17 March 2018

Future Risk: Citizen Soldiers Extinct...

It is not often that we see an editorial article that prompts us to get the scissors out of the drawer to cut it out of the Washington Post.  It remains in the saved articles file from 2009 and is relevant still to this day.

This opinion, written by Matthew Bogdanos, is worth some additional consideration from an "Operational Risk Management" perspective. He is a Colonel in the U.S. Marine Corps Reserves and now an assistant district attorney for New York City. He writes:
"A nation largely founded on the citizen-soldier ideal finds itself, following Vietnam and the expulsion of recruiters from campuses, with the military and civilian worlds warily eyeing each other across a cultural no man's land. As budgets shrink future forces, veterans will be fewer and the chasm wider -- to our peril.
No one wants everyone to think and act alike. Diversity is a major source of our nation's strength. But this diminishing shared experience leaves us ill-prepared against global terrorism. As the British general Sir William Butler warned a century ago, "A nation that will insist upon drawing a broad line of demarcation between the fighting man and the thinking man is liable to find its fighting done by fools and its thinking done by cowards."
We will leave it up to the OPS Risk Managers of the globe whether to agree with Col. Bogdanos and his comments. What is our takeaway from his words about "Duties That Are Best Shared?" We think it's quite simple:

How can an "Operational Risk Manager" make effective decisions without having walked a few "clicks" in another person's boots? Decision support from the Incident Command Center is far more effective if the person making those decisions has relevant, first-hand, on-the-ground experience.

In the corporate world, asking a newly hired employee to take the week-long orientation training without having done it yourself is not only bad management, it's reckless governance of the organization.

Years ago after the invasion of Baghdad, this OPS Risk manager (Bogdanos) did what we do every day. He adapted, improvised and overcame risks in order to recover stolen artifacts from the museums.  The investigation was successful because not only was he someone that had experienced what it was like to operate in a war zone, he also was a subject matter expert on much of what was recovered.

If you are going to be an effective risk manager in your government organization, startup or Fortune 500 company, you have to train with your troops in the business unit or at the base. You have to know first hand, what you are talking about.

Without these, "we risk a future without all of us working towards the same ends --whatever society decides those ends should be."

You need to "get out of the building" as we say these days. Solving problem-sets within your agency or with your "Cash Cow" customer requires getting right in the bull's-eye of the issue: seeing it, touching it and hearing it first hand.

Without this insight, you lack the understanding, empathy or compassion for the people who experience the problem each day.  You fail to see how a new approach, process or new system will be better.

If you think this is sound reasoning and you are looking for others to assist you in your problem-solving journey, look no further than the Defense Entrepreneurs Forum (DEF).  You will find others who are focused on National Security innovation and have definitely been "outside the building."

Maybe even more vital is their mindset on disciplines such as Design-Thinking, Lean Methodologies and achieving Decision Advantage. Col. Bogdanos, "Citizen Soldiers" are definitely not extinct.

Happy St. Patrick's Day!

10 March 2018

Security Governance: Rededication...

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reason. More importantly, security governance frameworks must make sure that the management of a business or government entity is held accountable for its performance.

The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A new element that has only recently been discovered is the role of risk management in "Security Governance."

Security Governance, like Corporate Governance requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches.

The basic responsibility of management, whether in government or the corporate enterprise is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

An organization’s top management must identify, assess, decide, implement, audit and supervise their strategic risks. There should be a strategic policy at the board level to focus on managing risk for security governance.

The security governance policy should mirror the deeply felt emotions of the organization or nation, to its shareholders and citizens. It should be a positive and trusting culture capable of making certain that strategic adverse risks are identified, removed, minimized, controlled or transferred.

An enterprise is subject to a category of risk that can’t be foreseen with any degree of certainty. These risks are based upon events that “Might Happen”, but haven’t been considered by the organization. Stakeholders can’t be expected to be told about these risks because there is not enough information to validate or invalidate them.

However, what the stakeholders can demand, is a management system for Security Governance that is comprehensive, proactive and relevant. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources.

It is this Security Governance management system with which we all should be concerned and which we seek from our executives, board members and oversight committees. There should be a top management strategic policy to focus on managing risk for security governance.

This risk management system should establish the foundation for ensuring that all strategic risks are identified and effectively managed. The policy should reflect the characteristics of the organization, enterprise or entity; its location, assets and purpose. The policy should:

1. Include a framework for governance and objectives
2. Take into account the legal, regulatory and contractual obligations
3. Establish the context for maintenance of the management system
4. Establish the criteria against which risk will be evaluated and risk assessment will be defined

A process should be established for risk assessment that takes into consideration:
  • Impact, should the risk event be realized
  • Exposure to the risk on a spectrum from rare to continuous
  • Probability based upon the current state of management controls in place
The strategic security risks that the organization encounters will be dynamic. The management system is the mechanism by which the executives identify and assess these risks and the strategy for dealing with them.

It is this system which we are concerned about and which we seek to provide in order to achieve our Security Governance.

04 March 2018

Perseverance: How many problems have you solved today...

"We can not solve our problems with the same thinking we used when we created them." --Albert Einstein

Measuring success is something that happens on a daily basis in life and in business. The metrics however are different. Or are they?

When Wall Street or the Board of Directors measures success, the quants are looking at mathematical equations to determine Earnings Per Share (EPS) or Return on Equity (ROE) of a business. After all, how can an investor determine where they should invest their capital? Operational Risk is always a factor.

When people measure success in their life, the measuring tools and methods are sometimes different. For one person, it is whether they or their children have finished the day without that feeling in their gut of starvation. For another person, it is whether they will live long enough to see their first grandchild. For others, just living a life full of faith, integrity, ethics, trust and resilience is enough.

Some people might measure success by the car they drive, the house or neighborhood they live in or the Country Club where they are a member. In Silicon Valley, the metric may be how many rounds (A, B, C, D) of funding your startup has achieved. Around the beltway in Washington, DC the metric could be whether your "Program" was funded in the last budget cycle.

The problem-sets that we engage with in business, organizations, government and in life, require the time and the effort to truly assess the catalyst and the environment that you are operating within.  But not too long.  Speed and time to a solution, can be your strategic ally or your lethal enemy.

To solve an identified problem requires an analysis of the root cause and the final solution may be achieved in small incremental steps.  The final answer may take minutes, hours or even years.  The one factor that will remain constant, is your ability to forge successful relationships with others to assist you.

The other factors in achieving success, once you truly understand the real problem, are the ability to adapt, pivot and persevere. Perseverance: the continued effort to do or achieve something despite difficulties, failure, or opposition.

How long have you been persevering?

1 day.  1 month. 1 year.  5 years. 20 years.  40 years.  60+ years.  You see, your success is based upon experience and wisdom, yet it has only one metric.  How many problems have you solved so far?

What you see and hear today, what you think about and how you do it, is all in your ability and capacity to solve the daily problems of life and business.

So what?  This is nothing new...

You have no doubt heard of, or read, a famous book about similar topics and subjects. How to be successful?

What if perseverance was that one differentiator, that determines whether you are successful, or not?

Again, you have heard it all before.  Stop doing this, start doing that.  Keep doing it.  Did you hear that from your mother, father or your latest boss?  Really, is that all success is about?

Guess what?  Are you still alive?  Did you, or your children or parents go to bed hungry tonight?  If the answer is yes that you are reading this, and no one was hungry...you have been successful today.

Remember, tomorrow you will be solving more problems and persevering...to persist in a state, enterprise, or undertaking in spite of counterinfluences, opposition, or discouragement.

Godspeed!  Have a prosperous journey...

25 February 2018

Decision Advantage: Cognitive Apps to Achieve Digital Trust...

There are several nation states racing towards substantial "Decision Advantage" priorities that include Quantum computing. The reason is becoming more obvious to those who operate somewhere within the Information, Technology, Communications (ICT) sector. Operational Risk Management (ORM) is a top-of-mind dialogue for industry and governments.

