since any major incident. It could have been the "Fukushima" or "Lehman Brothers" crisis. Or, more importantly, the plaintiff lawyers preparing their briefs for the inevitable aftermath of litigation over who knew what, when.

Remember Target Corporation:

Is Target to Blame for Its Data Breach? Let the Lawsuits Begin

By Joshua Brustein December 26, 2013

The lawsuits started almost immediately after Target’s (TGT) admission that hackers had stolen information related to the credit-card accounts of 40 million shoppers. At least 11 customers are now pursuing class-action suits against the retailer, claiming it was negligent in protecting their data.

Another lesson learned from Supply Chain Risk. Losing control of sensitive customer data is a fact of life for American companies. They're collecting more of it, and they are often outgunned by hackers, who are highly motivated to get at it. Perhaps through your most trusted supply chain vendors and partners.

One prediction for the future could be that litigation will follow all "Black Swan" incidents. If you are in a highly vulnerable industry sector, because it's part of the critical infrastructure of the global grid, then you already know you are in the middle of the target zone.

What is amazing to many in the after-action reporting is still how much we continue to underestimate the magnitude of the lack of planning and resources devoted to these low frequency, high consequence events.

20 May 2018

Memorial Day 2018: The Risk of Service is Understood...

Memorial Day weekend will soon be upon us in the U.S. and on the final Monday of May 2018, we reflect on this remembrance.

In order to put it all in context, we looked back 5 years to our 2013 blog post here. It was only a few weeks since a fellow colleague from Team Rubicon had ended his battle at home, after several tours of duty with AFSOC. Neil had joined the ranks of those fallen heroes who survived deployment tagging and tracking the enemy in the Hindu Kush. He was also one of the 22 that day in early May who could not defeat the legacy of demons he fought each night as he fell deep asleep.

On Memorial Day 2018, we again honor Neil in Section 60 at Arlington Memorial Cemetery and all those other military members who have sacrificed and defended our freedoms for 242 years. Simultaneously, we do the same for the people behind the "Stars" on a wall in Langley, Va for those officers who have done the same.

Together we are on the front lines or inside the wire at the FOB.  Whether you are in Tampa, FL, Stuttgart, Germany or Arlington, VA.  Whether you are on your beat cruising the streets of a major metro USA city.  Whether you are watching a monitor at IAD, LAX or DFW.  Whether you are deep in analysis of Internet malware metadata or reviewing the latest GEOINT from a UAS.  We are all the same, in that we share the mission that gets each one of us out of bed each day.  Our countries "Operational Risk Management (ORM)."

The Operational Risk Management mission of the U.S. Homeland is vast and encompasses a spectrum of activity, both passive and kinetic.  Digital and physical.  It requires manpower and resources far beyond the capital that many developed countries of the world could, to this day, comprehend.  There are only a few places across the globe where a normal citizen would say that the mission and the capital expenditures are worth every dollar and every drop of blood.

Memorial Day in the United States is exactly this:
Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3].
So this Memorial Day weekend, as we walk among the headstones and reflect on our colleagues who gave their service and their own lives, we will stand proud.  We understand the risks.  We know why we serve.  In the spotlight or in the shadows.  The tradition and the mission continues...

13 May 2018

InTP: Insider Threat Via Critical Infrastructure...

The private sector organizations of the United States are vital to the protection and security of the Homeland.  The private sector owns a majority of our assets and Critical Infrastructure Protection (CIP) remains a priority as a result of the latest asymmetric threats.  Securing Critical Infrastructure sectors includes:
  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems
The National Strategy to Secure Cyberspace emphasizes the importance of public/private partnerships in securing these critical infrastructures and improving national cyber security.
Similarly, one focus of the Department of Homeland Security is enhancing protection for critical infrastructure and networks by promoting working relationships between the government and private industry.

The federal government has acknowledged that these relations are vital because most of America’s critical infrastructure is privately held.  Further, the networks of our global super-infrastructure are tightly “coupled”—so tightly interconnected, that is, that any change in one has a nearly instantaneous effect on the others.

