10 December 2017

Future Risk: Resilience and Competitiveness...

The U.S. Department of Defense (DoD) is in the middle of substantial Operational Risk Management discussions behind closed doors, in light of new threats and new priorities. The majority of the Intelligence Community budgets sit under the DoD umbrella, in a new world order subjected to the mobile ICT revolution that is erupting before us. Do Twitter and other social media tools present the need for a new paradigm shift in the future evolution of the Intelligence Community (IC)? Consider this flashback analysis:
Abstract
"This paper analyzes the role of situational information as an antecedent of terrorists’ opportunistic decision making in the volatile and extreme environment of the Mumbai terrorist attack. We especially focus on how Mumbai terrorists monitored and utilized situational information to mount attacks against civilians. Situational information which was broadcast through live media and Twitter contributed to the terrorists’ decision making process and, as a result, increased the effectiveness of hand-held weapons to accomplish their terrorist goal. By utilizing a framework drawn from Situation Awareness (SA) theory, this paper aims to (1) analyze the content of Twitter postings of the Mumbai terror incident, (2) expose the vulnerabilities of Twitter as a participatory emergency reporting system in the terrorism context, and (3), based on the content analysis of Twitter postings, we suggest a conceptual framework for analyzing information control in the context of terrorism."
The Mumbai attackers could have used open source social media even more to their advantage, and this is what the Intelligence Community (IC) continues to leverage as the Arab Spring(s) continue, civil war escalates in Syria and other ICT-enabled regions of conflict emerge. The tools are becoming more optimized for the kinds of applications necessary to deal with these new Operational Risks. What may continue to be the greatest vulnerability is the economics: the ability to invest in and provide training for the new generation of cyber warriors and HUMINT collectors. Are the Trusted Systems and Networks in place, integrated with the latest Commercial-Off-The-Shelf (COTS) software riding on encrypted networks?

The convergence of mobile, cloud and big data is the single largest IT transformation issue in governments and the private sector. The IC and DoD realize that the only way to survive and to be more resilient is to close or converge data centers running legacy hardware and software, while simultaneously accelerating the onboarding of private sector assets that have also been certified and accredited. The next vulnerability being discussed is how to acquire enough of the existing energy grid to support the cooling requirements of the vast data centers under construction, and how to get access to dark fibre. Bluffdale has been just one example:

"Inside, the facility will consist of four 25,000-square-foot halls filled with servers, complete with raised floor space for cables and storage. In addition, there will be more than 900,000 square feet for technical support and administration. The entire site will be self-sustaining, with fuel tanks large enough to power the backup generators for three days in an emergency, water storage with the capability of pumping 1.7 million gallons of liquid per day, as well as a sewage system and massive air-conditioning system to keep all those servers cool. Electricity will come from the center’s own substation built by Rocky Mountain Power to satisfy the 65-megawatt power demand. Such a mammoth amount of energy comes with a mammoth price tag—about $40 million a year, according to one estimate."

This is the kind of capability that will remain exempt from the threat of limited funding or future austerity in the new world order of mobile, cloud and big data. The introduction of tools or services such as Silent Circle, Wickr, Signal and others will only add to the Operational Risk challenges of the next decade. Privacy will become a sought-after luxury, only available to those with the means or the latest set of consumer-based communications tools. Either way, the senior executives of private sector critical infrastructure companies are under the spotlight. They own the majority of the ICT assets and therefore have the most to win. Unfortunately, they also have the most to lose.

The future of the DoD and the IC will be determined by the success or failure of the cooperation, coordination and collaboration of men and women with a unity of purpose. Patriots who will continue to do the right things for the right reasons. The future is now about resilience and competitiveness. Let's get to work!

02 December 2017

Situational Awareness: Battlefield to Board Room...

Creating a "Common Operational Picture" for your organization is an elusive yet attainable goal for your senior management and the Board of Directors. How, at a moment's notice, does the organization provide leadership with the answers to Operational Risk questions such as:
  1. How many employees from our company are currently traveling outside their home country?
  2. What are their modes of transportation and where do they plan to stay each night?
  3. What employees from our "Red Zone" list have left the company in the past week?
  4. How many of these employees left suddenly without any warning?
  5. What employees were asked to resign or were fired from their position?
  6. What controls have failed in the process for closing deals within our standard time period?
  7. How much has our sales pipeline increased or decreased over the past quarter?
  8. What is the total number of network access points (Points of Presence) our company currently believes are available for employees to connect to the Internet?
  9. How many known incidents occurred over the past week related to malicious software attacks or Denial of Service attempts on our network?
  10. How many employees who started work with the company have been added to the "Red Zone"?
  11. What are the names of the local liaison officials for our water, power, telecom and data carrier suppliers? Who is their deputy?
  12. How often has the company exercised a plan for a major business crisis or disruption in the past year?
  13. What is the current forecast for severe weather in the corporate headquarters region in the next week?
These questions and more should be answerable at a moment's notice. Any senior manager or member of the Board of Directors should have an information dashboard they can view, with these situational awareness questions at their fingertips.
If you don't have the latest Operational Risk Quotient in your enterprise, it may be a clear indicator that the people, processes, systems or external events are a severe threat. The corporate landscape, or battlefield if you will, requires that the commanders in the field have the intelligence they need to make split-second decisions.
The Directors, Managers and Supervisors who drive the business forward each day need leadership to give them split-second answers, especially in the midst of a crisis. There is no time for a Q & A session or an extended report to give leadership the view they need to steer the enterprise out of harm's way.

Operational Risk Managers rely on a combination of real-time feeds from internal sources and outside the organization to provide this level of situational awareness. CCTV feeds, access controls, intrusion detection, and many more are part of the Corporate Intelligence Unit's own Fusion Center.

Why is this a prudent business practice to assist you in "Achieving a Defensible Standard of Care" for your employees? Because without it you are flying blind and trying to operate without the awareness and predictive ability to mitigate risks as they unfold before you.

Whether it is on the battlefield or in your own organization does not matter. Your people need to understand their role in providing this vital aspect of the risk management solution. Without hourly, by-the-minute or by-the-second intelligence about your people, processes, systems and external events, you are destined for a future either known or unknown. You make the choice.

25 November 2017

Imagination: Limitless Exploration Ahead...

 “Never be limited by other people’s limited imaginations.”
--Dr. Mae Jemison
When was the last time you traveled outside your own country or beyond?  The discovery of new places, environments and the opportunity to experience other cultures is a key factor in gaining new context.  The learning and the observations of how other people behave and how things work in other countries, provides additional insights to your own social and economic factors.

What works in one organization, city, county or country may not be enough to make a difference in other places around the globe.  The limits, the parameters or the laws may work in one geographic location and simultaneously have little relevance or importance somewhere else.  This could be due to environmental factors, culturally historic issues or just simple critical infrastructure, either present or non-existent.

Who do you respect past or present, for their ability to imagine something new, something different, something better or something that has never been thought of before?  People with limited imaginations have not experienced what these thought leaders have seen, heard and felt both physically and emotionally around the world.

Over time, the transport vehicles have included animals (horses, elephants, camels), boats, ships, balloons, automobiles, aircraft and spacecraft.  The intellectual vehicles that take us to other places, through people who have been there, include books, newspapers, television, radio, movies and the Internet.

Think about the people you interact with each day.  How limited are their imaginations?  Have they traveled far and wide across the world?  Are they well read in the latest current events, world issues and global challenges?  What opportunities have they been given in their lives to witness our planet, witness what humans are really capable of doing?  What has all of this done to give them purpose in life?

Scientists, researchers, inventors, disciples, professors, explorers, warriors, teachers, environmentalists, humanitarians, journalists, artists, photographers, mountain climbers, scuba divers, sailors, pilots, drivers, captains, astronauts and many others have been expanding their powers of imagination.  Why?
"Go confidently in the direction of your dreams, live the life you've imagined..."
--Henry David Thoreau
Did you ever wonder how someone you read about or see in life, got to where they are?  If you are asking yourself that same question, you must be wondering what ingredients they used, so that you could try and pursue the same path, or perhaps avoid it all together.  Is it curiosity?  Is it courage?  Is it resources?  Is it faith?  Is it environment?  Is it a mystery?

You see, the truth is, you still have the ability for limitless imagination.  Why haven't you explored it yet...

18 November 2017

Operational Risks Are Taking Executives By Storm...

Executive Summary

There is a growing threat on the business horizon. The risk of loss from inadequate or failed processes, people and systems, or from external events, is taking executives by storm. This definition of Operational Risk also includes legal risk, which is the risk of loss from failure to comply with laws as well as with prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institution's activities.

In the course of a single day the organizational exposure to threats ranges from low to severe on the horizontal axis. It isn’t until you put the vertical spectrum into consideration that you arrive at your “Operational Risk Profile” for that particular slice of time. This vertical axis is the range of consequences that would impact the business should the threat event actually occur. It ranges from minor to disastrous. Each day our organizations live in a dynamic spectrum of tolerable and intolerable threats to our most precious corporate assets.

The Mission

The organization shall develop, implement, maintain and continually improve a documented operational risk management system. Identify a method of risk assessment that is suited to the organization's business assets to be protected, its regulatory requirements and its corporate governance guidelines. Identify the assets and the owners of these assets. Identify the threats to those assets.

Identify the vulnerabilities that might be exploited by the threats. Identify the impacts that losses of confidentiality, integrity and availability may have on the assets. Assess the risks. Identify and evaluate options for the treatment of risks. Select control objectives and controls for treatment of risks. Implement and operate the system. Monitor and review the system. Maintain and improve the system.

The Take Away

While you were in the Board of Directors meeting, your Operational Risk Profile changed. When you were asleep last night it changed again. The people, processes, systems and external events are interacting to create a new and dynamic threat matrix for your organization. Who is responsible for Operational Risk Management in your business? Everyone is.

You see, if everyone in the organization were able to understand and perform the mission flawlessly, then the business could stay in the lower left quadrant. This is where the threat exposure is low and the consequences are minimal. This is exactly why you are spending less and less time here. Only a guarded few understand the mission of operational risk management in your company. Only a guarded few can do it flawlessly. If you want to protect your corporate assets better than you do today, then turn those guarded few into the mission-ready many.
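As an added example (not part of the post or any product it mentions), here is a small Python risk register that walks the steps of The Mission above, from assets and their owners through threats, vulnerabilities, loss of confidentiality, integrity or availability, assessment and treatment, and places each risk on the two-axis profile from the Executive Summary: threat exposure on the horizontal axis, consequence on the vertical. The five-point scales, the risk appetite threshold, the treatment rules and the sample assets and threats are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Horizontal axis: threat exposure, low .. severe (assumed 1..5 scale)
EXPOSURE = {"low": 1, "moderate": 2, "elevated": 3, "high": 4, "severe": 5}
# Vertical axis: consequence, minor .. disastrous (assumed 1..5 scale)
CONSEQUENCE = {"minor": 1, "limited": 2, "serious": 3, "major": 4, "disastrous": 5}
# Assumed risk appetite: exposure * consequence above this is intolerable
RISK_APPETITE = 6


@dataclass
class Asset:
    name: str
    owner: str
    impact: Dict[str, str]  # consequence if "C", "I" or "A" of the asset is lost


@dataclass
class Risk:
    asset: Asset
    source: str          # people, process, system or external event
    threat: str
    vulnerability: str
    exposure: str        # key of EXPOSURE
    loss_of: str         # "C", "I" or "A": which property the threat takes away
    control: Optional[str] = None   # existing control, if any

    @property
    def consequence(self) -> str:
        return self.asset.impact[self.loss_of]

    @property
    def score(self) -> int:
        return EXPOSURE[self.exposure] * CONSEQUENCE[self.consequence]

    @property
    def quadrant(self) -> str:
        # The lower-left quadrant (low/low) is where the post wants the business to stay.
        x = "low" if EXPOSURE[self.exposure] <= 2 else "high"
        y = "low" if CONSEQUENCE[self.consequence] <= 2 else "high"
        return f"{x}-exposure/{y}-consequence"

    @property
    def tolerable(self) -> bool:
        return self.score <= RISK_APPETITE

    def treatment(self) -> str:
        # Assumed treatment rules: accept, avoid, transfer or mitigate.
        if self.tolerable:
            return "accept and monitor"
        if EXPOSURE[self.exposure] >= 4 and CONSEQUENCE[self.consequence] >= 4:
            return "avoid (stop or redesign the activity)"
        if CONSEQUENCE[self.consequence] >= 4:
            return "transfer (insure/contract) and mitigate"
        return "mitigate (add or fix a control)"


def profile(register: List[Risk]) -> Dict[str, int]:
    """The Operational Risk Profile for this slice of time: risks per quadrant."""
    counts: Dict[str, int] = {}
    for r in register:
        counts[r.quadrant] = counts.get(r.quadrant, 0) + 1
    return counts


def intolerable(register: List[Risk]) -> List[str]:
    """Risks outside appetite, with the treatment selected for each."""
    return [f"{r.threat} -> {r.asset.name}: {r.treatment()}"
            for r in register if not r.tolerable]


def sample_register() -> List[Risk]:
    # Constructed sample data, not from the post.
    crm = Asset("customer CRM database", "VP Sales",
                {"C": "major", "I": "serious", "A": "limited"})
    payroll = Asset("payroll system", "CFO",
                    {"C": "serious", "I": "disastrous", "A": "serious"})
    return [
        Risk(payroll, "process", "fraudulent payroll change",
             "single-person approval", "moderate", "I", control="quarterly audit"),
        Risk(crm, "system", "exploit of unpatched web front end",
             "known vulnerability, patch pending", "high", "C"),
        Risk(crm, "people", "departing salesperson exports pipeline",
             "no export logging", "elevated", "C"),
        Risk(crm, "external", "carrier outage", "single ISP", "moderate", "A"),
    ]


if __name__ == "__main__":
    register = sample_register()
    print("profile now:", profile(register))
    # An external event arrives while the board is in session: the profile moves.
    register.append(Risk(register[0].asset, "external", "hurricane at headquarters",
                         "no failover site", "high", "A"))
    print("profile after new event:", profile(register))
    for line in intolerable(register):
        print(" ", line)
```

Running it shows the point of The Take Away: one new external event (the hurricane) moves a fourth risk into the high-exposure/high-consequence quadrant without anyone in the building changing a thing, and the register tells you which treatment each intolerable risk now needs.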

11 November 2017

November 11: The One Percent Who Serve...

It is Veterans Day 2017 and all of those who understand what that means, are thinking about it.  Some out loud and for others, it is an internal battle of thoughts and emotions.

November 11 is a day that some families are sad about.  It is a day that so many other Americans think is just another day off.  Yet others think about that 1%, who now defend and serve our country.  Who are they and what are they truly feeling on Veterans Day?

If you really know anything about the life of a Veteran, you probably know that life inside the military changes you.  Just as working within any major organization for 2, 4+ or even an entire career, will impact your life in some way.

Spending that duration of time with others who served, whether inside the United States Army, Air Force, Navy, Marines or Coast Guard, will affect your way of thinking about our country and our "Flag of Stars and Stripes" waving at the top of a pole, or "Old Glory" raised only to half staff.  What does the sound of 21 seconds of "Reveille" remind you of?  Does a particular place or time in your life come into view?

The "One Percent" (1%) and those family members who surround and support them, know what Veterans Day is really all about.  It is unique for everyone in some special way and across America, you see pockets of how it is celebrated and expressed in words on social media and even in full page advertising in the Washington Post.

Hopefully you are in good spirits and you have a smile on your face today, as you experience another November 11th!  Our country is strong and our Department of Defense is there to protect the freedoms our nation is founded upon.

You have contributed your time, hard work and devotion to so many, and we may never know your name or sacrifice.  Thank you to the "One Percent"...

05 November 2017

Trust Decision Model: New Rules at the Speed of Light...

As a leader in your organization you rise each day with the inspiration to achieve the best possible outcomes for the tasks ahead.  Your outlook is positive and your goals are well communicated on what solutions you bring to the market you serve.  The course is charted and the plans are in place for you to execute your strategy with your team.

How well the day unfolds as anticipated, and whether the tasks are completed on time and as planned, is still uncertain.  Why?  We are human.  Humans have been studied by scientists and doctors since the beginning, to better understand our behavior.  What are we capable of, and when is a machine better suited to a particular physical task or complex calculation?

As we invented new tools and machines to saw down trees, pound nails, dig holes and harvest our food, we wanted to continuously innovate.  We learned to adapt and to adjust these tools to accommodate new challenges, new environments and new hypotheses.  We learned to improvise and new brilliant researchers and inventors brought us automobiles, vaccines, airplanes, computers and even space travel.

Along our path of human progress there has been a tremendous amount of testing and experimentation.  We like to try to see what works and what doesn't.  Our curious nature keeps us seeking new ways to achieve the same outcomes, yet maybe faster or at a lower expense.  Economic prosperity or failure is in the hands of global markets.  How is the market performing today?

Yet as you navigate your small and specific path, you have choices to make.  Decisions on how you will spend your finite time to make your life better or to make a difference for others.  Your team, the company you manage, the agency you command or the country you lead, is counting on you.

The people, processes, systems and external events you encounter ahead comprise hundreds of Operational Risks that span a widening spectrum.  There is a high degree of certainty today that you will encounter a myriad of actions, changes, deviations and climatic events that will challenge you.  These operational risks are not always known in advance, yet there are many that you already know about.

Mitigating risks and making decisions to improve your life and your organization are all in your control.  How many people have written best selling books to teach you how to do this?  How many Big Five Accounting firms have written reports and raised red flags for you, your owners, or operators and shareholders?

So what?

The decisions you make today, will make a difference.  A "Trust Decision" has a model.  Deciding to trust is not a singular event.  More precisely, it is multiple decisions occurring in sequence.  To quote Jeffrey Ritter:
"Every trust decision is a determination to trust an object, person, group, system, device, or information asset to be used to accomplish a specific task."
The more you study and understand "Trust Decisions" the greater knowledge you gain on your spectrum of daily Operational Risks.  This is because you know what the steps are in your particular trust decisions model and accordingly, you can calculate the risks to achieving the desired outcomes.

Here is just one example:
"On Monday, October 30th at 3:34 p.m., SpaceX successfully launched the Koreasat-5A satellite from Launch Complex 39A (LC-39A) at NASA’s Kennedy Space Center, Florida. Following stage separation, Falcon 9’s first stage successfully landed on the “Of Course I Still Love You” droneship, stationed in the Atlantic Ocean. Falcon 9 delivered the Koreasat-5A satellite to its targeted orbit and the satellite was deployed approximately 36 minutes after liftoff."
While your team or organization may not have the breadth or depth of "Trust Decisions" that SpaceX has on a daily basis, your decisions are not a singular event.  What is your particular "Trust Decision Model?"  How well do you know how each component of that model will perform today?  Have you done enough testing, witnessed enough failures and now know the possible outcomes for each part of that model?

The new rules for your organization at the speed of light, your Trust Decisions, are out there...go discover them.

28 October 2017

Critical Infrastructure: "Known Vulnerabilities" in Your Enterprise...

What are the known vulnerabilities in your enterprise architecture?  We will come back to this question.

Asymmetric Warfare across the globe spans a digital Internetwork that has its roots in openness and little regulation.  In many instances we are within real reach of significant digital systems failures.  Here is just a small window into that battlefield.

Operational Risk Management (ORM), is a mature discipline that you and your organization shall embrace, study, expand and continuously support.  One facet of Operational Risk, the Information Technology (IT) systems in your enterprise, is not part of an evolution any longer.  It has become a pervasive and mobile social revolution, that is now accelerating beyond your comprehension.

Let's put it another way.  Known but unmitigated vulnerabilities, will likely be the origin of your demise, failure, damage, ruin and loss of precious assets.  Why do you let it continue?

You and your organization are on the edge, operating each day with people's lives, reputations and Personally Identifiable Information (PII) at stake, and even the livelihood of the enterprise itself.

Whether that is your family, business, state or even your country, you can do something more to address your known vulnerabilities.  Do you know who, what and where they are in your enterprise?

When you hear the name "Equifax" today, what do you think?  Data security breach, correct?  What about these organizations:
  • Whole Foods Market Services, Inc.
  • Discover Financial Services
  • Transamerica
  • Hyatt Hotels
  • Northwestern Mutual Life Insurance Company
  • Wells Fargo Advisors
  • Sprint
  • Massachusetts Mutual Life Insurance Company
  • Sharp Memorial Hospital
  • Virgin America
  • The Neiman Marcus Group
  • Keller Williams Realty, Inc.
  • Club Quarters Hotels
  • Hard Rock International
  • Four Seasons Hotels Limited
  • BMO Harris Bank NA
  • Bank of the West
  • Gannett Company, Inc.
These are all well known companies who have reported data security breaches to the State of California, as required by law, over the past 6 months.  There are dozens more organizations that are not large, well known brand names such as these.  Some of these breaches are a result of the Equifax breach, at organizations that were using Equifax product solutions internally.  Now multiply this by 50 states.

So what?

Our Critical Infrastructure(s) in the United States are something we just take for granted.  Bank ATMs on every corner, bridges across bays and rivers, trains and planes departing from even small cities, trauma hospitals, massive hotels and supermarkets, fiber communications and LTE wireless network connectivity almost everywhere.

Let's come back to where we started.  What are the "Known Vulnerabilities" in your enterprise architecture?  Why are you so certain, that your adversaries are not currently inside your network?

The resilience modernization of your particular enterprise is going to be expensive.  Mostly because it has been patched and poorly integrated for a decade or more.  In some cases, simply because your adversaries and competition are more stealthy than you are.  Faster than you are.  Smarter than you are.  Lying in wait.

So what are you going to do about it?  In your home, business, city, state, or country and beyond?
"As a highly connected nation, the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining the policy set forth in this section. Within 45 days of the date of this order, (May 11, 2017) the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Commerce, and the Secretary of Homeland Security, in coordination with the Attorney General and the Director of the Federal Bureau of Investigation, shall submit reports to the President on their international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation."   Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure 
You are going to find, repair and replace your known vulnerabilities.  Then repeat.  When you think you are finished, you can begin the next project, on your UNKNOWN vulnerabilities.

22 October 2017

Threat Management Team: Preemptive Risk Strategy....

The Corporate Threat Management Team (TMT) has been busy this past year, and your employees are consistently seeing new and startling behavior beginning to emerge. These small and versatile task forces draw their members from the corporate Operational Risk committee and include the Chief Security Officer, Human Resources (EAP), Ethics & Compliance, General Counsel and the Chief Information Officer or Privacy Officer.

Assessment of threats in the workplace that include violence, sabotage, financial fraud, homicide or suicide is growing in the current economic environment, and the Board of Directors is on alert. The Board has a daunting responsibility to the enterprise stakeholders:
  • Duty of Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
Threat assessment is a legal responsibility of corporate management and directors, but this is not anything new per se. What may be trending upwards, and at an alarming rate, is the litigation associated with "Insider Threats."   Just ask Dr. Larry Barton about the subject of corporate threat assessment:
"Despite sound recruitment practices, any employer may encounter situations in which colleagues are worried about their safety because of the actions or statements made by a co-worker. The person at risk could be a current employee, former associate/contractor, disgruntled customer, investor or other person who makes or constitutes a threat to your most vital resource - your human capital."
This (Threat Assessment) approach employs strategies that have been successful in a variety of situations, including:
  • an associate being stalked by a spouse or former partner
  • an employee who states that he or she is experiencing significant mental deterioration or who has thoughts of self-harm or homicide
  • altercations between co-workers and/or with a supervisor that are escalating in tone and severity
  • serious changes in attitude and performance with known or suspected substance abuse factors
  • social networking, blog and other means of electronically threatening an individual or team
Having personally witnessed Dr. Barton's methods and approaches, the science and his applications are sound. The strategy for implementation is based upon several decades of experience and encompasses the legal framework necessary to sustain the scrutiny of law enforcement and the courts.

Addressing a growing threat from a person in the workplace takes a dedicated team, with the right tools and information at their fingertips. Making split-second decisions based upon a lack of documented evidence, a failure to follow the protocol in a set of written policies, or just the wrong timing can open the doors for substantial and costly plaintiff suits.

Achieving a Defensible Standard of Care in the reality of today's volatile enterprises requires a sound governance strategy execution combined with new resources and tools to properly prepare for those almost certain legal challenges. Combining effective "BioPsychoSocial" subject matter expertise, along with the right people from legal, security, investigations, internal audit or corporate risk management can produce successful outcomes for "At Risk" employees and the entire enterprise.

This brings us to the next point regarding how a particular employee was allowed to get to the point of "No Return" in the workplace. Put on your thinking caps for a few minutes.

Whenever you have a Threat Management Team assembling to interdict a serious danger to the company, you immediately start to converge on the motive or reason why the person has or is acting against company policy or behaving in a threatening manner. It's natural to do so, as most people want to know what's causing the issue. Be careful. What seems to be the cause is only known as the "Proximate Cause." Do you really understand the "Root Cause" of the failure of people, processes, systems or some external events?

The analysis, investigation, documentation and presentation on what happened and why is the hard stuff. Getting to the "Truth" and getting answers to the "Root Cause" requires another team of specialty practitioners. These independent, outside risk advisory professionals should not be from any current or existing corporate supplier, auditor or management consultant. They truly need to be the independent, unbiased and diligent entity to discover the truth and to document the root cause of the incident. The goal is to eliminate the future threat and to mitigate any risks that may still be "lying in wait."

Corporate Management and Boards of Directors must continue to move to the left of the proximate cause on the risk management spectrum to be preemptive, proactive and preventive.

15 October 2017

OPSEC: Knowledge Ecosystem Risk...

The "Leadership of Security Risk Professionals" is consistently in the news because Operational Risks within the enterprise are growing exponentially.  The ability of specialists in the field or the C-Suite to operate on a 24/7/365 basis is a tremendous challenge.  In order to address a continuous spectrum of operational risks, we must actively monitor our culture and those behaviors that could make us lose sight of what we know is right.

At this moment, the explosion of mobile technologies has created a simultaneous set of new risks and opportunities to be leveraged.  Each human asset in your organization is another node in your digital ecosystem of connected machines.  The person now has the ability to stream live video from their mobile phone camera back to an Emergency Operations Center (EOC) or become an active participant in Irregular Warfare (Security, Development, Governance).  All they require is the correct App on their smartphone and 3G connectivity.  How the leaders in the enterprise who are charged with the risk management functions operate, collaborate and share relevant information is just as important as what information they share.

In the private sector, as the leader of the HR functions responsible for hiring and terminations of employees, you are in the nexus of Operational Risk Management (ORM) and legal compliance.  The threats and vulnerabilities you experience and are accountable for mitigating, are going to be quite different than your fellow leader in the Information Technology department.  This is where we want to emphasize a major point:
The leader of HR does not possess the same domain knowledge that the IT leader has with respect to risks to the confidentiality, integrity and availability of information stored in a Virtual Machine (VM) at a third-party data center.  Just as the IT leader does not possess the same domain knowledge that the HR leader has with respect to the employees who have just given their two-week notice.  Therefore, since both are accountable and responsible for their specific domain roles to mitigate risks to the security of the enterprise, how do they share information, collaborate and operate simultaneously to ensure the safety and security of the organization?
In order to act with unity of purpose throughout the global enterprise, each of these domains must be able to operate seamlessly, within the context of the larger enterprise ecosystem.  The leaders and stewards of the security risk profession must continue to adapt and continuously improve the decision advantage of the vast knowledge ecosystem before them.  The cultural and behavioral attributes of this ecosystem can be a single point of failure that continues to plague our non-governmental organizations, our private industry sectors and even our country.

What if your only role and job inside your particular organization was to make sure that information is being shared on operational risks?  How would you accomplish this?  How would you organize the mechanisms in each department for collection and dissemination of relevant information, to the other security risk professionals in the enterprise?  Believe us when we say that the answer is not another digital dashboard or wiki.
On September 30th, 2012, the 2nd season of the hit Showtime Television series "Homeland" aired in the United States.  The writers for this first episode of the season, with Emmy winner Claire Danes, made a reference in the script at one point that brought back horrific memories of a failure of U.S. operational security.
This reference was to a real-world event.  It was December 30th, 2009 at Forward Operating Base Chapman, in Khost, Afghanistan.
This single mention in the script by the "Homeland" writers of this devastating event in history should remind us all once again that people, culture and the soft skills of communication can and will be our most deadly vulnerability.  As a result of this set of cascading circumstances, five more stars are now on a wall in Langley.  This is another stark reminder of how personalities, power base and trust of information can still fool us into a social engineering nightmare.

The future "Leadership of Security Risk Professionals" will use this event at FOB Chapman as a classic case study.  In order to enhance the effectiveness of the field specialists and the C-Suite, they must improve their ability to operate in a continuously dynamic sea of cultural behaviors, within a vast and expanding knowledge ecosystem.

07 October 2017

Unanswered Questions: Leading Teams in a Virtual Domain...

The "Art and Science" of Leadership in disconnected environments is challenging to say the least.  The science might be initially enabled by the utilization of technology-based platforms including mobile smartphones, Cloud and even SATCOM capabilities.

The art or "How" of leading teams in a geographically dispersed area, across hierarchies of people with precision and speed, is the hard problem.  It is the problem-set for so many growing organizations today.  How do you create a leadership mechanism with the right "Linchpins," to enable trust and simultaneously execute vital tasks, across silos with a single purposeful mission?

Frankly, it is quite complex.  Yet there are proven methodologies and proven technologies that will quickly jump start and improve your team's problem-solving abilities and its ability to gain "shared consciousness."  It all begins with the leaders implementing a single organizational lens to view the enterprise architecture or operational landscape before them and communicate what they have experienced, witnessed and accomplished.

The shared "Network" of people, systems, philosophy, experience and purposeful mission is paramount to success.  The moving pieces of the network both human and technological or operational, work independently and yet they are becoming a single adaptive entity.

Building and enabling trust across domains, working groups, operators and the significant distance between horizontal or vertical communication is now the nexus of the "Art and Science" of Leadership.  You have probably read countless books and seen inspiring talks by people who have done it all, experienced it all and still to this day will admit that the human organizational issues still keep them from sound sleep at night.

Will those individuals who are in front of the problem-set on your team act without hesitation?  Do they have the best possible information at their fingertips to make the "Trust Decisions" to achieve their objective?  How will the outcomes of their actions build on the entire team's goals and aspirations?

Whether your team is a family, a work group, the neighborhood, a company, a municipality or an agency doesn't really matter.  The people, processes, systems and external events are going to continuously challenge the intended forward direction.

So what?

This is all great, yet it sounds like we are describing environments where all of this leadership action is taking place in a purely physical world.  What happens when 99% of it is happening in a "virtual space?"

Inside the virtual computing consciousness of the global Internet, across a domain of space made possible by Virtual Machines (VM), solid-state storage and the software comprised of just Zeros (0) and Ones (1).  Now just add billions of interconnected (IP) devices.

The good news is that much of this virtual environment still requires human intervention and human participation.  Simultaneously, global systems automation and the use of Bots, Artificial Intelligence (AI) and other autonomous "Machine Learning" inventions are now on our doorstep.  This is our new reality:
The speed at which the autonomous machines are making decisions, and the abilities they are gaining in shared consciousness, are in most cases beyond human understanding.  The global organizational and national security implications are gaining momentum.
So what does leadership need next, for us to survive the remarkable velocity of our Trust Decisions, in an exponential virtual world?  How do we put it all in perspective?  What are the remaining unanswered questions? Author Jeffrey Ritter gives us his insightful context from decades of experience:

"It is essential to our human nature to make trust decisions. The Net has become essential to our existence. Whether or not this book prescribes the right direction, we will not survive as a global community unless we commit to a new architecture that enables trust in the digital assets of our world to be established and maintained. The solution, I believe, is found in understanding that trust is the essential predicate to the creation of new wealth. Working collaboratively, the world’s population can achieve both trust and wealth.

From my earliest work with the United Nations, I have recognized that the greatest potential of the Net is its ability to enable any of us to trade with anyone else. Trade inherently creates wealth for all of the participants. The curious thing about trade is that, when it proceeds properly, enriching all stakeholders, trade is the ultimate dis-incentive for war. We simply are reluctant to do battle against those with whom we do business. If digital trust can expand our capacities to trade, and connect us effectively into a broader network with whom we can trade, the strongest possible incentives for sustaining peace emerge. That is my fondest hope for the Net, that it will be the infrastructure for enabling global co-existence. To achieve that dream, we must build digital trust."


What are your unanswered questions?...

01 October 2017

TrustDecisions: Beyond that Perfect Cup of Coffee...

You are out there helping and assisting a loved one or another person in need.  Your life has been a virtual maze of daily pathways and encounters, to where you are now.  Where, when and how will the next chapter unfold?

Our lives are a series of experiences, encounters, actions and reactions.  We each wake up every day with the unknown.  How will this day allow for creative thought, fulfilling dialogue, warm and loving feelings and maybe even just that perfect cup of coffee?

One thing is certain this new day of your life.  You have choices to make.  You are going to be challenged with new information to assess, analyze and then to make an informed decision.  The "Trust Decisions" that you process and act upon are human.

What about the TrustDecisions that are being executed by the millions of lines of machine code and the computers that now permeate so much of our lives?  These are the devices that navigate you and your vehicles, the silicon-based systems that calculate new found wealth or manufacture new goods or services.  The lines of program code in the software at the heart of the hand-held machine you trust for communications, location or music were designed and written by another human.

Or was it?

Prepare yourself for the next generation of TrustDecisions that are being executed by computers and machines, that were designed and written only by other very intelligent non-human systems.  Perhaps you will trust these inventions and the capabilities they provide, even more than you ever have in the past.  Artificial Intelligence is real.

It is the look on another person's face, the tone of your child's voice or the warm touch from your most precious loved one that really matters in life, however.  Where will this day end up?  What will you do to make this day even better than yesterday in your life?

At some point you realize that you alone are responsible and capable of that next hour of joy or sorrow in your life.  You have the ability and the capacity to assist someone else in need, to contribute resources or knowledge that can change another human's course in life.

Somewhere along the way, you finally understood that you really are not in complete control.  From the day you were born, until today, October 1, 2017, you have watched your life journey unfold before you.  How much of it has been all because you made the correct TrustDecisions?

The milestones of life are never guaranteed.  The perfect parents, the perfect friends, the perfect schools and teachers, the perfect spouse, the perfect kid(s), the perfect career, or even the perfect cup of coffee.

Yet today brings another life opportunity before you.  A new day to truly look around.  Think quickly about what your actions will be next.  To make a decision.  To act upon this with all your heart and mind.  Then to look to the sky and say a prayer.

You are well on your way to another purposeful day...

24 September 2017

OSAC: The Insider Threat...

In November 2007, the "Insider Threat" was on the minds of Global Security Executives that year, as evidenced by a half-day emphasis on the current trends and issues.  We wonder what will have changed over a decade later, at the 2017 OSAC Annual Briefing.

In any global enterprise doing business across multiple continents with a diversity of personnel comprised of expats and country nationals, you can bet on being consistently subjected to the operational risks instigated by people. Fraud, embezzlement, conflicts of interest, economic espionage, workplace violence and disruption of business schemes are the norm.

In a converging organization with outsourced services around every corner, the enterprise becomes more disjointed and incapable of a continuous level of readiness or preparedness for the next organized plot by the insider.

So back to square one. Keep an eye on your employees, contractors and suppliers. Run those new employee awareness sessions and lock down the access to sensitive corporate assets. Now do it again with the same budget we gave you last year!

You can just see these great patriots from all over the world searching for the answer to their continuous woes as a Global Security Director. It's a thankless position and severely underfunded in a time when the threats are increasing exponentially.

In evaluating the current information security, regulatory and legal environment, consider these five key flaws with today’s ORM solution programs:
  1. Dependence on inadequate and incomplete technology-based point solutions;
  2. Failure to integrate people, process and systems into an effective and comprehensive operational risk program;
  3. Lack of adequate decision support and an actionable understanding of the threat to the entire spectrum of corporate assets;
  4. Reactive response to perceived problems rather than proactive initiatives based on sound risk management principles; and
  5. Cost and shortage of properly skilled IT personnel to support the programs.
The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting significant issues:
  • Is your policy enforced fairly, consistently and legally across the enterprise?
  • Would our employees, contractors and partners know if a violation was being committed?
  • Would they know what to do about it if they did recognize a violation?
If you don't know the answers to these questions, then there is much more work to do and much more strategic planning necessary before any software or system is implemented for Operational Risk Management.

Perhaps it is time for the Private Sector to get serious about the "Insider Threat."  The U.S. Department of Defense has been on point with the issue now for years:
The Defense Department is preparing to add 500,000 employees to its continuous evaluation pilot by Jan. 1 as part of DoD’s effort to add rigor to the security clearance process.

Daniel Payne, the director of the Defense Security Services, said Sept. 20 that the additional half-million employees would bring the total uniformed and civilian employees enrolled in continuous evaluation to 1 million. There are more than 4.3 million cleared employees and service members across the government, including 1.3 million at the top-secret level, according to the Office of the Director of National Intelligence’s 2015 report.
Yet, in the back of everyone's mind is still the possibility of being connected with a significant terrorist incident. What these CxOs are looking for are the means to gain a larger budget for their departments and to be able to invest in new "Insider Threat" technologies and tools.

Human behavior will always be the center of the controversy on whether these new systems will be able to mitigate the insider threat any more efficiently or effectively...

17 September 2017

DEF: Defense Entrepreneurs Forum Increases National Security Velocity...

There is a tremendous amount of buzz and focus on innovation these days, especially around the .gov and .mil ecosystems.  The Defense and Intelligence domains are in a race and competition for increased velocity in procurement, adoption of new or updated systems, talented people and the implementation of state-of-the-art Commercial-Off-The-Shelf (COTS) solutions.

Every so often you come across some thought leaders like the Defense Entrepreneurs Forum (DEF) that know what true innovation means.  They get it.  The membership understands that innovation does not always equal technology alone.  The process of innovation and the people who surround it will tell you that many prototypes of new innovation do not always include semiconductors, transistors or gigahertz.

When you combine the nodes of an ecosystem of smart people, devoted to increasing velocity in the defense and intelligence communities, there will be inspiration, connection and empowerment.  Each one of these nodes is vital, yet they grow and sustain themselves independently.  Working together however, they will provide our national security institutions additional resources, insight and outside the agency expertise.

At the latest Annual Forum at the University of Texas - Austin this past week, DEF was in full force in conjunction with the "Clements Center for National Security".  Keynotes and talks from Adm. William McRaven (ret.), Ori Brafman, Col. Mark Berglund, Brigadier-General Hans Damen, Admiral Bobby Inman (ret.), Todd Stiefler, Warren Katz, Clare O'Neill, Lauren Fish, Kaly McKenna, Eric Burleson, Brendan Mullen, Steve Slick, Kristen Wheeler, Kristen Hajduk and others were just the top line.

The bottom line up front is that as a participant, you witnessed first hand that people with outstanding ideas, a similar mission and genuine enthusiasm for improving United States National Security are increasing velocity.  In greater numbers, momentum and thought leadership.  The Defense Entrepreneurs Forum (DEF) is now in its 5th year and is a best kept secret no longer.

So what?  What is DEF’s goal?

"We believe that the complexity of national security necessitates Defense professionals with innovative solutions. We believe that great ideas do not depend on rank and that creative problem solving cannot be developed rapidly. Today’s junior and mid-grade Defense professionals will be the future military leadership of this country.
  • Inspire: By attracting diverse, passionate, and innovative individuals, DEF inspires individuals through a community of like-minded national security innovators.
  • Connect: In person and virtually, DEF is a network that connects innovative thinkers who seek to improve on the status quo and educates them on how to do this.
  • Empower: Through a variety of methods--from idea generation to senior-leader engagement--DEF empowers junior leaders to be change agents in national security."
The innovation mindset is only part of the equation.  You need people with the context, experience and ambition to make a real difference.  Those who are seeking new ideas, new talent and new methodologies for increasing velocity.  People who want to contribute time, resources and intellectual thought leadership.

As the wheels went up on the dawn of a new day over Austin, TX, our plane headed northeast.  The future is bright for U.S. National Security.  Trust is in the wind and the Defense Entrepreneurs Forum is accelerating...

09 September 2017

Resilience: Optimizing a Continuous Cycle in Your Particular Environment...

Walking across the River Thames over a bridge in London, you can see several signs of resilience, if you look carefully.  This city has listened to air raid sirens, bombs exploding and witnessed vehicles running over pedestrians in a pure act of terror over the past seven decades and beyond.

Big Ben was strangely silent, for maintenance and restoration work.  Yet the citizens of the area and tourists alike were anxious to make it past the new vehicle barriers, to reach the other side.  Resilience runs deep in London and you can see it on the faces of those who call it home.

To endure hardship, disappointment, disability, destruction and years of abandoned dreams is just part of life.  Some cities across the globe have endured and stayed vigilant.  They have learned the art and science of resilience, so that their citizens can carry on, no matter what the negative forces may be.

Across any major continent you will find examples of places and people who have endured and remained resilient.  To the wrath of Mother Nature or the evil deeds of other human beings.  Whether it is Houston, Texas or New York City, London or Berlin doesn't really matter.  The examples of resilience are personified in granite, museums and historical sites with the names and faces of resilient people.

Yet as the train pulled out of Euston Station towards Edinburgh, the city faded into rolling farms and wooded forests, and thousands of sheep dotted the hillsides.  People living outside the city still have their own challenges and battles with everyday life.  They too must adapt and encourage resilience.

A crop that never makes it to harvest due to a fungal disease, or livestock threats from liver fluke, are just a few threats that farmers and ranchers must plan for and respond to in order to lower the risk of loss.  So should you find yourself in the countryside or in the middle of the city looking up at Edinburgh Castle, here is a standard six-step process to endure and remain vigilant:
  • IDENTIFY
  • ASSESS
  • DECIDE
  • IMPLEMENT
  • AUDIT
  • SUPERVISE
These steps in the process are not some new invention.  Others have invented variations such as the OODA Loop.  The point is that even Plan-Do-Check-Act (PDCA) will provide a continuous cycle for the city dweller or the countryman, the banker or the fighter pilot.  The hedge fund manager or the venture capitalist.

So what?

The likelihood is that you too have witnessed operational failure.  You have felt the emotion of severe loss of life.  You have been part of a life or business scenario that has brought you to a point when you have lashed out at those you love, or brought you to your knees looking to the sky.

Beyond your faith and wishful or positive mental attitude, you only have your proven process left to work with, to endure, to be resilient.  The continuous cycle will keep you heading in the only direction you have and that is, to the next step in that cycle.  When you skip a step or have missed one altogether, you are simply opening yourself up to increased exposure of loss or even complete failure.

You shall discover your favorite process or cycle in your life, your vocation and within your domain.

Once you do, you must decide to master it.  To never skip a step and to adapt, learn and improvise.

When you do this, you will have achieved resilience for yourself, your family and your country... 

27 August 2017

Courage: Mitigating Fear...

Fear is a paralyzing condition. What sometimes can paralyze some people often motivates others. Think about it. What are you afraid of? When was the last time you felt so paralyzed with fear that you either couldn't move, or it pumped you up so much that the adrenaline took over and made you do things that you never thought were possible?

Where is your courage today? Hiding out until the day it seems safe? You are going to be waiting a long time. There is no such time or space where it is safe. In the board room or on your battle field, the world is looking for leaders and people with courage.

Oftentimes the answer is action, regardless of the threat. This in itself is a sign to show your foe that you are aware of the threat and will not only respond, but mitigate any operational risk.

It takes courage to pursue the unpopular agenda. Whether it is to save lives, save investors, or save precious physical or digital assets, the game is the same. Those who decide to do nothing in the face of an obvious threat, have nothing but paralysis. Those who decide to do something, dig deep to find the purpose and justification for their actions.

Once you find courage, it's very hard to turn the other way. Paralysis becomes so foreign that whenever you feel even a little unresponsive, you compensate the other direction almost by instinct.

If you spend enough time around courageous people, it starts to rub off on you. If you still don't have the bug, then you must not be surrounding yourself with those who can take fear by storm. What are you afraid of?

As Steve Farber would say, you need some more OS!M's. Once you have enough of these to know that you won't freeze, then you are well on your way to really making a difference on this rock. If you are not there yet, then now is a good time to start speeding up your OS!M's for all of the children of our fallen heroes.

Here is a good example:

Over six years ago this month, Elite Navy SEAL, Aaron Carson Vaughn, was killed August 6, 2011 when a Chinook chopper carrying 30 American troops was shot down in Afghanistan.

In their grief and with a desire to do something that would honor Aaron's legacy, his family chose to start Operation 300.

Operation 300 is a non-profit foundation designed to create a week long experience for children who have lost their fathers as a result of service to our country.

The camp will provide an opportunity to participate in activities that embody the spirit of adventure that characterized the lives of their absent fathers while fostering a culture of courage, strength, freedom, endurance, honor and godly morality embodied by fearless patriots throughout the history of our American Republic.


Never forget!

20 August 2017

Alternative Analysis: Intelligence-Led Methodologies...

Operational Risk Management (ORM) is about the consideration of past failures and the possibility of unknown future failures of people, processes, systems and external events. The analysis of the likelihood and implications of those loss events requires different methodologies to assist in the mitigation strategies to prevent or avoid the risks of failure. In light of the nature and complexity of transnational asymmetric threats, this requires the use of alternative methods of analysis.

Intuitive decision making and sense-making can be combined into a framework for categorizing the residual thought processes of intelligence analysts. This is called "intelligence sense-making".

This process involves the application of expertise, imagination, and conversation, and the benefit of intuition, without systematic consideration of alternative hypotheses. Compared to traditional methods of analysis, intelligence sense-making is continuous rather than discrete, informal rather than formal, and focused more on issues that don't have normal constraints.

Employing alternative analysis means that when you can't “afford getting it wrong,” you challenge assumptions and identify alternative outcomes. However, it may be of little use against today's growing non-state transnational threats and ongoing criminal enterprise complexities. This is because there are so many conceivable outcomes, consistent and perpetual changes, and contingencies that no single risk management process can be effective all the time.

Web-logs 3.0 are the future for some effective transnational alternative analysis. Combined with machine learning threat intelligence systems such as Recorded Future, the open source analyst can operate with increasing pace and context. Unlike more formal published papers, intelligence Web-logs are a more free flowing “unfinished” production, whereby both human intuitions and more formal arguments are posted, and then challenged by those with alternative ideas.

Indeed, Web-logs are the mechanism for a facilitated contextual dialogue, the electronic equivalent of out loud sense-making.
"On September 11th, about half of the hijackers had been flagged for scrutiny at the gate before boarding the ill-fated flights. Had the concerns of the Phoenix FBI office about flight training not only been shared broadly within the government but also integrated into a mindfulness-focused inter-agency process—featuring out loud sense-making, Web-log type forums, computer-generated references to extant scenarios for crashing airplanes into prominent targets—might at least some of the detentions been prolonged, disrupting the plan? --“Rethinking ‘Alternative Analysis’ to Address Transnational Threats,” published in Kent Center Occasional Papers, Volume 3, Number 2.
In our modern day era of Twitter, Facebook and "Crowd Sourcing" technologies perhaps the tools are already in place. Platforms such as Ushahidi are geocoding the information origin, providing ground truth situational awareness and providing context on issues that are unbounded. How often does the published press currently use these tools to get their original leads, potential sources or new ideas for a more formal story? This story then takes on the formal journalistic requirements for confirmation from trusted and vetted sources, before it makes the final deadline and is delivered on printed paper to our doorstep each morning.

The doctrine of analysis for transnational threats and homeland security intelligence is still evolving in this accelerating digital ecosystem. The alternative methods and tools that we will utilize to examine, refute or justify our thoughts remain endless. The degree to which we are effectively operating within the legal rule-sets for our particular country, state or locality remains the ultimate privacy and civil liberties challenge. These respective governance guidelines, particularly with regard to intelligence record systems and liability issues, must remain paramount:
  • Who is responsible for entering information into the Intelligence Records System?
  • Who is the custodian of the Intelligence Records System that ensures all regulations, law, policy and procedures are followed?
  • What types of source documents are entered into the Intelligence Records System?
  • Does the retention process adhere to the guidelines of 28 CFR Part 23 in the United States?
Finally, community-based policing has developed skills in many law enforcement first responders that directly support new domestic counterterrorism responsibilities. Intelligence-led policing (ILP) provides strategic integration of intelligence into the overall mission of the larger "Homeland Security Intelligence" enterprise. It involves multiple jurisdictions, is threat driven and incorporates the citizens of the community, who cooperate when called upon, stay aware of their surroundings and report anything suspicious.

So what types of information do street officers need from an Intelligence Unit?
  1. Who poses threats?
  2. Who is doing what with whom?
  3. What is the modus operandi of the threat?
  4. What is needed to catch offenders / threat actors?
  5. What specific types of information are being sought by the intelligence unit to aid in the broader threat analysis?
Alternative analysis is designed to hedge against human behavior. Analysts, like all human beings, typically concentrate on data that confirms, rather than discredits, existing hypotheses. Law enforcement is constantly focused on the key evidence to prove who committed the crime.

Alternative analysis shall remain part of the intelligence tool kit for more formal policy level work. Imagine the use of Intelligence-led methodologies such as "intelligence sense-making" combined with secure Web 3.0 collaborative applications, at the fingertips of our Homeland Security first responders. Now think about that "lone wolf" or "sleeper cell" lying in wait.

Proactive and preventative risk management requires the right tools, with the right information in the hands of the right people.

13 August 2017

Capitol Hill: Zeros and Ones of Resilient Vigilance...

Walking past the Cannon House Office Building this week, on the way to a meeting at the U.S. Capitol, created some reflective thoughts.  As our Capitol came into full view, you have to wonder how many congressmen have made that walk since the early 1900's.  How many representatives from across America contemplated whether their work was making a real difference, for their constituents and for our country?

The future of America is bright and our level of resilience as a nation has endured, yet we must remain vigilant.  There are thousands of people who get up every day and travel into the District of Columbia and surrounding suburbs, because they are Patriots and they care so very much about our growing Republic.  You have to see it in their eyes, to realize how much that is true.

Entering the South door on the House side, we proceeded to our meeting room, H-137.  As our small cadre sat down for a light meal, the focus quickly turned to our purpose for gathering.

National Security and Intelligence was the high level reason, yet the dialogue quickly drifted into what was an 80/20.  It seems that the "Cyber" related conversations these days are taking up about 80% of the nuances of Critical Infrastructure Protection (CIP), and for good reason.  The fact is, more than 85% of our nation's Critical Infrastructure is out of the direct control and ownership of the government.

Private Sector companies and other non-government entities control 16+ vital sectors of the nation's infrastructure assets.   They are the owners and operators of the Energy, Telecommunications, Financial, Water, Transportation and Information Technology sectors, including the Defense Industrial Base, to name a few.

What was not mentioned in the room over our 90 minutes were some of the most sensitive issues confronting those on the front lines of the private sector critical infrastructure protection industry.  "Fancy Bear," "Eternal Blue," "Vault7" were on some people's minds.  These references mean nothing to many of the "John Q. Citizens" in America who are working using smart phones and laptop computers at home, on the job or in our freelance economy.  Until these electronic tools are no longer functioning correctly.

So what?

Eternal Blue, as the exploit is code-named, is one of scores of advanced NSA attacks that have been released over the past year by a mysterious group calling itself the Shadow Brokers. It was published in April in the group's most damaging release to date. Its ability to spread from computer to computer without any user action was the engine that allowed the WCry ransomware worm, which appropriated the leaked exploit, to shut down computers worldwide in May. Eternal Blue also played a role in the spread of NotPetya, a follow-on worm that caused major disruptions in June.

The owners and operators of Critical Infrastructure across the globe are now operating on high alert.  The executives and policy-makers in discussion behind closed doors around the U.S. Capitol understand the magnitude of the current problem-set.  Rogue individuals, Crime, Inc. and cyber terrorists will continue to utilize these exploit tools, which are no different in kind from the IEDs or weapons of mass destruction of the physical world.

The Private Sector will need to step up its resilience and readiness game in the next few years, if not months.  The capabilities and Return-on-Investment (ROI) that let non-state actors play in a whole new league are becoming ever more apparent.

To continue our resilient vigilance across the nation, we will require a whole spectrum of new capabilities and some, that have worked for years...

05 August 2017

LIGHTest: An Open Global Ecosystem of Trust...

At the dusk of another day in Southern California, new TrustDecisions are being made that will impact how our IoT and Critical Infrastructure evolve in the decades ahead.  Operational Risk Management (ORM) will continuously adapt to our global future of "Achieving Digital Trust."

Yet this innovative catalyst and consortium has been forming over the past year in the European Union.  It is called LIGHTest.
"Lightweight Infrastructure for Global Heterogeneous Trust management in support of an open Ecosystem of Stakeholders and Trust scheme"
"This is achieved by reusing existing governance, organization, infrastructure, standards, software, community, and know-how of the existing Domain Name System, combined with new innovative building blocks. This approach allows an efficient global rollout of a solution that assists decision makers in their trust decisions. By integrating mobile identities into the scheme, LIGHTest also enables domain-specific assessments on Levels of Assurance for these identities."

Trustworthy computing is not new and it has been evolving since the beginning of the Internet with PKI.  What is encouraging and worth pursuing now, is a better understanding of the problem-set.

What is the real problem that LIGHTest will address and try to solve?
"The DNS translates domain names that humans can remember into the numbers used by computers to look up destinations on the Internet. It does it incrementally. Vulnerabilities in the DNS combined with technological advances have given attackers methods to hijack steps of the DNS lookup process.
They want to take control and direct users to their own deceptive Web sites for account and password collection to perpetuate their Internet disruption attacks and crime schemes. The only long-term solution to this vulnerability is the end-to-end deployment of a security protocol called DNS Security Extensions – or DNSSEC."
So what?

The Domain Name System (DNS) relies on these foundational entities for our Global Internet. Designated by letter, they are the operators of the root servers:

A) VeriSign Global Registry Services;
B) Information Sciences Institute at USC;
C) Cogent Communications;
D) University of Maryland;
E) NASA Ames Research Center;
F) Internet Systems Consortium Inc.;
G) U.S. DOD Network Information Center;
H) U.S. Army Research Lab;
I) Autonomica/NORDUnet, Sweden;
J) VeriSign Global Registry Services;
K) RIPE NCC, Netherlands;
L) ICANN;
M) WIDE Project, Japan.

Ref: http://www.root-servers.org
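To make the hijack-versus-DNSSEC point of the quoted passage concrete, here is an added Go example (not LIGHTest's or this blog's code). It is a simplified model of RRSIG signing and validation using Ed25519 (DNSSEC algorithm 15), with constructed sample records; the `RR` type, the text canonical form and the already-trusted zone key are simplifications assumed for illustration, not the RFC 4034 wire format or a full trust chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified DNS resource record: owner name, type, TTL and RDATA.
type RR struct {
	Name  string
	Type  string
	TTL   uint32
	RData string
}

// canonical renders an RRset as one deterministic byte string, the data an
// RRSIG covers. Real DNSSEC signs the canonical wire form (RFC 4034 §6);
// this simplified model uses a lower-cased, sorted text form with the same intent.
func canonical(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s %d %s %s",
			strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.RData))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset plays the authoritative zone signer: the result is what the zone
// would publish as the signature field of an RRSIG (algorithm 15, Ed25519, RFC 8080).
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonical(rrs))
}

// ValidateRRset plays the validating resolver: the answer is accepted only if
// the signature verifies under the zone's public key. Here that key is assumed
// already trusted; a real resolver obtains it through the DNSKEY/DS chain from the root.
func ValidateRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rrs), sig)
}

// Demo models the lookup hijack the quoted text describes: an attacker
// replaces the address in an answer while the published signature stays as is.
// It returns whether the genuine and the hijacked answers validate.
func Demo() (genuine bool, hijacked bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample zone data using reserved example names and addresses.
	answer := []RR{{Name: "www.example.com.", Type: "A", TTL: 300, RData: "192.0.2.10"}}
	sig := SignRRset(priv, answer)
	genuine = ValidateRRset(pub, answer, sig)

	// The RDATA can be rewritten in transit or in a cache, but without the
	// zone's private key the signature no longer matches the data.
	forged := []RR{{Name: "www.example.com.", Type: "A", TTL: 300, RData: "203.0.113.66"}}
	hijacked = ValidateRRset(pub, forged, sig)
	return genuine, hijacked
}

func main() {
	g, h := Demo()
	fmt.Printf("genuine answer validates: %v\n", g)
	fmt.Printf("hijacked answer validates: %v\n", h)
}
```

Without the signature check, the resolver has no way to tell the two answers apart; that gap is what end-to-end DNSSEC deployment closes.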

Just when you are starting to understand the complexity of the problem that LIGHTest is attempting to solve, add "Mobile Identities" to the dialogue.

It is one step towards trust to get machines to complete a transaction with integrity and consistent trustworthiness.  When you add the challenge of validating the reputation and identities of people, the scale of the entire problem-set soars.  The geopolitical and organizational boundaries that are now the state-of-play are tremendous.  The United States Department of Commerce is at the table.

Think about how far we have come in our technological history and enterprise architecture, with the pervasive use of communications satellites and 30 billion mobile devices by 2020.  Now imagine how far we still have to travel to attain true "Digital Trust."  The infrastructure is global and the complexity is far greater than most humans can truly understand.  To trust one another, to trust transactions, to trust our machines and digital inventions implicitly.  That is our lofty aspiration.

LIGHTest is heading in an innovative direction, in the pursuit of greater trustworthiness and we have to keep reminding ourselves why:

Instilling fear in people's minds about monetary losses, stolen intellectual property, hackers, cyber criminals and rogue web sites is important.  Buyer beware!  Stranger danger!  See something, say something.  WannaCry.  AlphaBay.  No different than wanted posters for bank robbers, fraudsters, or terrorists.
Companies, people, products or services that continue to serve up messages of digital fear, uncertainty and doubt are in need of even more clarity and education.  The real problem-set to be solved is about trust and making more highly effective trust decisions, at increasing velocity...

29 July 2017

OPS Risk: Choosing Service Over Self-Interest...

Accountability and ownership are two vital elements of any operational risk professional's mindset, if they are to accomplish real results.  In order to gain this mindset as a professional, you have to be able to work alongside others who have these ingrained into their character and DNA.

What are you accountable for in your team or organization?  You are accountable for the stewardship of your particular mission at this point in time, with a clear vision of the intended results.

You are not accountable to anyone but yourself and the team you have assembled for this particular set of tasks and outcomes.  The Operational Risks that you will encounter and those that you decide to mitigate or avoid are entirely up to you and your team, long before you set out to accomplish the mission.

Do you have ownership of the results desired?  You must have ownership of the operational risks that may and will occur if you and your team are to survive whatever known and unknown challenges may come your way.  Who are some of the best of the best in the profession of Operational Risk Management (ORM) over the past few decades?

Neil Armstrong and Buzz Aldrin are just two:
Of course, it was less than a year later that Armstrong himself would make the biggest step. After a three day trip to the moon, Armstrong, Aldrin and Collins entered lunar orbit on July 19. On July 20, Armstrong and Aldrin began their descent towards the surface inside Eagle, the lunar landing module. The flight to the surface did not quite go as planned. During the descent several alarms from the flight guidance computer distracted the astronauts. The onboard computers were inundated with extraneous radar information, but the alarms were determined not to be a problem. 
But Armstrong also noticed he and Aldrin were flying faster than expected across the lunar surface and were likely going to overshoot their landing site. As the Eagle passed 1,500 feet above the surface, Armstrong saw they were heading for a crater. He thought this might be a good option as it would have “more scientific value to be close to a large crater.” But the steep slope and big rocks did not provide a safe place to land. 
As they continued to fly over areas covered with large rocks and boulders, Armstrong took over control of the Eagle and continued flying it manually. He was able to use his training from the LLTV to maneuver as they continued to descend to the surface. But all of the maneuvering was using up propellant. At 200 feet above the surface, Armstrong finally was able to find a place to land. 
Aldrin: Eleven [feet per second] forward. Coming down nicely. Two hundred feet, four and a half down.
Armstrong: Gonna be right over that crater.
Aldrin: Five and a half down.
Armstrong: I got a good spot.
Aldrin: One hundred and sixty feet, six and a half down. Five and a half down, nine forward. You’re looking good. 
As they passed 75 feet, mission control in Houston determined the Eagle only had 60 seconds of fuel left. Armstrong says he wasn't terribly concerned about the low fuel situation, "typically in the LLTV it wasn't unusual to land with 15 seconds left of fuel."
About 40 seconds later Armstrong made a final few maneuvers before announcing the landing was complete. 
Armstrong: Shutdown.
Aldrin: Okay. Engine stop.
Houston: We copy you down, Eagle.
Armstrong: Houston, Tranquility Base here. The Eagle has landed.
Think about your team.  Is the boss dictating from the top on your every move, or are they side-by-side with equal accountability and ownership of the results of the mission?  NASA puts rock star top gun pilots behind the controls of lunar missions for a good reason.  It is because NASA knows that it is not ultimately in control; the pilots are, working together.

So if you find that in your next corporate or organizational project that the boss from afar is telling you what to do at every moment, it's time to eject.  A true Operational Risk professional understands the mission and the desired results.

They have accountability and ownership of the tasks necessary to achieve the results.  Their stewardship of the project, with their fellow team members will be able to adapt to any changing environment or sudden challenges.

If you are the boss who has responsibility for the team and the successful outcome of the mission, what have you done to enhance each of their skills, knowledge and experience to deal with operational risks?    You may be asking at this point, "How do I do this?"  This isn't about giving you suggestions or showing you where it is working and how to do it.

This is about service before self-interest and your ability to think of yourself as an equal on the team. Just one more vital asset with the same sense of accountability and ownership for the overall mission. That's it.

Your team needs you as one more set of brains, hands and talents to solve the operational risks that will be on their way.  How you behave and perform in light of these newfound challenges may very well be the one thing that determines whether your team lives, or survives.
To serve. To be safe. To know what freedom feels like.
Author, Peter Block - Stewardship - Choosing Service Over Self-Interest
Neil Armstrong was a true Operational Risk Professional...Godspeed.

22 July 2017

Global Pulse: Resilience in Development...

The asymmetric threats cast upon the private sector on a daily basis across the globe are rising and more complex.  As a result, Operational Risk Management (ORM) is a discipline that has quickly matured in the past decade.

Today, as we embark on this blog post number 1154 we can reflect on our amazing journey.  When you search Google from our location on "Operational Risk Management Blog" this blog is the number 1 link.

This endless journey encounters new insights and traverses industry sectors including financial services, energy, automotive manufacturing, aerospace, defense industrial base, pharmaceuticals and government, both local and federal.  It has involved the following four fundamental principles of ORM:
  • Accept risk when benefits outweigh the cost.
  • Accept no unnecessary risk.
  • Anticipate and manage risk by planning.
  • Make risk decisions at the right level.
Whether the oversight and pursuit encountered the risks of fraud, economic espionage, workplace violence, natural disasters, terrorism or cyber vulnerabilities does not matter.  The threats and hazards that span the spectrum of Operational Risks to the enterprise are vast and increasingly diverse.

The discipline continues the quest to improve and to learn new lessons from both the private sector and government.  Now both of these need to also include a third dimension that is evolving and could be the place to look for real innovation:  Non-Governmental Organizations (NGOs).

The NGO community is the environment that has now gone beyond response and is finally becoming more predictive:
Global Pulse is a United Nations initiative, launched by the Secretary-General in 2009, to leverage innovations in digital data, rapid data collection and analysis to help decision-makers gain a real-time understanding of how crises impact vulnerable populations. Global Pulse functions as an innovation lab, bringing together expertise from inside and outside the UN to harness today’s new world of digital data and real-time analytics for global development. The initiative contributes to a future in which access to better information sooner makes it possible to keep international development on track, protect the world’s most vulnerable populations, and strengthen resilience to global shocks.
There are plenty of situational awareness analogies that can be made to the risk management of vital private sector or government assets over the years.  Predictive operations have been evolving for years with the goal of preemptive capabilities to detect an attack on a Homeland.  The analysis of information from disparate sources is nothing new.  Link analysis and other methods of qualitative and human factors analysis give us the cues and clues to a possible evolving pattern of human behavior.

Yet what is fascinating now about the NGO perspective, is the intersection of Big Data and the mobile phone:
Wherever people are using mobile phones or accessing digital services, they are leaving trails behind in the data. Data gathered from cell phones, online behavior, and Twitter, for example, provides information that is updated daily, hourly and by the minute. With the global explosion of mobile phone-based services, communities all around the world are generating this real-time data in ever-increasing volumes. These digital trails are more immediate and can give a fuller picture of the changes, stressors, and shifts in the daily living of a community, especially when compared with traditional indicators such as annual averages of wages, or food and gas prices. This is especially crucial during times of global shocks, when the resilience of families and their hard-won development gains are tested.
These global shocks, whether economic, geopolitical or the result of climate change, are at a macro level nothing more than environmental volatility.  This volatility in markets, government leadership, religious conflict and drought is what is driving the NGO development community to be more predictive and more preemptive.

In concert with this focus on predictive intelligence is the initiative "data philanthropy."  How can the data sets from our respective countries be shared to work on the really hard global problems together?  Open Data sites are just the beginning.  You have to make sure that you recognize the attributes of "Big Data for Development" vs. the private sector or purely government data:
Big Data for Development sources generally share some or all of these features:
(1) Digitally generated – i.e. the data are created digitally (as opposed to being digitised manually), and can be stored using a series of ones and zeros, and thus can be manipulated by computers;
(2) Passively produced – a by product of our daily lives or interaction with digital services;
(3) Automatically collected – i.e. there is a system in place that extracts and stores the relevant data as it is generated;
(4) Geographically or temporally trackable – e.g. mobile phone location data or call duration time;
(5) Continuously analysed – i.e. information is relevant to human well-being and development and can be analyzed in real-time;
What if the private sector and the government started looking through a different lens?  Or perhaps the other way around.  Is the NGO development community capable of learning from the mistakes with data that intersect with privacy and national intelligence?  Operational Risk Management is just as much an imperative in the NGO environment, as we evolve in the integration of Big Data for global humanitarian initiatives.

When you really look at the opportunity and the challenge ahead, you must consider this intersection of data today in context with where development is still in its infancy.  Look at this visualization of Google search volume by language.  Notice the darkest parts of the planet Earth.

These are where the NGO community lives today, with little access to the Internet, regardless of language.  The human resilience factor necessary to evolve in these non-connected, IP (Internet Protocol)-deprived areas of the world must be addressed as we aspire to become more predictive risk managers.

16 July 2017

Cyber Deterrence: Chief Information Warfare Officer (CIWO) is born...

In 2017 there has been a significant amount of news and dialogue on the topic of information security. America is now waking up to the reality that its true vulnerability is critical infrastructure reliance on strategic networks, and this is worth analyzing in depth.

Operational Risk Management (ORM) in critical infrastructure sectors such as Energy, Finance, Transportation, Defense Industrial Base (DIB) and a dozen more is alive and well. Yet the long view requires a pivot away from the cyber analogies of immune systems and daily hygiene, which simply address cyber theft, denial of service, viruses and ransomware.

The growing priority problem-set is "Cyber Deterrence" and the U.S. is still a long way off from having this strategy in place. The current abilities of several known nation state adversaries to launch and maintain a persistent attack on our critical infrastructure require a new and robust set of initiatives to solve this new reality and immediate cyber problem for national security.

The fusion of Homeland Security with U.S. Department of Defense planning to address "Cyber Deterrence" is necessary and beyond what has been accomplished to date. The attributes focused on "Continuity of Government" (COG) and "Continuity of Operations" (COOP) are paramount with solving the hard problem-set of U.S. Cyber Deterrence. Why?

A wider range of military cyber options is needed beyond diplomatic expulsions and economic sanctions, and a clear policy framework must be in place for these deterrence options to be utilized against nation states.

The growing use of cyber offensive weapons requires an increased level of preparedness, offensive war games and planning, including substantial integration with the U.S. private sector critical infrastructure companies. The resilience factors associated with Fortune 500 private sector companies are vital.

First, a substantial portion of the new problem-set, involves the use of offensive cyber weapons and the declaratory engagement policy with adversaries such as Russia, China, Iran and North Korea. This must include the key dialogue on attribution capabilities. Have you ever had a conversation with your information security team on the topic of attribution? If you haven't then now is the time to better understand this set of issues.

Second, the degree to which a private sector company has been under attack by non-state actors will in many cases provide an indicator of their current cyber deterrence capabilities. The question is, how would they respond and how resilient would they be if any new attacks were exponential in proportion to previous adversarial campaigns?

Third, coordination is required not only with DOD and private sector companies but also, to a significant degree, with the Department of Homeland Security (DHS), the State Department and the Intelligence Community (IC).

Non-Kinetic cyber actions utilized by the military are not new. Strategic U.S. ICT (Information, Communications & Technology) capabilities working side-by-side and in concert with the military are now more necessary than ever. Private sector organizations' interaction and engagement with USCYBERCOM to establish working relationships that include COG and COOP level planning also need to accelerate.

So what?
The House has joined the Senate in calling for the Department of Defense to update its cyber strategy and to more clearly define the meaning of cyber deterrence.
The House on July 14 overwhelmingly passed the 2018 National Defense Authorization Act, which included a number of cyber-related amendments, including a provision directing the secretary of defense to "develop a definition of the term 'deterrence' as such term is used in the context of the cyber operations of the Department of Defense; and assess how the definition...affects the overall cyber strategy of the Department."
The Senate's draft of the NDAA establishes a U.S. cyber deterrence and response policy and calls on the administration to develop a clear cyber deterrence strategy.
The Chief Information Warfare Officer (CIWO) has been born...is it a myth?