Countries are being measured on their "Dimensions of Digital Trust" as these authors in Harvard Business Review recently revealed:

"What these stories underscore is that our digital evolution and our productive use of new technologies rests on how well we can build digital trust. But is it possible to measure digital trust and compare it across countries? Are there countries where guaranteeing trust is a more urgent priority and will draw a larger share of trust-building resources and regulations?"
Sweden's attitude towards Digital Trust is highest, with China in second place.  China leads the behavior category on how users respond to frictions in digital experiences.  Yet there are low levels of trust in the environment and experience categories in China, compared to the rest of the world.

As business races to gain market share and industry continues to own 85% of critical infrastructure, you will see three clear trends and business requirements emerge for "Artificial Intelligence":
  • Process Automation
  • Cognitive Insight
  • Cognitive Engagement
These are the key places today that Artificial Intelligence technologies are being applied in business.  You will see a continuous race to apply this new innovation where business requirements exist for:
  • Automating Business Processes
  • Gaining Insight Through Data Analysis
  • Engaging with Customers and Employees
Organizations are currently evaluating how these emerging "Artificial Intelligence" technologies can assist in some capacity to help humans make faster decisions. Will AI make more accurate decisions and enhance the overall user experience with vast oceans of new and rapidly changing data sets?

The capability to utilize new data to become more predictive, improves over time with "Cognitive Insight" applications.  These kinds of applications can recognize images and speech and attempt to mimic our brain.  Now think about how these are being applied outside of business, in the National Security domains.

The ICT applications that are now being tested and applied in the "Cognitive Engagement" realm include chatbots and other intelligent agents that are providing answers to frequently asked questions (FAQs). This category is less mature and is moving at a slower pace in business; Facebook, for example, found that its Messenger chatbots could not satisfy 70% of customer requests without a human assistant.

So what?

Organizations and industry will need to create a portfolio of active projects within the enterprise. The trend is a larger pool of (1) process automation apps, followed by (2) cognitive insight and then a smaller set of true (3) cognitive engagement applications. The maturity curve of these applications is accelerating rapidly.

Will the application of cognitive computing increase the level of "Digital Trust?"  How will humans verify that the decisions made by Artificial Intelligence are true and correct?  Jeffrey Ritter has been a leader in assisting organizations and governments in achieving digital trust.  He writes:
"Building for digital trust must become a priority of the nation-state and its components. Once ubiquitous computing is achieved, digital trust will become the competitive differential within the global space of the Net. Nation-states that position their regulatory rules to enable private sector companies to build digital trust more effectively will generate genuine advantage for both the public and private sector. But nation-states must also invest in building digital trust in their own infrastructures and services."
Where are there "Use Cases" to examine how these capabilities are currently being applied?

xView is one of the largest publicly available datasets of overhead imagery. It contains images from complex scenes around the world, annotated using bounding boxes. The DIUx xView 2018 Detection Challenge is focused on accelerating progress in four computer vision frontiers:
  • Reduce minimum resolution for detection
  • Improve learning efficiency
  • Enable discovery of more object classes
  • Improve detection of fine-grained classes
The dimensions of "Digital Trust" are expanding globally. Our human cognitive abilities are being assisted with rules being applied to expanding data sets. What are the "Rules for Composing Rules?" (authoring rules that are effective when crossing the chasm between the ambiguity of broad, governing rules (such as statutes or regulations) and the binary precision required by the executable code of software applications) 

The complexity of our "Operational Risks" has now become exponential.  Systems are in battle against other systems.  The speed and accuracy of our TrustDecisions will determine our "Decision Advantage."  In the near future, cognitive technologies will finally propel industry and countries, to a new strategy for achieving Digital Trust.

18 February 2018

Information Warfare: The Future of Trusted Words...

Trust is on the minds of almost every American as they read the Washington Post these days.  Reading a publication that utilizes a set of standards for journalism, may address part of your "Trust Decision" to depend on this source for your information.

Reading this Operational Risk blog, you understand that the words and opinions are not under the same editorial guidelines and grammar rule sets as the authors and journalists at the Washington Post.  The sentences and thoughts are being written freely however, by someone who you may know of, yet how do you really validate that the words were actually written by the assumed author?

At an early age in school, as a young student, your teacher at some point assigns that work called an essay, a short piece of writing that tells a person's thoughts or opinions about a subject.  Regardless of the topic assigned by the teacher, when the work is turned in to the teacher, they are assuming it was written by that particular student.  Unless they have doubts.

The trust you put into the author of words written in an essay for a class, or an article in the established newspapers, has for decades relied on the integrity of institutions and the validation of persons' true identities. Yet as the typewriter replaced handwritten documents, so too did the act of using another person's words or ideas without giving credit to that actual person: the act of plagiarizing something.

When you read this Washington Post article, you assume that the words are actually from the journalist:
Indictment shows how Russians conspired to disrupt U.S. politics — but not how to stop them next time

By Craig Timberg February 16 The Washington Post
"Efforts to reconstruct the Russian conspiracy to sway 2016’s presidential election benefited from the digital trails left behind whenever people travel, make payments or communicate using common technology such as Facebook or Gmail. Such breadcrumbs provided plentiful evidence for Friday’s indictment by the special counsel of the Internet Research Agency and 13 Russian associates.

But even as the disinformation campaign from two years ago finally came into focus, it was far from clear how to prevent future bids to distort American politics.

U.S. intelligence agencies warned this week that the federal government remains ill equipped to combat Russian disinformation even as crucial midterm congressional elections loom this fall. And technology companies, while cooperating with federal investigators, acknowledge that they still struggle to detect and thwart foreign propaganda without impinging on the free-speech rights of Americans."
Now in the age of computing, word processing and the Internet, the integrity of written words by a person is in question? The origin and authenticity of the actual words that are written by a human on paper, a typewriter or computer such as these, is now in question?

The utilization of various methods for "Information Warfare" is actually well known:
"Information Warfare has three main issues surrounding it compared to traditional warfare: 

The risk for the party or nation initiating the cyberattack is substantially lower than the risk for a party or nation initiating a traditional attack. This makes it easier for governments, as well as potential terrorist or criminal organizations, to make these attacks more frequently than they could with traditional war.

Information communication technologies (ICT) are so immersed in the modern world that a very wide range of technologies are at risk of a cyberattack. Specifically, civilian technologies can be targeted for cyberattacks and attacks can even potentially be launched through civilian computers or websites. As such, it is harder to enforce control of civilian infrastructures than a physical space. Attempting to do so would also raise many ethical concerns about the right to privacy, making defending against such attacks even tougher.

The mass-integration of ICT into our system of war makes it much harder to assess accountability for situations that may arise when using robotic and/or cyber attacks. For robotic weapons and automated systems, it’s becoming increasingly hard to determine who is responsible for any particular event that happens. This issue is exacerbated in the case of cyberattacks, as sometimes it is virtually impossible to trace who initiated the attack in the first place.[5]"
These words are being written by a human being.  His name is Peter L. Higgins.  Or are they?  The art and science of the truth has been evolving for hundreds of years.  What will we invent next, to validate our identities, provide assurance that the words written are actually human, and not of an Artificial Intelligence (AI)?

Whether the words you read are being written by a human-based "troll factory" in St. Petersburg or by a specialized Artificial Intelligence is not the point of this essay.  Then what is the point?

You have to make judgements as a human being about who to trust.  What to trust.  How to trust.  Why to trust.  This is a foundation of our human evolution.  Trust takes time.  TrustDecisions and the decision to trust someone or something, is actually a factor of science, mathematics and history.

Reading, writing and a decision to trust, is an Operational Risk.  True or False?

10 February 2018

Cluetrain: Manifesto Revisited...