Attacking one network is like knocking over the first domino in a series: it leads to cascades of failure through a variety of connected networks, faster than most human managers can respond.

We realize that there are many facets of CIP, yet where should we be allocating resources?  The vigilance within our organizations has not changed and is based upon previous studies done by CERT and the US Secret Service:
"A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company’s manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup for that software. Following the system administrator’s termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company’s server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees." U.S. Secret Service and CERT Coordination Center/SEI Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors

Insider Characteristics

The majority of the insiders were former employees.

• At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.

• The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%).

Most insiders were either previously or currently employed full-time in a technical position within the organization.

• Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.

• Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.

Making sure that you have a robust workplace awareness program is one key component in addressing the "Insider Threat" and our resilience.

More importantly, the timing may have been the perfect launch point for other malfeasance from non-state actors who lie in their "Lone Wolf" mode, waiting to strike.

And while the scenario could be well contained, the timing could create opportunities for the "Black Swan" outlier inside your enterprise.

It's never too early to plan for the unimaginable, all happening in the same geography and the same time frame.  Revisit your "Insider Threat Program" (InTP) and Critical Infrastructure Resilience today...

06 May 2018

IO Convergence: Cyber Warfare Unified Taxonomy...

Information Operations (IO) is an Operational Risk Management priority in both the public and private sector these days. Is it lawful for a U.S. company and U.S. citizens to train and perform cyber warfare activities on behalf of a foreign country?

Flashback to 2012, The Washington Post reports:

By Ellen Nakashima, Published: November 22
"In the spring of 2010, a sheik in the government of Qatar began talks with the U.S. consulting company Booz Allen Hamilton about developing a plan to build a cyber-operations center. He feared Iran’s growing ability to attack its regional foes in cyberspace and wanted Qatar to have the means to respond.

Several months later, officials from Booz Allen and partner firms met at the company’s sprawling Tysons Corner campus to review the proposed plan. They were scheduled to take it to Doha, the capital of the wealthy Persian Gulf state.

That was when J. Michael McConnell, then a Senior Vice-President at Booz Allen and former Director of National Intelligence in the George W. Bush administration, learned that Qatar wanted U.S. personnel at the keyboards of its proposed cyber-center, potentially to carry out attacks on regional adversaries.

“Are we talking about actually conducting these operations?” McConnell asked, according to several people at the meeting. When someone said that was the idea, McConnell uttered two words: “Hold it.”
A common taxonomy was developed years ago for the cyber terms of the computer and network incident domain. Now we need to make sure we all understand what we mean when we say Information Operations policy as it pertains to the digital world.

As an example, in the context of the digital attacker we have the Sandia Labs taxonomy:
  • Hacker
  • Spies
  • Terrorists
  • Corporate Raiders
  • Professional Criminals
  • Vandals
  • Voyeurs
Each is unique and has its own domain or category. We are sure that the same could be used for the context of attackers in the non-digital world, possibly with the exception of Hacker. However, the definition of corporate raider in the offline domains may not be synonymous with the online domain of cyber incidents.

If we look at the categories that make up the entire "Incident" that Sandia Labs has utilized, we see the following:
  • Attackers
  • Tool
  • Vulnerability
  • Action
  • Target
  • Unauthorized Results
  • Objectives
Without combining the context under each category, we lose the impact of what we are trying to make contextual with regard to an "Incident". We need to make sure that the anti-terrorism taxonomies of the offline and online domains can be utilized together to describe the attributes of an "Incident". We need to break down the sub-categories as well. For instance, in the Sandia Labs taxonomy for the Objectives category we have:
  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
When we move to the offline domain and are doing risk mitigation and preparedness exercises for anti-terrorism, we utilize another set of words to describe and evaluate infrastructure threats and hazards.  Here are five factors:
  • Existence: who is hostile to the assets of concern?
  • Capability: what weapons have been used in carrying out past attacks?
  • History: what has the potential threat element (aggressor) done in the past, and how many times?
  • Intention: what does the potential threat element hope to achieve?
  • Targeting: do we know if an aggressor is performing surveillance on our assets?
Two years later, the Washington Post reports:

By Ellen Nakashima, Published: November 14
President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.
Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October. The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.
The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.

