22 June 2019

Cyber Risk: Human Factors vs. Automation...

Operational Risk Management (ORM) is a growing multi-faceted mosaic composed of people, processes, systems and external events. The risks to the enterprise are increasing at a speed and on a trajectory that require the use of automated tools.

This is where risk to the enterprise may actually expand as executives and operational management rely on software to provide information assurance. The design and architecture of software needs a human-based fail-safe. It requires a human interface that allows and simultaneously requires human intervention. Has too much automation contributed to our increased levels of vulnerability?

Fortunately, the software designs have allowed for these opportunities and for a human factor to ask "What if" questions: the questions that may arise after an automated alert from the system tells us that something is outside the baseline parameters set for the system, the sensor or the alarm.

Now we go back to Operational Risk and the nature of thinking from a security and safety perspective. What is the continued reliance on automated systems doing to the human capital who have been charged with the overall "Standard of Care" for the enterprise?

We believe that they may have lost the ability to ask the right questions, at the right moment and with the correct contextual understanding.

What is the truth? Is it true? What evidence do we have that this is true? How do you know that the evidence is not spoiled or compromised? If we know the truth, then what do we do next? Is the software really telling us the truth?

The security and the safety of the enterprise is counting on you. And more importantly, the enterprise is asking you to question the software. The "rule-sets" that you have chosen as a result of the programmers' and architects' decisions can no longer be trusted.

Is our system learning? In what capacity is the system learning in context with the human interaction for judgement, intuition and ethical emotions? Are you with us? The next generation of "Cyber Security" Innovators are now at the edge of significant new breakthroughs and solutions.

"Active Defense" has been and is a controversial topic du jour, yet the next few years will be a new age of understanding, cultural bifurcations and significant global collaboration.

Our entire platform of digital trust is at stake and the conversation has finally made its way to the nation state policy levels.

Operational Risk Management (ORM) will remain a key factor in decision points for the enterprise, the consumer and the operators of critical infrastructure across the globe.

Let's work on keeping the human factor in the loop as automation continues to give us a false sense of security and safety...

15 June 2019

Fatherhood: Reflecting on a Wondrous Journey...

After 31 years of experience as a Husband and a Father, the emotions are heartfelt this June 16th, 2019.  The eyes are moist, thinking of so many wonderful memories.  My Daughter and Son have a Dad who has been there for them, whenever they cried or whenever they called (texted).

Having a day of recognition as a Father is twofold, especially if your reflection is on the journey of marriage as being completely integrated.  Seeing the wonderful process of being a Dad, is completely enhanced when your life partner is there by your side, to share all that life together has to offer.

When you have the responsibility and the challenges of Fatherhood in front of you, the only context you have is your own childhood.  Father's Day is not just about anticipating the future, yet it is also reflecting on your own past.  How are you the same as or different from your own Father?

You have the opportunity from day one as a Dad to be different and to be better.  You will lose sleep and you will ask yourself how to achieve all that you had growing up and so much more for your own kids.  Everyone has a Father, and you have a choice.

Are you capable of being a true partner with your wife to develop a wondrous team effort?  How will you work together to solve problems, provide all that a child requires in their first two decades of life?  And then that point in time arrives sooner than you wished, the day your child drives off for the first time in your automobile alone.

This is the point in time as a Father, when you feel so helpless and at a loss of control as a parent.  Think back to the past 16 or so years at that point.  This is when prayer is even more of a refuge.

To my Daughter Taylor and Son Connor on Father's Day.  I am so proud of both of you.  Thank you for being my kids who allow me to love them so much.  Thank you to my wife Cheryl for finding me, understanding me and giving us such wonderful children...so much love to all!

Happy Father's Day 2019

08 June 2019

New Vision: Security Operations Center and CIU...

Flash back to over 8 years ago, when there was a convergence of thinking in the industry about the topic of a "Defensible Standard of Care."

The key Operational Risk Management news from the 2011 RSA Conference was coming in, yet there were inside sources who still needed to be interviewed. What did they think was the most brilliant presentation or idea(s) presented?

This particular release caught some eyes as it addressed much of the thinking on the latest evolution of the Security Operations Center (SOC).  How much of this is still relevant today:

New Vision for Security Operations: Six Core Elements
The vision includes six core elements and prescriptive guidance for how to incorporate these elements into existing security operations. These elements include:
  • Risk planning: The new SOC will take a more information-centric approach to security risk planning and invest in understanding which organizational assets are highly valuable and essential to protect. With priorities based on GRC policies, security teams need to conduct risk assessments that focus on the “crown jewels” of the enterprise.
  • Attack modeling: Understanding attack modeling in a complex environment requires determining which systems, people and processes have access to valuable information. Once the threat surface is modeled, organizations can then determine potential attack vectors and examine defense steps to isolate compromised access points efficiently and quickly. RSA® Laboratories has developed theoretical models based on known APT techniques and employed game theory principles to identify the most efficient means of severing an attack path and optimize defense costs.
  • Virtualized environments: Virtualization will be a core capability of tomorrow's SOC – delivering a range of security benefits. For example, organizations can "sandbox" e-mail, attachments and URLs suspected of harboring malware. Anything suspicious can be launched in an isolated hypervisor and the virtual machine can be cut off from the rest of the system.
  • Self-learning, predictive analysis: To remain relevant in tomorrow's IT environment, a SOC will need to truly integrate compliance monitoring and risk management. The system should continually monitor the environment to identify typical states which can then be applied to identify problematic patterns early. Statistic-based predictive modeling will be able to help correlate various alerts. Developing such a system will require real-time behavior analysis innovations, although some of these elements are available today.
  • Automated, risk-based decision systems: A key differentiator of a more intelligent SOC will be its ability to assess risks instantly and vary responses accordingly. Similar to risk-based authentication, the SOC will employ predictive analytics to find high-risk events and then automatically initiate remediation activities. The prospect of dynamic topography is one of the most exciting areas of this type of systems automation for the cloud. To implement an APT, an attacker must understand network mapping and be able to model it. In response to this, organizations can remap their entire network infrastructure to disrupt an attacker's reconnaissance efforts. This is akin to physically rearranging a city at frequent intervals – and the entire process can be automated so that links between systems stay intact and dependencies are handled without human intervention.
  • Continual improvement through forensic analyses and community learning: Although forensic analysis can be resource-intensive, it is an imperative element of a SOC and key to mitigating the impact of subsequent attacks. Virtualized environments can provide snapshots of the IT environment at the time of the security event providing useful information if detection of the attack was delayed. Having a way to share information about attack patterns will be the future of the SOC. This concept should be embraced in order to exchange threat information within respective industries and better predict the path of the APT and thereby determine countermeasures.
The evolution of the SOC in your enterprise may start in some unconventional places. Who is it in your organization that is responsible for the loss of corporate assets?

Who in your company is the one who determines what items are counted as losses to the bottom line?

Who does the enterprise look to when the crisis hits and people are looking for answers in minutes, not hours, or days?

Who picks up the phone to answer the call from the local FBI Field Office?

These may not be the people you think of in the CIO's office or IT department. These people, however, need to be part of the combined Security Operations Center solution in the company.

The Advanced Persistent Threat (APT) now requires the intersection of prudent strategy from the business leadership, the accounting or finance leadership and the risk management leadership.

If the CIO is looked upon as the key executive running a "Utility" inside the enterprise, think again.

This blog has discussed the "Corporate Intelligence Unit" in years past:

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU. It includes effective processes and procedures that provide a push/pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible, and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners increases the overall resilience factor and hardens against the vulnerabilities that are all too often being exploited for months if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "Decision Advantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistleblower report, catch the attacker and/or have the evidence that you were a victim.

How your organization pulls together the right people to staff and operate your "CIU" is going to depend on your culture, funding and current state of the threat.

It has been a month since the City of Baltimore's networks were brought to a standstill by ransomware. On Tuesday, Mayor Bernard "Jack" Young and his cabinet briefed press on the status of the cleanup, which the city's director of finance has estimated will cost Baltimore $10 million—not including $8 million lost because of deferred or lost revenue while the city was unable to process payments. The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds.

Here is another thought. A thorough review of the current funding, staffing and strategy of a SOC or CIU in the enterprise may even become a priority at the next "Board of Directors" meeting.

01 June 2019

Trust Decisions: Never Stop Questioning...

"Learn from yesterday, live for today, hope for tomorrow.  The important thing is not to stop questioning."  --Albert Einstein

What sources are influencing your "Trust Decisions" today?

The front page of the "Washington Post."  The e-mail from a parent.  The text message from a loved one.  A phone call from your commander or a work supervisor.

What does your future look like next week?  Next month.  Or next year.  You might think you have it all planned out and on your calendar.  Or maybe you have not even thought about it yet.

Which person are you?

One certainty is that you will experience the unexpected and you will simultaneously be required to adapt, to adjust and to be agile, in order to respond to the changes in your day, your plan and in your life.

As a true leader in your business, in your agency, in your tribe or in your family, is there anyone you know that asks questions all the time?  Here is a question.  Why does this bother you?

How will you achieve your latest objectives?  Most likely because you have a continuous passion for asking questions.  Then you truly listen.  You take the time to think.  You now make your "Trust Decisions" to act.

Albert Einstein was correct...
Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning.

25 May 2019

Memorial Day 2019: The Courage of Risk Decisions...

Walking through Section 60 at Arlington National Cemetery on Memorial Day weekend is a stark reminder of the Operational Risk Management challenges we have faced these past 18+ years.  One example can be found in the budget at the Pentagon, on how to defeat the IED.

Billions of dollars are devoted to the strategies and tactics to keep U.S. "boots on the ground" on foreign lands from becoming KIA, an amputee or another invisible wound such as Traumatic Brain Injury or Post Traumatic Stress.

Regardless of the dollars devoted, many grave markers in Section 60 have birth dates in the 1980s and 1990s.  Standing there remembering Neil, a tear rolled down a cheek and the wind quickly blew it away...

"Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3]."

If you are currently in the military, we will thank you for your courage of service on Veterans Day, as we have before.  This day, however, is for those in the U.S. forces who have died while serving.

Simultaneously, we must thank all of the other "Operational Risk Management" subject matter experts.  The "Quiet Professionals" who operate every day in the shadows.  We hope that their decisions will continue to be the right ones.  They live each day with the burden of managing risk decisions that could send another U.S. patriot on their way to Section 60 or a remembrance "Star" on the wall at Langley.

This Memorial Day and each day after, an average of 22 veterans will take their own lives.  Here in their own home town, in their own country.

The risks that each of us take in our chosen careers and life decisions are a mosaic of future events that can be managed.  The likelihood and impact of those risks can be assessed and decisions can be made.  What risks will be mitigated, accepted or avoided altogether?

It is up to you.  These courageous decisions will determine your risk appetite and your willingness for the consequences of your choice.

On our July 4th birthday, we will all remember why we celebrate Memorial Day in the United States.

It is worth the sacrifice, the loss and the tears.  God bless our heroes and our great nation...

11 May 2019

Insider Threat: Corporate Integrity Culture...

Does your organization have a culture of "Corporate Integrity?" One can only wonder how these findings have changed since the results below were published.

The depth and breadth of Operational Risks were apparent over eight years ago in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked which electronic crimes were most costly or damaging the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Regarding the reasons given for not referring "Insider" incidents for legal action, the one that stands out in our mind is this: 40% could not identify the individual(s) responsible for committing the eCrime. And maybe even more astonishing is that 39% did not have enough information, or lacked the evidence, to proceed with either civil or criminal litigation.

So what is really going on with these survey results presented so far? Even though the respondents say that 33% of the most costly incidents came from "Insiders", they have done little to collect enough evidence to identify who the responsible parties to the incident are. This may be for several reasons, including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents, yet what about the "Unknowns" who add an additional 29%? The combination of the two makes up 62% of all the incidents in the study.

This is where Operational Risk professionals can have a significant impact within the enterprise.

The unauthorized access to information and use of that information is at the center of this issue. By the time an organization realizes that this "information" has impacted them, the funds have already been stolen, the trades have been placed or the press has published a trade or national security secret.

Regardless of the high-tech tools utilized or the systems and controls within the organization, there are always methods and processes that, if properly implemented, will reduce the number of "Unknown" and "Insider" threats.

In your particular case, it just may come down to developing more effective situational awareness with your employees.

Suppose you create a mandatory program for all employees that is focused on corporate integrity and each year the CEO kicks off the first session with their own attendance and their own direct reports, including the Board of Directors.

Next, all senior staff attend the program, and several 5-minute webcast clips from the one-day session are posted on the corporate Intranet.

Finally, the roll-out for the remainder of the employees is tied to the annual 360-degree review that each manager does with their subordinates in the company.

Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report incidents and other integrity concerns.

Periodic training throughout an employee's career reinforces awareness and the cost of internal incidents.

If your organization does not currently have a program as we have described earlier, then maybe it's time to start one.

If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization...

04 May 2019

Neurodiversity: Leveraging the Capital of the 4th Industrial Revolution...

"Grasping the opportunities and managing the challenges of the Fourth Industrial Revolution require a thriving civil society deeply engaged with the development, use, and governance of emerging technologies. However, how have organizations in civil society been responding to the opportunities and challenges of digital and emerging technologies in society? What is the role of civil society in using these new powerful tools or responding to Fourth Industrial Revolution challenges to accountability, transparency, and fairness?"  World Economic Forum

Is automation the current answer to all of our problems?  When will the research tell us the true impact of too much "Screen-Time" on our brains?  What will be the next terror incident in our society, that is "broadcast live" over the Internet?

These questions and more are on the minds of community leaders in government, the R&D scientists and also the Chief Operational Risk Officer of your organization.

Our cultures, innovators and tools are on a major collision course that will prove to be more challenging than we could ever have anticipated.  Even those working in the early days of the IBM Watson project would probably tell you of their fears of the future.

Yet our youth across the globe are being submerged in technology and software interfaces so early in life that they may not learn how to think or work in manual/analog mode.  They will only have the creativity to code or to automate with software, unaware that history may have accomplished some of the same tasks without software, hundreds of years ago.

How might the older generations teach the younger generations about the way it used to be done?  Why would we even try to do this in a more manual method or process?  To provide context and generate cognitive creativity.

The truth is that educators believe the innovation of technologies is driving their curriculum and our communities' own economic development.  The impacts of automation and technology are being continuously researched in the wave of change known as the "Fourth Industrial Revolution".

These trends have significant risk implications on our workforce and the future opportunities of the vocational education and training of our future force.  This is clearly evident across our communities, business entities, military service and government policy.

The rapid adoption of digital innovation has impacted the requirements of certain knowledge workers to be more versatile.  They must be more adaptive, collaborative and have expanded skill-based capabilities for problem-solving.

Do not underestimate the importance of the soft skills and people skills for continuous development and reducing risk.  Simultaneously, we must understand the impact of advanced technologies on our workforce and the real opportunities in leveraging our neurodiversity assets.

How might we better understand the diagnostics of our own human capital, to leverage and apply the right people, with the correct technology, in the most compatible job?

What is your business, military branch or government agency doing today to cross-train and educate your employees?

When was the last time you put your STEM engineering group through a soft-skills course on communications?  How might your business development team become immersed in the new design for a next generation digital tool?

So what?

The Operational Risk before you is all about people and your evolving human capital.  When was the last time your Board of Directors contemplated the interaction with your Human Resources department and the workforce recruitment processes?

When was the training of new hired employees and even employees with 1, 3 and 5 years or more of tenure focused on new soft-skills?  New skills and techniques for Collaborative Dialogue, Negotiation or Management Coaching?

The human capital risks in your organization are changing rapidly and they are not always about automation and disruptive technologies.

The greatest risk to you and our society is your management's failure to recognize and apply what you have learned about your people...

28 April 2019

C²: Continuous Continuity in the Enterprise...

Many enterprises today understand the myriad of potential threats to their people, processes, systems and structures.  The Board of Directors stands to be better equipped for sustained continuity.

Business Crisis and Continuity Management (BCCM) is a dynamic change management initiative with Operational Risk Management (ORM) that requires dedicated resources, funding and auditing.

Certainly the largest organizations realize that the risks are taking on different forms than the standard fire, flood, earthquake and hurricane/twister scenarios. These large catastrophic external loss events have been insured against and the premiums are substantial.

What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.

The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:
  • Public perception
  • Unethical dealings
  • Regulatory or civil action
  • Failure to respond to market changes
  • Failure to control industrial espionage
  • Failure to take account of widespread disease or illness among the workforce
  • Fraud and Cyber-related incidents
  • Exploitation of the 3rd party suppliers
  • Failure to establish a positive culture
  • Failure in post-employment process to quarantine information assets upon termination of employees
Frankly, corporate directors have their hands full helping executives manage risk and continuity on behalf of the shareholders. The risk management process will someday have as big an impact on the enterprise as other key functions, because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”.

A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, is opening the door to a Board of Directors' worst nightmare. These nightmares are "Loss Events" that could have been prevented or mitigated altogether.

Most of the best practices talk about a BCCM plan that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates?

How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization, if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise.

As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C², or “Continuous Continuity”.

So what?

Boards of Directors have the responsibility to ensure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise.

It's the shareholders' duty to scrutinize which organizations are most adept at "Continuous Continuity" before they invest in their future.

Managing Risk: 100 Years and Beyond...

Senior executives continue to wonder why they are continually surprised by certain incidents or events that take place within their enterprise. Operational Risk exposure is hard to manage, without a robust risk management system that is constantly monitoring the business environment you operate in and the people that work within that environment.

If you asked any CEO of a Fortune 500 company about their current financial condition or market position they would be able to answer with confidence and with valid facts and figures to support the statements.

Yet if you were to ask the same CEO, about their current exposure to Operational Risks, you may get a "Deer in the Headlights" look, followed by less than confident facts about their proactive, preventive or defensive strategies to address:
  • Governance, Regulatory and Compliance (GRC)
  • Employee Ethics, Malfeasance, Fraud and Corruption
  • Continuity of Business Systems Operations
  • Supply Chain Cyber Resilience
  • Litigation and Class Action Suits
Yet Operational Risks erode the corporate earnings and impact the reputation of the enterprise in the marketplace. The Board of Directors is charged with understanding Operational Risks and how these are being addressed in concert with the organization's strategies for growth or mergers and acquisitions.

They are continually asking for more effective risk management systems from the organization and the CEO should be well versed in what, where, who and why they are addressing the threats and the likelihood of these events taking place.

The point is, as the CEO you have no idea when the next significant business disruption is going to take place that impacts the organization. Therefore, the CEO and the enterprise must accept the fact that these Operational Risk events are going to occur, and when they do, the CEO must know what to do immediately and who to assist them with the incident before them.

So if this is the case, that you as a senior corporate leader agree that you can't ever know where or when the next threat is going to take place, then the question presents itself, what are you and the enterprise doing "Today" to mitigate the threat or prepare for the response?

You see, every day is a training day, and if the organization is not testing itself in some place or some way, the next incident that presents itself could be the final blow. The event that brings the entire enterprise to its knees, or the failure that changes the entire world's perception of who you are and what you represent.

With the stakes that high, wouldn't you want to know what people in the organization are doing each day to manage risks in their business unit, department and section? What are the contingency plans and when was the last time they were exercised? Is once a year enough, based upon the speed of change in your business environment? Maybe not.

Are you Indispensable? To your employees, your shareholders, your customers? The fact is that you and your organization are not as ready as you could be and you are not as indispensable as you want to be.

There are plenty of examples out there on the planet, however, that make sense to model, examine and learn from, based upon the way they behave in the marketplace and the value they bring from being so consistent, reputable and resilient to all that the risk environment can throw at them. They are not perfect, but maybe close:

Of the top 25 industrial corporations in the United States in 1900, only two remained on that list at the start of the 1960s. And of the top 25 companies on the Fortune 500 in 1961, only about six remain there today.

Some of the leaders of those companies that vanished were dealt a hand of bad luck. Others made poor choices. But the demise of most came about because they were unable simultaneously to manage their business of the day and to build their business of tomorrow.

Today we take a moment to step back and view the longer arc of history. We’d like to share some of what we have learned—sometimes in humbling ways—on our journey so far.

A century of corporate life has taught us this truth: "To make an enduring impact over the long term, you have to manage for the long term."

21 April 2019

Easter 2019: Another Day to Remember & to Be Proactive...

“Blessed be the God and Father of our Lord Jesus Christ, which according to his abundant mercy hath begotten us again unto a lively hope by the resurrection of Jesus Christ from the dead,”  1 Peter 1:3

COLOMBO (Reuters) - Over 200 people were killed and at least 450 injured in bomb blasts that ripped through churches and luxury hotels in Sri Lanka on Easter Sunday, the first major attack on the Indian Ocean island since the end of a civil war 10 years ago.

On this Easter Sunday 2019, the world mourns the news from Sri Lanka. Across the globe people are reminded that evil remains a constant in our society today and for the future. Our prayers today are evident in every language and every continent...

Looking around your religious venue today you may notice a heightened presence of security and law enforcement.  Our public safety and first responders are on high alert.

So what can you do as a public citizen to learn, prepare and perhaps spring into action if you are ever needed?  How can you train and learn what to do, in the event of a mass casualty incident?  At your place of worship, place of education, place of business or place of recreation.

You can attend a training similar to this one, being offered in a community near you:


Preparation – Action – Recovery

Mass shootings seem to be more and more prevalent nowadays. As the world focuses all its attention on the “why”, we must focus our attention on how we can better prepare our critical infrastructure sectors and communities alike. Learn about the signs and pre-incident indicators (PII’s) of an active shooter before it’s too late. And learn life-saving techniques during and after an active shooting such as how to use a tourniquet and other items in a “stop the bleed” kit.

PART 1 - PREPARATION: INTELLIGENCE SME - Pre-Incident Indicators / behavioral indicators of potential subjects prior to a terrorism or criminal related incident & how to be situationally aware and prepare for such incidents.

PART 2 - ACTION: SWAT SME - To address run-hide-fight, appropriate response for when law enforcement arrives on scene and active shooter survival kit.

PART 3 – RECOVERY: TACTICAL MEDIC SME: Trauma and treatment post active shooting incident. Use of trauma kit, chest seals and current industry standards. Tourniquet drills will be a part of this training.

If you are a Father, Mother, Brother, Sister or just a good friend, you must continue to think about being proactive.  To be ready.  To be more aware.

Take a moment this Sunday in your prayers for Sri Lanka and soon plan to be more prepared...volunteer at your church, school or business to be a proactive advocate and responder for Preparation, Action and Recovery.


13 April 2019

Digital Trust: Transparency in a World of Cyber War...

"British police arrested Wikileaks founder Julian Assange on Thursday. He had been hiding in the Ecuadorian Embassy in London since 2012 and was arrested after the Ecuadorian government invited the Metropolitan Police Service into the embassy to remove him. Assange was initially arrested for jumping bail in 2012, but the Metropolitan Police Service subsequently announced that he had been "further arrested on behalf of the United States authorities."

After Assange's arrest, the US Justice Department unsealed its indictment against him. The indictment focuses on Assange's role in helping Chelsea Manning steal classified information from the US military."
Wikileaks — Julian Assange arrested, charged with conspiracy to hack US computers. Assange had been holed up in the Ecuadorian Embassy in London since 2012. Timothy B. Lee, 4/11/2019, 7:05 AM

Someday in the future, there will be a documentary on the timeline and journey of Julian Assange, beyond what has already been produced about his life and his behavior.

It is going to be years before the U.K. legal system completes the process, as it has demonstrated in the past with people and issues such as this one.

Yet transparency remains an important topic here.  Whether you are arguing for greater disclosure on what is going on inside government or within the R&D practices of a Global Fortune 1000 public company, transparent communications to the public and shareholders are vital.

The justice systems will finally have the opportunity to produce the information that will allow every world citizen to read about the true facts in the Assange case.

Meanwhile, the use of sophisticated exploit tools by nation states and rogue non-state actors continues to disrupt our international e-commerce.  Many variations of these tools are now in the wild as a result of the actions of Wikileaks and are being utilized in nefarious ways.  Here is just one example:

Canadian Police Raid ‘Orcus RAT’ Author
"Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan." Krebs on Security

This latest phase of legal justice is about a digital world that exists underground and unknown to the naive "John Q. Citizen" on the street.  Brian Krebs' own transition from journalism at the Washington Post to creating his own blog is only part of this transparency topic.  The Dark Web and all that it comprises is still growing exponentially.

Remember that only about 4-5% of the world wide web (WWW) is what you are seeing in the searchable "Google" Internet.  The other 95% of the Deep and Dark web, is indeed another virtual world.

The international entrepreneur today who has that new great idea, product or service will be operating on the Internet and the World Wide Web.  No different from years before the Internet when you set up your office/business on Mainstreet, in the skyscraper or in the Mall, yet now your reach is instantaneously global.  Your inventory display, banking, accounting, order entry, distribution and delivery is done with software and global communications networks.

Today and since the dawn of the Internet, every new online entrepreneur has a digital spectrum of Operational Risks that must be addressed as part of their daily business.  Those digital trust factors have created new dimensions of risk and resilience strategies, to counter the size and scope of the expanding cyber crime and terrorism enterprises.

So what?

There are several analogies that could be used here to illustrate the issues associated with selling cyber weapons online or the theft and distribution of those digital weapons in our modern society.  Yet the truth is, international commerce is here to stay and it will require new and more rapid action by business and governments.

Simultaneously, the future of our digital trust and the lack of manpower and enforcement resources is spelled out daily in the public press.  How many times have we heard that there is a shortage of Cyber Security and Risk professionals in the commercial and government workforce?  There is a reason for this.

Transparency of reporting is vital for the public, so they can make more informed decisions.

Balancing the nightly television news with politics, business earnings reports, weather events and the reality of our expanding "Cyber World War," will soon become the new normal...

07 April 2019

Preemption: An Operational Risk Perspective...

"The global regulation of cybersecurity is one of the most contentious topics on the international legal plane. States, the actors primarily responsible for arranging most other international regulatory regimes, have so far been incapable of reaching a consensus on how to govern international cyberspace. For example, in 2017, the United Nations Group of Governmental Experts, arguably the most promising effort to create international norms for cyberspace, collapsed. In this vacuum, private tech companies are seizing the opportunity to create norms and rules for cyber operations, essentially creating a privatized version of cybersecurity law."  LawfareBlog Ido Ikilovaty

Preemption: A Knife That Cuts Both Ways by Alan M. Dershowitz belongs in the professional Operational Risk Manager's reference library:

Decisions to act preemptively generally require a complex and dynamic assessment of multiple factors. These factors include at least the following:
  1. The nature of the harm feared.
  2. The likelihood that the harm will occur in the absence of preemption.
  3. The source of the harm--deliberate conduct or natural occurrence?
  4. The possibility that the contemplated preemption will fail.
  5. The costs of a successful preemption.
  6. The cost of a failed preemption.
  7. The nature and quality of the information on which these decisions are based.
  8. The ratio of successful preemptions to unsuccessful ones.
  9. The legality, morality, and potential political consequences of the preemptive steps.
  10. The incentivizing of others to act preemptively.
  11. The revocability or irrevocability of the harms caused by the feared event.
  12. The revocability or irrevocability of the harms caused by contemplated preemption.
  13. Many other factors, including the inevitability of unanticipated outcomes (the law of unintended consequences).

Regardless of the agreement or bias of the reader, this book makes you think upside down and sideways about decisions you have made, and will make.

While Mr. Dershowitz takes time to make his own opinions known, his mastery of building the foundation for transformation is unequaled on such a topic; controlling dangerous and destructive human behavior and how to confront terrorism, crime and warfare.

During the course of a single day in the life of the Operational Risk Manager there are dozens if not hundreds of preemptive or preventive decisions to be made.

Private Sector vs. Public Sector is not so much the issue here. Whether you are the Chief Operational Risk Officer at a major banking institution or the Commander in the local Emergency Operations Center, you both have the same dilemma.

A decision must be made quickly and you must be able to live with the implications of either decision.

31 March 2019

Operational Risk Management: Discipline and Professional Development...

You know that the discipline of Operational Risk Management has finally reached the minds of global executives and Board of Directors, when you see growth in the organizations that have established a Board-level Executive in charge of Operational Risk Management (ORM).

The ORM discipline has now spanned several primary critical infrastructure sectors of the global economy for over a decade, including Energy, Financial Services, Information Technology, Defense Industrial Base and others who are highly regulated by government.

Global organizations such as BP, as one example, have found the necessity of new Operational Risk capabilities, to produce a prudent and consistent strategy after the Gulf of Mexico Macondo blowout in other parts of the planet where deep water drilling is still a vital solution.

Goldman Sachs and the other band of brothers in the global financial crisis of the decade past, have reinvested in more prudent Operational Risk Management strategies. The books that have been written outlining the risks of people taking on derivatives of one type or another to hedge the marketplace have been prolific.

IBM, Google, Apple, AWS and Cisco have capitalized on "Operational Risk Management" and its focus on business continuity planning (BCP), continuity of operations planning (COOP) and the facilitation of utilizing cloud computing to enhance the resilience factor of critical systems.

The pervasive growth of people utilizing social networking in the workplace, however, has created its own set of OPS Risk challenges.

Spear phishing, targeted fraud schemes such as Business E-mail Compromise (BEC) and sophisticated software exploits, can be attributed in many cases to the plethora of personal information the criminals and intelligence activities have to work with.

Social engineering, economic espionage and other transnational criminal activities are continually perpetuated by the security and privacy failures of the critical infrastructure industries.

The Defense Industrial Base including the US Navy, US Marines, US Army, US Air Force and our Coast Guard, know the value of effective Operational Risk Management. The discipline is a core aspect of their cultures and is continuously tested and measured on a daily basis.

On the flight line or on the base, these branches of the military use ORM to save lives and protect valuable assets worth millions of dollars every day.

As the Board of Directors focus on ORM across the globe, one can only wait and see how it will impact the discipline of the individuals themselves.

We trust that our practitioners will continue their own quest for expanding the portfolio of thinking and to see that the right people are at the table, to assist in ORM direction and continued global success.

24 March 2019

Operational Threat Matrix: The Mission Ready Many...

"Five years after the release of the Framework for Improving Critical Infrastructure Cybersecurity, organizations across all sectors of the economy are creatively deploying this voluntary approach to better management of cybersecurity-related risks. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) issued what is now widely known simply as the “NIST Cybersecurity Framework” on February 12, 2014."

Measuring an incident first requires defining a taxonomy on what an "incident is" and what an "incident is not". In other words, how can you measure something that has not been sufficiently defined in your organization? How do you know when an incident has occurred?

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits.

Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result. They do this to obtain their objective.

The Mission

The organization shall develop, implement, maintain and continually improve a documented operational risk management system:
  • Identify a method of risk assessment that is suited for the organization's business assets to be protected, regulatory requirements and corporate governance guidelines.
  • Identify the assets and the owners of these assets. Identify the threats to those assets.
  • Identify the vulnerabilities that might be exploited by the threats.
  • Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
  • Assess the risks.
  • Identify and evaluate options for the treatment of risks.
  • Select control objectives and controls for treatment of risks.
  • Implement and operate the system.
  • Monitor and review the system.
  • Maintain and improve the system.
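As an added worked example (not code from this blog), the mission steps above carried through as a small Python risk register: every asset, owner, threat, vulnerability, control and rating is constructed sample data for a hypothetical organization, and the 1-5 scales, the scoring formula and the risk appetite threshold are assumptions of the example.

```python
"""Added worked example (not the blog's code): a minimal operational risk
register that walks the mission steps above. All assets, threats, controls
and ratings are constructed sample data for a hypothetical organization."""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed rating scale: 1 (negligible) to 5 (severe)


@dataclass
class Asset:
    name: str
    owner: str          # the accountable asset owner
    impact: dict        # loss impact per dimension: {"C": n, "I": n, "A": n}


@dataclass
class Control:
    name: str
    likelihood_reduction: int   # scale points the control takes off likelihood


@dataclass
class Threat:
    name: str
    likelihood: int             # inherent likelihood, 1-5
    affects: frozenset          # which of C, I, A the threat degrades
    targets: tuple              # asset names exposed to this threat
    vulnerabilities: tuple      # why the targets are exploitable
    controls: tuple = ()        # candidate controls for treatment


@dataclass
class RiskEntry:
    asset: str
    owner: str
    threat: str
    inherent: int
    residual: int
    treatment: str
    decision_level: str
    controls: tuple


def _worst_impact(asset, threat):
    """Validate the ratings and return the worst impact the threat can cause."""
    for v in (threat.likelihood, *asset.impact.values()):
        if v not in SCALE:
            raise ValueError(f"rating {v} outside the 1-5 scale")
    return max(asset.impact[d] for d in threat.affects)


def inherent_score(asset, threat):
    """Risk = likelihood x worst impact among the dimensions the threat hits (1-25)."""
    return threat.likelihood * _worst_impact(asset, threat)


def residual_score(asset, threat):
    """Score after the candidate controls are applied; likelihood never drops below 1."""
    reduced = threat.likelihood - sum(c.likelihood_reduction for c in threat.controls)
    return max(1, reduced) * _worst_impact(asset, threat)


def treatment_for(inherent, residual, appetite):
    """Accept inside appetite; mitigate if controls bring it inside; else transfer or avoid."""
    if inherent <= appetite:
        return "accept"
    if residual <= appetite:
        return "mitigate"
    return "transfer-or-avoid"


def decision_level(score, appetite):
    """Make the risk decision at the right level: the bigger the score, the higher it goes."""
    if score <= appetite:
        return "asset owner"
    return "business unit" if score < 15 else "board"


def build_register(assets, threats, appetite=6):
    """Assess every exposed asset/threat pair and rank the entries by inherent risk."""
    by_name = {a.name: a for a in assets}
    register = []
    for t in threats:
        for target in t.targets:
            a = by_name[target]
            inh, res = inherent_score(a, t), residual_score(a, t)
            register.append(RiskEntry(a.name, a.owner, t.name, inh, res,
                                      treatment_for(inh, res, appetite),
                                      decision_level(inh, appetite),
                                      tuple(c.name for c in t.controls)))
    return sorted(register, key=lambda e: -e.inherent)


# Constructed sample data for a hypothetical organization.
ASSETS = [
    Asset("payments-mailbox", "Finance Director", {"C": 4, "I": 5, "A": 2}),
    Asset("public-website", "Marketing Lead", {"C": 1, "I": 3, "A": 4}),
]
THREATS = [
    Threat("business e-mail compromise", 4, frozenset("CI"), ("payments-mailbox",),
           ("no MFA on mail", "no call-back check on changed bank details"),
           (Control("MFA on mail", 1), Control("call-back verification", 2))),
    Threat("website defacement", 3, frozenset("I"), ("public-website",),
           ("unpatched CMS plugin",), (Control("monthly patch cadence", 1),)),
    Threat("rogue wireless hotspot", 2, frozenset("C"), ("payments-mailbox",),
           ("no wireless survey",)),
]
```

Calling `build_register(ASSETS, THREATS)` ranks the three sample entries by inherent score and shows which ones the candidate controls bring back inside appetite and which need a decision above the asset owner.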

The Take Away

While you were in the Board of Directors meeting, your Operational Risk Profile changed. When you were asleep last night it changed again. The people, processes, systems and external events are interacting to create a new and dynamic threat matrix for your organization.

Who is responsible for Operational Risk Management in your business? Everyone is. You see, if everyone in the organization was able to understand and perform the mission flawlessly, then the business could stay in constant control of how much incidents are costing the enterprise.

Only a guarded few understand the mission of operational risk management in your company. Only a guarded few can do it flawlessly.

If you want to protect your corporate assets better than you do today, then turn those guarded few into the mission ready many.

16 March 2019

Private Sector Mentoring: Operational Risk Specialists to the Rescue...

The international spectrum of Operational Risk Management (ORM) is playing out before us on a global stage.  Nation states and the airline industry are in full crisis management collaboration.

And while all of this is distracting our attention, the operational risks associated with volatility on a financial world stage continue to unfold.

What will the future hold for global business commerce and the military personnel transitioning from regions of conflict?  Syria. Yemen. Iraq. Afghanistan.

This is where our next generation of "Operational Risk Specialists" will come from, to assist us in our most challenging future of global incidents, crisis and humanitarian requirements.

Yet these men and women will be competing in an economy that is ultra-competitive. There are however, innovative ways for us to hedge the risks for future U.S. veterans as they look for their next mission in the private sector. The first step is an old and very effective method called mentoring:

mentor, noun

1. a wise and trusted counselor or teacher.

2. an influential senior sponsor or supporter.

verb (used without object)

3. to act as a mentor: She spent years mentoring to junior employees.

verb (used with object)

4. to act as a mentor to

1740–50; after Mentor (Greek Méntōr)

Related forms

men·tor·ship, noun

Synonyms 1. adviser, master, guide, preceptor.

It would be in the best interest of the private sector, in a world that is challenged by so much change, volatility and uncertainty, to have a cadre of "Operational Risk Specialists" who are there at a moment's notice.

Working 24 x 7 in concert with all critical business functions, to enhance the resilience of the enterprise. Yet it will take thousands of mentors to assist these veterans, as they transition to this important role and mission.

Are you a CxO that relies now on a small team of risk minded people, tasked with your supply chain, personnel security, information security, facilities or even insider incidents? You are the perfect catalyst to get a new program going at your organization.

Begin the process of identifying and tasking the right people in your organization, to be mentors for the new "Operational Risk Specialists," that you should hire over the next few years.

What would happen, if you created a whole new way for you to mentor, hire, mentor, train, mentor and grow, a new generation of risk management professionals for your organization?

How might the performance and the resiliency of your enterprise improve, with the ongoing mentoring of veterans as they begin to understand the business of the private sector? A different and yet similar environment for the management of operational risks.

Your vision should be to create a "VetAccelerator" for each of your organizational business units. To engage mentors with new veterans returning and transitioning from almost 2 decades of war.

We have done this before in our U.S. history and it will not be the last. Let all of us embrace the opportunity to strengthen our business engine and to improve our resilience in the new world order.

Finally, never forget how all of this latest chapter started. And how it still continues to play out on a daily basis. Our vigilance is an imperative and veterans will be our Go-To "Operational Risk Specialists" for years to come.

09 March 2019

Trust: In Pursuit of Implicity...

RSA 2019 was another event for the vast spectrum of security and privacy professionals to reflect on, regardless of the color of hat you wear.  One word seemed to be prevalent in this year's atmosphere:

trust (trŭst)n.

1. Firm reliance on the integrity, ability, or character of a person or thing.
—Related forms
trust·a·ble, adjective
trust·a·bil·i·ty, noun
truster, noun

—Synonyms 1. certainty, belief, faith. Trust, assurance, confidence imply a feeling of security. Trust implies instinctive unquestioning belief in and reliance upon something: to have trust in one's parents.

To have real trust in something or someone, you don't even think about it. It's implicit.

If you start to think about it, then it is not really trust in its purest form. In Operational Risk Management (ORM), we are always in pursuit of trust. We want to trust our sensors, monitors and fail-safe processes.

Yet we know that this is why we train for contingencies. Because failure is always a possibility, even if it has a .00000000000099 probability.

As a true Operational Risk professional, you train for the remote possibility of failure and create alternative scenarios to test your contingencies. And when you find what works through exercises and experimentation, you put that in your memory bank or cache of alternatives. Never knowing when you will have to use it again.

And when it comes to trust and human beings, there is only one way we know you can get to implicity. It is through testing, training and observable behaviors.

And when this person or software algorithm has demonstrated that they are able to repeat the tasks, actions and behaviors with a .00000000000099 probability of failure, that is when trust begins to become inherent.

"Trust will not be accomplished 100% through AI / ML technologies when humans are still creating and writing the code. Nor the convergence of information in a database. It can only be forged through actions and observable behaviors."

Outcomes based upon sound planning, training, testing and continuous contingency operations. Only then will we reach the level of implicity we seek.

23 February 2019

OPS Risk: Military Lesson for Wall Street...

"Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it's digital cameras or satellites or just what you click on, we need to have more explicit rules - not just for governments but for private companies."  Bill Gates
Read more at: https://www.brainyquote.com/quotes/bill_gates_626047?src=t_privacy

"There is no avoiding the realities of the information age.  Its effects manifest differently in different sectors, but the drivers of speed and interdependence will impact us all.  Organizations that continue to use 20th-century tools in today's complex environment do so at their own peril."  Stanley A. McChrystal

Almost ten years ago, Air Force Brig. Gen. Mark W. Graper, the 354th Fighter Wing commander at Eielson Air Force Base, Alaska, captured the essence of Operational Risk Management.

Corporate Executives and mid-level management should have this made into a poster for their office and hanging in every hallway:
"Summer is just around the corner, and many of us are planning for our favorite warm weather activities - fishing, hunting, hiking, motorcycling, camping and more. All of our summer plans can be fun if we keep in mind the basics of operational risk management: Accept risk when benefits outweigh the cost; accept no unnecessary risk; anticipate and manage risk by planning; make risk decisions at the right level; assess and mitigate risk. Stated more simply, have a (prudent) plan, have a backup plan and have a Wingman."
Whether you are focused on the safety and security of your personnel, the integrity and confidentiality of your information or the continuity of your business operations, consider this.

Effective "Operational Risk Management" will improve your organization's resilience factor.

The brilliance of Brig. Gen. Graper's emphasis on this subject away from the flight line or "The Office" is his understanding that most of us will become more complacent the minute we hit the parking lot.

You see, OPS Risk is not just something being advocated in the Wall Street workplace. It should be just as pervasive at home or in our own leisure activities. Whether you are climbing "Denali" or entertaining friends around the backyard pool, you have to be continuously in OPS Risk mode, or it could bring harm to life, limb or your own reputation.

Operational Risk includes the risk of litigation, and there is one item you can be certain is a threat to your corporate integrity: employees, partners and suppliers to your organization.

What most organizations of the size and complexity of Facebook underestimate is the speed of change and the socially "connected" market economy. The blur of business, combined with the "Holistic Blindness" of what privacy risks are a threat today or this week, can bring an enterprise to its knees and then to its ultimate demise.

"Facebook Inc. (FB - Get Report) and the Federal Trade Commission currently are negotiating details of a settlement related to the Cambridge Analytica scandal, the Washington Post reported, citing people familiar with the matter.

The penalty imposed by the FTC likely would be a multi-billion dollar fine, which would easily be the largest fine ever issued to a tech company by the FTC. In 2012, Alphabet Inc.'s (GOOGL - Get Report) Google was fined $22.5 million by the agency for user privacy offenses.

The two sides are still negotiating the amount of the fine. If no agreement is reached, the FTC could take the issue to court, according to the Washington Post.

Facebook's privacy issues date back to 2012. Facebook settled a case with the FTC in August 2012, when the two parties reached an agreement that "Facebook must obtain consumers' consent before sharing their information beyond established privacy settings," according to a press release from the FTC published at the time the deal was made.

Facebook's privacy issues continued last March when news broke that Cambridge Analytica, a political research company, had harvested user data beyond what was acceptable. It later became evident that Facebook likely was aware of Cambridge's actions on the platform" 

Whether it's collecting user data to sell to your supply chain or keeping your F-22 Raptor in the air to defeat hostiles, OPS Risk is the differentiator. Your survival depends on it...

17 February 2019

Powerbase: Information Operations in the Workplace...

How robust are your organization's "Information Operations" (IO) capabilities? The degree to which the threat to your institution escalates in a war of words is going to be in direct proportion to your ability to monitor and counter the "Powerbase" within your Information-centric community.

Operational Risk within the institution, the city or the country is a factor of the likelihood of a particular threat and the ability to deter, detect, defend and document the threat.

However, the overt abilities to censor, block or suppress your particular community from communicating freely will be difficult if not impossible. Or will it?

Nation states have for years been subjected to the technology innovation of proxy servers and other methods for obtaining blocked Internet content.

The human element of the insatiable pursuit of information will continuously provide for the innovation to obtain that information that has been withheld from the community.

Whether that community is a corporation or a country, the employees or the citizens will find a way to gain the access and obtain the information they seek.

The ability to utilize ubiquitous devices such as camera enabled wireless smart phones has changed the landscape for "Information Operations" within your company and your local community.

Operational Risk professionals are keenly aware of the requirements to monitor and detect the use of rogue communications devices in the workplace, including unauthorized broadband hot spots (simple and effective).

Yet the state of business and politics precludes these individuals from truly understanding what their real role should be in this fight for zeros and ones. The fight is not about learning who has unauthorized access, it is about understanding human behavior and the "Powerbases" within a particular community.

Even the use of more sophisticated wireless mesh networks has been pervasive for years within the context of the USIC and where U.S. defense forces need to operate in areas with little or no telecommunications infrastructure.

The question begs then: to what degree are these same kinds of capabilities being utilized within the context of industrial espionage and foreign intelligence services within the skyscrapers of downtown Washington, DC, Chicago, New York or Los Angeles?

"Having a better understanding of the powerbase of each actor, the number and types of dimensions of that power, which elements of the powerbase are inherent or inferred, and whether it is growing or shrinking through cooperation or conflict, are all essential elements of information in stability operations and prerequisites for effective influence operations. Understanding Local Actor Bases of Power" - Col. Patrick D. Allen, USA (Ret.)

So how easy or difficult would it be to set up a relatively effective mesh network? Look to one of the leaders in the technology itself for guidance.

If the City of Houston or the country of Singapore can utilize these capabilities to create their own information networks for voice, video and data applications, then so too could any private enterprise with the right funding and the people to operate these systems.

Your organization's "Information Operations" capabilities go far beyond the IT department and their ability to sweep for rogue "Wi-Fi Hotspots" in the workplace. It could mean the difference between the safety and security of your municipality or the entire academic R&D campus.

In either case, the Powerbase of information will still have to be analyzed and understood. Without this Powerbase insight your organizational "Operational Risks" will remain unknown and your ability to mitigate these risks unknowable.

09 February 2019

Givers: The Master Plan for Grit...

"Of course, natural talent also matters, but once you have a pool of candidates above the threshold of necessary potential, grit is a major factor that predicts how close they get to achieving their potential. This is why givers focus on gritty people: it’s where givers have the greatest return on their investment, the most meaningful and lasting impact."  Grant Ph.D., Adam M.. Give and Take (p. 106). Penguin Publishing Group. Kindle Edition.
This quote is in chapter 4, Finding the Diamond in the Rough - The Fact and Fiction of Recognizing Potential.

Having passion and perseverance in any endeavor is worthwhile.  In this chapter of Adam Grant's book, he is talking about "Givers".  You will have to read the book to better understand the research of 30,000 people behind who you are and the difference between "Givers and Takers".

Flashback to your early years as a kid in elementary school.  Now think about all of the activities and endeavors your parent(s) had you involved with, in or outside the classroom.  Were you involved in the scouting or other after school activities?  What about your local church or synagogue?  Maybe your parents were even Boy or Girl Scouts themselves?  Did they achieve "Eagle" or the "Gold Award"?

Flashback to your years in Middle and High School.  Were you involved in Sports Teams or maybe the Marching Band?  Or perhaps the more academic or creative teams like "Debate" or the "Thespian Club".

What about in University or College?  Did your passion and perseverance for sports or other skill-building endeavors keep you gaining more of what is called "Grit", a firmness of mind or spirit, unyielding courage in the face of hardship or danger?  Were you able to graduate within 4 years and then obtain a decent job or commission to start your career?

If you accomplished all of this and are now well on your way to discovering and building a life full of rewarding experiences, you probably need to say "Thank You".  To your Mother, Father, Teacher, Boy/Girl Scout Leader, Coach, Commander or Professor.  They are the ones that got you to where you are today.

Yet if someone ever calls you a "Diamond in the Rough" you should consider that a compliment.

And you should also consider what they meant by that reference.  It means that they, as a "Giver" who focuses on gritty people, have found what they are always searching for.  They have recognized that you too are someone that stands out, that has the knowledge and the skills and that extra perseverance they are always in search of.

You may be wondering when your time will come.  When you will finally feel like you have "Made It" in life.  That you are truly happy.  Guess what, you are not there yet...


It is because you have not reached all of your potential, designed just for you.  The "Master Plan" for you is unique and you must realize that there is no visible finish line.  There are only more opportunities, tests, more challenges, significant success and substantial road blocks.

Being a "Giver" in your life means that you seek a path that puts you in pursuit of others just like you.  You know when you have found your Tribe, your calling and you know that they will be there to help you through the tough times and to persevere.

Now it is time, for you to contribute.  Your knowledge.  Your skills.  Your passion...yet do not fear asking for help.  The "Givers" in your community are searching for you now...


02 February 2019

Transparency: "Square One" in ORM...

Operational Risk Management (ORM) has been evolving for over a decade. There are new insights into why effective business process management coupled with Operational Risk architecture makes sense, through the lens of the Board of Directors. Transparency.

Still to this day, the questions remain:
  • What can my organization do about the risk of loss resulting from inadequate processes, people, or systems?
  • To what extent should my organization link employee compensation or job performance with operational risk management?
  • How is operational risk taken into consideration when new products or technology solutions are designed or acquired, deployed, and executed?
  • Does my organization have an inventory of its key business processes with documented controls and designated senior managers responsible?
Can these questions be answered in a book of 308 pages from 2008? It was a good start, to say the least. The authors understood that to really embed a culture of ORM into the enterprise, you have to begin at the architecture level, the business process level.

This is far in advance of the governance of information and the business rules coded into software systems, even for such mundane corporate tasks as expense report or travel request review and sign-off.

You see, some companies still think that they are doing just fine with their Safety and Security Team, Continuity of Operations and Crisis Team, Chief Information Officer (CIO), General Counsel (GC), Chief Financial Officer (CFO) and in limited cases the Travel Risk Management department all working autonomously. They think that having a few dedicated investigators to look into corporate malfeasance is all they require in a corporate population of tens of thousands.

What do we mean by autonomous? Not what you may think. There is no doubt that the leaders of these organizational departments are cooperating and coordinating functionally. They have each other on speed dial. They share high level red alert Intel with each other.

The question is, what is being done at the metadata level of the Operational Risk Enterprise Architecture (OREA)?

How are they designing Operational Risk Management systems to answer key questions at the speed of business? To continuously adapt to an organization’s changing global environment, executives must know about, keep in balance, and communicate several vital components:
  • What are the organizational strategies (Strategic Intent) and how these should be implemented (Strategy Development and Organizational Change)
  • What organizational processes are executed and why, how they are integrated, and how they contribute to the strategy of the organization (Business Process Management)
  • How human resource utilization is working and whether there is optimum use of skills and resources available across processes and functions (Human Resource Management)
  • To what extent the enterprise organizational chart is cognizant of appropriate roles and responsibilities, in order to effectively and efficiently carry out all work (Organization Management)
  • What IT applications exist and how they interface with what processes and functions they support (IT Portfolio Management)
  • How the performance of each process, each function and each individual adds up to the organization’s performance (Performance Management)
  • What projects are currently underway, how they affect and impact change, what processes and IT applications they change and how this contributes to the strategy of the organization (Project & Program Management)
Is Operational Risk Management (ORM) about "Big Data Analytics"?

Only if your organization values better transparency, governance and regulatory compliance. Ask the Board of Directors their answer on this question to determine whether ORM is a "Big Data Analytics" issue. How big is big?

The momentum for transparency is now at the U.S. government level of commitment. It is the law. Big Data Analytics will mean nothing without increased transparency. Now we can ask the questions that we all want answers to.

The Operational Risk Management (ORM) architecture of your enterprise will now begin with transparency, as the fundamental "Square One".

26 January 2019

Davos 2019: A War on Trust...

As the World Economic Forum Annual Meeting comes to a close in Switzerland, "Trust Decisions" are on our mind.
"The corporate, political and cultural elite gathered in Davos are expressing worries about a disturbing trend: The erosion of public trust in institutions and companies.

World Economic Forum attendees said the lack of faith in everything from governments to social media platforms is hampering innovation and contributing to widening inequality."

Over five years ago the new rules for business and the Net were in plain sight.  Articulated in a way that most business owners, CEOs of global enterprises and even our politicians could understand.

Yet at this year's Annual Meeting, trust is becoming a buzzword in the panel discussions and around the dinner tables in Davos.  How might the institutions attending the World Economic Forum strive to build a planet where "Achieving Digital Trust" is the basis for starting a business or at ground zero of creating a new product?

In 2015, Jeffrey Ritter published his book:

"In reading this book, you will explore and acquire an entirely new portfolio of tools and strategies to help shift the momentum of that war. As in any combat or battle, to succeed, it is essential for you to understand what is at stake. What we are facing is more than a war to control information. It is a war on our ability to trust information. Yes, a war on trust." Achieving Digital Trust by Jeffrey Ritter

To presume the trustworthiness of information is now a continuous question. GDPR and other forward-leaning regulations are beginning to shape the way we design our systems.

So what?

How will those citizens and consumers that are devouring information from that electronic photography and RF device in the palm of their hand, think differently in the next few years?

How will the designers and engineers of Samsung, Apple, IBM, Amazon, Google, Facebook and others architect their new software and solutions with trust embedded in all that they produce?

When will our citizens understand that not selling your data, does not actually mean that your data has not been given away for free?

The future of our institutions, governments, products and relationships must be built on trust.  As you sit across the table from your editor, your CEO, your elected official or your senior software engineer you must ask the question, how will we achieve digital trust?

What if there was a Green, Yellow, or Red banner across the top of the display screen, as a quick identifier whether the information being delivered and displayed was in compliance with the new "World Digital Trust Standard"?

Yet we know that "Green Padlocks" in front of our URL and the "Privacy Essentials" grade in the top of our browser, just isn't enough.  Especially when we know that there are U.S. DHS Emergency Directives such as 19-01 in place:

"In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering."

Jeffrey Ritter is correct.  It is a war on our ability to trust information.  Do you understand what is at stake in your nation state?  Your organization?  Your household?  Yes, a "War on Trust"...

19 January 2019

International Risk: Cyberwarfare Rules of Engagement...

When the financial private sector views the actions of government, in terms of regulation and compliance, it is often considered another risk to its operations. Why? More rules and the need to report on oversight create new obstacles to other, more valuable revenue-producing activities.

CDOs were a focus in the movie "The Big Short" and are an example of a financial product that explains why the government regulation mechanisms continue to exist. Yet the implementation of internal controls to thwart the embezzlement of funds or the theft of proprietary intellectual secrets is something that is encouraged and welcomed in the banking community. This paradox is something that continues to occur in the cyber risk management domain.

The dawn of Internet banking spawned many of the Operational Risks associated with using public networks for our various banking transactions. The oversight of cyber risk management in the financial institution is still a major challenge, yet it is becoming more mature by the day.

Government is more effectively learning how to apply the right oversight with private sector institutions, through the use of International Standards such as ISO 27001 and NIST best practices to protect Critical Infrastructure.

The newest strategies for cyber risk management have been a robust topic of global conversation. New reports on the origin of state-sponsored hacking and cyber crime data breach incidents have produced some new theories on how to address these international Operational Risks:

"Deadly force against organized hackers could be justified under international law, according to a document created by a panel of legal and cyber warfare experts. Use of lethal force on those behind a cyberattack on a nation would be legal if the virtual attack meets criteria similar to those currently accepted for real-world warfare, said Michael N. Schmitt, chairman of the International Law Department at the U.S. Naval War College in Newport, R.I. Schmitt is the editor of the Tallinn Manual on the International Law Applicable to Cyber Warfare, a 300-page book put together by a score of experts at the request of NATO and published by Cambridge University Press."

Even the most knowledgeable cyber experts are at odds over the topic of "Active Defense" and the use of asymmetric cyber force to retaliate against a so-called attack or denial of service. A kinetic response is much more clear, based upon the source or attribution evidence of the attack. In the cyber domain, the word "Attribute" has some very interesting ramifications.

The State-of-Play will remain the same and for good reason. The governments of the world do not take issue with each other performing reciprocal cyber espionage. This practice is just a new version of intelligence collection and the next manifestation of Tinker Tailor Soldier Spy. However, if there should be any visible or kinetic damage to infrastructure, then the Tallinn Manual will be a vital resource for all. The question remains, what is a cyberattack? Jim Lewis said over five years ago:

"“Cyberattack” is one of the most misused terms in the discussion of Chinese hackers. With very few exceptions, China has not used force against the United States in cyberspace. What it has been doing is spying. And spying, cyber or otherwise, is not an attack or grounds for war, even if military units are the spies. Spying isn’t even a crime under international law, and it wouldn’t be in Washington’s interest to make it so."

Cyberwarfare Rules of Engagement remains a significant international Operational Risk...

12 January 2019

4th Generation Warfare: Insider Risk...

Flashback to 2010.  Over 8 years ago, this author discussed the situational awareness and the implications of the "Stuxnet" malware that was being investigated by international authorities. In January 2011, the New York Times published a more detailed set of facts and a hypothesis that the sophisticated "worm code" was tested in Israel:

By William J. Broad, John Markoff and David E. Sanger:
The Dimona complex in the Negev desert is famous as the heavily guarded heart of Israel’s never-acknowledged nuclear arms program, where neat rows of factories make atomic fuel for the arsenal.

Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran’s efforts to make a bomb of its own.

Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.
The implications of 4th Generation Warfare (4GW) for global critical infrastructure organizations are obvious. The Operational Risks associated with targeted infiltration of systems that control machines, manufacturing processes and software that manages transportation have now changed the baseline for where to begin mitigating this asymmetric threat.

Executives then and to this day, realize the continuous requirement for improved focus on the "Insider Threat" to their systems operations. Why?
This particular worm was initially delivered by a USB Thumb Drive according to various reports. This means that someone would have to have been inside the facility targeted for the attack, to actually introduce the malware to the actual system controller. A person within the perimeter of the organization with this single device, could set the chain reaction in motion.

Whether you are a major manufacturer or an electric utility doesn't matter. The person you trust to access systems inside the organization is the basis for mitigating this type of attack. Most important is the scrutiny associated with the extended supply chain of semi-trusted contractors or others known to the organization.

All of the background checks and other methods for determining someone's character will not be the major deterrent to a worm introduced internally to an Intranet with the use of a USB thumb drive.

So what is the answer to address this threat?
A TSA-style check, scan and pat down at the entrance to every commercial enterprise that has computers inside with open USB ports? This is very unlikely in the near term for most facilities.

What about disablement of the technology itself, that turns off the ports themselves on each system inside the organization perimeter? This solution is more likely to deter many opportunities for this type of USB style attack to occur, yet still doesn't remove all of the risks against another possible vector to the network through a CD drive as an example.
Regardless of the method or the controls you employ to mitigate this risk, it will not eliminate the entire threat from your organization. Even the use of a "Digital Sandbox", Endpoint security measures or other methods to disable ports on systems will not entirely lock down your organization.
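Because no port control removes the risk entirely, a detective control belongs beside the preventive one: make every removable-storage attachment visible to the GSOC. As an added example (not from the original post), here is a small detector that correlates Linux kernel log lines by USB port path and flags mass-storage devices whose vendor/product pair is not in the organization's inventory; the log lines and the allowlist values are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of kernel (dmesg/syslog) lines for two attachments:
# an inventoried keyboard on port 1-1 and an unknown thumb drive on 1-2.
SAMPLE_LOG = """\
Jan 12 09:14:02 host kernel: usb 1-1: new full-speed USB device number 3 using xhci_hcd
Jan 12 09:14:02 host kernel: usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
Jan 12 09:14:02 host kernel: usb 1-1: Product: USB Keyboard
Jan 12 09:31:47 host kernel: usb 1-2: new high-speed USB device number 4 using xhci_hcd
Jan 12 09:31:47 host kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.26
Jan 12 09:31:47 host kernel: usb 1-2: Product: Cruzer Blade
Jan 12 09:31:47 host kernel: usb 1-2: SerialNumber: 4C530001234567890123
Jan 12 09:31:47 host kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
"""

# Inventoried (idVendor, idProduct) pairs; placeholder values for the example.
ALLOWLIST: Set[Tuple[str, str]] = {("046d", "c31c")}

TS = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) ")
NEW_DEV = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    first_seen: str
    serial: Optional[str] = None
    mass_storage: bool = False


def parse_usb_events(log: str) -> Dict[str, UsbDevice]:
    """Build one record per attached device, keyed by the kernel's port path."""
    devices: Dict[str, UsbDevice] = {}
    for line in log.splitlines():
        ts = TS.match(line)
        stamp = ts.group("ts") if ts else "?"
        if m := NEW_DEV.search(line):
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"], stamp)
        elif (m := SERIAL.search(line)) and m["port"] in devices:
            devices[m["port"]].serial = m["serial"]
        elif (m := STORAGE.search(line)) and m["port"] in devices:
            # usb-storage binding is what distinguishes a thumb drive from a keyboard
            devices[m["port"]].mass_storage = True
    return devices


def unapproved_storage(devices: Dict[str, UsbDevice],
                       allowlist: Set[Tuple[str, str]] = ALLOWLIST) -> List[UsbDevice]:
    """Mass-storage devices whose vendor/product pair is not inventoried."""
    return [d for d in devices.values() if d.mass_storage and (d.vid, d.pid) not in allowlist]


if __name__ == "__main__":
    for d in unapproved_storage(parse_usb_events(SAMPLE_LOG)):
        print(f"ALERT {d.first_seen} port {d.port}: unapproved mass storage "
              f"{d.vid}:{d.pid} serial={d.serial}")
```

The serial number, when the device reports one, is what lets the GSOC tie the alert back to a specific physical drive and the badge record of whoever was at that workstation.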

There is only the ability to create a more resilient and durable environment to survive a significant business disruption. The mindset shift to durability and the latency to recover now becomes the new strategy for these kinds of risks.

Using a strategy for "Business Resilience" is one that requires significant resources, a Global Security Operations Center (GSOC) and a committed management team. The ability to survive is the first part of the process, and how soon you return to full operational capability is the metric. How long does it take to bounce back to normal from a major crisis in your organization?

The ability to manage emerging risks, anticipate the interactions between different types of risk, and bounce back from disruption or crisis, will be a competitive differentiator for companies and countries alike in the 21st century.

Homeland security is often seen as a protective, even defensive, posture. But Maginot lines are inherently flawed. Fences and firewalls can always be breached. Rather, the national focus should be on risk management and resilience, not security and protection.
Resilience—the capability to anticipate risk, limit impact and bounce back rapidly—is the ultimate objective of both economic security and corporate competitiveness...