When was the last time you revisited the 95 theses of the Cluetrain Manifesto? There are some nuggets here that remain timeless, even though they were written over 16 years ago. Here are some of the classics:
  • Markets are conversations.
  • Markets consist of human beings, not demographic sectors.
  • People in networked markets have figured out that they get far better information and support from one another than from vendors. So much for corporate rhetoric about adding value to commoditized products.
  • There are no secrets. The networked market knows more than companies do about their own products. And whether the news is good or bad, they tell everyone.
  • Networked markets can change suppliers overnight. Networked knowledge workers can change employers over lunch.
  • Your own "downsizing initiatives" taught us to ask the question: "Loyalty? What's that?" Smart markets will find suppliers who speak their own language.
  • Companies make a religion of security, but this is largely a red herring. Most are protecting less against competitors than against their own market and workforce.
  • To traditional corporations, networked conversations may appear confused, may sound confusing. But we are organizing faster than they are. We have better tools, more new ideas, no rules to slow us down.
  • We are waking up and linking to each other. We are watching. But we are not waiting.
In a hyperlinked, social networked, iPhone rich society, the authors and founders of the Cluetrain Manifesto must have had a crystal ball. The "end of business as usual" has been accelerating and the exponential explosion of zeros and ones has produced a global economy.

Just look at the saturation of IP connections across the planet Earth and you will see where the capital is flowing and the societal impact is obvious.
"A powerful global conversation has begun. Through the Internet, people are discovering and inventing new ways to share relevant knowledge with blinding speed. As a direct result, markets are getting smarter—and getting smarter faster than most companies."
So what? So what does all of this have to do with Operational Risk Management?

It has to do with the pervasive vulnerability that an organization perpetuates, without the correct attitude and policies about managing risks. Theft of trade secrets, corporate espionage, competitive intelligence and loss of intellectual capital as the headhunters feast on your key employees, to name a few.

Global enterprises with deep hierarchy in the organizational chart, continue to wonder how their best people have left and who leaked the information on the next big idea.

How would you ever put enough policies, tools, systems, training or behavior modification in place to stop the flow of new hyperlinks through your own corporate IntraNet or the public bulletin boards and social networking web sites? The fact is that you can't.

Here’s one example of how things work in a hyperlinked organization:

You’re a sales rep in the Southwest who has a customer with a product problem. You know that the Southwest tech-support person happens not to know anything about this problem. In fact, (s)he’s a flat-out bozo. So, to do what’s right for your customer you go outside the prescribed channels and pull together the support person from the Northeast, a product manager you respect, and a senior engineer who’s been responsive in the past (no good deed goes unpunished!). Via e-mail or by building a mini-Web site on an intranet, you initiate a discussion, research numbers, check out competitive solutions, and quickly solve the customer’s problem -- all without ever notifying the "appropriate authorities" of what you’re doing because all they’ll do is try to force you back into the official channels.

Game. Set. Match. Managing Operational Risks in the 21st century requires a whole new perspective. A brand new definition of the new "Normal."

03 February 2018

The 3rd Planet: On The Edge of a Digital Precipice...

After reading the Washington Post on February 3, 2018, there is little debate in our world capitals, that we are on the edge of a digital precipice.

Mobile devices in the hands of humans have exponentially changed the transnational landscape for our communications forever. Yet this digital precipice is just inches away from a tremendous chasm in our cultural, social and legal way of life.

Every organization now has substantial Operational Risks to manage, within the context of their group, company, enterprise, government and even family. This alone is not a revelation. However, if you are a Mother, Father, Brother or Sister, you are constantly challenged by the kinds of risks that plague anyone who dares to explore and utilize the benefits of the modern day Internet.

Our children are growing up faster, as they are exposed to the dark side of life, the evil that is present in our world.  They witness violence, revenge and all of the other negative attributes of society faster than ever before.

The outcomes of mother nature and our natural disasters are always front and center.  The digital controls and censors of broadcast television are no longer pervasive across the content and web sites available, to those who know how to navigate our IP-based digital oceans.

Operational Risk Management (ORM) is now each person's responsibility. It is no longer in the hands of a few people, in a few departments at your organization. It is not the role of a single person in your household to make sure the family router is configured correctly.

If you are holding your latest "Digital Device" in your hand, or tapping away on the keyboard of your new laptop, it is your decision to "Give" or to "Take."

Over a year ago, Adam Grant wrote his book. To get some context in 13 minutes, you can watch this YouTube video of his TED Talk.

We have for years been exposed to the concepts of "Pay It Forward" or even other concepts of reciprocity.  The real question is:  Are you a "Giver or a Taker?"  You might be surprised to learn what Adam Grant's research uncovers.

So what?

The ethics and morals that are embedded in you at an early stage of your life, will most likely continue.  The influence your Mother and/or Father or early childhood caregiver provided you may have made a difference.  Maybe it was an old book they read to you, or someone asked you to read.

We all know that the words, content, pictures, videos and ideas on the other side of that tiny digital screen in your hand are nothing more than a mirror of our own human behavior. Good or deleterious.

How will you use this iPhone tool today, to be a "Giver or a Taker?"  There might even be another option.  Turn it off and put it in a drawer.  At least for a few hours...but could you for a whole day?

When was the last time you donated your time, expertise, abilities or resources?  What will you do right now, to make a difference on the third planet from the Sun...

20 January 2018

Homeland Security: The Risk of Fusion Man...

Modern Day Operational Risk Management requires a multi-skilled and versatile individual. Someone who understands the difference between "Information Warfare" and "Cyberterrorism." And if you were born after 1980 and part of Generation Y, then you might even have more insight on how Sam Fisher has managed his way through unimaginable risks throughout his career as a Splinter Cell operative.

You understand why Homeland Security is ever more focused on HUMINT and our national security is ever so vulnerable to an increasing reliance on the Internet Protocol (IP).

Information warfare is an attack against computers, networks, or information systems to coerce or intimidate a government and its people. These attacks result in violence against people or property and generate fear.

Attacks that disrupt nonessential services or create a costly nuisance are not considered information warfare. Cyberterrorism results in severe effects such as death, bodily injury, explosions, plane crashes, water contamination, severe economic loss, and so on.

Information warfare is easily and most effectively waged against civilians. Because of its size and reliance on technology, no nation is as vulnerable to information warfare as the United States. Information warfare can be waged anonymously, or with all the publicity in the world.

If you were born before 1960 and you fall into the "Baby Boomer" category, you better spend some time with your "Generation Y" kids or nieces or nephews, if you want to better understand what is now coming over the threat horizon. There are Global Hawks and Predators seeking out their targets with skilled aviators located thousands of miles away.

These tools and systems of warfare are easily turned in our own direction and now Homeland Security finds its nexus with some new Operational Risk challenges. Accomplished authors such as P.W. Singer write about "What happens when science fiction becomes battlefield reality"?

"If issues like these sound like science fiction, that’s because many of the new technologies were actually inspired by some of the great scifi of our time -- from Terminator and Star Trek to the works of Asimov and Heinlein. In fact, Singer reveals how the people who develop new technologies consciously draw on such sci-fiction when pitching them to the Pentagon, and he even introduces the sci-fi authors who quietly consult for the military.

But, whatever its origins, our new machines will profoundly alter warfare, from the frontlines to the home front. When planes can be flown into battle from an office 10,000 miles away (or even fly themselves, like the newest models), the experiences of war and the very profile of a warrior change dramatically. Singer draws from historical precedent and the latest Pentagon research to argue that wars will become easier to start, that the traditional moral and psychological barriers to killing will fall, and that the “warrior ethos” -- the code of honor and loyalty which unites soldiers -- will erode."

Homeland Security professionals and new recruits to the various public and private sector organizations are ever more savvy and vital to managing the risks of the coming decades. Technology and the newest inventions of the human mind are consistently applied for the purpose of good and the well being of our fellow man. We are consistently pushing the outside of the envelope to fly farther and faster, even if it means becoming a "Fusion Man."

"Swiss adventurer Yves Rossy flew from France to Britain Friday propelled by a jetpack strapped to his back -- the first person to cross the English Channel in such a way.

Rossy, a pilot who normally flies an Airbus airliner, crossed the 22 miles between Calais and Dover at speeds of up to 120 mph in 13 minutes, his spokesman said.

When the white cliffs of Dover came into view, he opened a blue and yellow parachute and drifted down in light winds to land in a British field where he was mobbed by well-wishers.