“What it does, really for the first time, is it explicitly talks about how we will use cyber-operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
We believe that as our cultures, countries, agencies and professionals work together on Information Operations (IO) and online counter-terrorism initiatives, we are going to have to develop a solid taxonomy. It will provide the foundation for our clear and accurate risk management methodologies and incident management systems, being developed by relevant organizations in mutual collaboration.

Once we have accomplished this fundamental understanding, then true Critical Infrastructure Protection (CIP) cooperation and coordination will occur.

22 April 2018

Unthinkable: Adapting in New World Disorder...

Will 2018 bring more data breaches, lost laptops and insider threats than 2017?  This is why CSOs, CPOs and corporate General Counsels have their teams working overtime.

When the enemy is increasing their attacks, utilizing new strategies and leveraging the existing base of compromised organizational intellectual and data assets, the future horizon becomes ever more clear. 

The statistics don't lie.  1,579 documented data breaches occurred in 2017, up 44.7% from the previous year according to reports by the Identity Theft Resource Center (ITRC).  It is the new normal.

The Insider Threat Program (InTP) however, remains a key focus for Operational Risk Management (ORM) professionals because human behaviors are exaggerated during periods of stress, fear and uncertainty. This means that people who may have never considered doing something to jeopardize their reputations, may now be up against a wall.

When there is no obvious exit and no way out, people will do extraordinary things to get ahead, beat the odds and hedge their own risk portfolio of life.

In Joshua Cooper Ramo's book "The Age of the Unthinkable: Why the New World Disorder Constantly Surprises Us and What We Can Do About It", the author discusses the concept of Deep Security. His analogy for how to think about "Deep Security" is the biological immune system:
"A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."
The key word in Ramo's writing is "Adapt".  Being Adaptive.  However, prior to this there are two other very vital words that we feel are even more imperative. Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy investigator on how she solved the case and you may hear just that, "I had a hunch."

Talk with a Chief Privacy Officer in any Global 500 company.  You might get them to admit they have a sense that their organization will be the target of an "Insider data breach" incident in the coming year or two.

Do you remember signing off on reading and your acceptance of the employee handbook?  When did your organization last make changes to the Corporate Employee policies?  We would start with the updates to the following sections:
The increasing complexity of IT systems, cloud computing and data networks, together with the hundreds or thousands of laptops and mobile devices circling the globe with company executives and employees, is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern enterprise does not come naturally. You have to work at it, and it requires a substantial investment in time and resources to make it work effectively.  Proactive Intuition.

Once you realize that all of the controls, technology and physical security are not going to keep you out of harm's way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

15 April 2018

Social Strategy 140: Direct Action #Risk...

Twitter real-time direct action (DA) "Information Warfare" between nation states is a daily task. Current and future Operational Risk Management (ORM) priorities will encompass the imperative to staff "Corporate Intelligence Unit" Fusion Centers.

A prudent Operational Risk strategy shall include a "Big Data" capability combined with deep social intelligence analysis. Here is a historical FLASHBACK in time, to one example of why leadership is devoting new resources and investment to these internal risk management capabilities:
New Diplomatic Avenue Emerges, in 140-Character Bursts
By SOMINI SENGUPTA October 3, 2013
UNITED NATIONS — "Countries all over the world, dictatorships and democracies alike, have in the last few years sought to tame — or plug entirely — that real-time fire hose of public opinion known as Twitter. 
But on the sidelines of the General Assembly meeting over the last couple of weeks, ministers, ambassadors and heads of state of all sorts, including those who have tussled with Twitter the company, seized on Twitter the social network to spin and spread their message. 
At the height of the diplomatic negotiations last week over a United Nations Security Council resolution that would require Syria to turn over its stockpile of chemical weapons, the American ambassador to the United Nations, Samantha Power, used Twitter to preempt criticism of the measure as lacking teeth because it had no automatic enforcement provision."
What does this mean for the global enterprise that circumnavigates the planet to initiate and manage daily business operations?  It means that "Information Warfare" and intelligence collection and analysis for the enterprise continues as a top strategic and operational function.  It requires continuous Operational Risk strategy oversight.

