15 January 2017

Inspired Outcomes: A Culture of Why...

Why does your organization exist?  Most people answer this question with the kinds of products or services provided.  This is "What you do".  Some people talk about how they provide the service or how the product works.  This is "How you do it".  This does not answer the question.

Most organizations have it backwards.  What >> How >> Why.  Now think, Why >> How >> What.

Why your organization exists is paramount to understanding the real purpose and DNA of your culture.  It is vital to the people who show up every day, the core reason they perform their role or contribute to the measurable outcomes of the team.  True Operational Risk Management (ORM) professionals discover the "Why" at the beginning.  Without the truth behind "The Why", nothing that follows has enough context.

When you begin the journey to build a better product, or to invent a new process, you had better know the answer to "Why".  Discovering this first will provide the inspiration, the creativity and the fortitude to get you and your team out of bed the next day, to do it all over again.  Without the "Why", we as humans lose sight of our destined purpose.

Over seven years ago, Simon Sinek was advocating for "Why" in his book and in his TED Talk.  A few years later, he was helping the Air Force hone new leadership skills in its pilots:

"I told the guys, it's not enough any more to be ace of the base," said Col. Richard "Tex" Coe, commandant of the United States Air Force Weapons School. "We have to bring others with us."

Coe believes the school's new leadership curriculum will translate to success in the global war on terrorism, particularly in the fight in Afghanistan.

"What we're going to be doing is purposely developing these innovative and creative leaders that will go out there and face problems," Coe said.

"We don't even know our problems yet, and we'll be able to put our pieces together and use resources and other people around us to get the mission accomplished."

Coe, a master navigator with more than 3,000 flight hours including 460 combat hours, left Afghanistan in 2002. Today, the country "is a new and different place" he said.

"It's a completely different problem than it was back then. It's ever changing, and we're preparing them for that ever-changing problem."
"What we believe" is not the same as "Why We Exist".  It is different and it could mean the difference to owners, employees, partners and external customers or clients.  Here is just one example from Palantir:
Why We're Here

"We believe in augmenting human intelligence, not replacing it.

With good data and the right technology, people and institutions today can still solve hard problems and change the world for the better."
How could you make this even more compelling?  More inspiring and motivating, so that you want to jump out of bed each day at the sound of the morning alarm?

Behind every process, product and service there are humans who must see, feel and smell the "Why".  If and when they do, now they are ready to endure the journey, the quest and the challenges ahead.  They are there for a purpose they can internalize and outcomes that they can pursue vigorously, each day.

Discover the "Why" from your clients and customers, if you have not already done so.  Understand deeply the reason why they are doing business with you.  You may be surprised to know that your clients are paying you more than they would pay your competitors, for the same product or service.  You may soon find out the real value of "Trust."

Making the "Decision to Trust" one product or service over another cannot be underestimated.  Yet so many organizations and companies fail to find the truth about "Why" in their ecosystems of followers.  Is it the location, the price, the ease of use, the color, the feel, the endurance, the speed, the intelligence?

Once you have discovered the truth on "Why", you must know "How".  Then the "What" will follow, with the name of your product or brand.  Isn't it interesting that when you are attending a networking or convention event and meet someone new, they may ask:  "What do you do?"

What if you answered the question like this:  "I work with X and we exist to Y."  The cause and reason for your organization's existence transcends everything.  It provides the foundation for why this person is going to trust you and your organization.  Now if only they would start the conversation with:  "Why does your organization exist?"

Once you have a solid foundation for "Why", then you must know "The How" and then "The What".  Here is another example:
"SpaceX designs, manufactures and launches advanced rockets and spacecraft. The company was founded in 2002 to revolutionize space technology, with the ultimate goal of enabling people to live on other planets."
Or how about:

"SpaceX exists to enable people to live on other planets.  We manufacture rockets and launch them so that our customers can supply other spacecraft or travel to other destinations beyond Earth."

Now think about your organization.  Take a deep look at your culture.  What is the fuel that will propel it into the future to achieve extraordinary outcomes?  Exponential results...

08 January 2017

Symbiosis: Information Advantage in a Virtual Battlespace...

Symbiosis with machines to gain information advantage is a challenging problem-set.  The magnitude of Operational Risks will now soar, as we pivot towards machines that are performing more as autonomous colleagues.  Pre-programmed instructions have been the standard for our software-based systems, until now.

The integration challenges ahead on the leading edge of "Information Advantage" produce a spectrum of new-born problems to solve.  User interfaces that are speech driven, or driven by a new Virtual Reality (VR) capability, are just the dawn of a new era.  DARPA (BAA-16-51) is already headed in this direction:
The symbiosis portfolio develops technologies to enable machines to understand speech and extract information contained in diverse media, to learn, to reason and apply knowledge gained through experience, and to respond intelligently to new and unforeseen events. Application areas in which machines will prove invaluable as partners include: cyberspace operations, where highly-scripted, distributed cyber attacks have a speed, complexity, and scale that overwhelms human cyber defenders; intelligence analysis, to which machines can bring super-human objectivity; and command and control, where workloads, timelines and stress can exhaust human operators.
"Technological surprise" is a complex area of research.  The problems to be solved are tremendous.  Information advantage in virtual environments has been developing for years.  15 plus years before the U.S. Department of Defense utilized the concept of a public "Bug Bounty" style program for vulnerability discovery on public-facing systems, Bug Bounties were used by the private sector.

Automated testing tools, and the ability to run software scripts that can simulate a human behind the keyboard, were invented more than a decade ago.  It is time for the next generation of information advantage to be addressed, combined with a strategic and policy-focused initiative.

Why?

Principal Investigators understand the stakes within the cyber domains.  The myriad adversaries have advanced far beyond current capabilities and are even utilizing our own infrastructure against us.  Their abilities to adapt and change direction, cloak their presence and attack from new locations are finally being understood in the Board Room.

Yet what is the business problem that is being addressed?  Who are going to be the primary beneficiaries of any new invention or solution?  More importantly, why will they continue to use it?

In between commercial-off-the-shelf (COTS) and military unique systems is the zone we shall be navigating to in the next few years.  Military adapted commercial technology is the place for tremendous opportunity and new innovation.

How will we get there?

Since there is no viable rapid acquisition structure in place, it means that new leadership and resources will be required to deploy these solutions.  The entrants to this area will prosper, if they are able to mobilize strategically and with speed.

Information advantage is a lofty goal and worth the ambition to achieve it soon.  The speed needed to attain even a slight edge over the adversary is a whole different strategy when you are talking about information operations.  Different from the traditional air or sea domains, the speed and ability to scale, deploy and execute with COTS is exponential.

How long did it take, start to finish, for physical solutions such as "PackBot", "TALON", "Sand Flea", "BigDog", "Cheetah", "Perdix", "RiSE", "BEAR" and "WASP" to make it into the operational arena?  The ARGUS-IS camera on a "Global Hawk" UAS generates 1 million terabytes of data daily with a "persistent stare", to track all ground movements in a medium-size city from 60,000 ft.  How long did the procurement take to get this capability into the physical domain?

The speed in the current information warfare domain is exponential using COTS and IoT.  Using existing Virtual Machines on AWS-like infrastructure, combined with IP-addressable CCTV cameras to launch a DDoS on a DNS provider in minutes or hours is just one example. The "Mirai botnet" is just another tool (weapon) in the information advantage virtual battlespace.

So what?

Symbiosis with machines to gain information advantage is a challenging problem-set.  Think about the time it takes to design, procure and deploy a robot solution on the physical field of play.  Now think about the same in the almost limitless virtual domains across the globe.  The challenges ahead are formidable, and the really hard problems to be solved remain endless...

31 December 2016

2017: Navigating to Digital Trust...

Looking into the 2016 Operational Risk Management (ORM) rear view mirror, you may be asking yourself several questions.  How many significant losses have occurred this past year, from the failed people, processes, systems or external events in your organization?

You could be asking your team why you have yet to become the target of our adversaries, also known as COZYBEAR, APT28 or APT29, CloudDuke, or even Energetic Bear.  If you don't know who these are, then you probably already are "owned" by this adversary.  It may finally be a priority to become a participant in the "Automated Indicator Sharing" (AIS) initiative.

Where are you navigating to in 2017?

As we look across the vast landscape of our rapidly changing business and government domains, there is no turning back.  There is no ability to retreat or to acquiesce, in a world so full of continuous Operational Risk.

There is no certainty.  There is no true assurance.  There is only the ability to solve problems faster than your adversary or competition.  Some may call this resilience.

Therefore, the direction you take will forever shape your continued exposure to risks and your strategy for the opportunities that you do have control over.  It is a choice, and the questions from the Board of Directors, the Plaintiff Bar or the U.S. Attorney are not going to be the most difficult ones to answer.

In 2017, any major influential organization will be getting more transparent.  The metrics and the formulas (think mathematical algorithms) for counting and creating wealth will be further disclosed; the rules will change faster and more transparently.  Buyers and Sellers of digital content and intelligence will increase their levels of "Digital Trust".

How will these parties, partners and participants in a vast and exponentially expanding ocean of digital rules become more trustworthy?  They will begin to better understand the DNA of their respective TrustDecisions.

The constituents of organizations, countries and ICT (Information, Communications & Technology) entities will finally realize that transparency of the rules is a vital step to trustworthiness.  Better understanding the "Rules for Composing Rules" is a place to start.  Jeffrey Ritter is the visionary on this topic:
To be part of the disruption, any business must look in two directions—toward the companies that supply digital information to them, and toward the companies with whom their own digital assets are shared. To succeed in creating wealth, and enriching the trust that exists throughout a company’s ecosystem, companies must evaluate how they can be more transparent with their information suppliers, and what levels of transparency to demand from those companies who are outbound recipients. What are the right metrics to show how data or content (like videos) are performing? How will the reporting occur? Are the economic exchanges properly balanced by the value of the data being shared?
The negotiations have been in progress for days, months and years.  The question remains: where are you navigating to in 2017 and beyond?  What resources will you require to get you to your planned destination?  How will you adapt along the way, as the environment you are operating in changes?

Surviving the journey to your intended destination in 2017 will require bold new thinking.  It will be necessary to make many sacrifices along the way, on the ground or in a virtual domain.  The solution-sets that you utilize will require new entities (change agents) to be even more effective in solving the problems that arise.

These new entities (human and digital), which will solve problems more efficiently and effectively with you, are ready now.  So what will you do next to adopt, embrace, espouse, tolerate, and even endure the journey ahead?

May your exploration and travels in 2017 produce the intended outcomes.  We wish you a productive and Happy New Year!

17 December 2016

Sprint: Accelerating into the Unknown...

"If you want to go fast, go alone.  If you want to go far, go together"...
  --African Proverb
When you or your organization makes the decision to trust a market, a client, a solution and a model for business, there has already been an adaptive process.  The Operational Risks that you take as an entrepreneur, a designer, a software developer, a financier and the delivery mechanism are continuously changing:  People, Process, Systems and External Events.

You started this project to solve a large problem.  A big issue in a market or with an industry.  The "World's Most Innovative Companies" have been following a proven formula for decades.  What is their secret Intellectual Property?

In the R & D sections of the Defense Industrial Base or the Information, Communications and Technology (ICT) sector, the lights are never turned off.  The competitive world we live in requires that the proven process runs, finishes and repeats.  Then it is replicated across business units, departments and subsidiaries in other countries.

What if you are now testing new ideas to save lives or reduce potential harm to a small team or even the public at large?  What if you will be introducing your solution to a highly regulated market with a long process for government approvals?  What if the current bureaucratic overhead to accelerate your ideas prevents you from achieving the trust you require with your beneficiaries?  Answer:  You pivot to this 5 Step Process:
  • Map
  • Sketch
  • Decide
  • Prototype
  • Test
Five simple steps accomplished over the course of five days may seem easy.  It isn't.  The process for solving big problems and getting to a place where a financier is going to fund your project is really difficult.  It requires perseverance and an insatiable desire to achieve outcomes that you and your team know can work.  That will improve the odds of survival.  Here is just one example of a Map for a "Universal Communication Service" device problem-set:

[Figure: Map for a "Universal Communication Service" device problem-set.  TrustDecisions | Digital Reasoning | All Rights Reserved.]
When you start the process with the Strategy, Voice of the Beneficiary, Subject Matter Experts and pieces of previous efforts by creating a "Map", your overall risk factors start to become more apparent.  By stimulating the visual elements of the human brain's capacity for creative inspiration, you begin to see all the possibilities and also the challenges ahead.

Next, you start from the target beneficiaries' perspective, by starting with the end (outcomes) in mind.  A "Backwards from Perfect" process, or a variation of it, seeks to understand and answer the questions:  Will the beneficiaries of the solution trust our expertise?  Will they utilize this solution?

The human imagination is endless.  Rarely does it flourish when you want it to.  So be careful to plan for the fact that the best ideas and new breakthrough thinking will not happen in the same room with all of the stakeholders looking at a Map or a Sketch.  It just might happen as one of the participants is in the shower on Day 3, or taking an evening walk after dinner with a colleague on Day 4.

So what?

The questions asked and the process delivered are vital to any organization that is solving big problems.  A problem is only finally solved when the beneficiary says so: when the market accepts the solution, or the human using the tool achieves enough trust in it to use it again and again.  When the point in time arrives that the solution is verified and desired by enough people, then perhaps the problem has been sufficiently solved.

Until the next human decides to improve on it.  Or the next human believes there is a better way.  Or the environment that the solution was designed for, changes dramatically.  Now it may be time to get back into that room down the hall, with all the White Boards, Post-it Notes, Markers, Timers and some Healthy Snacks.

What does the unknown future look like?  At dawn, just early enough to know it is time to move forward faster than your opposition...

Begin Morning Nautical Twilight

The start of that period where, in good conditions and in the absence of other illumination, enough light is available to identify the general outlines of ground objects and conduct limited military operations. Light intensification devices are still effective and may have enhanced capabilities. At this time, the sun is 12 degrees below the eastern horizon. Also called BMNT...

11 December 2016

CIU: Corporate Intelligence Unit...

Approaching 2017, over six years later, Operational Risk Management (ORM) professionals are experiencing the "New Normal."  In the 2010 CSO Magazine sponsored eCrime Digital Watch Report, a survey of 535 companies, there are some observations on Operational Risk Management worth examination.

The CERT report from the same year focused on the "Insider Threat", and the area of concern is still "Digital Incidents by Insiders."  Seven years later, these numbers have only increased:
  • Past 12 months the number of incidents reported increased 16%
  • The per incident monetary loss (mean) was $394,700.00
Yet these two items are just the trend these days, as our global workplace becomes more mobile and stratified, using more partners, offshore suppliers and other 3rd parties to accomplish the daily tasks and workloads.  What is even more alarming are the following stats from the survey:
  • 72% of the incidents were handled internally without any legal action or law enforcement.
  • 29% of these incidents could not identify a subject responsible for committing a crime.
  • 35% of these incidents could not proceed due to a lack of evidence.
Interpreting these numbers prompts several questions worth exploring.  First, why were 28% of the incidents handled with some form of legal action or law enforcement?  We can surmise one of two reasons.  Either the incident was exposed to the public as a result of the magnitude of the harm that was caused, or the organization was prepared to capture evidence, properly investigate the incident and pursue a recovery of the loss through either a civil or a criminal process of law.

Second, why were 35% of the incidents unable to proceed due to a lack of evidence?  The organization may be lazy or apathetic about these loss events, or may have an insurance policy that covers these types of losses and was able to successfully recover the almost $400,000.00 average incident loss through this process.

Or, the organization is not capable of leveraging a sound "Digital Governance" and "Legal Policy" framework in order to properly investigate incidents that come from their own internal work place ecosystem of employees, partners, suppliers and other 3rd parties.

In order to gain "Strategic Insight" into these vital Operational Risk matters within the enterprise, the organization must establish an intelligence-led investigation.  Once the proper evidence collection and analysis is completed on the incident, then members of a corporate crisis team or threat management council can make more informed decisions.  That brings us to the final question.  Why in 71% of the incidents was a subject not identified as being responsible?

The answer to this question has much to do with the previous one, where there was a lack of evidence.  However, our hunch is that many of these insider incidents were the result of an employee error, mistake or unintended consequences.  The lost or stolen laptop from the unlocked car may fill some of this category.

Why would it be in the best legal interest of an organization to have a robust evidence collection capability supported by a sound "Policy Governance" and "Legal Framework"?
  • Duty of Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
This blog has touched upon these four vital areas of vulnerability to adversarial litigation in the past, because we know that whether you ask these questions internally, or the state's Attorney General and the FBI ask them, the answers must be discovered:
  1. What did you know?
  2. When did you know it?
  3. What are you doing about it?
While the number of loss events due to errors or omissions, many times due to a lack of proper training and awareness programs, is growing, so are the incidents resulting from the insider threat of:
  • Fraud
  • Sabotage
  • Espionage
  • Trade Secrets Theft
The modern day enterprise with preemptive, robust and collaborative law enforcement mechanisms in place has accepted the reality of the threat perspectives in their workplace ecosystem:
  • Some individuals who make threats ultimately pose threats.
  • Many individuals who make threats do not pose threats.
  • Some individuals who pose threats never make threats.
Make sure you read those a few times.  Because the workplace ecosystem is an evolving, dynamic and rapidly changing set of human elements, behaviors and motivations, creating more "Strategic Insight" is a necessary mitigation strategy.  There is a growing trend today for these enlightened organizations to create and effectively resource a corporate threat management team.  This team is comprised of a spectrum of members that span the digital to physical domains within the company, including the Chief Risk Officer, General Counsel, Internal Audit, Public Relations, Human Resources, Corporate Security and Information Technology.

In another, less formal survey of 630 employers by Dr. Larry Barton, the question was raised of which employee communication channel caused the company to act on a risk.  38% were through a digital messaging medium such as e-mail, text messages, blogs or social networking sites.  The ability to monitor over one third of employee communication channels remains a daunting task to this day.

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU with effective processes and procedures that provide a push / pull of information flow.  Applying the correct tools, software systems and controls adds to the overall milestone that many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident and the person(s) responsible, and to correlate information with other peers that may have been impacted by the same incident or modus operandi of the subject.  "Connecting The Dots" with others in the same company or with industry sector partners increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months, if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "DecisionAdvantage".  To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistleblower report, catch the attacker and/or have the evidence that you were a victim.

Which side of the incident spectrum you are on, either proactive or reactive, could make the difference in whether the attackers continue their schemes and attacks while continuously targeting those with the greatest vulnerabilities.  In some cases, those attackers include the plaintiff bar, and your evidence of "Duty of Care" is the bull's-eye.

03 December 2016

Digital Innovation: Architecture for the Future...

You are the Senior Operational Risk Management (ORM) Officer in your organization.  One early morning on a crisp Fall day, your "Black Phone" rings.  It is your boss calling.
"We need your leadership and assistance in the reorganization of our enterprise.  Your job will be to head up the new "Digital Innovation" mission group.  We need you to integrate and collaborate effectively with the other 9 mission centers in our organization."
You hang up the phone and your mind begins to wander.  How will you address the digital challenges ahead?  Where will you start?  Will you combine the current silos of the security and privacy domains?  What will the new Enterprise Architecture reveal about the new focus on the potential "Insider Threat"?  Is your enterprise ready to migrate to AWS?

The time has finally arrived, at this point in the organization's maturity, to address and accept the new reality.  In 2016, digital has become pervasive and the undisputed core of the lifeblood of our economy and business.  Not only has this reality finally started to gain traction with the Board of Directors and Senior leadership, it is now a mandate for our total reorganization.

What is the key reason why?  Exponential change and development of the operational ecosystems of the world.  Our global ICT (Information, Communications & Technology) infrastructure has created an international trust issue.  Achieving digital TrustDecisions across directorates, business units and international partners is now clearly mission critical.  Encryption is at the center point of the dialogue.

As you glance at your e-mail, after signing in using the "Digital Authenticator" also on your "Black Phone," it hits you square in the face.  The silos of security and privacy across the enterprise will have to be integrated and a new play book will have to be implemented early.  How will you architect this vital component of the mission group?

Digital Innovation going forward requires that you integrate effectively with a decades-old organizational structure.  No longer will the owner of the digital innovation mission reside with the person or department that runs the "Compute Utility".  Whether this has been called the CTO, CIO or VP of xyz does not really matter.  They have been overseeing the group that is responsible for the hardware, software and the functions that keep the compute utility running.

The lifeblood of your organization is "Data." This can be found in more than just one place within the organization. This data can be found far beyond just the "Zeros and Ones" being stored as a bulk repository, or "data lake," for analytics; backup & recovery; disaster recovery; and serverless computing.  How will you address the data across the landscape of your field operations with partners, suppliers, 3rd parties and each of their own intellectual capital?  Think about it this way:
  • Compute
  • Storage
  • Database
  • Migration
  • Networking & Content Delivery
Your current architecture is simply a utility.  Nothing more.  You want to turn it on, pay for only what you use when you use it, turn it off when you don't need it and have it available 24x7x365.  Right?  Just like your electric utility.

The new "Digital Innovation" mission center will now have a new mind-set.  A new architecture for the future:
Why?

The truth is, it starts with a model that is decades old.  It has sometimes been called "Backwards from Perfect".  Imagine yourself as one of dozens of "End-Users" in your enterprise.  What data do you need to do your job and fulfill your mission at that particular moment?  What type of device will connect to the utility to allow you to explore and create your model?

How will you build your understanding and the insight you require to fulfill the current question?  The hypothesis?  How will you deploy the new digital innovation with your stakeholders, collaborators and the trusted insiders to your latest mission?

Using a simple model like "Backwards from Perfect" with your Field Rep, Service Agent, Partner Consultant, War Fighter, Station Chief or Mission Program Manager is just the beginning.  Your future success and survival is now directly tied to where we started:  Operational Risk Management.

There isn't one person, one department or one mission that doesn't need you and your mission to succeed.  The safety and security of your people, your business unit and your purpose on the planet is at stake.  They are all depending on you...

Godspeed...

26 November 2016

Proactive Defense: ICT Supercomputers in the Fifth Domain...

The days are numbered for the major and large scale ICT (Information, Communications & Technology) incidents.  Corporations and global 500 organizations are scaling up for the long game, in a new era of Operational Risk Management (ORM).  We are rapidly moving from Fear, Uncertainty and Doubt, to "Proactive Defense."

No longer is the topic of digital strategy being pushed down the list of priorities by the Board of Directors; it is now at the top.  E-commerce and digital branding are an integrated dialogue along with EBITA in the corporate board room.  The "Trust Decisions" being made each minute of each hour by the enterprise are now being calculated by machines, sophisticated algorithms and data analytics.

"In an increasingly virtual world, it’s easy to lose sight of the fact that human networks, relationships and trust are more important than ever. Those bonds can be sparked in face-to-face discussions. Meanwhile, we can’t allow ourselves to be passive when our opponents are actively engaged and financially motivated. Since we have such a determined foe, we need to challenge each other on the stage. We need to change from thinking defensively to proactively on ICT."
  --William H. Saito, Special Advisor, Cabinet Office (Government of Japan)
Japan and other nations are racing each other to create the world's fastest-known supercomputer.  Why?

The deep learning and artificial-intelligence (AI) trend tells us that soon more corporations will be leveraging these government-owned assets for assistance.  Whether it is for medical diagnostics, cyberspace threat intelligence or improving the speed of other humanitarian focused equations, Japan is also joining the supercomputer race for the fastest computer on earth:

"In a move that is expected to vault Japan to the top of the supercomputing heap, its engineers will be tasked with building a machine that can make 130 quadrillion calculations per second - or 130 petaflops in scientific parlance - as early as next year, sources involved in the project told Reuters.

At that speed, Japan's computer would be ahead of China's Sunway Taihulight that is capable of 93 petaflops."

Why is the global race for supercomputer superiority a nation-state issue?  What is the reason for diverting national funds to this project, over others of key importance to the welfare of the majority of the population?  Operational Risk Management of the nation itself.

The "Fifth Domain" after Air, Land, Sea and Space is that infrastructure comprised of our planetary ICT landscape.  Digital infrastructures are now so integrated that cyberspace incidents such as war in Estonia, Stuxnet in Iran, Sony Pictures in the U.S. and the more pervasive "Ransomware" worldwide, are just the initial indicators of what still lies ahead of us.

We must now turn our attention to the positive innovation and continuous "Proactive Defense" of our critical infrastructure.  Nation states such as Japan and others, who are the key gateways for undersea cables, truly understand the vital nature of their ICT assets.

A nation state's "Cyberspace Strategy" has now evolved beyond the current state, to the "Fifth Domain".  Global 500 companies are fighting DDoS botnets on a daily basis trying to keep e-commerce running.  This largely invisible war will continue to evolve as new technologies and supercomputers become the new normal.

"On Tuesday, the chancellor, Philip Hammond, announced that the government was “investing” £1.9bn in boosting the nation’s cybersecurity. “If we want Britain to be the best place in the world to be a tech business,” he said, “then it is also crucial that Britain is a safe place to do digital business… Just as technology presents huge opportunities for our economy – so too it poses a risk. Trust in the internet and the infrastructure on which it relies is fundamental to our economic future. Because without that trust, faith in the whole digital edifice will fall away.”

20 November 2016

Intuition: Security in a World Without Borders...

"Technology is not going to save us.  Our computers, our tools, our machines are not enough.  We have to rely on our intuition, our true being."  --Joseph Campbell

On a crisp Fall morning, one week after the U.S. National Election, we were lining up outside the Harry S. Truman Building of the United States Department of State.  The Bureau of Diplomatic Security - Overseas Security Advisory Council was hosting its 31st Annual Briefing.

This year's briefing was focused on "Security in a World Without Borders" and as we passed through our ID check and screening, the anticipation was high.  Its private sector constituents, from the Fortune Global 500 to the small U.S.-based professional services firm, had one key similarity.

Leaders in attendance recognize that their business is integrated forever with an exponentially expanding system of interconnected machines.  CxOs across the globe are competing for business in the era of "The Fourth Industrial Revolution", where the vulnerabilities extend beyond the Critical Assets of the enterprise.

This year's keynote address was by Richard Davis, CEO of U.S. Bancorp.  His talk resonated with many as he recounted his rise from the days at the branch level securing the vault.  Now, he emphasized, most of his effort was focused on Operational Risk Management (ORM).  Data, Identities and Distributed Denial of Service (DDoS) were on his mind every day now.

Beyond the threats of a Post-ISIL Levant and operating in a world of Transnational Organized Crime, the room was almost full on Day 2 for the 10:45AM panel discussion "Developing an Insider Threat Program", moderated by Elena Kim-Mitchell, ODNI.

The OSAC participants on the panel were:
  • Roccie S., Capital One | Financial
  • Stanley B., Rolls-Royce North America | Defense Industrial Base
  • Joseph L., Southern Company | Energy
Each of these experts described the high-level architecture of their respective organization's design and approach to an "Insider Threat Program" (InTP), and they had consensus on one key element.

The "Human Factor".  The point that they all wanted to ensure the audience understood clearly is that all of the analytics software, data loss prevention (DLP) tools and sophisticated technology were not going to stop a determined and motivated adversary.

So what?

Your intuitive abilities as a human shall not be ignored or discounted.  How many times have you said to yourself, "I knew something wasn't right with that person"?  In fact, many times we are alerted to the anomalous behavior of a co-worker because human intuition is working 24x7 in our brains.

Gavin de Becker said it best in his book "The Gift of Fear," and we must not forget that these behaviors apply to everyone:
  • We seek connection with others.
  • We are saddened by loss and try to avoid it.
  • We dislike rejection.
  • We like recognition and attention.
  • We will do more to avoid pain than we will do to seek pleasure.
  • We dislike ridicule and embarrassment.
  • We care what others think of us.
  • We seek a degree of control over our lives.
As our software systems learn and we begin to rely more often on the algorithms to recognize, translate and predict, we must not lose sight of our human intuition.  Do you have it?  Yes.  Are you using it more often and more effectively?  We hope you will be.

How often have we all said, "the signs were there"?  How many times are the clear and present indicators in the workplace being ignored?  An organization's "Duty of Care" is continuously at stake.  Human factors alone, just like software system alerts alone, will continuously expose the enterprise to significant loss events.  Here is just one example from the Washington Post:

The Pentagon’s Defense Security Service announced this year that contractors will be required to implement programs that are designed “to detect, deter and mitigate insider threats.” Contractors will be required to designate a senior insider threat official to oversee the program and provide training on how best to implement it.

While many details of the Martin case are not yet known, it is clear that it is not good for Booz Allen to have a second employee charged with stealing secrets from one of its most important customers, officials said.

What is the solution?

Government contractors, private sector businesses and their small and medium enterprises that are within the supply chain ecosystem for products and services are continuously challenged.  They are under the growing umbrella of a myriad of federal acquisition guidelines.

In addition, various export, civil liberties and privacy laws focused on preserving the integrity and trust of the United States in an international marketplace are compliance mandates for your global commerce.

New solutions are required as a result of the increasing spectrum of threats from individuals in the workplace, to the cyber nexus infiltrating your trade secrets and theft of intellectual property.

The TrustDecisions “Insider Threat Program” (InTP) has been designed from the ground up with organizations operating in highly regulated “Critical Infrastructure” sectors, including Financial, Energy and the Defense Industrial Base (DIB).

Many companies have already started the establishment of an “Insider Threat Program” (InTP).  Utilizing Subject Matter Experts from TrustDecisions will provide your organization with the confidence and continuous assurance that you stay on course.

“Achieving Trust” with employees, clients and suppliers is paramount in our digital 24x7x365 economy.  Designing and adapting the InTP to your unique culture and the changing threat landscape is a vital strategy.

12 November 2016

Exponential Innovation: Systems Risk with Beneficiaries...

When you have the opportunity to watch or attend TED, how does it make you feel?  Do you get the sense that the person behind the story, the idea, the innovation, is more genuine and sincere?

What about those advocating for "Exponential" change?  These are individuals and organizations that have made the leap beyond incremental change and invention and are on to the concept of "Exponential Innovation".  The xPrize Foundation is a perfect example.

How can big ideas, bold inventions and people with exponential thinking accelerate their cause, advocate their blueprint or design a creative new alternative?  They need a system.  A model and community platform for ingesting ideas, testing prototypes, adapting designs and fostering continuous experimentation.

Why do you need a new system in your organization?  Let us start with some simple mathematics.  Multiply the number of people in your organization x 2.  Now think about the number of products, initiatives or major changes that you successfully implemented over the course of the last 12 months.  How many?

It is a safe estimate that each of your employees has at least two new ideas or bold ways to improve or change a product or process in your organization each working day.  500 employees x 250 working days = 250,000 potential ideas, changes or exponential innovations.  How did you capture these and utilize a system to capitalize on them, for your organization and those you serve?

What does this new innovation system have to do with Operational Risk Management (ORM)?

The Operational Risks associated with an organizational system for capturing, nurturing and producing newfound Intellectual Capital are vast.  The goal, however, is to simultaneously accelerate, share and produce collective thought leadership within the greater public-private community.  This in itself creates new challenges in minimizing the potential for significant losses and external risk events.

Across all the domains for "Exponential Innovation" from Healthcare, Space Travel, Artificial Intelligence and Ocean studies to name a few, lies one of the greatest barriers to our ultimate progress.  Adapting to the ecosystem of people utilizing the product or service.

Total immersion in the marketplace or with the customer, the beneficiary of the new product, service or invention, is a significant factor for future success.  The single factor of time being embedded with the actual end user, recipient or beneficiaries of the newfound innovation is directly proportional to the Operational Risk exposures.

Think about it.  When was the last time your CEO or chosen leader was embedded with the customer for more than a few hours or a day?  How often is the scientist, designer or engineer using the product or system side-by-side with the beneficiary?  Not often enough or long enough.

Sure, we have all heard the mantra about "Managing by Walking Around" for decades, yet why do we continue to see the outcomes of this failure at well-managed companies such as Wells Fargo and Samsung?  Operational Risk Management (ORM) shall be a component of any major initiative and a necessary competency in any dangerous or high-risk environment.

From the decks of aircraft carriers to the trading on Wall Street, and within the test trials of new pharmaceuticals, to the Yottabytes of data across the Internet, Operational Risk Management (ORM) is more relevant than ever on an exponential scale.  Just ask Elon Musk, Warren Buffett, Bill Gates or Ash Carter what they think...

06 November 2016

Internet Hurricanes: Resilient Trust Decisions into the Future...

"Trust Decisions" are made in nanoseconds by a human being.  Your past experiences, data stored in your brain from sensory collection, and a clear understanding of the rules and the consequences assist you in your decision to trust.  To trust someone or some thing.

The science and the research on the process and systemic nature of how TrustDecisions occur, are ongoing.  Humans have for decades designed machines and software to mimic and replace our own decision making process.  It has been replaced with a foundation now found in semiconductors, artificial memory, databases, fiber optics, neural nets and 5G wireless networks.

Even deeper, trust decisions are now embedded in software code: the machine languages that have created our ability to use the entire Information and Communications Technology (ICT) infrastructure to our advantage, while simultaneously creating a tremendous vulnerability and opportunity for systemic risk.  Our Critical Infrastructure Sectors are forever integrated, with the increasing complexity and intelligence of our man-made machines.

The Fourth Industrial Revolution is upon us:

With significant growth in IoT and the cloud, machine learning and big data are becoming ever more important as a significant amount of previously untapped data are collected, assessed and digitized. These newly available data provide billions of dollars to potential businesses that can quickly and effectively evaluate the data.  Additionally, the International Data Corporation (IDC) forecasts global spending on cognitive systems will reach nearly $31.3 billion in 2019.   IDC further sees cognitively-enabled solutions that “offer the tools and capabilities to extract and build knowledge bases and knowledge graphs from unstructured and semi-structured information as well as provide predictions, recommendations, and intelligent assistance through the use of machine learning, artificial intelligence, and deep learning”.

So now what?  Only 50% of the population of our Earth is connected at this point in time.  What will happen over the course of the next two decades as the growth curve accelerates?  How, as a corporate enterprise or global organization, will we be able to weather the "Internet Hurricanes" that are ahead of us?

Whether it is a systemic cyber risk event or something worse, the opportunity exists now.  We begin the journey by revisiting our Trust Decisions: the rules that have defined us and the rules that our machines are executing on our behalf.

The decisions to trust that occur when our iPhone app utilizes wireless networks and GPS to guide us, using Google Maps, to our next destination.  The decisions to trust as the bank debits your checking account and routes the funds to your mortgage company.  The decisions to trust as the doctor reads the vital signs on the monitors attached to your loved one in the ER.

As Operational Risk Management (ORM) professionals, we must adopt a continuous resilience mindset.  We look at the automation and the benefit of the machine and yet we ask ourselves what if?  What if the battery fails?  What if the connection is lost?  What if the data is corrupted?

There is one idea that has been utilized to address this in an organization.  It begins as an exercise in resilience planning and beyond.  Start with a small team or project group.  Announce in advance that on a certain date and time, an "Internet Hurricane" will hit and a systemic cyber event will last 24 hours.  Could you survive?

This is not a new idea.  Clearly, the exercise for Disaster Recovery Planning (DRP) has other nuances yet it serves the point.  When was the last time your team was able to operate without access to data from a networked system?  The time has come to prepare for that next digital storm ahead of us.  Will you be ready to operate in an austere environment of your corporate domain without the Internet?

"It is really very simple. In the foreseeable future, we will not function as a global society without the Net and the immense digital resources and information assets of our society. The addiction is established—commerce, government, education, and our neighbors offer no option other than to require that we rely upon digital information in making decisions. But we will not function successfully if the war for control of those assets is lost. The battlefield, however, is the one on which trust is to be gained or lost—trust in the information we use, trust in the infrastructures that support us, and trust in the decisions we make in a digital world." -- Achieving Digital Trust, Jeffrey Ritter

30 October 2016

Legal Risk: Tools for Trusted Governance...

One of the reasons that the United States has endured is its transparency and the rule of law.  There are several key systems in place for corporations, organizations and governments to decide on the rules, publish them, enforce them and provide people with mechanisms for establishing trust in the system.  Operational Risk Management (ORM) as a discipline interfaces with many of them across the globe.

Policies that are not codified in laws are different across states and global jurisdictions.  The rules that people can rely on, and have come to trust for hundreds of years, remain the foundation for our modern civil societies.  It is when the rules are ignored, underutilized or forgotten that disruption and chaos can erupt.

"A key principle in modern democracies is that the rule of law is known. Statutes, regulations, court decisions, agency deliberations, and even the minutes of Federal Reserve meetings are published and made available. The operating premise is that, if the rules are accessible, civil order and social continuity will be strengthened and the conduct of those violating the rules is more easily prosecuted. The old saying that “Ignorance of the law is no excuse” rests on an important premise—the law must be published and accessible. The Internet has made much of the content of the rule of law even more accessible." -- Jeffrey Ritter

The country and the jurisdiction are key components of knowing the law, and in the day of the Internet the law is even more accessible.  An organization, company enterprise or governance body that is building and achieving trust has several tools at its disposal to assist in the enforcement mechanism.  One of those is an independent panel or group of outsiders who are convened to discover evidence.

A Board of Directors comprises individuals from both inside and outside the company, to help guide the organization.  In a private company, this "Board of Directors" makes informed decisions on the evidence of data to govern the enterprise.  Some of these decisions may involve what products and services to develop, or what people should be selected for or released from certain duties and responsibilities.

In the public sector, there is another mechanism that can be utilized: a Grand Jury.  The Fifth Amendment to the Constitution of the United States reads, "No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury..."

A grand jury is a legal body that is empowered to conduct official proceedings to investigate potential criminal conduct and to determine whether criminal charges should be brought. A grand jury may compel the production of documents and may compel the sworn testimony of witnesses to appear before it. A grand jury is separate from the courts, which do not preside over its functioning.[1]

One notable example of a Grand Jury being used in the process of the rule of law:

The second Watergate grand jury indicted seven lawyers in the White House, including former Attorney General John Mitchell and named President Nixon as a "secret, unindicted, co-conspirator." Despite evading impeachment, Nixon was still required to testify before a grand jury.

An environment of trust includes a vital component of transparent and accessible rules.  When there is a reason to discover the truth, we look to the governance factors of those rules.  Then we look at the clear evidence, the data, to determine the correct course of action in our inquiry.  A Board of Directors or a Grand Jury provides guidance on whether a particular case should be referred to a legal process in a particular jurisdiction.  The rules are clear.  Trust is preserved.

What are the outcomes and benefits of effective Operational Risk Management (ORM):
  1. Reduction of operational loss.
  2. Lower compliance/auditing costs.
  3. Early detection of unlawful activities.
  4. Reduced exposure to future risks.
ORM is a continual process that, when utilized effectively, will provide the four benefits described.  Why any governance organization or body that is interested in transparency and building trust would ignore the process is questionable.

ORM includes legal risk.  This is why private sector companies include the General Counsel (GC) in the team that helps to effectively govern the organization.  They understand the rule of law, the requirement for transparency, and the factors needed to achieve integrity and trust.

Now think about your organization, your jurisdiction and the process you are utilizing to ensure more effective TrustDecisions.  What can you do differently?  What will you do to make it better?  How will you provide the best use of the rules to effectively ensure the integrity and governance of the system?

Here is just one example:

Over 60 people in the U.S. and India face conspiracy and wire fraud charges in the largest crackdown against a telephone scam ever, officials said.

Callers from centers in India posed as federal agents to threaten victims with arrest, imprisonment, fines or deportation if they didn’t pay up, according to an 81-page indictment unsealed Thursday.

At least 15,000 Americans lost more than $300 million collectively during the four-year scam, according to the feds. A Texas grand jury indicted 24 people from nine U.S. states, 32 people from India and five call centers in Ahmedabad, India, earlier this month.

23 October 2016

Intelligence-led Enterprise: CIU Success Factors...

Intelligence-led processes applied within the corporate global enterprise continue to be relevant, for reasons being published in the popular press. "Operational Risk Management (ORM) Specialists" utilize these processes to mitigate a growing spectrum of domestic and transnational threats:

Developing relevant intelligence to run daily business decisions in your institution may seem like an important task day to day. The question is, how embedded is the "Corporate Intelligence Unit" in developing the relevant intelligence your decision makers need every few minutes or hours to steer the organization away from significant losses? Is your internal web-enabled "Corporate Daily News" or "ABC Company Post" being updated in real-time by the employees in each department or business unit?

Do you have an organized, synchronized media and communications function working within your Corporate Intelligence Unit (CIU), to continuously post the correct content and manage the RSS feeds from each global business unit? Why not?

The "Information Operations" (IO) of your company are the lifeblood of how your employees will make relevant decisions on where to steer clear of significant risk.  Based upon what other business units are doing or what is going on in the external environment of your state, sector or geography, consider these scenarios:

If the internal RSS Feed for the IT department reported that there was a Distributed Denial of Service (DDoS) Attack going on at the moment, how might that impact the decision by the marketing department to delay the posting of the new product release information to the Twitter site? The synchronization of intelligence-led processes is led by the head of the Corporate Intelligence Unit. The CIU is staffed with people who have a tremendous understanding of the corporate enterprise architecture and have the skills and talents to operate as effective operational risk management professionals.

If the internal RSS Feed for the Facilities Security department reported the presence of a "White Truck Van" with blacked-out windows trolling the perimeter of the corporate parking lot, how might this change the decision for the CEO to leave that minute for her scheduled trip to the airport? Skilled CIU staff would quickly notify the CEO via the "Corporate 9-1-1 Alert" App embedded in every employee's iPhone. Undercover corporate security personnel would then immediately approach the vehicle for a recon drive-by.

If the internal RSS Feed reported the recent change in industry legislation that would change the way the Federal Trade Commission defined the elements regarding consumer privacy, how might this affect the latest strategy on how the institution was going to encrypt its data in servers and on laptops? The CIU staff would advise the Chief Information Officer and other Information Security Risk staff to step up the roll-out of the latest version of PGP for the enterprise.

And the list goes on. The modern day intelligence-led Corporate Intelligence Unit (CIU), in concert with other highly specialized Operational Risk Management professionals in the enterprise, can keep you safe, secure and keenly aware of new threats to your corporate assets. The degree to which you provide the right resources, funding and continuous testing/exercising of your capabilities will determine your likelihood for loss outcomes.

If your organization has been impacted by loss outcomes that continuously put your employees, stakeholders or assets at risk, then look hard and deep at your "Operational Risk" quotient, to determine if you are the best you can be...

15 October 2016

Scrutiny: The Noun Missing From Your Culture...

The culture of your business or organization will continue to be the root cause of many of your most substantial successes.  Simultaneously, it will be one of the most significant factors in your potential downfall as a company.  Operational Risk Management (ORM) professionals at Wells Fargo and Booz Allen Hamilton are still dissecting all of the evidence of their respective events.

"Managing Risk to Ensure Intelligence Advantage" is a theme that you may not have heard before, unless you are in the Intelligence Community.  There is one key principle that is worth emphasizing again at this point in time:

Ensure all work is subject to scrutiny.  Require conflict-of-interest-free peer review for all programs, projects and strategies.

This principle, which shall become pervasive across the culture of the organization, is imperative for several reasons.  The first is that a culture really is a manifestation of the people and the behaviors that are normal in the organization.  The second is that the culture shall strive to be a true mosaic of the best thinking and ideas from all the key stakeholders in the enterprise, not just one or two people from the top or a singular department.

Submitting your work to the scrutiny of others is the beginning of newfound discovery and transparent insight.  It is the foundation for building a more trusted operating environment, with as little bias as you can possibly have in a culture.  When an organization spins out of control and becomes the latest case study on an Operational Risk failure event, you must learn from it.  Wells Fargo is just one recent example:

Some consumers may be shying away from Wells Fargo after learning that employees used customers’ information to open sham accounts, according to new figures reported by the bank.

The nation’s largest retail bank beat expectations when it reported more than $5.6 billion in profit for the past three months. But the bank’s earnings report also hinted that Wells Fargo may have some trouble convincing people to open new accounts in the wake of the scandal.

The number of checking accounts the bank opened in September fell by 25 percent from the same time last year, the company reported Friday. Credit card applications filed during the month dropped by 20 percent from a year ago. And the number of visits customers had with branch bankers also fell by 10 percent from last year. -- Washington Post

Whether you are in the international banking and finance business, the defense industrial base or any other set of critical infrastructure institutions that public citizens are counting on, there is no room for a runaway culture.  Consider this definition:

scrutiny

noun, plural scrutinies.

1. a searching examination or investigation; minute inquiry.

2. surveillance; close and continuous watching or guarding.

3. a close and searching look.

You see, the integrity and longevity of your "Trust Decisions" begin with the sharing of relevant information.  Sharing that information with your most trusted and significant partners is the start. The beginning of a dialogue with people in your culture who continuously review the information, the new strategy. This begins the ongoing process. It is now time for others to look at your idea, your strategy, your policy rule, from their perspective. From their knowledge-base. To scrutinize it. To analyze it. To make sense of it for them and those affected by it.

The truth is, you don't have all the understanding and you don't have all of the ecosystem knowledge. You don't have the entire data set, to know if the specific work you have been doing is sound and correct. That the new work you have designed, is culturally and morally acceptable. That the outcomes of your project will produce the results imagined. That the strategy and the work, is the right thing to do at this point in time.

So how do you change? It begins with your next management meeting and beyond. If you are the leader, the manager, the director, the Vice-President or the CxO, start now. Ask for scrutiny on your proposed strategy. Gain new insight and understanding. Ask for feedback and changes to make it better. Your power in the culture and its impact is your greatest weakness. Your people will follow you, unless you challenge them to think differently...

09 October 2016

Forest for the Trees: Inside the True Threat...

After we checked in, our elevator ascended to the 4th floor of the Washington Post on October 6th, where everyone on board was anxious to get their seat inside the "Live Center."  The 6th Annual Cybersecurity Summit began at 9:00AM, on the heels of international news from Yahoo, Julian Assange and the NSA.

The TV cameras were lined up in the rear and the chairs were set on stage for 30-minute talks with key thought leaders across the United States.  One could not miss the ceiling-based sensors capturing the faces of each person attending.  The moderators from the Washington Post were all prepared with their specific area of questions to address such topics as:
  • Protecting Personal Data
  • Political Hacks and Leaks
  • Cyberspace:  A 21st Century Warzone
  • A Focus on Critical Infrastructure
  • The White House and Cybersecurity
Flashback 6 years to Harrison Ford's movie Firewall, and the viewer is entertained with a combination of a Seattle bank heist, a kidnapping and good old-fashioned Hollywood chase and fight scenes.  There is even a degree of deception and conspiracy mixed in to spice up the story line.  The plot is full of social engineering lessons, from which even those with little knowledge of high technology can learn a thing or two.

While the actual high technology bank heist turns out to be nothing more than a simple stealing of account numbers and a transfer of $10,000 from 10,000 high net worth customers, the movie title is a ploy.  In only one short sequence is there any focus on the fact that the bank is being attacked on a daily basis from other locations on the other side of the globe.  Those attackers using new and increasingly sophisticated strategies, are consistently giving financial institutions new challenges to secure their real assets, binary code.
In early 2005, a criminal gang with advanced hacking skills had tried to steal GBP 220 million (USD 421 million) from the London offices of the Japanese banking group Sumitomo and transfer the funds to 10 bank accounts around the world. Intelligence on the attempted theft via key logging software installed on banks' computers had been circulating in security circles at that point in time.  Soon thereafter, warnings were issued to financial institutions by the police to be on the alert for criminals using Trojan Horse technology that can record every key stroke made on a computer.
In this decade-old case, and even in the movie, there is a 99.9% chance that an "insider" is involved.  A person has been bribed, threatened or spoofed in order for the actual fraud or heist to occur.  The people who work inside the institution are far more likely to be the real source of your catastrophic digital incident than the skilled hacker using key logging software.  More and more, the real way to mitigate these potential risks is through behavior profiles, continuous monitoring and deep learning analysis.

The human element, which relates to situational awareness, can't be ignored any longer.  And this can only be changed through more effective education, training, and testing of employees.  An organization that procures technology worth millions of dollars is naive if it does not invest in educating its employees to make the investment worthwhile.  Sometimes the human element stands alone.  Just ask Mr. Robot.

Awareness, detection and determination of threat, deployment, taking action, and alertness are key ingredients for security.
"Predictive Intelligence comes into play as organizations recognize that detecting threats, starts long before the firewall is compromised, falsified accounts established and bribes taken."
The Israeli airline El Al has known for a long time the power of humans as a force in security.  An empowered, trained and aware group of people will contribute to the layered framework as a force multiplier that is unequaled by any other technology investment.

The cyber topics and IP theft news this week should be a wake-up call for those institutions who still have not given their employees more of the skills and their Operational Risk Management (ORM) professionals the predictive tools for detecting human threats, long before any real losses occur.

The truth is that "Insider Threat" data is being collected by the minute and the hour.  The public and private sectors have the highest concern about malicious insider activities to this day.  What are some examples of the behavior?  Some of these are observable by other humans and others only by machines and software.  Do you currently measure the number of times per day a user on your network copies files from their system to a removable drive or Dropbox account?
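One way to start measuring exactly that question, as an added example in Go that is not from this post or from any vendor's product: it parses endpoint-agent log lines (the line format, field names, user names and the two thresholds are all assumptions constructed for the example), counts copies to removable media or cloud-sync folders per user per day, and flags a day that is both above an absolute floor and well above that user's own average on the other observed days. The point the paragraph makes is that the signal is only useful when someone counts it; the baseline comparison is what separates a steady power user from a sudden spike.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// CopyEvent is one parsed endpoint-agent record of a file leaving a workstation.
type CopyEvent struct {
	When time.Time
	User string
	Dest string // "removable" or "cloudsync"
}

// ParseEvents parses constructed lines of the form
//   2016-09-19T09:00:00Z user=jdoe action=file_copy dest=removable file=f.dat
// and keeps only file_copy actions whose destination is removable media or a
// cloud-sync folder; every other action or destination is ignored as noise.
func ParseEvents(log string) ([]CopyEvent, error) {
	var out []CopyEvent
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", sc.Text(), err)
		}
		kv := map[string]string{}
		for _, f := range fields[1:] {
			if i := strings.IndexByte(f, '='); i > 0 {
				kv[f[:i]] = f[i+1:]
			}
		}
		if kv["action"] != "file_copy" || (kv["dest"] != "removable" && kv["dest"] != "cloudsync") {
			continue
		}
		out = append(out, CopyEvent{When: ts, User: kv["user"], Dest: kv["dest"]})
	}
	return out, sc.Err()
}

// DailyCounts returns copies per user per UTC day, keyed user -> day -> count.
func DailyCounts(events []CopyEvent) map[string]map[string]int {
	counts := map[string]map[string]int{}
	for _, e := range events {
		day := e.When.UTC().Format("2006-01-02")
		if counts[e.User] == nil {
			counts[e.User] = map[string]int{}
		}
		counts[e.User][day]++
	}
	return counts
}

// Alert names a user-day whose copy count looks anomalous for that user.
type Alert struct {
	User  string
	Day   string
	Count int
}

// FlagSpikes flags a user-day when the count reaches the absolute floor and is at
// least `multiple` times the user's average over the other days seen. A user seen
// on only one day has no baseline, so the floor alone decides.
func FlagSpikes(counts map[string]map[string]int, floor int, multiple float64) []Alert {
	var alerts []Alert
	for user, days := range counts {
		total := 0
		for _, c := range days {
			total += c
		}
		for day, c := range days {
			if c < floor {
				continue
			}
			others := len(days) - 1
			if others == 0 || float64(c) >= multiple*float64(total-c)/float64(others) {
				alerts = append(alerts, Alert{User: user, Day: day, Count: c})
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool {
		return alerts[i].User < alerts[j].User || (alerts[i].User == alerts[j].User && alerts[i].Day < alerts[j].Day)
	})
	return alerts
}

// SampleLog builds constructed log lines: jdoe copies two files a day for four days,
// then 25 to a USB drive on the fifth; asmith steadily copies three a day (never
// flagged); mlee appears once with 12 cloud-sync copies (flagged by the floor alone).
func SampleLog() string {
	var b strings.Builder
	line := func(day, hour int, user, action, dest string) {
		fmt.Fprintf(&b, "2016-09-%02dT%02d:00:00Z user=%s action=%s dest=%s file=f.dat\n", day, hour, user, action, dest)
	}
	for d := 19; d <= 22; d++ {
		line(d, 9, "jdoe", "file_copy", "removable")
		line(d, 14, "jdoe", "file_copy", "cloudsync")
		line(d, 15, "jdoe", "file_open", "local") // noise: not a copy
	}
	for i := 0; i < 25; i++ {
		line(23, i%24, "jdoe", "file_copy", "removable")
	}
	for d := 19; d <= 23; d++ {
		for i := 0; i < 3; i++ {
			line(d, 10+i, "asmith", "file_copy", "cloudsync")
		}
	}
	for i := 0; i < 12; i++ {
		line(21, 8+i, "mlee", "file_copy", "cloudsync")
	}
	return b.String()
}

func main() {
	events, err := ParseEvents(SampleLog())
	if err != nil {
		panic(err)
	}
	for _, a := range FlagSpikes(DailyCounts(events), 10, 3.0) {
		fmt.Printf("ALERT user=%s day=%s copies=%d\n", a.User, a.Day, a.Count)
	}
}
```

With the constructed sample, only jdoe's fifth day (25 copies against a baseline of 2) and mlee's single day (12 copies, no baseline) are flagged; asmith's steady three a day never reaches the floor. In practice the floor and multiple would be tuned per role, and the counts would feed the behavior profiles the paragraph refers to rather than stand alone.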

Executive Order 13587 was just the beginning to address the single point failures in the Defense Industrial Base supply chains.

Think inside the true threat.  Ask questions about relationships, personality, job satisfaction, organizational structure, punctuality and who is leaving the organization.  Who has just joined the company?  The interdependencies are vast and complex and both data and metadata need to be collected for effective Activity-Based Intelligence (ABI).

Anomaly Detection at Multiple Scales (ADAM) and the research on better understanding the "Forest for the Trees" scenarios is our destiny for the true threat.  We will continue our security vs. privacy policy debates, yet at the end of the day, maybe the answers are as simple as Rubik's Cube.
If you start thinking of the Super Bowl championship as your motivation, you are going to miss the trees for the forest or the forest for the trees. I never could understand that one. Marv Levy

02 October 2016

Homegrown Violent Extremism: Vigilance of Intelligence...

Since the Boston Marathon terrorist attack on Patriots Day, April 15th, 2013, the spectrum of Operational Risks that have descended upon the region and the country is vast.  People, processes, systems and external events are the state of play.  If you own a backpack and you are taking it on public mass transit or to a public event soon, remember this.  The new normal has finally arrived in the United States of America, again.

What does the face of terrorism look like?  London understands.  Oslo now understands.  FOB Chapman understands.  New York City.  San Bernardino.  Orlando.  Dallas.  Even as we begin the analysis of this latest U.S. based event in context with all the similarities of past episodes of terror, we are left with one absolute known.  Operational Risk Management is essential, no matter who you trust and how much you trust them.  The public now understands this once again and regardless of how much we may want to continue to enjoy our civil liberties and privacy, you never know when or how this will happen again.

Why is it that Israel and other nations that are far more advanced in their Operational Risk strategies still witness numerous incidents of terror?  Because it is impossible to eliminate.  It is only possible to mitigate the risks and likelihood of occurrence.  Public safety and security incidents of this magnitude are the visible metric we all judge to make sense of our progress.  Our only hope is better intelligence.  Lisa Ruth explained this over four years ago:

Intelligence is the best, the only, way to defeat the terrorists. To tackle the terrorist threat, we need all the weapons in our intelligence arsenal. That starts with intelligence requirements from the entire community that are well-focused and well-targeted. It means funding and a mandate to succeed. It means strong collection. We need human intelligence, which comes from case officers recruiting sources on the ground to give us information. We need electronic information, including telephone intercepts and static listening devices. We need overhead photography. We also need open source information such as web sites, facebook pages and other publicly available information. We need analysis, putting the pieces together. And we need decision makers who trust the intelligence services and listen to what they are saying. Washington Times, 9/14/2012

So in the dark shadows and behind closed doors, the whispers continue to debate how Boston Patriots Day 2013 could have happened.  How, on December 2, 2015, 14 people were killed and 22 were seriously injured in a terrorist attack at the Inland Regional Center in San Bernardino, California, which consisted of a mass shooting and an attempted bombing.  Why didn't the intelligence we already had provide the warning in time, in the midst of a glaring yellow or red flag?  As the analysis continues and the best and the brightest determine the lessons learned, we can only pray that our process changes take place and citizens' behaviors are modified.  Erroll Southers explains why we have more work ahead of us:
At the same time, the radicalization process is not brief. Extremism smolders like a hot coal, an idea that grows into a violent fire fueled by anger, conflicts of identity, feelings of humiliation and marginalization. It is important for the public to understand that removing any one of these elements cannot fully disrupt radicalization. All of these and other root causes need to be addressed in the effort to not just apprehend terrorists, but dissuade the radicalization that leads to terrorism.
There will be numerous accounts of heroism, people who saw or reported details that could have helped stop any of these Homegrown Violent Extremist (HVE) events.  What matters most from this point forward is that "John Q. Citizen" realizes the importance of being ever vigilant.  Having a continuous sense of personal vigilance is our only hope.  Whether in the crowd at the next marathon or in a lonely office cube, off Route 123 does not matter.  The goal is the same and we must not lose sight of our mutual responsibilities and unified purpose.
Godspeed America!
  1. An expression of good will when addressing someone, typically someone about to go on a journey or a daring endeavor.

25 September 2016

ORM: "All Threats & All Hazards"...

If you are new to the discipline of Operational Risk Management (ORM), your entry point into its vast spectrum is a vital realization. The business problem that you are trying to solve with the utilization of an effective set of protocols, policy and risk management framework may take years to accomplish. Do you have that much time?

Operational Risk Management 101 requires an "All Threats & All Hazards" point of view from day one. It also requires a protocol that your whole organization can understand, implement and put to work on a daily basis. Whether you are in banking, drilling for oil, flying an AV-8B out of hostile conditions or preparing for hundreds of people at a "State Dinner" on the South Lawn, Operational Risk Management is the versatile discipline that will enhance your safety and security.

Practitioners of ORM know that the next threat or the unexpected hazard is almost impossible to defend against. Once you realize that you are always in "degrees of vulnerability", your mindset changes about where to spend your activity, effort and resources to maximize your returns. Did anyone see the process of turning sub-prime mortgage portfolios into securities and selling them to investors on Wall Street as a future threat to our economic prosperity? Yes. The same people bought instruments to hedge this risk in the form of "Credit Default Swaps" (CDS):
Credit default swaps are often used to manage the credit risk (i.e., the risk of default) which arises from holding debt. Typically, the holder of, for example, a corporate bond may hedge their exposure by entering into a CDS contract as the buyer of protection. If the bond goes into default, the proceeds from the CDS contract will cancel out the losses on the underlying bond.
Prudent Operational Risk practitioners look at the threat and invent the correct tool, product, or countermeasure to hedge the risk. It happens on Wall Street and it happens on the urban battlefields of cities across America. A US Justice Department researcher, Lester Shubin utilized a DuPont fabric intended for tires and developed the Kevlar bulletproof vest. This inventor passed away about seven years ago and is credited with helping to save the lives of over 3,000 law enforcement officers. A heart attack took the life of a man who understood the core value of "Operational Risk Management." Godspeed Lester.

Shubin and his advocates had many obstacles to overcome in order for their idea, invention and risk management habit to succeed. First there was testing, then the legal hurdles to get companies to manufacture vests because of liability and then finally getting street cops to use them. This practitioner of Operational Risk did not stop there. He was also one of the first to suggest the use of canines to find explosives.

If you enter the ORM discipline from a safety orientation the perspective may be different than one who enters it from a security orientation. What they both have in common is managing risk. The most effective 21st century experts in Operational Risk Management realize that an "All Threats & All Hazards" mindset is crucial to the entire profession. So how do you know where to invest your activity, effort and resources? That depends on your industry sector, the environment you are operating in and the pace of the processes being performed.

Being an effective Operational Risk expert today requires a multi-faceted, mosaic-based, pervasive protocol in order to be adaptive. Working and operating in the trading pit at the Chicago Mercantile Exchange (CME) or the deck of CVN-77 in the middle of the Arabian Sea both require the same set of skills, knowledge and training. If done effectively, it will save lives and millions of dollars simultaneously.

18 September 2016

Digital Citizens: The Integrity of our Trust Decisions...

Operating globally in business requires travel across borders and into less than familiar places.  Operational Risk Management (ORM) is at the forefront of global commerce for good reason.  The tools we use to assist us range from the smart phone airline App that holds your boarding pass to the latest travel warnings from the U.S. State Department's "SmartTraveler" App.

Perhaps on your last trip abroad you ditched your regular personal smart phone for a pay-as-you-go model that you could throw away upon your return.  Most likely a prudent strategy, especially if you are traveling into physical places that are known to be less trusted for their wireless communications infrastructure or for other questionable reasons.

Regardless, the use of a Virtual Private Network (VPN) when connecting a device in any country is worth the extra step for privacy.  OpenVPN or Golden Frog's VyprVPN can provide your iOS or Android device with an encrypted tunnel to prevent eavesdropping on your Internet traffic.  Again, a wise step to take at all times.

However, even today that may not be enough.  Digital Trust is paramount in a mobile-centric 24x7 business world.  The integrity of communications from the CxO ranks while traveling abroad is vital when interacting with senior staff and other government collaboration partners.  Our trusted Apps will perhaps need a new and emerging set of capabilities going forward.  Marc Canel writes:

"A group of security experts led by ARM, Intercede, Solacia and Symantec collaborated to create a new security protocol for smart connected products.

The companies agreed that any system would be compromised unless a system-level root of trust between all devices and services providers was established. This led to the definition of the Open Trust Protocol (OTrP), which combines a secure architecture with trusted code management, using on mobile devices proven technologies from banking and data applications.

The protocol is now available for download from the IETF website for prototyping and testing. The key objectives of OTrP are to develop:

  • an open international protocol based on the Public Key Infrastructure (PKI)
  • an open market for competing certificate authorities
  • an ecosystem of client and server vendors around the protocol
Collaboration began in early 2015 and soon grew to 13 companies. The alliance worked with the IETF and Global Platform to get OTrP adopted as a protocol within their organizations."

The OTrP protocol adds a messaging layer on top of the PKI architecture. It reuses the Trusted Execution Environment (TEE) concept to increase security by physically separating the regular operating system of a device from its security-sensitive applications.
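The quoted objectives and the paragraph above describe a system-level root of trust and a messaging layer on top of PKI. The following Go program is an added illustration of that idea only; it is not OTrP's actual message format or code, which live in the IETF drafts the quote refers to. It uses the Go standard library's X.509 and ECDSA support to build a root the device trusts, a service-provider certificate issued under it, and an impostor whose certificate chains to a root the device has never heard of, then shows the device-side decision: accept a signed message only if the sender's certificate chains to the trusted root and the signature over the payload verifies. The certificate names, the JSON payload and the message structure are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check keeps the demo short: production code would return errors, not panic.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert generates a P-256 key and a certificate for it; parent == nil yields a self-signed root.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// SignedMessage is a constructed stand-in for a provider-to-device message.
type SignedMessage struct {
	Payload []byte
	Sig     []byte            // ASN.1 ECDSA signature over SHA-256(Payload)
	Cert    *x509.Certificate // the sender's certificate, carried with the message
}

func Sign(payload []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) SignedMessage {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	check(err)
	return SignedMessage{Payload: payload, Sig: sig, Cert: cert}
}

// Accept is the device-side check: the sender's certificate must chain to a root the
// device already trusts, and the signature must verify under that certificate's key.
func Accept(m SignedMessage, roots *x509.CertPool) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := m.Cert.Verify(opts); err != nil {
		return false
	}
	pub, ok := m.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(m.Payload)
	return ecdsa.VerifyASN1(pub, h[:], m.Sig)
}

// Demo reports whether the device accepts a genuine message, an impostor's message
// signed under an unknown root, and a genuine message whose payload was altered.
func Demo() (genuine, impostor, tampered bool) {
	root, rootKey := newCert("Device Root CA (constructed)", true, nil, nil)
	provider, providerKey := newCert("service-provider.example", false, root, rootKey)
	rogueRoot, rogueRootKey := newCert("Rogue CA (constructed)", true, nil, nil)
	fake, fakeKey := newCert("service-provider.example", false, rogueRoot, rogueRootKey)
	roots := x509.NewCertPool() // the device's root of trust, provisioned before deployment
	roots.AddCert(root)
	payload := []byte(`{"op":"install-trusted-app","name":"payments"}`) // constructed
	good := Sign(payload, provider, providerKey)
	bad := Sign(payload, fake, fakeKey)
	forged := good
	forged.Payload = []byte(`{"op":"install-trusted-app","name":"spyware"}`)
	return Accept(good, roots), Accept(bad, roots), Accept(forged, roots)
}

func main() {
	g, i, t := Demo()
	fmt.Printf("genuine accepted: %v, impostor accepted: %v, tampered accepted: %v\n", g, i, t)
}
```

The impostor fails at chain validation even though its certificate carries the same common name, and the altered payload fails signature verification even though its certificate is genuine; the device needs both checks, and neither depends on anything the sender says about itself. The TEE the paragraph mentions is where a real device would keep the root certificate and this verification logic so that a compromised regular operating system cannot swap them out.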


We have created devices we want to trust.  Our business and global commerce requires the ability to effectively communicate with integrity.  The Open Trust Protocol (OTrP) is only the beginning.

Why?
The foundations of the Internet and the future of Artificial Intelligence (AI) will soon be at a break point.  A place in the growth curve where there is a bifurcation.  If we do nothing, the system will decline and die, as opposed to being re-engineered now to survive and adapt to the evolving environment ahead.  A digital environment where machines are talking to machines on a more massive scale at light speed, beyond just digital switches, routers and other mobile (IoT) devices.
The continuous integrity and assurance of our networked infrastructure to enhance "Digital Trust" is already well on its way.  Important foundations have already been established and the transformation steps are underway beyond protocols, with the education of our most promising generation of new software engineering talent.  Here is just one example, from Jeffrey Ritter's University of Oxford course, "Building Information Governance":

"To govern information now requires mastery of a diverse, often international, portfolio of legal rules, technology standards, business policies, and technology, all applied across increasingly complex, distributed systems and repositories. The increased scrutiny and requirements of official agencies and business partners impose new requirements for compliance documentation and transparency. This course introduces participants to a structured design approach that will enable strong, responsive and resilient information governance to be incorporated into the design and management of digital assets. 21st century information governance must navigate and embrace records management, privacy, electronic discovery, compliance, information security, corporate governance, and transparency of operations—all of these will be considered in this course."

The future of "Privacy Engineering" is at stake in a mobile commerce digitally trusted environment.  All of the protocols being developed for moving zeros and ones from point A to point B will not mean anything, if we have not effectively enhanced our "TrustDecisions" capabilities and outcomes.

The environment is virtual.  Just like the physical world, there are places that are safe and others that are dangerous and evil.  Since the beginning, the diversity of content and the people who are operating in the environment are good and bad.  This is the reason the virtual environment of the Internet has rules and the engineered governance that is necessary for the integrity and safety of the global citizens who utilize it.

You have to wonder what our digital world would be like without rules or any governance.  Without the international Rule of Law.  Without the enforcement of international safe havens for people to operate with integrity and in safety.  In the physical world and on the Internet.  It would be global uncontrolled chaos.

As you ascend into the next generation of mobile and global commerce, think harder about "Digital Trust".  How will the Trust Decisions that your business or your country relies on, remain in a safe haven?  Will the confidentiality, integrity and assurance of the underlying data science continually be trusted?
"These forces are concurrently driving transformations that are now already visible in how we structure the governance of our political states, our commercial consortia, our corporate digital ecosystems, and our interactions as individual users with the digital assets of the Net.
Ultimately, the Net succeeds or fails based on the cumulative affirmative decisions of individual humans to trust the networks, systems, devices, applications, and information assets that are the blocks from which the Net is constructed.   For the Net to prosper, and to be functional as a global infrastructure, the values and consequences of building digital trust must be embraced.  That evolution is already underway"...  Jeffrey Ritter