"Everything was perfect," he said afterwards. "I showed that it is possible to fly a little bit like a bird."

Rossy traced the route of French aviator Louis Bleriot, who became the first person to fly across the Channel in an aircraft in 1909.

The Swiss pilot was propelled by four kerosene-burning jet turbines attached to a wing on his back. He ignited the jets inside a plane before jumping out more than 8,000 feet above ground."

We suspect that Mr. Rossy has hired some very competent lawyers to work on his patents and licensing of intellectual property. By now, it all may be classified and Sam Fisher is taking his first test flights.

13 January 2018

Situational Awareness: Reality in ORM...

Situational Awareness has always been a key factor in effective Operational Risk Management and Real-Time Incident Command.

Situational awareness (SA) involves being aware of what is happening around you to understand how information, events, and your own actions will impact your goals and objectives, both now and in the near future. Lacking SA or having inadequate SA has been identified as one of the primary factors in accidents attributed to human error.

What you know and when you know it, can make the difference between life and death in the context of real-time emergency management and tactical response operations.  However, it can also provide you with the intelligence you need to save lives and avoid new risks as a more sudden and real-time threat unfolds.

Whether it's the active shooter, disgruntled employee or an international hotel under siege, it should not matter. Let's take a minute and look at a sample timeline of the Mumbai attacks in India on November 26th, 2008 as one example from a situational report:
  • Two terrorists have barricaded themselves in the Oberoi Hotel; 3 dead and 25 injured. 11/26/08 10:31 PST
  • Terror strikes at 12 places in Mumbai. Up to 20 hostages held at Oberoi Hotel. 11/26/08 11:57 PST
  • Several British and American civilians among hostages at two hotels. Explosion reported at Taj Hotel. 11/26/08 13:59 PST
  • Explosions and fire reported at Oberoi Hotel; clashes continue in multiple locations across Mumbai. 11/27/08 07:23 PST
  • Indian elite commando chief is reporting that the Oberoi-Trident Hotel has been cleared of terrorist threat. 11/28/08 01:03 PST
  • Counter-terrorism operations declared over; at least 195 killed in attacks. An investigation is underway. 11/29/08 16:06 PST
Look at the time stamps and the lag time between each one. The person writing these bullets for a "Flash" message to subscribers or people asking for text based updates, was either not using all of the potential assets available to them, or they just did not think there was any relevance of the other information unfolding. This example of 2008 "Situational Awareness" reporting is not only dangerous and a thing of the past, it's letting the "Grey Matter" get in the way.

So what about the public? Are Periscope and #NEWS hashtags the answer?

The problem with most "Situational Awareness" capabilities is that the subject matter experts, commanders in the SOC/NOC, or the business CEO 2,000 miles away are letting the "interpreters" on the street, in the heat of the crisis, determine what is important. The second issue, until the past few years, is that the information is not "Real-Time":

Seamless and secure tracking and communication among mission planners, field personnel, and central command elements are essential to mission success. Raytheon's Blackbird Technologies Gotham™ system is a comprehensive back-end solution for monitoring, operating, and managing tagging, tracking, and locating (TTL) devices and viewing associated geospatial data. 

A Common Situational Picture for Military and Emergency Operations

With the ability to track assets and targets — and to communicate with team members and devices — Gotham enables networked team decision-making, control of resources, shared resource dispatching, and adaptability to change based on operational requirements.

In a disaster, communication among emergency responders and control of needed assets are vital to the safety and security of personnel and the public, as well as the effective execution of the disaster response mission.

Your Operational Risk Management tool box is now enhanced.  Pay it forward...

07 January 2018

Imagination of Trust: The Risk of CEO Transformation...

The true sign of intelligence is not knowledge but imagination. --Albert Einstein
In the past 17 years, over 50 percent of the largest industrial companies have been extinguished from the Fortune 500.  Some were acquired, others bankrupt, many others merged to survive.  Have you noticed the trend line on the stock price of General Electric this past year?

Digital Transformation and potential extinction is the single unanswered factor on every CEO's mind today.  As massive data sets become exponential in size, pervasive in geographic reach and utilize a wide spectrum of sensors from mobile phones to C4ISR, the Operational Risk parameters are even more complex.

Decision Advantage is the lofty goal and the speed to answers and insight is evermore the ultimate competition.  The words "innovation" and "disruption" are being used to describe something that is far more scientific and evolutionary.  The World Economic Forum has an initiative called "The Fourth Industrial Revolution" and the 48th annual meeting this month is entitled: Creating a Shared Future in a Fractured World.

So what?

The CEOs of this world are on edge.  They wonder if they will have enough intellectual and operational transformation in this digital and fractured world to survive.  They worry about the newborn threats of the digital age such as ransomware, blockchain and artificial intelligence.  Welcome to the conversation around the C-Suite and the new normal.

Yet who better to capture the essence of why this matters, than Jeffrey Ritter:

"When the information you need to make decisions is controlled, the quality of your decision is controlled and the possible outcomes from which you can choose slip from your control. Where there is less information, your decisions become vulnerable. As an executive, an IT architect, an investment manager, an educational director, or even a parent, your job is to lead with good decisions. You want your decisions to be ones that others will follow. But those ambitions erode when those fighting the war to control digital information are winning."

What is the cloud?  Your information on another organization's computer.  The race for faster decision advantage has now transformed to the race for the fastest TrustDecisions.  Decisions executed on trusted information are why we have the wave of new technologies embedded with encryption, biometrics and even Multi-Factor Authentication (MFA).

Digital Transformation in your enterprise changes your reason for existence.  The answers in many cases will be more about your people, not the technology.  It will require bold action and sweeping personal imagination.  The definition of imagination:
...the act or power of forming a mental image of something not present to the senses or never before wholly perceived in reality.
The trustworthiness of your future decisions is at stake.  The imagination of the people around you is a limiting factor.  As the CEO of your Fortune 500 company or the leader of your Series A startup, the time has come for your transformation...

31 December 2017

Prosperous Journey: This I Believe...

On the dusk of the last day of 2017, many people will reflect on what they have accomplished over the past year.  Others may focus on what they will change, in their daily routines for the New Year.  How many people do you know, that will pledge to do something as a resolution and never have a chance to succeed?

With 52 weeks in a year, what could you do every week at least once, for a few hours?  Or what could you do on a daily basis that changes your life forever?  There is a different opportunity for each person to choose.  Regardless of your place in life, your country, economic situation or remaining days on Earth, you can make a choice.

The choice you make is a decision.  A decision based upon experience, current conditions, future expectations or available data.  When you arrive at that point, to make a decision to rise early and take a run or a ride, or to write a blog post, or to hug your trusted loved one at least once each day, you are well on your way.
"This I Believe" are 3 powerful words when you embark on this journey ahead.  Who you are and what you believe as an individual, will have a substantial impact and influence on your future decisions.
This I Believe exists for those who have made a decision of transparency.  A way for us as individuals, to describe our essence as a human being and who we are:

"This I Believe, Inc., was founded in 2004 as an independent, not-for-profit organization that engages youth and adults from all walks of life in writing, sharing, and discussing brief essays about the core values that guide their daily lives.

This I Believe is based on a 1950s radio program of the same name, hosted by acclaimed journalist Edward R. Murrow. Each day, Americans gathered by their radios to hear compelling essays from the likes of Eleanor Roosevelt, Jackie Robinson, Helen Keller, and Harry Truman as well as corporate leaders, cab drivers, scientists, and secretaries—anyone able to distill into a few minutes the guiding principles by which they lived. These essayists’ words brought comfort and inspiration to a country worried about the Cold War, McCarthyism, and racial division.

In reviving This I Believe, executive producer Dan Gediman said, “The goal is not to persuade Americans to agree on the same beliefs. Rather, the hope is to encourage people to begin the much more difficult task of developing respect for beliefs different from their own.”

Maybe this is the year, you will write your own "This I Believe" essay.  The outcomes may surprise you.  The focus for this next year may now become 20/20 in the clarity of your vision.  Yet there is an opportunity to go further.  Make a decision to share this essay with others you care about.  Ask others to share their own "This I Believe" with you.  Why?