How an organization directs personnel and manages daily decisions, is more mobile information-centric than ever before.  Just stand at any major sidewalk intersection in a major city across the world and count the number of people looking at their "Smart Phones" as they cross the street.

The speed of business that is fueled by leaders commenting via social media, can even influence commodity traders in futures markets and operational planners in the "E-ring."

Leadership has the ability to bypass the traditional media juggernauts to get their message heard in seconds.  The President of a major stock exchange or of a G20 has a "Duty of Care" to its constituents to make the correct public decisions.  At the same time, a moral and ethical context begins to evolve in the vast battle space of 140 digital characters.

The use of a social media post or Tweet from the Board Room to the Court Room; from San Francisco to Tehran, or from Wall Street to Hong Kong, is a risk-oriented asymmetric information tactic delivered in plain sight.

Those social tactics, visual in the landscape of our modern day quest for influence, notoriety or outcry, shall forever shape the breadth of our enterprise digital risk management spectrum...

07 April 2018

Privacy by Design: Trust-Based Business Integrity...

The truth is, your enterprise is under assault.  The asymmetric warfare tactics that are targeting the firewall and the e-mail Inbox will continue to be a digital challenge.  Intellectual Property (IP) lawyers and government regulators are gearing up for another salvo of mandates to enable "Privacy by Design" and increase consumer protection.

Operational Risk Management (ORM) is the discipline that focuses the organization, with proven tools, methods and strategies, on mitigating the risks associated with nation states, rogue criminal syndicates and even your own employees.

Achieving digital trust with your company and your customers is a continuous process.  It requires substantial resources and specialized subject matter expertise to remain effective.

Without a purposeful "Privacy by Design" approach within your enterprise and a renewed focus on the pervasive problem-set now clearly before us, our digital infrastructure integrity is destined for failure.
Privacy by Design states that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step. This includes internal projects, product development, software development, IT systems, and much more. In practice, this means that the IT department, or any department that processes personal data, must ensure that privacy is built in to a system during the whole life cycle of the system or process. Up to now, tagging security or privacy features on at the end of a long production process would be fairly standard. 
By reading this definition of "Privacy by Design", you may assume this problem is the responsibility of the Information Technology department to fix or manage, until you ascertain that it is not just an Information Technology challenge.

It is an Organizational Culture issue that persists at the Board of Directors level, either before an incident or certainly soon thereafter.  The Board of Directors may question the market value of a Fortune Magazine web page dedicated to updating the public on the developing company crisis:

"Facebook in recent weeks has been plagued by yet another scandal, as the social networking giant struggles to deal with the fallout from the Cambridge Analytica controversy.

On Wednesday, it was revealed that initial figures estimating Facebook exposed the data of 50 million users without direct consent were actually much higher than reported, closer to 87 million instead. And Facebook CEO Mark Zuckerberg is now set to testify in front of Congress next week.

But this isn’t the first time Facebook has been embroiled in controversy. The social media company has been involved in a number of scandals just over the past week alone."

So how do you mitigate and start to remedy an "Organizational Culture" issue like this one?  Before the government decides to try and fix it for you.

You have to start with building proactive data privacy awareness with every employee.  Especially if your revenue model is based upon selling advertising.  What is your organization's revenue model?  Are you aggregating members' or users' data and offering a free service platform?  Buyer beware.

