17 September 2017

DEF: Defense Entrepreneurs Forum Increases National Security Velocity...

There is a tremendous amount of buzz and focus on innovation these days, especially around the .gov and .mil ecosystems.  The Defense and Intelligence domains are in a race and competition for increased velocity in procurement, adoption of new or updated systems, talented people and the implementation of state-of-the-art Commercial-Off-The-Shelf (COTS) solutions.

Every so often you come across thought leaders like the Defense Entrepreneurs Forum (DEF) who know what true innovation means.  They get it.  The membership understands that innovation does not always equal technology alone.  The people who live the process of innovation will tell you that many prototypes of new innovation include no semiconductors, transistors or gigahertz.

When you combine the nodes of an ecosystem of smart people, devoted to increasing velocity in the defense and intelligence communities, there will be inspiration, connection and empowerment.  Each one of these nodes is vital, yet they grow and sustain themselves independently.  Working together however, they will provide our national security institutions additional resources, insight and outside the agency expertise.

At the latest Annual Forum at University of Texas - Austin this past week, it was in full force in conjunction with "Clements Center for National Security".  Keynotes and talks from Adm. William McRaven (ret.), Ori Brafman, Col. Mark Berglund, Brigadier-General Hans Damen, Admiral Bobby Inman (ret.), Todd Stiefler, Warren Katz, Clare O'Neill, Lauren Fish, Kaly McKenna, Eric Burleson, Brendan Mullen, Steve Slick, Kristen Wheeler, Kristen Hajduk and others were just the top line.

The bottom line up front: as a participant, you witnessed first-hand that people with outstanding ideas, a similar mission and genuine enthusiasm for improving United States National Security are increasing velocity, in greater numbers, momentum and thought leadership.  The Defense Entrepreneurs Forum (DEF) is now in its 5th year and is a best-kept secret no longer.

So what?  What is DEF’s goal?

"We believe that the complexity of national security necessitates Defense professionals with innovative solutions. We believe that great ideas do not depend on rank and that creative problem solving cannot be developed rapidly. Today’s junior and mid-grade Defense professionals will be the future military leadership of this country.
  • Inspire: By attracting diverse, passionate, and innovative individuals, DEF inspires individuals through a community of like-minded national security innovators.
  • Connect: In person and virtually, DEF is a network that connects innovative thinkers who seek to improve on the status quo and educates them on how to do this.
  • Empower: Through a variety of methods--from idea generation to senior-leader engagement--DEF empowers junior leaders to be change agents in national security."
The innovation mindset is only part of the equation.  You need people with the context, experience and ambition to make a real difference.  Those who are seeking new ideas, new talent and new methodologies for increasing velocity.  People who want to contribute time, resources and intellectual thought leadership.

As the wheels went up on the dawn of a new day over Austin, TX our plane headed North East.  The future is bright for U.S. National Security.  Trust is in the wind and the Defense Entrepreneurs Forum is accelerating...

09 September 2017

Resilience: Optimizing a Continuous Cycle in Your Particular Environment...

Walking across the River Thames over a bridge in London, you can see several signs of resilience, if you look carefully.  This city has listened to air raid sirens, bombs exploding and witnessed vehicles running over pedestrians in a pure act of terror over the past seven decades and beyond.

Big Ben was strangely silent, for maintenance and restoration work.  Yet the citizens of the area and tourists alike were anxious to make it past the new vehicle barriers, to reach the other side.  Resilience runs deep in London and you can see it on the faces of those who call it home.

To endure hardship, disappointment, disability, destruction and years of abandoned dreams is just part of life.  Some cities across the globe have endured and stayed vigilant.  They have learned the art and science of resilience, so that their citizens can carry on, no matter what the negative forces may be.

Across any major continent you will find examples of places and people who have endured and remained resilient.  To the wrath of Mother Nature or the evil deeds of other human beings.  Whether it is Houston, Texas or New York City, London or Berlin doesn't really matter.  The examples of resilience are personified in granite, museums and historical sites with the names and faces of resilient people.

Yet as the train pulled out of Euston Station towards Edinburgh, the city faded into rolling farms and wooded forests, and thousands of sheep dotted the hillsides.  People living outside the city still have their own challenges and battles with everyday life.  They too must adapt and encourage resilience.

A crop that never makes it to harvest due to a fungal disease, or livestock threatened by liver fluke, are just a few of the threats that farmers and ranchers must plan for and respond to in order to lower the risk of loss.  So should you find yourself in the countryside or in the middle of the city looking up at Edinburgh Castle, here is a standard six-step process to endure and remain vigilant:
These steps in the process are not some new invention.  Others have invented variations such as the OODA Loop.  The point is that even Plan-Do-Check-Act (PDCA) will provide a continuous cycle for the city dweller or the countryman, the banker or the fighter pilot.  The hedge fund manager or the venture capitalist.

So what?

The likelihood is that you too have witnessed operational failure.  You have felt the emotion of severe loss of life.  You have been part of a life or business scenario that has brought you to the point of lashing out at those you love, or brought you to your knees looking to the sky.

Beyond your faith and wishful or positive mental attitude, you only have your proven process left to work with, to endure, to be resilient.  The continuous cycle will keep you heading in the only direction you have and that is, to the next step in that cycle.  When you skip a step or have missed one altogether, you are simply opening yourself up to increased exposure of loss or even complete failure.

You shall discover your favorite process or cycle in your life, your vocation and within your domain.

Once you do, you must decide to master it.  To never skip a step and to adapt, learn and improvise.

When you do this, you will have achieved resilience for yourself, your family and your country... 

27 August 2017

Courage: Mitigating Fear...

Fear is a paralyzing condition. What sometimes paralyzes some people often motivates others. Think about it. What are you afraid of? When was the last time you felt so paralyzed with fear that you either couldn't move, or it pumped you up so much that the adrenaline took over and made you do things that you never thought were possible?

Where is your courage today? Hiding out until the day it seems safe? You are going to be waiting a long time. There is no such time or space where it is safe. In the board room or on your battlefield, the world is looking for leaders and people with courage.

Oftentimes the answer is action, regardless of the threat. This in itself signals to your foe that you are aware of the threat and will not only respond, but mitigate any operational risk.

It takes courage to pursue the unpopular agenda. Whether it is to save lives, save investors, or save precious physical or digital assets, the game is the same. Those who decide to do nothing in the face of an obvious threat have nothing but paralysis. Those who decide to do something dig deep to find the purpose and justification for their actions.

Once you find courage, it's very hard to turn the other way. Paralysis becomes so foreign that whenever you feel even a little unresponsive, you compensate the other direction almost by instinct.

If you spend enough time around courageous people, it starts to rub off on you. If you still don't have the bug, then you must not be surrounding yourself with those who can take fear by storm. What are you afraid of?

As Steve Farber would say, you need some more OS!M's.  Once you have enough of these to know that you won't freeze, then you are well on your way to really making a difference on this rock. If you are not there yet, then now is a good time to start speeding up your OS!M's for all of the children of our fallen heroes.

Here is a good example:

Over six years ago this month, Elite Navy SEAL Aaron Carson Vaughn was killed on August 6, 2011, when a Chinook helicopter carrying 30 American troops was shot down in Afghanistan.

In their grief and with a desire to do something that would honor Aaron's legacy, his family chose to start Operation 300.

Operation 300 is a non-profit foundation designed to create a week-long experience for children who have lost their fathers as a result of service to our country.

The camp will provide an opportunity to participate in activities that embody the spirit of adventure that characterized the lives of their absent fathers while fostering a culture of courage, strength, freedom, endurance, honor and godly morality embodied by fearless patriots throughout the history of our American Republic.

Never forget!

20 August 2017

Alternative Analysis: Intelligence-Led Methodologies...

Operational Risk Management (ORM) is about the consideration of past failures and the possibility of unknown future failures of people, processes, systems and external events. The analysis of the likelihood and implications of those loss events requires different methodologies to assist in the mitigation strategies that prevent or avoid the risks of failure. In light of the nature and complexity of transnational asymmetric threats, this requires the use of alternative methods of analysis.

Intuitive decision making and sense-making can be combined into a framework for categorizing the residual thought processes of intelligence analysts. This is called "intelligence sense-making".

This process involves the application of expertise, imagination and conversation, and the benefit of intuition, without systematic consideration of alternative hypotheses. Compared to traditional methods of analysis, intelligence sense-making is continuous rather than discrete, informal rather than formal, and focused more on issues that lack normal constraints.

Employing alternative analysis means that when you "can't afford getting it wrong," you challenge assumptions and identify alternative outcomes. However, it may be of little use against today's growing non-state transnational threats and ongoing criminal enterprise complexities, because there are so many plausible outcomes, constant and perpetual changes, and contingencies that no single risk management process can be effective all the time.

Web-logs 3.0 are the future for some effective transnational alternative analysis. Combined with machine learning threat intelligence systems such as Recorded Future, the open source analyst can operate with increasing pace and context. Unlike more formal published papers, intelligence Web-logs are a more free-flowing "unfinished" production, whereby both human intuitions and more formal arguments are posted and then challenged by those with alternative ideas.

Indeed, Web-logs are the mechanism for a facilitated contextual dialogue, the electronic equivalent of out-loud sense-making.
"On September 11th, about half of the hijackers had been flagged for scrutiny at the gate before boarding the ill-fated flights. Had the concerns of the Phoenix FBI office about flight training not only been shared broadly within the government but also integrated into a mindfulness-focused inter-agency process—featuring out loud sense-making, Web-log type forums, computer-generated references to extant scenarios for crashing airplanes into prominent targets—might at least some of the detentions have been prolonged, disrupting the plan?" --“Rethinking ‘Alternative Analysis’ to Address Transnational Threats,” published in Kent Center Occasional Papers, Volume 3, Number 2.
In our modern-day era of Twitter, Facebook and "Crowd Sourcing" technologies, perhaps the tools are already in place. Platforms such as Ushahidi are geocoding the origin of information, providing ground-truth situational awareness and providing context on issues that are unbounded. How often does the published press currently use these tools to get their original leads, potential sources or new ideas for a more formal story? That story then takes on the formal journalistic requirements for confirmation from trusted and vetted sources, before it makes the final deadline and is delivered on printed paper to our doorstep each morning.

The doctrine of analysis for transnational threats and homeland security intelligence is still evolving in this accelerating digital ecosystem. The alternative methods and tools that we will utilize to examine, refute or justify our thoughts remain endless. The degree to which we are effectively operating within the legal rule-sets for our particular country, state or locality remains the ultimate privacy and civil liberties challenge. These respective governance guidelines, particularly with regard to intelligence record systems and liability issues, must remain paramount:
  • Who is responsible for entering information into the Intelligence Records System?
  • Who is the custodian of the Intelligence Records System that ensures all regulations, law, policy and procedures are followed?
  • What types of source documents are entered into the Intelligence Records System?
  • Does the retention process adhere to the guidelines of 28 CFR Part 23 in the United States?
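
As an added example (not code from this post or from any records system it refers to), the following Python models how those four governance questions can be enforced in software: each record carries its submitter, custodian and source document type, every periodic review leaves an audit entry naming the reviewer, date and rationale, and a retention check flags records whose review period under 28 CFR Part 23 has lapsed or is approaching. The record fields, the accepted source document types, the 90-day warning window and the sample records are assumptions constructed for the example; the five-year maximum retention period is the one the regulation sets.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

# 28 CFR Part 23 requires retained criminal intelligence information to be
# reviewed and validated before its retention period expires, and caps that
# period at five years. Approximated here as 5 * 365 days.
MAX_RETENTION = timedelta(days=5 * 365)
REVIEW_WARNING = timedelta(days=90)        # hypothetical "due soon" window
REPORT_DATE = date(2017, 8, 20)            # constructed "today" for the sample run

# Source document types this hypothetical system accepts (assumed list).
ALLOWED_SOURCE_TYPES = {"field interview report", "incident report", "tip", "court record"}


@dataclass
class ReviewEntry:
    """Audit trail for one periodic review: who reviewed, when, what was decided and why."""
    reviewer: str
    reviewed_on: date
    decision: str            # "retain" or "purge"
    rationale: str


@dataclass
class IntelligenceRecord:
    record_id: str
    entered_by: str              # who entered the information (question 1)
    custodian: str               # who is responsible for compliance (question 2)
    source_document_type: str    # what kind of source document it came from (question 3)
    entered_on: date
    reviews: List[ReviewEntry] = field(default_factory=list)

    def last_validated(self) -> date:
        """Date the retention clock last restarted: the latest review, else entry."""
        return max((r.reviewed_on for r in self.reviews), default=self.entered_on)


def submission_problems(rec: IntelligenceRecord) -> List[str]:
    """Governance checks applied before a record is accepted into the system."""
    problems = []
    if not rec.entered_by:
        problems.append("no submitter recorded")
    if not rec.custodian:
        problems.append("no custodian assigned")
    if rec.source_document_type not in ALLOWED_SOURCE_TYPES:
        problems.append(f"unsupported source document type: {rec.source_document_type!r}")
    for r in rec.reviews:
        if r.decision not in ("retain", "purge") or not r.rationale:
            problems.append("review entry missing decision or rationale")
    return problems


def retention_status(rec: IntelligenceRecord, today: date) -> str:
    """'purged', 'overdue', 'due-soon' or 'current' (question 4, retention)."""
    if rec.reviews and rec.reviews[-1].decision == "purge":
        return "purged"
    deadline = rec.last_validated() + MAX_RETENTION
    if today >= deadline:
        return "overdue"
    if today + REVIEW_WARNING >= deadline:
        return "due-soon"
    return "current"


def records_needing_action(records: List[IntelligenceRecord], today: date) -> List[str]:
    """Record ids the custodian must review now or soon, sorted for stable reporting."""
    return sorted(r.record_id for r in records
                  if retention_status(r, today) in ("overdue", "due-soon"))


def sample_records() -> List[IntelligenceRecord]:
    """Constructed sample data; not real intelligence records."""
    return [
        IntelligenceRecord("R-001", "officer.a", "unit.custodian", "tip", date(2012, 1, 10)),
        IntelligenceRecord("R-002", "officer.b", "unit.custodian", "incident report", date(2012, 10, 1)),
        IntelligenceRecord("R-003", "officer.c", "unit.custodian", "court record", date(2015, 3, 1),
                           [ReviewEntry("supervisor.d", date(2016, 6, 1), "retain", "case still open")]),
        IntelligenceRecord("R-004", "", "unit.custodian", "rumor", date(2017, 8, 1)),
        IntelligenceRecord("R-005", "officer.e", "unit.custodian", "tip", date(2011, 5, 5),
                           [ReviewEntry("supervisor.d", date(2016, 5, 5), "purge", "no longer relevant")]),
    ]


if __name__ == "__main__":
    for rec in sample_records():
        print(rec.record_id, retention_status(rec, REPORT_DATE), submission_problems(rec))
    print("needs action:", records_needing_action(sample_records(), REPORT_DATE))
```

Running it against the constructed set reports R-001 overdue, R-002 due soon, R-003 current, R-005 purged, and rejects R-004 for having no submitter and an unsupported source type; the point of the review entries is that every retain or purge decision is traceable to a named reviewer and a written reason, which is what a custodian has to be able to show.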
Finally, community-based policing has developed skills in many law enforcement first responders that directly support new domestic counterterrorism responsibilities. Intelligence-led policing (ILP) provides strategic integration of intelligence into the overall mission of the larger "Homeland Security Intelligence" enterprise. It involves multiple jurisdictions, is threat driven, and incorporates the citizens of the community, who cooperate when called upon, stay aware of their surroundings and report anything suspicious.

So what types of information do street officers need from an Intelligence Unit?
  1. Who poses threats?
  2. Who is doing what with whom?
  3. What is the modus operandi of the threat?
  4. What is needed to catch offenders / threat actors?
  5. What specific types of information are being sought by the intelligence unit to aid in the broader threat analysis?
Alternative analysis is designed to hedge against human behavior. Analysts, like all human beings, typically concentrate on data that confirms, rather than discredits, existing hypotheses. Law enforcement is constantly focused on the key evidence to prove who committed the crime.
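
One structured way to counter that tendency is to score how much each piece of evidence argues against every hypothesis, rather than how much seems to support a favourite one. The following Python is an added example, not from this post or from the Kent Center paper it cites, of that scoring in the style of Heuer's Analysis of Competing Hypotheses (a technique the post does not name); the loss-event scenario, the evidence items and the consistency codes are constructed for illustration.

```python
from typing import Dict, List, Optional

# Consistency codes an analyst assigns to each (evidence, hypothesis) cell.
CONSISTENT, NEUTRAL, INCONSISTENT = "C", "N", "I"

Matrix = Dict[str, Dict[str, str]]   # evidence -> {hypothesis -> code}


def inconsistency_scores(matrix: Matrix, weights: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Heuer-style scoring: each hypothesis is charged for every piece of
    evidence inconsistent with it, optionally weighted by the evidence's
    credibility. Consistent evidence earns nothing, which is the point: the
    method asks what a hypothesis cannot explain, not how much supports it."""
    weights = weights or {}
    hypotheses = {h for cells in matrix.values() for h in cells}
    scores = {h: 0.0 for h in hypotheses}
    for evidence, cells in matrix.items():
        w = weights.get(evidence, 1.0)
        for h in hypotheses:
            if cells.get(h, NEUTRAL) == INCONSISTENT:
                scores[h] += w
    return scores


def rank_hypotheses(matrix: Matrix, weights: Optional[Dict[str, float]] = None) -> List[str]:
    """Hypotheses ordered from fewest to most inconsistencies (ties broken by name)."""
    scores = inconsistency_scores(matrix, weights)
    return sorted(scores, key=lambda h: (scores[h], h))


def diagnostic_evidence(matrix: Matrix) -> List[str]:
    """Evidence whose codes differ across hypotheses. Evidence consistent with
    every hypothesis feels like confirmation but discriminates between nothing."""
    return [e for e, cells in matrix.items() if len(set(cells.values())) > 1]


def sample_matrix() -> Matrix:
    """Constructed example: three competing explanations for an unexplained
    deletion of records in an enterprise system; not a real case."""
    H1, H2, H3 = "H1 insider misuse", "H2 account compromised externally", "H3 software defect"
    return {
        "E1 deletion ran under a valid employee account":    {H1: "C", H2: "C", H3: "I"},
        "E2 login from unfamiliar geography minutes before": {H1: "I", H2: "C", H3: "N"},
        "E3 no code change was deployed that day":           {H1: "N", H2: "N", H3: "I"},
        "E4 the employee was on leave at the time":          {H1: "I", H2: "C", H3: "N"},
        "E5 the deleted data was sensitive":                 {H1: "C", H2: "C", H3: "C"},
    }


if __name__ == "__main__":
    m = sample_matrix()
    for h, s in sorted(inconsistency_scores(m).items()):
        print(f"{h}: {s:.1f} inconsistencies")
    print("ranking:", rank_hypotheses(m))
    print("diagnostic evidence:", diagnostic_evidence(m))
```

Two things the output makes visible: H2 comes out ahead because nothing in the matrix argues against it, not because more items support it; and E5, which an analyst anchored on any one hypothesis would read as confirmation, is left out by diagnostic_evidence because it separates none of the hypotheses from the others.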

Alternative analysis shall remain part of the intelligence toolkit for more formal policy-level work. Imagine the use of Intelligence-led methodologies such as "intelligence sense-making" combined with secure Web 3.0 collaborative applications at the fingertips of our Homeland Security first responders. Now think about that "lone wolf" or "sleeper cell" lying in wait.

Proactive and preventative risk management requires the right tools, with the right information in the hands of the right people.

13 August 2017

Capitol Hill: Zeros and Ones of Resilient Vigilance...

Walking past the Cannon House Office Building this week, on the way to a meeting at the U.S. Capitol, prompted some reflective thoughts.  As our Capitol came into full view, you have to wonder how many congressmen have made that walk since the early 1900s.  How many representatives from across America contemplated whether their work was making a real difference, for their constituents and for our country?

The future of America is bright and our level of resilience as a nation has endured, yet we must remain vigilant.  There are thousands of people who get up every day and travel into the District of Columbia and surrounding suburbs, because they are Patriots and they care so very much about our growing Republic.  You have to see it in their eyes, to realize how much that is true.

Entering the South door on the House side, we proceeded to our meeting room, H-137.  As our small cadre sat down for a light meal, the focus quickly turned to our purpose for gathering.

National Security and Intelligence was the high-level reason, yet the dialogue quickly drifted into what was an 80/20.  It seems that the "Cyber" related conversations these days are taking up about 80% of the nuances of Critical Infrastructure Protection (CIP), and for good reason.  The fact is, more than 85% of our nation's Critical Infrastructure is outside the direct control and ownership of the government.

Private Sector companies and other non-government entities control 16+ vital sectors of the nation's infrastructure assets.  They are the owners and operators of the Energy, Telecommunications, Financial, Water, Transportation and Information Technology Sectors, including the Defense Industrial Base, to name a few.

What was not mentioned in the room over our 90 minutes were some of the most sensitive issues confronting those on the front lines of the private sector critical infrastructure protection industry.  "Fancy Bear," "Eternal Blue," and "Vault7" were on some people's minds.  These references mean nothing to many of the "John Q. Citizens" in America who are working on smart phones and laptop computers at home, on the job or in our freelance economy, until these electronic tools are no longer functioning correctly.

So what?

Eternal Blue, as the exploit is code-named, is one of scores of advanced NSA attacks that have been released over the past year by a mysterious group calling itself the Shadow Brokers. It was published in April in the group's most damaging release to date. Its ability to spread from computer to computer without any user action was the engine that allowed the WCry ransomware worm, which appropriated the leaked exploit, to shut down computers worldwide in May. Eternal Blue also played a role in the spread of NotPetya, a follow-on worm that caused major disruptions in June.

The owners and operators of Critical Infrastructure across the globe are now operating on high alert.  The executives and policy-makers in discussion behind closed doors around the U.S. Capitol understand the magnitude of the current problem-set.  Utilization of these exploit tools will continue by rogue individuals, Crime, Inc., and cyber terrorists, no different than other examples in the physical world associated with IEDs or weapons of mass destruction.

The Private Sector will need to step up its resilience and readiness game in the next few years, if not months.  The capabilities and Return-on-Investment (ROI) for non-state actors to play in a whole new league are becoming ever more apparent.

To continue our resilient vigilance across the nation, we will require a whole spectrum of new capabilities and some, that have worked for years...

05 August 2017

LIGHTest: An Open Global Ecosystem of Trust...

At dusk on another day in Southern California, new TrustDecisions are being made that will impact how our IoT and Critical Infrastructure evolves in the decades ahead.  Operational Risk Management (ORM) will continuously adapt to our global future of "Achieving Digital Trust."

Yet this innovative catalyst and consortium has been forming over the past year in the European Union.  It is called LIGHTest.
"Lightweight Infrastructure for Global Heterogeneous Trust management in support of an open Ecosystem of Stakeholders and Trust scheme"
"This is achieved by reusing existing governance, organization, infrastructure, standards, software, community, and know-how of the existing Domain Name System, combined with new innovative building blocks. This approach allows an efficient global rollout of a solution that assists decision makers in their trust decisions. By integrating mobile identities into the scheme, LIGHTest also enables domain-specific assessments on Levels of Assurance for these identities."

Trustworthy computing is not new and it has been evolving since the beginning of the Internet with PKI.  What is encouraging and worth pursuing now, is a better understanding of the problem-set.

What is the real problem, that LIGHTest will address and try to solve?
"The DNS translates domain names that humans can remember into the numbers used by computers to look up destination on the Internet. It does it incrementally. Vulnerabilities in the DNS combined with technological advances have given attackers methods to hijack steps of the DNS lookup process.
They want to take control and direct users to their own deceptive Web sites for account and password collection to perpetuate their Internet disruption attacks and crime schemes. The only long-term solution to this vulnerability is the end-to-end deployment of a security protocol called DNS Security Extensions – or DNSSEC."
So what?

The Domain Name System (DNS) relies on these foundational entities for our Global Internet. Designated by letter, they are the operators of the root servers:

A) VeriSign Global Registry Services;
B) Information Sciences Institute at USC;
C) Cogent Communications;
D) University of Maryland;
E) NASA Ames Research Center;
F) Internet Systems Consortium Inc.;
G) U.S. DOD Network Information Center;
H) U.S. Army Research Lab;
I) Autonomica/NORDUnet, Sweden;
J) VeriSign Global Registry Services;
K) RIPE NCC, Netherlands;
M) WIDE Project, Japan.

Ref: http://www.root-servers.org
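
The root zone served by those operators holds the key that validating resolvers treat as their trust anchor; below it, each zone's DNSKEY is vouched for by a DS record published in the parent zone, and a validating resolver checks that link at every step of the incremental lookup the quoted passage describes. The following Python is an added example, not code from LIGHTest or from any root operator, of that one link: it computes the RFC 4034 key tag and the DS digest (SHA-1 per RFC 4034 or SHA-256 per RFC 4509, over the owner name in wire format followed by the DNSKEY RDATA) and checks the key a child zone serves against the DS its parent published. The key bytes are constructed placeholders, not real keys, and the example deliberately stops short of RRSIG signature verification, which a full validator must also perform.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# A DS record as the parent zone publishes it: (key tag, algorithm, digest type, digest).
DS = Tuple[int, int, int, bytes]


def wire_name(name: str) -> bytes:
    """DNS wire format of an owner name: each label prefixed by its length,
    terminated by the zero-length root label ("." alone encodes as one zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = zone key + SEP, i.e. a KSK),
    protocol (always 3), algorithm number, then the public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except
    the obsolete RSA/MD5). It is only a 16-bit checksum used to select the
    right key quickly; the digest below is what actually carries the trust."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(owner name in wire format || DNSKEY RDATA);
    digest type 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(wire_name(owner) + rdata).digest()


def publish_ds(owner: str, rdata: bytes, digest_type: int = 2) -> DS:
    """What the parent zone signs and serves for a delegation to `owner`."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def delegation_verified(parent_ds: DS, child_owner: str, child_rdata: bytes) -> bool:
    """One link of the chain of trust: does the DNSKEY the child zone serves
    match the DS its parent published? A resolver that skips this check accepts
    whatever key a hijacked lookup step hands it."""
    tag, algorithm, digest_type, digest = parent_ds
    if algorithm != child_rdata[3] or tag != key_tag(child_rdata):
        return False
    if digest_type not in (1, 2):
        return False                      # unknown digest type: cannot validate
    return hmac.compare_digest(digest, ds_digest(child_owner, child_rdata, digest_type))


# Constructed sample key material (placeholders, not real DNSKEY public keys).
# Algorithm 13 = ECDSAP256SHA256, chosen only so the algorithm byte is realistic.
GENUINE_KEY = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))
SUBSTITUTED_KEY = dnskey_rdata(257, 3, 13, bytes(range(2, 66)))   # same shape, different key


if __name__ == "__main__":
    ds = publish_ds("example.", GENUINE_KEY)
    print("key tag:", ds[0], "DS digest:", ds[3].hex())
    print("genuine key verifies:", delegation_verified(ds, "example.", GENUINE_KEY))
    print("substituted key verifies:", delegation_verified(ds, "example.", SUBSTITUTED_KEY))
```

In the sample run the substituted key fails on both the key tag and the digest; an unvalidating resolver, by contrast, has no way to tell the two keys apart, which is the gap the quoted passage describes. The DS is only meaningful because the parent signs it with its own key, whose DS sits one level higher, and so on up to the root anchor; that upward chain is why the whole scheme depends on end-to-end deployment.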

Now when you are just starting to understand the complexity of the problem that LIGHTest is attempting to solve, you add "Mobile Identities" to the dialogue.

It is one step towards trust to get machines to complete a transaction with integrity and consistent trustworthiness.  When you add the challenge of validating the reputation and identities of people, the scale of the entire problem-set soars.  The geopolitical and organizational boundaries that are now the state of play are tremendous.  The United States Department of Commerce is at the table.

Think about how far we have come in our technological history and enterprise architecture, with the pervasive use of communications satellites and 30 billion mobile devices by 2020.  Now imagine how far we still have to travel to attain true "Digital Trust."  The infrastructure is global and the complexity is far greater than most humans can truly understand.  To trust one another, to trust transactions, to trust our machines and digital inventions implicitly: that is our lofty aspiration.

LIGHTest is heading in an innovative direction, in the pursuit of greater trustworthiness and we have to keep reminding ourselves why:

Instilling fear in people's minds about monetary losses, stolen intellectual property, hackers, cyber criminals and rogue web sites is important.  Buyer beware!  Stranger danger!  See Something, Say Something.  WannaCry.  AlphaBay.  No different than wanted posters for bank robbers, fraudsters or terrorists.
Companies, people, products or services that continue to serve up messages of digital fear, uncertainty and doubt, are in need of even more clarity and education.  The real problem-set to be solved is about trust and making more highly effective trust decisions, at increasing velocity...

29 July 2017

OPS Risk: Choosing Service Over Self-Interest...

Accountability and ownership are two vital elements of any operational risk professional's mindset, if they are to accomplish real results.  In order to gain this mindset as a professional, you have to be able to work alongside others who have these ingrained into their character and DNA.

What are you accountable for in your team or organization?  You are accountable for the stewardship of your particular mission at this point in time, with a clear vision of the results envisioned.

You are not accountable to anyone but yourself and the team you have assembled for this particular set of tasks and outcomes.  The Operational Risks that you will encounter and those that you decide to mitigate or avoid are entirely up to you and your team, long before you set out to accomplish the mission.

Do you have ownership of the results desired?  You must have ownership of the operational risks that may and will occur if you and your team are to survive whatever known and unknown challenges may come your way.  Who are some of the best of the best in the profession of Operational Risk Management (ORM) over the past few decades?

Neil Armstrong and Buzz Aldrin are just two:
Of course, it was less than a year later that Armstrong himself would make the biggest step. After a three-day trip to the moon, Armstrong, Aldrin and Collins entered lunar orbit on July 19. On July 20, Armstrong and Aldrin began their descent towards the surface inside Eagle, the lunar landing module. The flight to the surface did not quite go as planned. During the descent several alarms from the flight guidance computer distracted the astronauts. The onboard computers were inundated with extraneous radar information, but the alarms were determined not to be a problem.
But Armstrong also noticed he and Aldrin were flying faster than expected across the lunar surface and were likely going to overshoot their landing site. As the Eagle passed 1,500 feet above the surface, Armstrong saw they were heading for a crater. He thought this might be a good option as it would have “more scientific value to be close to a large crater.” But the steep slope and big rocks did not provide a safe place to land. 
As they continued to fly over areas covered with large rocks and boulders, Armstrong took over control of the Eagle and continued flying it manually. He was able to use his training from the LLTV to maneuver as they continued to descend to the surface. But all of the maneuvering was using up propellant. At 200 feet above the surface, Armstrong finally was able to find a place to land. 
Aldrin: Eleven [feet per second] forward. Coming down nicely. Two hundred feet, four and a half down.
Armstrong: Gonna be right over that crater.
Aldrin: Five and a half down.
Armstrong: I got a good spot.
Aldrin: One hundred and sixty feet, six and a half down. Five and a half down, nine forward. You’re looking good. 
As they passed 75 feet mission control in Houston determined the Eagle only had 60 seconds of fuel left. Armstrong says he wasn’t terribly concerned about the low fuel situation, “typically in the LLTV it wasn’t unusual to land with 15 seconds left of fuel.”
About 40 seconds later Armstrong made a final few maneuvers before announcing the landing was complete. 
Armstrong: Shutdown.
Aldrin: Okay. Engine stop.
Houston: We copy you down, Eagle.
Armstrong: Houston, Tranquility Base here. The Eagle has landed.
Think about your team.  Is the boss dictating from the top on your every move, or are they side-by-side with equal accountability and ownership of the results of the mission?  NASA puts rock star top gun pilots behind the controls of lunar missions for a good reason.  It is because they know that they are not in control; ultimately the pilots are working together.

So if you find that in your next corporate or organizational project that the boss from afar is telling you what to do at every moment, it's time to eject.  A true Operational Risk professional understands the mission and the desired results.

They have accountability and ownership of the tasks necessary to achieve the results.  Their stewardship of the project, with their fellow team members will be able to adapt to any changing environment or sudden challenges.

If you are the boss who has responsibility for the team and the successful outcome of the mission, what have you done to enhance each of their skills, knowledge and experience to deal with operational risks?  You may be asking at this point, "How do I do this?"  This isn't about giving you suggestions or showing you where it is working and how to do it.

This is about service before self-interest and your ability to think of yourself as an equal on the team. Just one more vital asset with the same sense of accountability and ownership for the overall mission. That's it.

Your team needs you as one more set of brains, hands and talents to solve the operational risks that will be on their way.  How you behave and perform in light of these newfound challenges may very well be the one thing that determines whether your team lives, or survives.
To serve. To be safe. To know what freedom feels like.
Author, Peter Block - Stewardship - Choosing Service Over Self-Interest
Neil Armstrong was a true Operational Risk Professional... Godspeed.

22 July 2017

Global Pulse: Resilience in Development...

The asymmetric threats cast upon the private sector on a daily basis across the globe are rising and more complex.  As a result, Operational Risk Management (ORM) is a discipline that has quickly matured in the past decade.

Today, as we embark on this blog post number 1154 we can reflect on our amazing journey.  When you search Google from our location on "Operational Risk Management Blog" this blog is the number 1 link.

This endless journey encounters new insights and traverses industry sectors including financial services, energy, automotive manufacturing, aerospace, the defense industrial base, pharmaceuticals and government, both local and federal.  It has involved the following four fundamental principles of ORM:
  • Accept risk when benefits outweigh the cost.
  • Accept no unnecessary risk.
  • Anticipate and manage risk by planning.
  • Make risk decisions at the right level.
Whether the oversight and pursuit encountered the risks of fraud, economic espionage, workplace violence, natural disasters, terrorism or cyber vulnerabilities does not matter.  The threats and hazards that span the spectrum of Operational Risks to the enterprise are vast and increasingly diverse.

The discipline continues the quest to improve and to learn new lessons from both the private sector and government.  Now both of these need to also include a third dimension that is evolving and could be the place to look for real innovation: Non-Governmental Organizations (NGOs).

The NGO community is the environment that has now gone beyond response and is finally becoming more predictive:
Global Pulse is a United Nations initiative, launched by the Secretary-General in 2009, to leverage innovations in digital data, rapid data collection and analysis to help decision-makers gain a real-time understanding of how crises impact vulnerable populations. Global Pulse functions as an innovation lab, bringing together expertise from inside and outside the UN to harness today’s new world of digital data and real-time analytics for global development. The initiative contributes to a future in which access to better information sooner makes it possible to keep international development on track, protect the world’s most vulnerable populations, and strengthen resilience to global shocks.
There are plenty of situational awareness analogies that can be made to the risk management of vital private sector or government assets over the years.  Predictive operations have been evolving for years with the goal of preemptive capabilities to detect an attack on a Homeland.  The analysis of information from disparate sources is nothing new.  Link analysis and other methods of qualitative and human factors analysis give us the cues and clues to a possible evolving pattern of human behavior.

Yet what is fascinating now about the NGO perspective is the intersection of Big Data and the mobile phone:
Wherever people are using mobile phones or accessing digital services, they are leaving trails behind in the data. Data gathered from cell phones, online behavior, and Twitter, for example, provides information that is updated daily, hourly and by the minute. With the global explosion of mobile phone-based services, communities all around the world are generating this real-time data in ever-increasing volumes. These digital trails are more immediate and can give a fuller picture of the changes, stressors, and shifts in the daily living of a community, especially when compared with traditional indicators such as annual averages of wages, or food and gas prices. This is especially crucial during times of global shocks, when the resilience of families and their hard-won development gains are tested.
These global shocks that are economic, geopolitical or as a result of climate change are at a macro level nothing more than environmental volatility.  This volatility in markets, government leadership, religious conflict and drought are what is driving the NGO development community to be more predictive and to be more preemptive.

In concert with this focus on predictive intelligence is the initiative "data philanthropy."  How can the data sets from our respective countries be shared to work on the really hard global problems together?  Open Data Sites is just the beginning.  You have to make sure that you recognize the attributes of "Big Data for Development" vs. the private sector or purely government:
Big Data for Development sources generally share some or all of these features:
  (1) Digitally generated – i.e. the data are created digitally (as opposed to being digitised manually), and can be stored using a series of ones and zeros, and thus can be manipulated by computers;
  (2) Passively produced – a by-product of our daily lives or interaction with digital
  (3) Automatically collected – i.e. there is a system in place that extracts and stores the relevant data as it is generated;
  (4) Geographically or temporally trackable – e.g. mobile phone location data or call duration time;
  (5) Continuously analysed – i.e. information is relevant to human well-being and development and can be analyzed in real-time;
What if the private sector and the government started looking through a different lens?  Or perhaps the other way around.  Is the NGO development community capable of learning from the mistakes with data that intersect with privacy and national intelligence?  Operational Risk Management is just as much an imperative in the NGO environment, as we evolve in the integration of Big Data for global humanitarian initiatives.

When you really look at the opportunity and the challenge ahead, you must consider this intersection of data today in context with where development is still in its infancy.  Look at this visualization of Google search volume by language.  Notice the darkest parts of the planet Earth.

These are where the NGO community lives today, with little access to the Internet, regardless of language.  The human resilience factor necessary to evolve in these non-connected, IP (Internet Protocol) deprived areas of the world must be addressed as we aspire to become more predictive risk managers.

16 July 2017

Cyber Deterrence: Chief Information Warfare Officer (CIWO) is born...

In 2017 there has been a significant amount of news and dialogue on the topic of information security. America is now waking up to the reality that its true vulnerability, critical infrastructure reliance on strategic networks, is worth analyzing in depth.

Operational Risk Management (ORM) in critical infrastructure sectors such as Energy, Finance, Transportation, Defense Industrial Base (DIB) and a dozen more is alive and well. Yet the long view requires a pivot away from the cyber analogies of immune systems and daily hygiene, which address only cyber theft, denial of service, viruses and ransomware.

The growing priority problem-set is "Cyber Deterrence" and the U.S. is still a long way off from having this strategy in place. The current abilities of several known nation state adversaries to launch and maintain a persistent attack on our critical infrastructure require a new and robust set of initiatives to solve this new reality and immediate cyber problem for national security.

The fusion of Homeland Security with U.S. Department of Defense planning to address "Cyber Deterrence" is necessary and beyond what has been accomplished to date. The attributes focused on "Continuity of Government" (COG) and "Continuity of Operations" (COOP) are paramount with solving the hard problem-set of U.S. Cyber Deterrence. Why?

A wider range of military cyber options is needed beyond diplomatic expulsions and economic sanctions, and a clear policy framework must be in place for these deterrence options to be utilized against nation states.

The growing use of cyber offensive weapons requires an increased level of preparedness, offensive war games and planning, including substantial integration with U.S. private sector critical infrastructure companies. The resilience factors associated with Fortune 500 private sector companies are vital.

First, a substantial portion of the new problem-set, involves the use of offensive cyber weapons and the declaratory engagement policy with adversaries such as Russia, China, Iran and North Korea. This must include the key dialogue on attribution capabilities. Have you ever had a conversation with your information security team on the topic of attribution? If you haven't then now is the time to better understand this set of issues.

Second, the degree to which a private sector company has been under attack by non-state actors will in many cases provide an indicator of their current cyber deterrence capabilities. The question is, how would they respond and how resilient would they be if any new attacks were exponential in proportion to previous adversarial campaigns?

Third, the coordination with not only DOD and private sector companies also requires significant integration with the Department of Homeland Security (DHS), State Department and the Intelligence Community (IC).

Non-kinetic cyber actions utilized by the military are not new. Strategic U.S. ICT (Information, Communications & Technology) capabilities working side-by-side and in concert with the military are now more necessary than ever. Private sector interaction and engagement with USCYBERCOM to establish working relationships that include COG and COOP level planning also need to accelerate.

So what?
The House has joined the Senate in calling for the Department of Defense to update its cyber strategy and to more clearly define the meaning of cyber deterrence.
The House on July 14 overwhelmingly passed the 2018 National Defense Authorization Act, which included a number of cyber-related amendments, including a provision directing the secretary of defense to "develop a definition of the term 'deterrence' as such term is used in the context of the cyber operations of the Department of Defense; and assess how the definition...affects the overall cyber strategy of the Department."
The Senate's draft of the NDAA establishes a U.S. cyber deterrence and response policy and calls on the administration to develop a clear cyber deterrence strategy.
The Chief Information Warfare Officer (CIWO) has been born...is it a myth?

09 July 2017

Mergers & Acquisitions: Achieving Trust Awareness...

Building relationships is a continuous process that requires an effective approach, mutual intent and clear understanding of the purpose.  Operational Risk Management is at the center of all kinds of Mergers and Acquisitions (M&A) activities.

Whether it is a mega-merger between Amazon and Whole Foods or simply a planned meeting with a potential partner or client, both invested in discovering the possibilities of working together, you can improve the ratios of a positive outcome.

Developing new capabilities, launching a new solution or improving an existing line of business, requires a substantial investment in "Relationship Building."  A team of individuals with their respective areas of knowledge, subject matter expertise and mutual mission still require continuous hands on facilitation.

The building of relationships requires, at the core, a persistent devotion to "Trust Awareness."  This means that you have to be conscientious about looking through your individual and organizational behaviors and messaging for anything that could in some way erode trust.  This trust awareness is the ability to detect anything that could diminish the possibility for the relationship to grow.

Building and growing trust with new partners, mentors, clients or customers requires an investment in time and resources to monitor, measure, document and adapt with change.  It requires a new level of transparency and focus on integrity.  Simultaneously, it means that you have to accept a new level of vulnerability.

Regardless of the logo on your business card or web site, the tag line of what you are about, or even the URL for your domain name, what are you doing today to build trust with your employees, co-workers, supply chain or channel partners?  What is the process and method you utilize to improve your trust awareness and to build stronger and lasting relationships?

Jeffrey Ritter says it best from his book "Achieving Digital Trust":
"Whether in government, in business, in classrooms, or at the dinner table, the ubiquitous presence of digital assets and devices enables us to do something radical—immediately seek out information that allows us to challenge and evaluate our trust in the decisions of others we are expected to follow. So, in addition to your own decision process being shaken, so too are the evaluations others make to trust your decisions. If you are a business leader, IT executive, information security manager, systems architect, elected public official, educator or stay-at-home parent, you have surely felt the discomfort.

As soon as you announce a decision, someone is thumb-typing on a device to find information to validate or contradict you. A few clicks and your questioner has acquired data that enables that person to question your decision process, view it differently, or weigh it with lesser confidence. Admit it, you surely have done the same when you are on the other side of the table, hearing the decisions, opinions, or guidance of others—a superior officer, a corporate manager, a business partner, a teacher, or even a spouse."
Building effective relationships between people in the digital age will certainly involve e-mail, iMessages, web sites and even Twitter.  How often do you read a person's name or see them perform before an audience and immediately do a "Google Search" or LinkedIn lookup?  What you see and read there could influence you and how much you initially trust that person.

There are dozens of ways that due diligence is accomplished during any M&A activity including the asset inventory, testing and validation along with a forensic records review.  Yet in the initial days of the team coming together to identify, approach and cultivate a meaningful relationship with a new partner or buyer, the process is vital.  The methodology can mean your success ratio is improving, flat-lined or declining.

Step back and take a look at your relationship building capabilities.  Analyze why your success ratio is declining.  Understand the trust awareness factors that could be part of the answer to your achieving even greater digital trust.  The next step is to effectively identify and solve the problems that you will encounter as the M&A trends continue.

Building new relationships takes time and resources.  Yet, keeping those relationships effective and continuously growing "Trust Awareness" for years and decades requires even more.  Listening, learning and compassion...

02 July 2017

USA: Our Past and Future Destiny...

The United States of America turns 241 years old on Tuesday, July 4, 2017.  As the parades of celebration commence across the small towns and the mega-metropolitan cities, we have so much to be proud of and have so many accomplishments in these few short centuries.

The Founding Fathers really had no idea in 1776 what Operational Risks they would face or what our nation would look like now, as they were crafting our U.S. Declaration of Independence and later the U.S. Constitution.  All they knew was that they were crafting something new and unique, in so many ways.  It has endured World Wars and this Republic has become ever more resilient to economic turmoil over the years.

The rest of the world needs the United States of America.  After all, how would they know about the existence of underground ice on Mars or other first discoveries by NASA.  How would many of the countries on our Earth continue to accelerate their abilities to produce greater food yields, preserve vital fresh water drinking sources or even power their transportation sector with clean energy?  Who invented the Internet?  We explore farther and innovate faster...

As Americans, we travel the world with our U.S. Passport and it gives us a glimpse into why this little book is so valuable.  Why it is so sought after.  Even most Americans might not realize that their U.S. Passport is not their property.  It is the property of the United States (Title 22, Code of Federal Regulations, Section 51.9).  It must be surrendered upon demand made by an authorized representative of the United States Government.

On page 16 and 17 of the U.S. Passport is the following quote:

"This is a new nation, based on a mighty continent, of boundless possibilities."  --Theodore Roosevelt

Theodore Roosevelt became the United States' youngest President at age 42 in September of 1901.  The 25th President, William McKinley, had been the third U.S. President to be assassinated, after Lincoln and Garfield.  Now Teddy Roosevelt, then Vice-President, saw the possibilities and took our country forward once again.

One can only imagine what our country will be like in another 241 years.  Where else in the solar system will we have new outposts?  How will we be assisting and cooperating with other countries to promote peace and justice?

So with that United States banner of "50 Stars and 13 Stripes" waving in the wind over your home in America this 4th of July, put your hand over your heart or salute our flag.  Remember how far we have come and how far we will be going as a nation together...

24 June 2017

Walking the Talk: Asymmetric Lessons Learned...

Operational Risk Management (ORM) is about "Walking the Talk." What are you advocating in your solutions, services and advice to clients or within your own organization? When you "Walk the Talk", this means that you believe in, and demonstrate first to yourself and your own organization, that you execute and comply with what you say is policy; that is a key factor in your own Continuity of Business Operations.

You carry out in a demonstrable form the rule-sets, best practices, ethics and behaviors that you are asking your own customers and your suppliers to follow. Your failure to do so can have tremendous ramifications.  Nicholas Weaver explains:
The payload of CrashOverride is rather elegant in its simplicity; in a way it’s reminiscent of how a toddler might sabotage the lights at home. Once CrashOverride is running on a control system, it begins by mapping out all the circuit breakers. Once the payload knows where all the switches are, it can launch the primary malicious attack, either by turning off all the switches or—potentially more catastrophically—by repeatedly flipping them on and off until the substation in question is isolated.
Asymmetric Warfare is about an indirect strategy and the ability to compromise your target through non-traditional methods.  You and your organization might just be a pawn in a more sophisticated, planned and smart attack on a much more worthy adversary. Whether the intended target is a Critical Infrastructure organization in the financial, energy or defense industrial base (DIB) doesn't really matter.

Supply Chain Risk Management (SCRM) is not just about validating where and how embedded circuits, EPROMs or other systems software are assured for quality and free of tampering. SCRM is about your vendors themselves being compliant within their own enterprise, in the manufacturing of their own products or the operational environment of their solution ecosystem.

The trust and confidence of your extended partners, clients, contractors and key suppliers is ultimately about "Walking the Talk."
Malicious and trusted insiders pose a range of challenges in terms of counterintelligence risks and physical threats, and experts say policy needs to catch up quickly to the new technologies available to help mitigate the problem.  (Mackenzie Weinger, national security reporter at The Cipher Brief)
If you are a prudent CSO or CISO of a critical infrastructure product or services organization, beware. You may just be what the enemy needs to perpetuate their asymmetric operations on the Homeland. Beyond your own reputation being at stake, so too is the trust, safety and security of the entire economic infrastructure of the United States.

17 June 2017

Innovation: Investing in the Linchpins...

There are new innovation initiatives that have been launched across America and internationally over the past few years.  Each has a vertical or horizontal focus to attract a particular set of entrepreneurs, coders, researchers and founders or data scientists.

You may have seen the accelerators, the incubators, training boot camps or even the H4D class being offered in your particular U.S. city or university lately.  Behind these initiatives are leaders, executives and fellow startup founders/practitioners who have developed a combination of methodologies and strategies, to produce new products and problem-solving business platforms.

After several years of practicing and mentoring in this category, and recently devoting 30+ hours to first hand observation, several insights emerged.

First off, the quality and experience of instructors, mentors and the support ecosystem is vital.  You must create a robust program to recruit, train and continuously facilitate the actual people who surround the accelerator, incubator or university class and are devoting their time and resources to volunteer.

The ecosystem itself requires tested and proven processes, business rules and significant buy-in by all contributors.  The volunteers need a set of program prerequisites, a framework and coaching along the way, to make their experience just as valuable as that of the participants in the innovation entity's program.  Many of the mature innovation programs do this already.

Second, the founders, subject matter experts, linchpins, content providers or problem-set sponsors should have their own meetings and live interactions before and after each iteration of the participants' program.  As an example, if the incubator has a cohort that is in-residence over the course of 10 weeks, on Tuesdays from 4:30-7:30 PM, then the volunteers should meet for 30 minutes before and 30 minutes afterwards.

During those 3 hours there are plenty of live interactions, new learning, comments and ideas generated with the actual program participants.  It is just as valuable for the volunteers to share and interact after each iteration or cohort meeting to prepare and to debrief.  Certainly some of the follow-up learning could be captured using Slack or other online tools, yet having those linchpins face-to-face and interacting live is ever so valuable.

So What?

The maturity of the systems and processes associated with the innovation initiative will be a key factor in the long term success and longevity of a particular program.  Yet even a set of solid systems can be influenced and characterized simply by the combination and quality of people who are interacting with and supporting these systems.  The parallel effort and devotion to one-to-one development, training and post-program metrics of these instructors, mentors, problem-sponsors and facilities or resources donors is paramount.
If you are an innovation engine producing new entrepreneurs and business startups that utilizes an ecosystem of volunteers, your future success will be directly linked to these vital linchpins...

04 June 2017

Decision Advantage: The Business of Information Assurance...

The CxOs in the Global 500 are evermore involved in the state of asymmetric warfare over Intellectual Property (IP), Economic Espionage and the simple but effective use of ransomware.  The "Decision Advantage" and national security implications intersect with international commerce and the consistent security vs. privacy policy debates.

How would you invest resources to Deter, Detect, Defend and Document (4D) within your enterprise, if you knew that your organization would be continuously vulnerable for the next 6 years?  What would you change, if this was the current state of play:
"A recent study from the RAND Corporation, a global policy think tank, determined that among any given entity's stockpile of zero-day vulnerabilities, only 5.7 percent of these bugs will be discovered and publicly disclosed by a second party within a year's time. (Note that the study does account for additional groups that may also find some of the same bugs but decide to secretly hoard them.) Moreover, the study found that exploits and their corresponding vulnerabilities have an average life expectancy of 6.9 years before they are uncovered and patched."
You won't have to invest more dollars in your pest extermination company such as Orkin to address these kinds of bugs.  The software vulnerabilities that exist in your organization will be unknown to you long enough for the adversaries to live and operate freely inside your company, for months if not years.

The mindset shift that is necessary now is to view the enterprise as any major change management initiative: one that is continuously evolving based upon market shifts and new product introductions.  You have to be "Adaptive" and you must respond to the competition's new marketing campaigns.

Why is it so hard for you to take the "Strategy of Business" and make the leap to the "Strategy of Information Security?"

When the competitor launches a new feature set and the corresponding Ad campaign, how do you pivot?  What do you do to counter the potential erosion of your market share?  How much money and resources are devoted to the new roll-out, brand recognition and sales events?

Can you imagine sitting back and doing nothing for months or years, while your adversaries in business are exploiting your slow and weak response in the marketplace?

The nation-states and Crime, Inc. are betting on the reality that you don't take Information Security seriously in your organization.  They do their research to see which Global 500 organizations are keeping their Information Technology budgets flat, year-to-year.  They use this intelligence to stack rank their list of targets for the software vulnerabilities they are buying each day on the "Deep Web."

Is your Chief Information Security Officer (CISO) still reporting to the Chief Information Officer (CIO)?  Is your Chief Privacy Officer (CPO) even part of your Senior Staff?  Can you show a line item increase for Information Security in your year-to-year budget, to address the change management reality and strategy of your enterprise?

Have you and your Board of Directors had a briefing yet on "The Shadow Brokers?"  What does it all mean for your enterprise?

It means that the traditional way of thinking about protecting and defending your organization is over.  It means that the standard "Go-to-Market" strategy and "Competitive Intelligence" investments that you are making should incorporate a parallel "Information Assurance" program.

The business of an "Adaptive Enterprise Architecture" and "Decision Advantage" requires bold new thinking and even harder changes of personal and organizational behavior.

So what?

The truth and reality of your business survival means a significant change in strategy and in investment.  Do your own research within your own organization this week.  Get the numbers and the data to show how much you are spending next budget cycle on Information Assurance vs. last year.

Find out where the budget is being allocated year-to-year and why?  You know how to do this.  Just like you have been doing it, with the Marketing and Sales Department.

What is the opportunity?

Sometimes the digital truth is difficult and in the end, the trusted reality becomes almost "Darwinian".  Survival in the next decade will be about your "Decision Advantage" at the speed of Digital Trust...

28 May 2017

Memorial Day 2017: Honoring All of Our Fallen...

On Memorial Day 2017 in the United States, we remember those who have defended our freedoms and our Republic.  As the sound of modern aircraft lift off in the distance and the 50 stars and 13 stripes of our flag wave in the wind, we pause.

This day, is about a visit to Arlington National Cemetery or another ceremony, to stand and remember those who you once knew:

Neil was just one of those who have served our country with distinction and honor in Special Operations.  A man who did not die as a result of fighting in the Civil War, World War I or II, the Korean War, or Vietnam.  He served our country with courage in the Global War on Terrorism (GWOT):

"Neil Christopher Landsberg of Frederick, Maryland, passed away May 9, 2013. Born January 13, 1980 in Wichita, Kansas, he attended Thomas Johnson High School, Frederick, MD and Valley Forge Military Academy in PA. He graduated from the Citadel, Charleston, SC and served with distinction as a Captain in USAF Special Operations receiving the Air Force Commendation Medal, Air Force Achievement Medal, Meritorious Service Medal, Defense Service Medal, Afghanistan Campaign Medal, and Global War on Terrorism Service Medal. He was employed by Blackbird Technologies."

As we bow our heads this Monday, May 29, 2017, think about our United States and about the less than 1%.  The less than 1% of U.S. citizens who have made so many sacrifices in life, for our country.  You also have to include a tremendous thank you, to all of those family and friends who were and still are the support system for our service members.

Just up the Potomac River in Langley, Virginia, there are 125 or so Stars on a Memorial Wall.  These remember those individuals from the CIA who have also fallen in the line of duty to our nation.  They too are acknowledged and remembered this Memorial Day.

What can you do on this day to "Honor our Fallen":
  • Donate or volunteer for a cause that was important to them
  • Write them a letter
  • Talk about them
  • Fly the American flag high
As you navigate your daily routine on Tuesday, reflect on all that Neil and the hundreds of thousands of others have given their life for:
"We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America."

20 May 2017

Board of Directors: 4D Strategy Revisited...

The Board of Directors are convening this week and there is an item back on the agenda that we haven't seen for some time:

Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

These Business Continuity (BC) and Disaster Recovery (DR) parameters are being addressed for good reason: WannaCry and the impending tsunami of cyber worms attacking our critical infrastructure across the globe.

Designing a resilient and fault-tolerant architecture for your Operational Risk Management (ORM) strategy should focus on critical assets and the impact of unidentified single points of failure.  Implementing a highly available IT infrastructure and resilient applications to quickly respond to major incidents or a disaster scenario is vital in our 24x7x365 operations.

Beyond a revisit to the ability to recover from a sudden disaster, the Board of Directors may be asking Senior Management about the global standard for Information Security:  ISO 27001:
The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
More important for organizations that may say to themselves, "well, we are safe because we are in the cloud," is the standard ISO 27017:

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

- additional implementation guidance for relevant controls specified in ISO/IEC 27002;

- additional controls with implementation guidance that specifically relate to cloud services.

As an example, Amazon Web Services Cloud Compliance enables customers to build on AWS's own adherence to ISO 27001 standards.  Yet there are shared responsibilities that you must be aware of under the shared responsibility model that governs the relationship between your organization and AWS:

While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.

So what?

If you retain ownership and control over your content within a cloud implementation architecture, what about answers to these highly relevant questions:
  1. What does our organization need to comply with the laws pertaining to privacy and data protection?
  2. Who will have access to content?
  3. Where will storage of content be located physically / geographically?
  4. How will the content be secured both physically and virtually?
So in this environment of shared responsibility, let us ask a simple question: who is accountable for the configuration of the AWS-provided security group firewall?  That is your responsibility, as are all operating system, network and firewall configurations.
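The accountability question above has a concrete check behind it. What follows is an added example, not code from the original post and not an AWS tool: it audits security group rules held in a dictionary constructed in the shape of the AWS `describe-security-groups` output, flags any rule that exposes a management port (SSH, RDP, SMB and common database ports) to `0.0.0.0/0` or `::/0`, and produces the hardened form of the same group with those ranges narrowed to an assumed corporate administration prefix (`203.0.113.0/24`, a documentation range). The port list and the corporate CIDR are this example's own assumptions, not AWS settings.

```python
"""Audit security group rules for management ports open to the world.

Added example, not from the original post and not AWS code. SAMPLE_GROUPS is
a constructed dictionary in the shape of the AWS describe-security-groups
output. MANAGEMENT_PORTS and CORPORATE_CIDR are this example's assumptions.
"""
from typing import Dict, List, Set

# Assumption: the auditor's own policy list of ports that should never be
# reachable from the whole Internet. Adjust to your environment.
MANAGEMENT_PORTS = {22: "ssh", 445: "smb", 1433: "mssql", 3306: "mysql",
                    3389: "rdp", 5432: "postgres"}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
CORPORATE_CIDR = "203.0.113.0/24"  # assumed admin range (documentation prefix)

# Constructed sample: a weak group exposing SSH (IPv4) and RDP (IPv6) to the
# world, and a hardened group that restricts SSH to the corporate range.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-weak-example", "GroupName": "web-admin-weak",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
              "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-hardened-example", "GroupName": "web-admin-hardened",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": CORPORATE_CIDR}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []}]},
    ]
}


def management_ports_in(rule: Dict) -> Set[int]:
    """Management ports a rule covers; IpProtocol "-1" (all traffic) covers them all."""
    if rule.get("IpProtocol") == "-1":
        return set(MANAGEMENT_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}


def open_to_world(rule: Dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the unrestricted prefix."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def find_world_open_management_ports(groups: Dict) -> List[Dict]:
    """One finding per (group, management port) reachable from anywhere."""
    findings = []
    for sg in groups.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            if not open_to_world(rule):
                continue
            for port in sorted(management_ports_in(rule)):
                findings.append({"group_id": sg["GroupId"], "port": port,
                                 "service": MANAGEMENT_PORTS[port]})
    return findings


def harden_group(sg: Dict, allowed_cidr: str = CORPORATE_CIDR) -> Dict:
    """Copy of a group with world-open management rules narrowed to allowed_cidr.

    Rules that expose no management port (e.g. HTTPS on 443) are left alone.
    World-open IPv6 ranges on management rules are dropped, and the assumed
    IPv4 admin range is added so administrators keep a path in.
    """
    fixed_rules = []
    for rule in sg.get("IpPermissions", []):
        if open_to_world(rule) and management_ports_in(rule):
            rule = dict(rule)  # never mutate the caller's data
            rule["IpRanges"] = [{"CidrIp": allowed_cidr} if r.get("CidrIp") == ANY_IPV4 else r
                                for r in rule.get("IpRanges", [])]
            rule["Ipv6Ranges"] = [r for r in rule.get("Ipv6Ranges", [])
                                  if r.get("CidrIpv6") != ANY_IPV6]
            if not rule["IpRanges"]:
                rule["IpRanges"] = [{"CidrIp": allowed_cidr}]
        fixed_rules.append(rule)
    return {**sg, "IpPermissions": fixed_rules}


if __name__ == "__main__":
    for f in find_world_open_management_ports(SAMPLE_GROUPS):
        print(f"{f['group_id']}: {f['service']} (tcp/{f['port']}) open to the world")
```

Run against real account data, the same functions would take the parsed JSON of `aws ec2 describe-security-groups`; the point of the check is that the provider hands you the firewall, but every rule in it, including the ones that open administrative ports to the planet, is configured and owned on your side of the shared responsibility line.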

The Board of Directors needs to revisit Business Continuity Planning and Disaster Recovery with the CIO and all IT stakeholders at your organization, including ISP's and any third party infrastructure suppliers.

The "Business" is in many cases out of "Synch" with the Information Systems / Data Management / Privacy / Security side of the enterprise.  The WannaCry issues may not impact your organization directly, because you have already patched your systems and are beyond the vulnerabilities of this operating-system-specific threat.

Where the business is heading in the next six to nine months with mergers, acquisitions and even consolidation will impact your overall enterprise architecture. The business pace of change will most likely be months, even years, ahead of where the IT infrastructure is today, and it must become more resilient.

In order to understand that an attack is actually occurring, normal results have to be documented and a historical trend has to be established. What is normal? How do you know what normal looks and feels like? You document, store, record and analyze what normal is. If you have done this for long enough and across the potential targets the attacker is trying to exploit, then you will know the second an unauthorized result takes place.
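As an added example, not code from the original post, here is the baselining loop the paragraph describes, run over constructed connection-summary log lines. The `key=value` log format, the threshold constants and every line of data are assumptions: a week of documented-normal nightly traffic from a finance host to an ERP server is reduced to a per-(host, destination, port) mean and standard deviation, and new records are flagged either because the pair was never seen during the documented period or because the volume is far outside it.

```python
"""Baseline-and-deviation detection over constructed connection logs.

Added example, not from the original post. The log format (timestamp plus
key=value fields) and the thresholds K_SIGMA and MIN_RATIO are assumptions;
every log line below is constructed.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (host, destination, port)

# Constructed "documented normal": a week of nightly traffic from a finance
# host to the internal ERP server, with modest day-to-day variation.
BASELINE_LOG = """\
2017-05-08T02:00:00Z host=fin-01 dst=erp.internal port=443 bytes=1200000
2017-05-09T02:00:00Z host=fin-01 dst=erp.internal port=443 bytes=1150000
2017-05-10T02:00:00Z host=fin-01 dst=erp.internal port=443 bytes=1300000
2017-05-11T02:00:00Z host=fin-01 dst=erp.internal port=443 bytes=1250000
2017-05-12T02:00:00Z host=fin-01 dst=erp.internal port=443 bytes=1180000
2017-05-13T02:00:00Z host=fin-01 dst=erp.internal port=443 bytes=1220000
2017-05-14T02:00:00Z host=fin-01 dst=erp.internal port=443 bytes=1270000
"""

# Constructed new observations to judge against that baseline: one normal
# transfer, one eight-fold volume spike, one never-seen SMB destination.
TODAY_LOG = """\
2017-05-15T02:00:00Z host=fin-01 dst=erp.internal port=443 bytes=1240000
2017-05-15T02:05:00Z host=fin-01 dst=erp.internal port=443 bytes=9800000
2017-05-15T03:10:00Z host=fin-01 dst=203.0.113.7 port=445 bytes=52000
"""

K_SIGMA = 3.0    # assumed: flag above mean + 3 standard deviations ...
MIN_RATIO = 2.0  # assumed: ... and at least twice the mean (guards tiny stdev)


def parse(log: str) -> List[Dict[str, str]]:
    """Parse 'TIMESTAMP k=v k=v ...' lines into dicts; blank lines are skipped."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for field in fields:
            k, _, v = field.partition("=")
            rec[k] = v
        records.append(rec)
    return records


def build_baseline(records: List[Dict[str, str]]) -> Dict[Key, Tuple[float, float]]:
    """Per (host, dst, port): mean and population stdev of bytes in the normal period."""
    samples: Dict[Key, List[int]] = defaultdict(list)
    for r in records:
        samples[(r["host"], r["dst"], r["port"])].append(int(r["bytes"]))
    baseline = {}
    for key, vals in samples.items():
        stdev = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        baseline[key] = (statistics.mean(vals), stdev)
    return baseline


def detect(baseline: Dict[Key, Tuple[float, float]], records: List[Dict[str, str]],
           k: float = K_SIGMA, min_ratio: float = MIN_RATIO) -> List[Dict]:
    """Flag never-seen (host, dst, port) pairs and volume outliers against the baseline."""
    findings = []
    for r in records:
        key = (r["host"], r["dst"], r["port"])
        nbytes = int(r["bytes"])
        if key not in baseline:
            findings.append({"ts": r["ts"], "reason": "never-seen", "key": key, "bytes": nbytes})
            continue
        mean, stdev = baseline[key]
        if nbytes > mean + k * stdev and nbytes >= min_ratio * mean:
            findings.append({"ts": r["ts"], "reason": "volume", "key": key,
                             "bytes": nbytes, "baseline_mean": round(mean)})
    return findings


def run_demo() -> List[Dict]:
    """Build the baseline from the documented week and evaluate today's records."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(baseline, parse(TODAY_LOG))


if __name__ == "__main__":
    for f in run_demo():
        print(f["ts"], f["reason"], f["key"], f["bytes"])
```

The two findings are exactly the "unauthorized results" the paragraph refers to: neither line is malformed or signatured, they are simply outside what was documented as normal, which is the only reason they stand out at all. Without the recorded week there is nothing to compare against, and the volume spike reads like any other transfer.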

The Take Away

Documenting the behavior of people, processes, systems and external events is a vital component of a complete strategy for risk mitigation.  Understanding what normal "is" begins with effective documentation and analysis.  Many organizations begin to document long after it is too late, or as a result of a significant business disruption.  Documentation remains a challenge for many, and a task that attackers know is likely to be left undone or behind schedule.


You must create the culture and the due diligence to see that your IT strategy becomes part of the fabric of the organization internally and with outsourced partners or suppliers. Only then will the attacker realize that this combination to deter, detect, defend and document is alive and growing in your enterprise. This is when attackers become discouraged, afraid, uncertain and ultimately ready for a new and less formidable adversary.

Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result, to obtain their objective.  These "4D" lessons should put you on the way to creating a more survivable business.

14 May 2017

Digital Illiteracy: Trust Decisions in a Global Race...

Executive Management and the Board of Directors are asking Chief Information Officers (CIOs) and CISOs about WannaCry this weekend.  The illiteracy and complacency of key officials in business and governments across the globe are again evident today:
"The ransomware strain WannaCry (also known as WanaCrypt0r and WCry) that caused Friday’s barrage appears to be a new variant of a type that first appeared in late March. This new version has only gained steam since its initial barrage, with tens of thousands of infections in 74 countries so far today as of publication time. Its reach extends beyond the UK and Spain, into Russia, Taiwan, France, Japan, and dozens more countries."
If you are an Operational Risk Management (ORM) professional in your particular organization, you may be on high alert.  You may have had a few sleepless nights since Friday, as the wave of infections propagated across systems and networks running Microsoft operating systems.

Are you or your organization a victim?  Why?

The illiteracy and complacency of senior management across commercial and government enterprises about information security continue to plague our critical infrastructure sectors and institutions.  In 2017, this fact is our greatest vulnerability and threat.

How does any legitimate organization, public or private, explain being subjected to an exploit that has been known about for months?  What excuse could there possibly be for not having patched a system that is most likely far beyond "Out-of-Date"?  There will be many excuses told, and so many others trying to explain to the Board of Directors about the lack of funding or the vast complexity of a systems network.  Yet here we are in 2017, with the same set of complacent attitudes and practices still in existence.

Emily Dreyfuss at Wired.com sums it up nicely from a government perspective:
"All of this underscores how digital illiteracy at every level of government endangers the security of the nation and the functioning of democracy. It takes a multi-pronged, concerted approach, with smart internal policies, federal legislation, tech savvy diplomats, and a willingness to realize information security is a critical skill for the defense of the nation—all of which is incredibly difficult to achieve even when a government is functioning well."
At the dawn of the World Wide Web, many of us in the "Information, Communications & Technology" (ICT) industry, understood and studied the new ecosystem and battle space evolving before us.  All of those subject matter experts and government officials, have been immersed in the Internet environment for over 20 years.  Even to this day, we wonder why executives still "Don't get it."

We understand that not every executive is going to grasp the technical vulnerabilities behind ransomware.  Yet are the same executives capable of understanding the simple concept of Disaster Recovery Planning?  The ability to accomplish incremental and daily backups of data?  We think they can also understand the concept of patching systems that are vulnerable.

The budgets devoted to ICT are in many cases a mystery to illiterate executives.  CIOs and Chief Information Security Officers (CISOs) would most likely say, in general, that they do not have enough resources to fight the battle.  This is known.

Trust Decisions that occur within the ranks of senior management are now maturing to the point of focusing on building digital trust across the enterprise.  The decisions to trust between humans are different from the decisions to trust between machines.  Or are they?

Achieving Digital Trust requires a vast yet easily comprehended set of rules and policies.  Is the United States losing the race for "Digital Trust?"  Consider this blog post from Jeffrey Ritter:

"Advances toward digital trust, whether enabling commerce or government autocracy, require enormous resources to create the inter-dependencies and inter-operabilities that enable digital information to be functional and useful. The conspicuous absence of those resources is simply leaving the United States on the sideline. The disruption of digital trust may likely gain such momentum that no amount of “catch-up” investments will enable the combined assets of government and industry to catch up in the global, wired marketplace that now exists."

Executive management across America has a choice.  You as an individual could raise your education and awareness level on your ICT landscape, in several ways.  This in turn, may reduce the overall level of illiteracy and complacency across our critical infrastructure domains.  This will eventually lower our vulnerability over time.  Here is one solution:  StaySafeOnline.org

Let us start the lesson by defining the landscape and the battle space.  What is the "Deep Web?"  It is that part of the online universe that is not indexed by traditional search engines.  But how large is it?  When many executives are asked this question, they have no idea.  Not a clue.

The "Deep Web" is 500+ times larger than the surface web and growing.  The "Deep Web" is 7500+ terabytes vs. 19 terabytes that Google and others capture.  Wake up and realize the magnitude of the problem-set, as you consider the next budget allocations for the safety and security of your enterprise.

The Trust Decisions you make with your colleagues, partners, employees, customers, communities and countries, will either make you more trustworthy, or will erode and erase trust.  At the pinnacle of your next major Trust Decision, ask yourself whether you are truly "Achieving Digital Trust..."

06 May 2017

Quiet Professional: A Leader Remembered...

Leadership has been written about since humans have been writing and recording history.  How leaders have been described, documented and chronicled over our existence here on Earth, comes back to the definition of leadership:  noun, the act or instance of leading - the office or position of a leader.

The leader, and the characteristics of that particular person, are typically what is written about to document someone who is in a position of leadership.  It may start as the oldest sibling, leading younger sisters or brothers when Mother or Father is not around, or even deceased.

It may have all started in a school or church group, or as a camp counselor, as President of that social group, and then someday even as a Mother or Father.  Leaders and leadership have so many facets, and in many cases leadership is simply present, or absent, in someone's life.

Over history, the definition of a person who has been or is a current leader, has several synonyms:

Synonyms: boss man, captain, chief, foreman, head, headman, helmsman, honcho, jefe, kingpin, boss, master, taskmaster

In the broad and complex world we live in, these synonyms only describe a small facet of what true leadership is all about.  The vast realm of Operational Risk Management (ORM) also gives us additional context, when it comes to true leadership and the goal of ever increasing our overall safety, security and trust.

When someone writes your eulogy as an Operational Risk Leader, what will they say?  How will they describe you?  Perhaps none of the synonyms above are even mentioned.  Why?

It is because you are known as a "Quiet Professional."  Someone who is a leader and continues to exemplify the act of leading in so many ways and far too detailed to describe in words.  Yet you continue to aspire to improve, to listen, to learn.  You don't know it yet, but at your eulogy, others will describe you as a "Quiet Professional."

The "Quiet Professional" operates through life serving others, doing their best to continuously learn and improve on their greatest skills.  Yet at the same time, the true leader also recognizes the areas of knowledge and expertise they don't possess and so they will create alliances with others who do.

The small group, the team, the cohort, the class, the board, the executive office, the assembly, the country - they have a combination of leaders who are diverse in their skills, knowledge and aspirations and yet simultaneously, they have the same single mission.

How others will describe you and your leadership at your eulogy, is completely in your control as a human.  What are the characteristics of your particular way of leading and operating as a "Quiet Professional (QP)?"  Maybe it will sound like this:

QP was a person whom not many people knew very well, and that was just fine with them.  QP worked on becoming and performing each day as the best they could be, with each person they encountered in life, one-to-one.  As a brother or sister, as a mother or father, as a friend and servant leader of others.

QP was always watching out for others.  Looking around the corner or over the horizon.  It was for three reasons.  Curiosity, building trust and continuous learning.  It was because QP always wanted to improve and to aspire for that next level of perfection.  QP wanted others close to them to feel safe and secure.

QP wanted others to feel as if they could do anything and could achieve anything.  Whatever their particular mission was that day, month or year.  QP wanted those closest to them to know they were always going to be cared for and looked after, no matter what happened.

QP will always be remembered for their kind heart and tremendous courage.  QP will be remembered for their fierce competitiveness and simultaneous compassion.  They will be remembered for their ability to love.  Their ability to forgive.  And QP will always be remembered for their leadership.

Are you a "Quiet Professional?"...

30 April 2017

Complacency Risk: The Next Attack...

In Ronald Kessler's book "The Terrorist Watch" you get the impression that this journalist, author and nonfiction storyteller is walking a thin line.  A line between telling us too much, because it could compromise national security, and not telling us enough for the public to really visualize what the truth is.

"Inside the desperate race to stop the next attack". This book tag line says it all.
Drawing on unprecedented access to FBI and CIA counterterrorism operatives, New York Times bestselling author Ronald Kessler presents the chilling story of terrorists’ relentless efforts to mount another devastating attack on the United States and of the heroic efforts being made to stop those plots.

Kessler takes you inside the war rooms of this battle—from the newly created National Counterterrorism Center to FBI headquarters, from the CIA to the National Security Agency, from the Pentagon to the Oval Office—to explain why we have gone so long since 9/11 without a successful attack and to reveal the many close calls we never hear about. The race to stop the terrorists, Kessler shows, is more desperate than ever.

Never before has a journalist gained such access to the FBI, the CIA, the National Counterterrorism Center, and the other agencies that are doing the unheralded work of finding and capturing terrorists.

Ronald Kessler’s you-are-there narrative tells the real story of the war on terror and will transform the way you view the greatest problem of our age.
OK, so what? So how does this war on terror and media leaks within the context of Operational Risk impact your institution or organization? Here are a few ways:
  • Will your company have staffing challenges as a result of new immigration legislation or limits on H1-B Visas? Remember the 9/11 hijackers?
  • Will your institution require new systems and processes to meet increased compliance or regulatory mandates? Remember the Patriot Act?
  • Will you or a senior staff member be the target of a kidnapping, ransom or extortion plot at the hands of a terrorist cell? Remember Danny Pearl?
  • Will your organization be impacted by the leaks in the press regarding your operational strategy or Board Room discussions? Remember pretexting at Hewlett Packard (HP)?
Sharing information. Too much or not enough. The paradox of our generation as we all go digital. The speed of business in the connected economy and 24 hour news cycles has created a beast that will not ever be tamed or controlled.

Operational risks are a result of the continuous challenges to the collection, dissemination and analysis of information. Think about your own institution and those who hold the keys to the most valuable information.

Those who disclose operational secrets could be putting that "deal" in jeopardy just as easily as putting that "life" in harm's way.  Those who try to sleep at night in close proximity to their "Blackberry" know the feeling of information overload, or starvation.  Both represent operational risks that keep the same people grabbing the Prilosec OTC or the Ambien CR.

Ronald Kessler's book is a wake-up call for all of us in the United States. A Presidential election is behind us and there has been over eight years of testing and waiting by those who wish to do us harm.
"To many fail to recognize that al Qaeda's long-term goal is to send the US the way of the Roman Empire. And too many in the press are willing to take the chance of compromising the lives of innocent Americans by running stories that gratuitously disclose operational secrets."
The risk of complacency is and will continue to be our greatest threat...

22 April 2017

Go Fast or Go Far: Professionals of Operational Risk...

As the sun sets less than a mile from the Pacific Ocean, dozens of security researchers from across Los Angeles are converging on this modern technology office park.  The meeting presentation this evening will be focused on unveiling vulnerabilities within one of sixteen U.S. Critical Infrastructures.  Why?

Operational Risk Management (ORM) is a discipline that is a dynamic matrix of columns and rows: the architecture and intersections of your entire enterprise.  The places and ways that the organization is exposed to potential failures of people, processes, systems or other external events.

Think about how many people you have working with you, the number of locations they work and travel, the number of technology devices running software to compute algorithm operations to enable your particular mission.  Think about all the potential ways that adverse weather and natural disasters or the simple loss of electrical power or communications in a few square blocks of your city, will impact you today.

Security researchers are also converging on a conference room somewhere in your organization this week, to discuss and show evidence of your organization's vulnerabilities today.  They might be experts in "Ruby on Rails" or in how to optimize "SecDevOps".

They might be experts in counterintelligence or the detection of rogue/activist human behavior by analyzing open source social media.  They might be experts in using offensive tools, operating armored vehicles and flying aircraft into hostile environments.  Among them are also your legal experts in privacy and regulatory compliance.

Why these individual professionals are working 24x7 to expose, document and provide evidence of your vulnerabilities is complex.  Yet you should know that they are doing it because they understand that your adversaries are also hard at work to do the same.  Is it a competitor or a nation state?  Is it a disgruntled employee or an external extremist?  Is it the next tornado, hurricane or earthquake?  The landscape is vast and is continuously changing by the minute.

As an executive within your organization, when was the last time you devoted an hour, or even two, to lock yourself in the same room with your Operational Risk professionals?  To see what they are working on to Deter, Detect, Defend and Document all that is happening in their environment today?

What if you had that hour to turn off your busy executive life?  What might you learn?

You might learn that your organization is being attacked every day by "Spear Phishing" experts from the other side of the globe.  More importantly, the attacks come from an organized cadre of criminal experts in social engineering and SQL injection.

You might learn that one of your employees has set up a Twitter account with an anonymous user name and identity.  The daily "Tweets" are telegraphing your corporate strategy to your competitors, or leaking proprietary internal protected information about rogue co-workers' behavior.

You might learn that the Commercial-Off-The-Shelf (COTS) sensor you utilize within your flagship transportation vehicle, is being exploited by a highly trained clandestine military unit from another country.

You might learn that a key manufacturing location is about to be surrounded by environmental activists who are planning to camp out on your entrance until their demands are met.
So what?

The question is necessary to get to the bottom line.  It helps to define the purpose for why you have these resources working with you.  The reason that they are working 24x7 to keep you and your organization even more aware and resilient.  It is why they are converging on a conference room in Los Angeles after working all day, to learn about new vulnerabilities.

Take the time this week to meet with them.  Ask them the question.  Listen to their answers.  You might be surprised at what you hear.  You will probably learn something new.  Work with them to improve the Operational Risk Management (ORM) capabilities and functions within the enterprise.

"If you want to Go Fast go alone.  If you want to Go Far, go together".
--African Proverb