Transparency is vital to building trust with others.  At the root of making a Decision to Trust is transparency of data, information, emotions, behavior and clarity of purpose.  Why you make a decision to write and share your "This I Believe" with others, is a TrustDecision.

Embark on your journey ahead.  Start with a clear and substantial purpose, where you have been and where you are going in life.  Open your heart to others and share your beliefs.  Forgiveness is a decision.  It is the decision to offer grace, not to demand justice.

You now have 52 weeks ahead this year, to create and to produce, according to your core beliefs.


24 December 2017

Onward: Christmas 2017 and Beyond...

As you gather this weekend with family, friends and loved ones to celebrate, what will your prayers be?  Will you shed a tear at some point, as the emotions of the holiday overwhelm your senses?  How will you focus on the real meaning of Christmas?
"She will bear a son, and you shall call his name Jesus, for he will save his people from their sins." - Matthew 1:21
Remember and reflect all that you have done.  All that you have accomplished this past year of 2017, following the faith and in the name of our savior.  Onward...

17 December 2017

2018: The Speed of Operational Risk...

As we begin to look into the rear view mirror these last few weeks of 2017 and scan the horizon of 2018, Operational Risks are ever more so present.

Whether you are a leader of a global organization or the sole breadwinner of your single parent household, the management of risk is a daily priority.  Even getting enough sleep is a risk to health and well being.

So what are you going to do about 2018 and managing risk in your life? Your company. Your nation. Operational Risk Management is a discipline that can be mastered and those who will excel in the next few years understand what is at stake. Unfortunately, many people and organizations will not have the wisdom, experience or resources to survive the onslaught of new threats and to mitigate existing vulnerabilities.
"Achieving a substantial level of competence and resilience in Operational Risk Management takes decades of experience in seeing the mistakes. Witnessing the tragedy. Feeling the successful outcomes of a solid process for sense making. Using information in ways that we never dreamed about. Turning speed into your greatest ally."
Your ability to thrive in 2018 and beyond will rest with your leadership and the ability to adapt. Yet even beyond this fundamental reality is the continuous discipline to effectively accept more risks. The organizations and those individuals who rise to the 2% or even 1%, took more risks than you did. The question is, why?

Accepting a risk means that you have to think through the real potential outcomes. Both positive and negative. And you have to make the decision to accept each risk action at light speed. Otherwise, it is too late.

This is not a game of spending too much time trying to figure out odds and percentages.  It is a professional decision to act, while not knowing the exact future outcome. What you do know, is the clear result of a positive outcome and even more importantly, you know the result of a negative outcome.

Can you live with either outcome? If the answer is yes, then you should consider yourself a true Operational Risk Professional. Now make the decisions faster, before someone else makes them before you do...

The cyber offensive against ISIS, an acronym for the Islamic State, was a first and included the creation of a unit named Joint Task Force Ares. It focused on destroying or disrupting computer networks used by the militant group to recruit fighters and communicate inside the organization. Such offensive weapons are more commonly associated with U.S. intelligence agencies, but they were brought into the open in 2016... Washington Post by Dan Lamothe

We wish you an abundance of new and rapid Operational Risk decisions in 2018!

10 December 2017

Future Risk: Resilience and Competitiveness...

The U.S. Department of Defense (DoD) is in the middle of substantial Operational Risk Management discussions behind closed doors, in light of new threats and new priorities. The majority of the Intelligence Community budgets are under the DoD umbrella and in a new world order, subjected to the mobile ICT revolution that is erupting before us. Do Twitter and other social media tools present the need for a new paradigm shift in the future evolution of the Intelligence Community (IC)? Consider this flashback analysis:
"This paper analyzes the role of situational information as an antecedent of terrorists’ opportunistic decision making in the volatile and extreme environment of the Mumbai terrorist attack. We especially focus on how Mumbai terrorists monitored and utilized situational information to mount attacks against civilians. Situational information which was broadcast through live media and Twitter contributed to the terrorists’ decision making process and, as a result, increased the effectiveness of hand-held weapons to accomplish their terrorist goal. By utilizing a framework drawn from Situation Awareness (SA) theory, this paper aims to (1) analyze the content of Twitter postings of the Mumbai terror incident, (2) expose the vulnerabilities of Twitter as a participatory emergency reporting system in the terrorism context, and (3), based on the content analysis of Twitter postings, we suggest a conceptual framework for analyzing information control in the context of terrorism."
The Mumbai attackers could have used open source social media even more to their advantage and this is what the Intelligence Community (IC) continues to leverage as the Arab Spring(s) continue, civil war escalates in Syria and other ICT-enabled regions of conflict emerge. The tools are becoming more optimized to the kinds of applications necessary to deal with these new Operational Risks. What may continue to be the greatest vulnerability, is the economics. The ability to invest in and provide training for the new generation of cyber warriors and HUMINT collectors. Are the Trusted Systems and Networks in place integrated with the latest Commercial-Off-The-Shelf (COTS) software riding on encrypted networks?

The convergence of mobile, cloud and big data is the single IT transformation issue in governments and the private sector. The IC and DoD realize that the only way to survive and to be more resilient is to close or converge data centers with legacy hardware and software, while simultaneously accelerating the onboarding to private sector assets that have also been certified and accredited. The next vulnerability being discussed is how to acquire enough of the existing energy grid to support the requirements for cooling the vast data centers under construction and getting access to dark fibre. Bluffdale has been just one example:

"Inside, the facility will consist of four 25,000-square-foot halls filled with servers, complete with raised floor space for cables and storage. In addition, there will be more than 900,000 square feet for technical support and administration. The entire site will be self-sustaining, with fuel tanks large enough to power the backup generators for three days in an emergency, water storage with the capability of pumping 1.7 million gallons of liquid per day, as well as a sewage system and massive air-conditioning system to keep all those servers cool. Electricity will come from the center’s own substation built by Rocky Mountain Power to satisfy the 65-megawatt power demand. Such a mammoth amount of energy comes with a mammoth price tag—about $40 million a year, according to one estimate."

This is the kind of capability that will remain exempt from the threat of limited funding or future austerity in the new world order of mobile, cloud and big data. The introduction of tools or services such as Silent Circle, Wickr, Signal and others will only add to the Operational Risk challenges of the next decade. Privacy will become a sought-after luxury, only available to those with the means or the latest set of consumer-based communications tools. Either way, the senior executives of private sector critical infrastructure companies are under the spotlight. They own the majority of the ICT assets and therefore have the most to win. Unfortunately, they also have the most to lose.

The future of the DoD and the IC will be determined by the success or failure of the cooperation, coordination and collaboration of men and women with a unity of purpose. Patriots who will continue to do the right things for the right reasons. The future is now about resilience and competitiveness. Let's get to work!

02 December 2017

Situational Awareness: Battlefield to Board Room...

Creating a "Common Operational Picture" for your organization is an elusive yet attainable goal for your senior management and the Board of Directors. How, at a moment's notice, does the organization provide leadership with the answers to Operational Risk questions such as:
  1. How many employees from our company are currently traveling outside their home country?
  2. What are their modes of transportation and where do they plan to stay each night?
  3. What employees from our "Red Zone" list have left the company in this past week?
  4. How many of these employees left suddenly without any warning?
  5. What employees were asked to resign or were fired from their position?
  6. What controls have failed in the process for closing deals within our standard time period?
  7. How much has our sales pipeline increased or decreased over the past quarter?
  8. What is the total number of network access points (Points of Presence) our company currently believes are available for employees to connect to the Internet?
  9. How many known incidents occurred over the past week related to malicious software attacks or Denial of Service attempts on our network?
  10. How many employees started work with the company who have been added to the "Red Zone?"
  11. What are the names of the local liaison officials for our water, power, telecom and data carrier suppliers? Who is their deputy?
  12. How often has the company exercised a plan for major business crisis or disruption in the past year?
  13. What is the current forecast for severe weather in the corporate headquarters region in the next week?
These questions and more should be able to be answered at a moment's notice. Any senior manager or member of the Board of Directors should have an information dashboard they can view with these situational awareness questions at their fingertips.
If you don't have the latest Operational Risk Quotient in your enterprise, it may be a clear indicator that the people, process, systems or external events are a severe threat. The corporate landscape, or battlefield if you will, requires that the commanders in the field have the intelligence they require to make split second decisions.
These Directors, Managers and Supervisors who drive the business forward each day need leadership to give them split second answers, especially in the midst of a crisis. There is no time for a Q & A session or for an extended report to give leadership the view they need to steer the enterprise out of harm's way.