What is ahead of us, as we approach a digital "dead man's curve"?  Jeffrey Ritter best explains this:
"To shift toward building digital trust, nation-states must acknowledge that sanctions become increasingly difficult to enforce and must, instead, move toward a regulatory scheme that favors, and provides incentives for, stakeholders that commit to trust-based business methods. Already, both in the United States and other nations, companies that can certify their compliance with third party standards are receiving direct benefits from government agencies."
How are you improving the trustworthiness of your organization? With employees, partners and customers. Think about it long and hard during purposeful learning sessions with your Board of Directors.

So what?

What are you doing today to increase the integrity of your TrustDecisions, to enable and perpetuate your foundation for digital business integrity?

As you analyze your current state, pages of words written by lawyers in "Terms of Service" policies are not enough to satisfy your customer.

Have you strategically implemented all that is possible so far, to address your organizational culture with the pursuit of achieving digital trust?

Leadership of any organization, must perpetuate and transfer the morals and ethics of our society, into the trusted digital products and solutions that our enterprises design, distribute and sell to the public.

01 April 2018

Leadership: The Life Journey of Discovering "X"...

There, can you hear it?  The sound of the helicopters in the distance.  Where is the sun this dawn lit morning, to join all the incredible sounds of nature?  The birds with their unique languages and the insects sending their clear signals of distress.

What will this new day bring before us, this Easter Sunday, April 1, 2018?  How will our leadership be challenged with new problem-sets and the speed of making the right trust decisions?  There is one certainty today that is irrefutable, impossible to prove wrong by argument or evidence.

As a recognized leader in your current role, how would you describe your particular style?  Do you lead by example or do you just sit back and wait for others to make it happen?  Maybe you do it all and never let anyone else learn from their mistakes and learn the feeling of success or failure.

It all begins with your upbringing and where and how you were raised as a child.  The roots of your leadership, in many ways, have been influenced by your early years, before you were even in your mid-20s.

Maybe somewhere along the path of your career, you were administered a psychological profile test.  You know, some form of questions or exercise instrument, to help you determine what particular "Quadrant" or dichotomies of cognitive learning style you are in, as it pertains to the psychologists' descriptions:

Cognitive learning styles
Yet by the time you have reached the age where an employer, agency or other unit has a reason to peel back that facade you wear on a daily basis, you are already destined.  By DNA and by your parents.

Now the question is, who do you want to be and how are you going to train or re-train to be that kind of person?  That kind of leader.  To learn how to behave in a way that truly makes a difference in other people's lives.

The answers that you seek will be determined by your actions.  You have heard this before.  Who you are becoming and how you will judge your progress, is worth examining further.  What is your measuring device?  How do you feel at the end of the day, if you "Have" or "Have not" seen, heard or accomplished "X"?

What is "X" in your life?  Is it a signature on the bottom of a new contract?  Is it the smile on a loved one's face?  Is it a 3 mile run or ride?  Is it a "Thumbs Up" on your latest social media posting?  Perhaps it is as simple as five hours of solid sleep.  Everyone has their own particular metrics by which they are judging their progress each day.  What is yours?

Metrics and your personal measuring device may determine who you are and what you are becoming.  Discovering and knowing that "X" in your life is perhaps more of an influence than you ever anticipated.  What the psychologists and the research have proven over the years is that DNA and environment in your early years will be a major influence on your life.

Yet when you are ready to lead yourself or others in the small world you live in, think about what "X" has been for you this particular day.  Write it down and explain it to yourself each day.  Call it a journal, or a blog or just a composition notebook.  Without writing it out and explaining it to yourself you will have missed the opportunity.
The opportunity, is your own version of leadership:   To guide on a way especially by going in advance, to direct the operations, activity, or performance of, to guide someone or something along a way...
Now, listen carefully.  Do you hear the birds singing and see the sun rising... Happy Easter!

24 March 2018

Liaison Mission: When Will You Introduce Them?

As a current Chief Executive Officer or Commander across some branch or agency, who have you named as a key "Liaison?"  Who is this vital person that you have asked to be your voice, your thinking and your representative to a partner, collaborator or strategic ally?