Operational Risk Managers rely on a combination of real-time feeds from internal sources and outside the organization to provide this level of situational awareness. CCTV feeds, access controls, intrusion detection, and many more are part of the Corporate Intelligence Unit's own Fusion Center.

Why is this a prudent business practice to assist you in "Achieving a Defensible Standard of Care" for your employees? Because without it you are flying blind and trying to operate without the awareness and predictive ability to mitigate risks as they unfold before you.

Whether it is on the battlefield or in your own organization does not matter. Your people need to understand their role in providing this vital aspect of the risk management solution. Without hourly, by-the-minute or by-the-second intelligence about your people, processes, systems and external events, you are destined for a future either known or unknown. You make the choice.

25 November 2017

Imagination: Limitless Exploration Ahead...

“Never be limited by other people’s limited imaginations.”
--Dr. Mae Jemison
When was the last time you traveled outside your own country or beyond?  The discovery of new places, environments and the opportunity to experience other cultures is a key factor in gaining new context.  The learning and the observations of how other people behave and how things work in other countries, provides additional insights to your own social and economic factors.

What works in one organization, city, county or country may not be enough to make a difference in other places around the globe.  The limits, the parameters or the laws may work in one geographic location and simultaneously have little relevance or importance somewhere else.  This could be due to environmental factors, culturally historic issues or just simple critical infrastructure, either present or non-existent.

Who do you respect past or present, for their ability to imagine something new, something different, something better or something that has never been thought of before?  People with limited imaginations have not experienced what these thought leaders have seen, heard and felt both physically and emotionally around the world.

Over time, the transport vehicles included animals (horses, elephants, camels), boats, ships, balloons, automobiles, aircraft and spacecraft.  The intellectual vehicles we use to take us other places by people who have been there include books, newspapers, television, radio, movies and the Internet.

Think about the people you interact with each day.  How limited are their imaginations?  Have they traveled far and wide across the world?  Are they well read in the latest current events, world issues and global challenges?  What opportunities have they been given in their lives to witness our planet, witness what humans are really capable of doing?  What has all of this done to give them purpose in life?

Scientists, researchers, inventors, disciples, professors, explorers, warriors, teachers, environmentalists, humanitarians, journalists, artists, photographers, mountain climbers, scuba divers, sailors, pilots, drivers, captains, astronauts and many others, have been increasing their abilities of imagination.  Why?
"Go confidently in the direction of your dreams, live the life you've imagined..."
--Henry David Thoreau
Did you ever wonder how someone you read about or see in life, got to where they are?  If you are asking yourself that same question, you must be wondering what ingredients they used, so that you could try and pursue the same path, or perhaps avoid it altogether.  Is it curiosity?  Is it courage?  Is it resources?  Is it faith?  Is it environment?  Is it a mystery?

You see, the truth is, you still have the ability for limitless imagination.  Why haven't you explored it yet...

18 November 2017

Operational Risks Are Taking Executives By Storm...

Executive Summary

There is a growing threat on the business horizon. The risk of loss from inadequate or failed processes, people, and systems or from external events is taking executives by storm. This definition of Operational Risk also includes legal risk, which is the risk of loss from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institution's activities.

In the course of a single day the organizational exposure to threats ranges from low to severe on the horizontal axis. It isn’t until you put the vertical spectrum into consideration that you arrive at your “Operational Risk Profile” for that particular slice of time. This vertical axis is the range of consequences that would impact the business should the threat event actually occur. It ranges from minor to disastrous. Each day our organizations live in a dynamic spectrum of tolerable and intolerable threats to our most precious corporate assets.

The Mission

The organization shall develop, implement, maintain and continually improve a documented operational risk management system. Identify a method of risk assessment that is suited for the organization's business assets to be protected, regulatory requirements and corporate governance guidelines. Identify the assets and the owners of these assets. Identify the threats to those assets.

Identify the vulnerabilities that might be exploited by the threats. Identify the impacts that losses of confidentiality, integrity and availability may have on the assets. Assess the risks. Identify and evaluate options for the treatment of risks. Select control objectives and controls for treatment of risks. Implement and operate the system. Monitor and review the system. Maintain and improve the system.

The Take Away

While you were in the Board of Directors meeting, your Operational Risk Profile changed. When you were asleep last night it changed again. The people, processes, systems and external events are interacting to create a new and dynamic threat matrix for your organization. Who is responsible for Operational Risk Management in your business? Everyone is.

You see, if everyone in the organization was able to understand and perform the mission flawlessly, then the business could stay in the lower left quadrant. This is where the threat exposure is low and the consequences are minimal. This is exactly why you are spending less and less time here. Only a guarded few understand the mission of operational risk management in your company. Only a guarded few can do it flawlessly. If you want to protect your corporate assets better than you do today, then turn those guarded few into the mission ready many.

11 November 2017

November 11: The One Percent Who Serve...

It is Veterans Day 2017 and all of those who understand what that means, are thinking about it.  Some out loud and for others, it is an internal battle of thoughts and emotions.

November 11 is a day that some families are sad about.  It is a day that so many other Americans think is just another day off.  Yet others think about that 1%, who now defend and serve our country.  Who are they and what are they truly feeling on Veterans Day?

If you really know anything about the life of a Veteran, you probably know that life inside the military changes you.  Just as working within any major organization for 2, 4+ or even an entire career, will impact your life in some way.

Spending that duration of time with others who served, whether inside the United States Army, Air Force, Navy, Marines or Coast Guard, will affect your way of thinking about our country and our "Flag of Stars and Stripes" waving at the top of a pole, or "Old Glory" only raised to half staff.  What does the sound of 21 seconds of "Reveille" remind you of?  Does a particular place or time in your life come into view?

The "One Percent" (1%) and those family members who surround and support them, know what Veterans Day is really all about.  It is unique for everyone in some special way and across America, you see pockets of how it is celebrated and expressed in words on social media and even in full page advertising in the Washington Post.

Hopefully you are in good spirits and you have a smile on your face today, as you experience another November 11th!  Our country is strong and our Department of Defense is there to protect the freedoms our nation is founded upon.

You have contributed your time, hard work and devotion to so many, and we may never know your name or sacrifice.  Thank you to the "One Percent"...

05 November 2017

Trust Decision Model: New Rules at the Speed of Light...

As a leader in your organization you rise each day with the inspiration to achieve the best possible outcomes for the tasks ahead.  Your outlook is positive and your goals are well communicated on what solutions you bring to the market you serve.  The course is charted and the plans are in place for you to execute your strategy with your team.

How well the day unfolds as anticipated and whether the tasks are completed on time and as planned is still uncertain.  Why?  We are human.  Humans have been studied by scientists and doctors since the beginning, to better understand our behavior.  What are they capable of and when is a machine better suited to a particular physical task or complex calculations?

As we invented new tools and machines to saw down trees, pound nails, dig holes and harvest our food, we wanted to continuously innovate.  We learned to adapt and to adjust these tools to accommodate new challenges, new environments and new hypotheses.  We learned to improvise and new brilliant researchers and inventors brought us automobiles, vaccines, airplanes, computers and even space travel.

Along our path of human progress there has been a tremendous amount of testing and experimentation.  We like to try to see what works and what doesn't.  Our curious nature keeps us seeking new ways to achieve the same outcomes, yet maybe faster or at a lower expense.  Economic prosperity or failure is in the hands of global markets.  How is the market performing today?

Yet as you navigate your small and specific path, you have choices to make.  Decisions on how you will spend your finite time to make your life better or to make a difference for others.  Your team, the company you manage, the agency you command or the country you lead, is counting on you.

The people, processes, systems and external events you encounter ahead, are comprised of hundreds of Operational Risks, that span a widening spectrum.  There is a high degree of certainty today, that you will encounter a myriad of actions, changes, deviations and climatic events that will challenge you.  These operational risks are not always known in advance, yet there are many that you already know about.

Mitigating risks and making decisions to improve your life and your organization are all in your control.  How many people have written best selling books to teach you how to do this?  How many Big Five Accounting firms have written reports and raised red flags for you, your owners, or operators and shareholders?

So what?

The decisions you make today, will make a difference.  A "Trust Decision" has a model.  Deciding to trust is not a singular event.  More precisely, it is multiple decisions occurring in sequence.  To quote Jeffrey Ritter:
"Every trust decision is a determination to trust an object, person, group, system, device, or information asset to be used to accomplish a specific task."
The more you study and understand "Trust Decisions" the greater knowledge you gain on your spectrum of daily Operational Risks.  This is because you know what the steps are in your particular trust decisions model and accordingly, you can calculate the risks to achieving the desired outcomes.

Here is just one example:
"On Monday, October 30th at 3:34 p.m., SpaceX successfully launched the Koreasat-5A satellite from Launch Complex 39A (LC-39A) at NASA’s Kennedy Space Center, Florida. Following stage separation, Falcon 9’s first stage successfully landed on the “Of Course I Still Love You” droneship, stationed in the Atlantic Ocean. Falcon 9 delivered the Koreasat-5A satellite to its targeted orbit and the satellite was deployed approximately 36 minutes after liftoff."
While your team or organization may not have the breadth or depth of "Trust Decisions" that SpaceX has on a daily basis, your decisions are not a singular event.  What is your particular "Trust Decision Model?"  How well do you know how each component of that model will perform today?  Have you done enough testing, witnessed enough failures and now know the possible outcomes for each part of that model?

The new rules for your organization at the speed of light, your TrustDecisions are out there...go discover them.

28 October 2017

Critical Infrastructure: "Known Vulnerabilities" in Your Enterprise...

What are the known vulnerabilities in your enterprise architecture?  We will come back to this question.

Asymmetric Warfare across the globe spans a digital Internetwork that has its roots fostered in openness and with little regulation.  In many instances, we are within real possibility of significant digital systems failures.  Here is just a small window into that battlefield.

Operational Risk Management (ORM), is a mature discipline that you and your organization shall embrace, study, expand and continuously support.  One facet of Operational Risk, the Information Technology (IT) systems in your enterprise, is not part of an evolution any longer.  It has become a pervasive and mobile social revolution, that is now accelerating beyond your comprehension.

Let's put it another way.  Known but unmitigated vulnerabilities will likely be the origin of your demise, failure, damage, ruin and loss of precious assets.  Why do you let it continue?

You and your organization are on the edge, operating each day with people's lives, reputations and Personally Identifiable Information (PII) at stake and even the livelihood of the enterprise itself.

Whether that is your family, business, state or even your country, you can do something more to address your known vulnerabilities.  Do you know who, what and where they are in your enterprise?

When you hear the name "Equifax" today, what do you think?  Data security breach, correct?  What about these organizations:
  • Whole Foods Market Services, Inc.
  • Discover Financial Services
  • Transamerica
  • Hyatt Hotels
  • Northwestern Mutual Life Insurance Company
  • Wells Fargo Advisors
  • Sprint
  • Massachusetts Mutual Life Insurance Company
  • Sharp Memorial Hospital
  • Virgin America
  • The Neiman Marcus Group
  • Keller Williams Realty, Inc.
  • Club Quarters Hotels
  • Hard Rock International
  • Four Seasons Hotels Limited
  • BMO Harris Bank NA
  • Bank of the West
  • Gannett Company, Inc.
These are all well-known companies that have reported data security breaches, as required by law, to the State of California over the past 6 months.  There are dozens of other organizations that are not large, well-known brand names such as these.  Some are a result of the Equifax breach and of organizations that were using Equifax product solutions internally.  Now multiply this by 50 states.

So what?

Our Critical Infrastructure(s) in the United States are something we just take for granted.  Bank ATMs on every corner, bridges across bays and rivers, trains and planes departing from even small cities, trauma hospitals, massive hotels and supermarkets, fiber communications and LTE wireless network connectivity almost everywhere.

Let's come back to where we started.  What are the "Known Vulnerabilities" in your enterprise architecture?  Why are you so certain, that your adversaries are not currently inside your network?

The resilience modernization of your particular enterprise is going to be expensive.  Mostly, because it has been patched and poorly integrated for a decade or more.  In some cases, simply because your adversaries and competition are more stealthy than you are.  Faster than you are.  Smarter than you are.  Lying in wait.

So what are you going to do about it?  In your home, business, city, state, or country and beyond?
"As a highly connected nation, the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining the policy set forth in this section. Within 45 days of the date of this order, (May 11, 2017) the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Commerce, and the Secretary of Homeland Security, in coordination with the Attorney General and the Director of the Federal Bureau of Investigation, shall submit reports to the President on their international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation."   Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure 
You are going to find, repair and replace your known vulnerabilities.  Then repeat.  When you think you are finished, you can begin the next project, on your UNKNOWN vulnerabilities.

22 October 2017

Threat Management Team: Preemptive Risk Strategy....

The Corporate Threat Management Team (TMT) has been busy this past year and your employees are consistently seeing new and startling behavior beginning to emerge. These small and versatile task forces, formed from corporate Operational Risk committee members, include the Chief Security Officer, Human Resources (EAP), Ethics & Compliance, General Counsel and Chief Information Officer or Privacy Officer.

Assessment of threats in the workplace that include violence, sabotage, financial fraud, homicide or suicide are growing in the current economic environment and the Board of Directors are on alert. The Board has a daunting responsibility to provide the enterprise stakeholders:
  • Duty to Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
Threat assessment is a legal responsibility of corporate management and directors, but this is not anything new per se. What may be trending upwards, and at an alarming rate, is the litigation associated with "Insider Threats."  Just ask Dr. Larry Barton about the subject of corporate threat assessment:
"Despite sound recruitment practices, any employer may encounter situations in which colleagues are worried about their safety because of the actions or statements made by a co-worker. The person at risk could be a current employee, former associate/contractor, disgruntled customer, investor or other person who makes or constitutes a threat to your most vital resource - your human capital."
This (Threat Assessment) approach employs strategies that have been successful in a variety of situations, including:
  • an associate being stalked by a spouse or former partner
  • an employee who states that he or she is experiencing significant mental deterioration or who has thoughts of self-harm or homicide
  • altercations between co-workers and/or with a supervisor that are escalating in tone and severity
  • serious changes in attitude and performance with known or suspected substance abuse factors
  • social networking, blog and other means of electronically threatening an individual or team
Having personally witnessed Dr. Barton's methods and approaches, the science and his applications are sound. The strategy for implementation is based upon several decades of experience and encompasses the legal framework necessary to sustain the scrutiny of law enforcement and the courts.

The actions that are utilized to address a growing threat by a person in the workplace take a dedicated team, with the right tools and information at their fingertips. Making split-second decisions based upon a lack of documented evidence, a failure to follow the protocol in a set of written policies or just the wrong timing can open the doors for substantial and costly plaintiff suits.

Achieving a Defensible Standard of Care in the reality of today's volatile enterprises requires sound governance strategy execution combined with new resources and tools to properly prepare for those almost certain legal challenges. Combining effective "BioPsychoSocial" subject matter expertise with the right people from legal, security, investigations, internal audit or corporate risk management can produce successful outcomes for "At Risk" employees and the entire enterprise.

This brings us to the next point regarding how a particular employee was allowed to get to the point of "No Return" in the workplace. Put on your thinking caps for a few minutes.