In Chris Fussell's book One Mission:  How Leaders Build A Team of Teams, the Task Force Liaison is described as follows:
"We clearly share a determined adversary--one that, unlike our organizations, is networked and thus moves with incredible speed. In the Task Force, we are now trying to forge a new type of model based on relationships among individuals and organizations like yours--and we'd like to be more closely connected with your organization. Winning will come from leveraging our mutual strengths, sharing insights and nuanced understanding of the problems and respecting one another's positions.

To help our partnership, we would like to give you one of our best people as a liaison. I expect our liaison to be an asset to you, sharing anything we're doing, providing our most timely intelligence, and seeking out ways that we can help your organization accomplish its goals."
This idea is not a new strategy per se.  Similar derivations of the concept have been utilized for hundreds if not thousands of years.  So why is this so important now, to the current state of global and corporate affairs?

The first reason is that operating at the speed of "iMessaging" social media, will create chasms of misunderstanding.  The simple fact is that information being collected, interpreted and disseminated in your digital-based platforms will most likely have gaps.  The messaging and communications will be hard to decipher by others, who don't know all of the acronyms as just one example.

This is where an embedded "Liaison Officer" or representative can bridge the cultures and the lines of direct messaging.  This is how the speed of the combined network is increased in its ability to pivot, to adapt and to solve problems faster and with higher quality than the competition.

The second reason is that a key mission of the nominated Liaison is to establish, maintain and perpetuate trusted relationships.  Otherwise, how can the leaders of your two organizations gain any momentum, in the quality and the speed of the partnership that is desired as a relevant outcome?

Now think about your own organization.  Where do you have a blind spot?  What other entity, team, business unit or agency is now seen as a barrier or competitor?  Are you both after the same customer, the same target or the same outcome?  Is a partnership in place now, to even embed or exchange Liaison personnel?

Believe us when we say that your adversary has already done the same.  They are working together across boundaries to share intelligence, to exchange vital data and to work in tandem to perpetuate their cause, their ideology or their campaign.  They have their own trusted Liaisons working each day to move faster than you are and to achieve new gains in their mission, while you are worried about the unknowns.

Who is it in your organization that you feel that you can't live without?  The one or two leaders that you rely on each day.  The personality that exhibits the way that "Adam Grant" describes a "Giver" or "Matcher," in the way they operate across the team and within the company.  This may be the best person for you to let go of and to be your next "Liaison" to that vital partner, agency or even country.

Looking across the landscape of America, you will find examples of this idea and methodology that are working.  You will find places across the globe where it is in total failure.  Yet how can you raise the odds that the person you choose to embed with another organization will indeed succeed?

As a current Team Leader, CEO or Commander, it means you will have to go a step farther.  It means that you will have to take this person side-by-side in many cases, into the same office, SOC, NOC or conference room to explain it face-to-face.  Sitting across the table from this partnered organization's top executive, you say it:

"I have carefully selected "Jill or Jack" to be our Liaison with your unit or department.  It is something we know to be of great value to the ongoing mission we both face, to address the (problem-set).

 Please know that she/he knows me very well and how I think and what our organization's real capabilities are.  We will miss them, yet want her/him to work alongside your leaders to learn as fast as possible about your greatest hurdles and problems.  It is only then that we envision a chance for our respective teams to move faster with the most effective joint solutions, to obtain and synchronize our advantage."

These few minutes face-to-face may make all the difference to the potential for a successful and trusted relationship.  As you stand up and leave your Liaison with their newly assigned organization, remember this.

Your Liaison's ability to succeed, will only be as good as the job you have done in preparing them for the assignment.  Think about all the months or years you have worked to shape their character, to instill the ethics and integrity into their daily decisions.  How many problems did you let them solve on their own?

We look forward to hearing the stories about your "Liaisons" and their respective missions to achieve decision advantage and to reach those lofty outcomes you seek...

17 March 2018

Future Risk: Citizen Soldiers Extinct...