Whenever you have a Threat Management Team assembling to interdict a serious danger to the company, you immediately start to converge on the motive or reason why the person has acted or is acting against company policy or behaving in a threatening manner. It's natural to do so, as most people want to know what's causing the issue. Be careful. What seems to be the cause is only known as the "Proximate Cause." Do you really understand the "Root Cause" of the failure of people, processes, systems or some external events?

The analysis, investigation, documentation and presentation on what happened and why is the hard stuff. Getting to the "Truth" and getting answers to the "Root Cause" requires another team of specialty practitioners. These independent, outside risk advisory professionals should not be from any current or existing corporate supplier, auditor or management consultant. They truly need to be the independent, unbiased and diligent entity to discover the truth and to document the root cause of the incident. The goal is to eliminate the future threat and to mitigate any risks that may still be "lying in wait."

Corporate Management and Boards of Directors must continue to move to the left of the proximate cause on the risk management spectrum to be preemptive, proactive and preventive.

15 October 2017

OPSEC: Knowledge Ecosystem Risk...

The "Leadership of Security Risk Professionals" is consistently in the news because Operational Risks within the enterprise are becoming ever more exponential.  The ability for specialists in the field or the C-Suite to operate on a 24/7/365 basis is a tremendous challenge.  In order to address a continuous spectrum of operational risks, we must actively monitor our culture and those behaviors that could make us lose sight of what we know is right.

At this moment, the explosion of mobile technologies has created a simultaneous set of new risks and opportunities to be leveraged.  Each human asset in your organization is another node in your digital ecosystem of connected machines.  The person now has the ability to stream live video from their mobile phone camera back to an Emergency Operations Center (EOC) or become an active participant in Irregular Warfare (Security, Development, Governance).  All they require is the correct App on their smart phone and 3G connectivity.  How the leaders in the enterprise that are charged with the risk management functions operate, collaborate and share relevant information, is just as important as what information.

In the private sector, as the leader of the HR functions responsible for hiring and terminations of employees, you are in the nexus of Operational Risk Management (ORM) and legal compliance.  The threats and vulnerabilities you experience and are accountable for mitigating, are going to be quite different than your fellow leader in the Information Technology department.  This is where we want to emphasize a major point:
The leader of HR does not possess the same domain knowledge that the IT leader has, with respect to risks to the confidentiality, integrity and assurance of information stored in a Virtual Machine (VM) at a third-party data center.  Just as the IT leader does not possess the same domain knowledge that the HR leader has, with respect to the employees who have just given their two week notice.  Therefore, since both are accountable and responsible for their specific domain roles to mitigate risks to the security of the enterprise, how do they share information, collaborate and operate simultaneously to ensure the safety and security of the organization?
In order to act with unity of purpose throughout the global enterprise, each of these domains must be able to operate seamlessly, within the context of the larger enterprise ecosystem.  The leaders and stewards of the security risk profession must continue to adapt and continuously improve the decision advantage of the vast knowledge ecosystem before them.  The cultural and behavioral attributes of this ecosystem, can be a single point of failure that continues to plague our non government organizations, our private industry sectors and even our country.

What if your only role and job inside your particular organization was to make sure that information is being shared on operational risks?  How would you accomplish this?  How would you organize the mechanisms in each department for collection and dissemination of relevant information, to the other security risk professionals in the enterprise?  Believe us when we say that the answer is not another digital dashboard or wiki.
On September 30th, 2012, the 2nd season of the hit Showtime Television series "Homeland" aired in the United States.  The writers for this first episode of the season, with Emmy winner Claire Danes, made a reference in the script at one point that brought back horrific memories of a failure of U.S. operational security.
This reference was to a real world event.  It was December 30th, 2009 at Forward Operating Base Chapman, in Khost, Afghanistan.
This single mention in the script by the "Homeland" writers of this devastating event in history should remind us all once again that people, culture and the soft skills of communication can and will be our most deadly vulnerability.  As a result of this set of cascading circumstances, five more stars are now on a wall in Langley.  This is another stark reminder of how personalities, power base and trust of information can still fool us into a social engineering nightmare.

The future "Leadership of Security Risk Professionals" will use this event at FOB Chapman as a classic case study.  In order to enhance the effectiveness of the field specialists and the C-Suite, they must improve their ability to operate in a continuously dynamic sea of cultural behaviors, within a vast and expanding knowledge ecosystem.

07 October 2017

Unanswered Questions: Leading Teams in a Virtual Domain...

The "Art and Science" of Leadership in disconnected environments is challenging to say the least.  The science might be initially enabled by the utilization of technology-based platforms including mobile smartphones, Cloud and even SATCOM capabilities.

The art or "How" of leading teams in a geographically dispersed area, across hierarchies of people with precision and speed is the hard problem.  The problem-set for so many growing organizations today.  How do you create a leadership mechanism with the right "Linchpins," to enable trust and simultaneously execute vital tasks, across silos with a single purposeful mission?

Frankly, it is quite complex.  Yet there are proven methodologies and proven technologies that will quickly jump start and improve your team's problem-solving abilities and help it gain "shared consciousness."  It all begins with the leaders implementing a single organizational lens to view the enterprise architecture or operational landscape before them and communicate what they have experienced, witnessed and accomplished.

The shared "Network" of people, systems, philosophy, experience and purposeful mission is paramount to success.  The moving pieces of the network both human and technological or operational, work independently and yet they are becoming a single adaptive entity.

Building and enabling trust across domains, working groups, operators and the significant distance between horizontal or vertical communication, is now the nexus of the "Art and Science" of Leadership.  You have probably read countless books and seen inspiring talks, by people who have done it all, experienced it all and still to this day will admit, that the human organizational issues still keep them from sound sleep at night.

Will those individuals who are in front of the problem-set on your team act without hesitation?  Do they have the best possible information at their fingertips to make the "Trust Decisions" to achieve their objective?  How will the outcomes of their actions build on the entire team's goals and aspirations?

Whether your team is a family, a work group, the neighborhood, a company, a municipality or an agency doesn't really matter.  The people, processes, systems and external events are going to continuously challenge the intended forward direction.

So what?

This is all great, yet it sounds like we are describing environments where all of this leadership action is taking place in a purely physical world.  What happens when 99% of it is happening in a "virtual space?"

Inside the virtual computing consciousness of the global Internet, across a domain of space made possible by Virtual Machines (VM), solid-state storage and the software comprised of just Zeros (0) and Ones (1).  Now just add billions of interconnected (IP) devices.

The good news is that much of this virtual environment still requires human intervention and human participation.  Simultaneously, global systems automation and the use of Bots, Artificial Intelligence (AI) and other autonomous "Machine Learning" inventions are now on our doorstep.  This is our new reality:
The speed at which the autonomous machines are making decisions, and the abilities they are gaining in shared consciousness, are in most cases beyond human understanding.  The global organizational and national security implications are gaining momentum.
So what does leadership need next, for us to survive the remarkable velocity of our Trust Decisions, in an exponential virtual world?  How do we put it all in perspective?  What are the remaining unanswered questions? Author Jeffrey Ritter gives us his insightful context from decades of experience:

"It is essential to our human nature to make trust decisions. The Net has become essential to our existence. Whether or not this book prescribes the right direction, we will not survive as a global community unless we commit to a new architecture that enables trust in the digital assets of our world to be established and maintained. The solution, I believe, is found in understanding that trust is the essential predicate to the creation of new wealth. Working collaboratively, the world’s population can achieve both trust and wealth.

From my earliest work with the United Nations, I have recognized that the greatest potential of the Net is its ability to enable any of us to trade with anyone else. Trade inherently creates wealth for all of the participants. The curious thing about trade is that, when it proceeds properly, enriching all stakeholders, trade is the ultimate dis-incentive for war. We simply are reluctant to do battle against those with whom we do business. If digital trust can expand our capacities to trade, and connect us effectively into a broader network with whom we can trade, the strongest possible incentives for sustaining peace emerge. That is my fondest hope for the Net, that it will be the infrastructure for enabling global co-existence. To achieve that dream, we must build digital trust."

What are your unanswered questions?...