It is not often that we see an editorial article that prompts us to get the scissors out of the drawer to cut it out of the Washington Post.  It remains in the saved articles file from 2009 and is relevant still to this day.

This opinion piece, written by Matthew Bogdanos, is worth some additional consideration from an "Operational Risk Management" perspective.  He is a Colonel in the U.S. Marine Corps Reserves and now an assistant district attorney for New York City.  He writes:

"A nation largely founded on the citizen-soldier ideal finds itself, following Vietnam and the expulsion of recruiters from campuses, with the military and civilian worlds warily eyeing each other across a cultural no man's land. As budgets shrink future forces, veterans will be fewer and the chasm wider -- to our peril.
No one wants everyone to think and act alike. Diversity is a major source of our nation's strength. But this diminishing shared experience leaves us ill-prepared against global terrorism. As the British general Sir William Butler warned a century ago, "A nation that will insist upon drawing a broad line of demarcation between the fighting man and the thinking man is liable to find its fighting done by fools and its thinking done by cowards."

We will leave it up to the OPS Risk Managers of the globe whether to agree with Col. Bogdanos and his comments.  What is our takeaway from his words about "Duties That Are Best Shared?"  We think it's quite simple:

How can an "Operational Risk Manager" make effective decisions without having walked a few "clicks" in another person's boots?  Decision support from the Incident Command Center is far more effective if the person making those decisions has relevant, first-hand, on-the-ground experience.

In the corporate world, asking a newly hired employee to take the week-long orientation training without having done it yourself is not only bad management, it's reckless governance of the organization.

Years ago, after the invasion of Baghdad, this OPS Risk manager (Bogdanos) did what we do every day.  He adapted, improvised and overcame risks in order to recover stolen artifacts from the museums.  The investigation was successful because not only was he someone who had experienced what it was like to operate in a war zone, he was also a subject matter expert on much of what was recovered.

If you are going to be an effective risk manager in your government organization, startup or Fortune 500 company, you have to train with your troops in the business unit or at the base.  You have to know first-hand what you are talking about.

Without these, "we risk a future without all of us working towards the same ends --whatever society decides those ends should be."

You need to "get out of the building," as we say these days.  Solving problem-sets within your agency or with your "Cash Cow" customer requires getting right into the bull's eye of the issue: seeing it, touching it and hearing it first-hand.

Without this insight, you lack the understanding, empathy and compassion for the people who experience the problem each day.  You fail to see how a new approach, process or system will be better.

If you think this is sound reasoning and you are looking for others to assist you in your problem-solving journey, look no further than the Defense Entrepreneurs Forum (DEF).  You will find others who are focused on National Security innovation and have definitely been "outside the building."

Perhaps even more vital is their mindset on disciplines such as Design Thinking, Lean Methodologies and achieving Decision Advantage.  Col. Bogdanos, "Citizen Soldiers" are definitely not extinct.

Happy St. Patrick's Day!

10 March 2018

Security Governance: Rededication...

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to.  The policies and codes we stand by to protect our critical assets should not be compromised for any reason.  More importantly, security governance frameworks must ensure that the management of a business or government entity is held accountable for its respective performance.

The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated.  Security Governance is the way that corporations or governments are directed and controlled.  An element that has only recently received attention is the role of risk management in "Security Governance."

Security Governance, like Corporate Governance, requires the oversight of key individuals on the board of directors.  In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches.

The basic responsibility of management, whether in government or the corporate enterprise, is to protect the assets of the organization or entity.  Risk and the enterprise are inseparable.  Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks.  A nation is no different.  However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

An organization's top management must identify, assess, decide, implement, audit and supervise their strategic risks.  There should be a strategic policy at the board level to focus on managing risk for security governance.

The security governance policy should mirror the deeply felt commitment of the organization or nation to its shareholders and citizens.  It should foster a positive and trusting culture capable of making certain that strategic adverse risks are identified, removed, minimized, controlled or transferred.

An enterprise is subject to a category of risk that can't be foreseen with any degree of certainty.  These risks are based upon events that "might happen" but haven't been considered by the organization.  Stakeholders can't expect to be told about these risks, because there is not enough information to validate or invalidate them.

However, what the stakeholders can demand is a management system for Security Governance that is comprehensive, proactive and relevant.  The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

It is this Security Governance management system with which we all should be concerned, and which we seek from our executives, board members and oversight committees.  There should be a top management strategic policy to focus on managing risk for security governance.

This risk management system should establish the foundation for ensuring that all strategic risks are identified and effectively managed.  The policy should reflect the characteristics of the organization, enterprise or entity: its location, assets and purpose.  The policy should:

1. Include a framework for governance and objectives
2. Take into account the legal, regulatory and contractual obligations
3. Establish the context for maintenance of the management system
4. Establish the criteria against which risk will be evaluated and how risk assessment will be defined

A process should be established for risk assessment that takes into consideration:
  • Impact, should the risk event be realized
  • Exposure to the risk on a spectrum from rare to continuous
  • Probability based upon the current state of management controls in place

The strategic security risks that the organization encounters will be dynamic.  The management system is the mechanism by which the executives identify and assess these risks and the strategy for dealing with them.

It is this system with which we are concerned, and which we seek to provide in order to achieve our Security Governance.

04 March 2018

Perseverance: How many problems have you solved today...

"We cannot solve our problems with the same thinking we used when we created them." -- Albert Einstein

Measuring success is something that happens on a daily basis in life and in business.  The metrics, however, are different.  Or are they?

When Wall Street or the Board of Directors measures success, the quants are looking at mathematical equations to determine Earnings Per Share (EPS) or Return on Equity (ROE) of a business.  After all, how else can an investor determine where they should invest their capital?  Operational Risk is always a factor.

When people measure success in their own lives, the measuring tools and methods are sometimes different.  For one person, it is whether they or their children have finished the day without that feeling of starvation in their gut.  For another person, it is whether they will live long enough to see their first grandchild.  For others, just living a life full of faith, integrity, ethics, trust and resilience is enough.

Some people might measure success by the car they drive, the house or neighborhood they live in, or the Country Club where they are a member.  In Silicon Valley, the metric may be how many rounds (A, B, C, D) of funding your startup has achieved.  Around the Beltway in Washington, DC, the metric could be whether your "Program" was funded in the last budget cycle.

The problem-sets that we engage with in business, organizations, government and in life require the time and the effort to truly assess the catalyst and the environment that you are operating within.  But not too long.  Speed and time to a solution can be your strategic ally or your lethal enemy.

To solve an identified problem requires an analysis of the root cause, and the final solution may be achieved in small incremental steps.  The final answer may take minutes, hours or even years.  The one factor that will remain constant is your ability to forge successful relationships with others to assist you.

The other factors in achieving success, once you truly understand the real problem, are the ability to adapt, to pivot and to persevere: the continued effort to do or achieve something despite difficulties, failure, or opposition.

How long have you been persevering?

1 day.  1 month.  1 year.  5 years.  20 years.  40 years.  60+ years.  You see, your success is based upon experience and wisdom, yet it has only one metric: how many problems have you solved so far?

What you see and hear today, what you think about and how you do it, all come down to your ability and capacity to solve the daily problems of life and business.

So what?  This is nothing new...

You have no doubt heard of or read a famous book about similar topics and subjects.  How to be successful?

What if perseverance were the one differentiator that determines whether you are successful or not?

Again, you have heard it all before.  Stop doing this, start doing that.  Keep doing it.  Did you hear that from your mother, your father or your latest boss?  Really, is that all success is about?

Guess what?  Are you still alive?  Did you, your children or your parents go to bed hungry tonight?  If the answer is that you are alive to read this, and no one went hungry... you have been successful today.

Remember, tomorrow you will be solving more problems and persevering: to persist in a state, enterprise, or undertaking in spite of counterinfluences, opposition, or discouragement.

Godspeed!  Have a prosperous journey...