03 December 2016

Digital Innovation: Architecture for the Future...

You are the Senior Operational Risk Management (ORM) Officer in your organization.  One early morning on a crisp Fall day, your "Black Phone" rings.  It is your boss calling.
"We need your leadership and assistance in the reorganization of our enterprise.  Your job will be to head up the new "Digital Innovation" mission group.  We need you to integrate and collaborate effectively with the other 9 mission centers in our organization."
You hang up the phone and your mind begins to wander.  How will you address the digital challenges ahead?  Where will you start?  Will you combine the current silos of the security and privacy domains?  What will the new Enterprise Architecture reveal about the new focus on the potential "Insider Threat"?  Is your enterprise ready to migrate to AWS?

The time has finally arrived, at this point in the organization's maturity, to address and accept the new reality.  In 2016, digital has become pervasive and the undisputed core of the lifeblood of our economy and business.  Not only has this reality finally started to gain traction with Boards of Directors and senior leadership, it is now a mandate for our total reorganization.

What is the key reason why?  Exponential change and development of the operational ecosystems of the world.  Our global ICT (Information, Communications & Technology) infrastructure has created an international trust issue.  Achieving digital TrustDecisions across directorates, business units and international partners is now clearly mission critical.  Encryption is at the center point of the dialogue.

As you glance at your e-mail, after signing in using the "Digital Authenticator" also on your "Black Phone," it hits you square in the face.  The silos of security and privacy across the enterprise will have to be integrated and a new play book will have to be implemented early.  How will you architect this vital component of the mission group?

Digital Innovation going forward requires that you integrate effectively with a decades-old organizational structure. No longer will the owner of the digital innovation mission reside with the person or department that runs the "Compute Utility". Whether this has been called the CTO, CIO or VP of xyz does not really matter. They have been overseeing the group that is responsible for the hardware, software and the functions that keep the compute utility running.

The lifeblood of your organization is "Data." This can be found in more than just one place within the organization. This data can be found far beyond just the "Zeros and Ones" being stored as a bulk repository, or "data lake," for analytics; backup & recovery; disaster recovery; and serverless computing.  How will you address the data across the landscape of your field operations with partners, suppliers, third parties and each of their own intellectual capital?  Think about it this way:
  • Compute
  • Storage
  • Database
  • Migration
  • Networking & Content Delivery
Your current architecture is simply a utility.  Nothing more.  You want to turn it on, pay for only what you use when you use it, turn it off when you don't need it and have it available 24x7x365.  Right?  Just like your electric utility.

The new "Digital Innovation" mission center will now have a new mind-set.  A new architecture for the future:
Why?

The truth is, it starts with a model that is decades old.  It has sometimes been called "Backwards from Perfect".  Imagine yourself as one of dozens of "End-Users" in your enterprise.  What data do you need to do your job and fulfill your mission at that particular moment?  What type of device will connect to the utility to allow you to explore and create your model?

How will you build your understanding and the insight you require to fulfill the current question?  The hypothesis?  How will you deploy the new digital innovation with your stakeholders, collaborators and the trusted insiders to your latest mission?

Using a simple model like "Backwards from Perfect" with your Field Rep, Service Agent, Partner Consultant, War Fighter, Station Chief or Mission Program Manager is just the beginning.  Your future success and survival is now directly tied to where we started:  Operational Risk Management.

There isn't one person, one department or one mission that doesn't need you and your mission to succeed.  The safety and security of your people, your business unit and your purpose on the planet is at stake.  They are all depending on you...

Godspeed...

26 November 2016

Proactive Defense: ICT Supercomputers in the Fifth Domain...

The days are numbered for the major and large-scale ICT (Information, Communications & Technology) incidents.  Corporations and Global 500 organizations are scaling up for the long game, in a new era of Operational Risk Management (ORM).  We are rapidly moving from Fear, Uncertainty and Doubt to "Proactive Defense."

No longer is the topic of digital strategy being pushed down the list of priorities by the Board of Directors; it is now at the top.  E-commerce and digital branding are an integrated dialogue along with EBITA in the corporate board room.  The "Trust Decisions" being made each minute of each hour by the enterprise are now being calculated by machines, sophisticated algorithms and data analytics.
In an increasingly virtual world, it’s easy to lose sight of the fact that human networks, relationships and trust are more important than ever. Those bonds can be sparked in face-to-face discussions. Meanwhile, we can’t allow ourselves to be passive when our opponents are actively engaged and financially motivated. Since we have such a determined foe, we need to challenge each other on the stage. We need to change from thinking defensively to proactively on ICT.--William H. Saito  Special Advisor, Cabinet Office (Government of Japan)
Japan and other nations are racing each other to create the world's fastest known supercomputer.  Why?

The deep learning and artificial intelligence (AI) trend tells us that soon more corporations will be leveraging these government-owned assets for assistance.  Whether it is for medical diagnostics, cyberspace threat intelligence or improving the speed of other humanitarian-focused equations, Japan is also joining the supercomputer race for the fastest computer on earth:

"In a move that is expected to vault Japan to the top of the supercomputing heap, its engineers will be tasked with building a machine that can make 130 quadrillion calculations per second - or 130 petaflops in scientific parlance - as early as next year, sources involved in the project told Reuters.

At that speed, Japan's computer would be ahead of China's Sunway Taihulight that is capable of 93 petaflops."

Why is the global race for supercomputer superiority a nation-state issue?  What is the reason for diverting national funds to this project, over others of key importance to the welfare of the majority of the population?  Operational Risk Management of the nation itself.

The "Fifth Domain" after Air, Land, Sea and Space is that infrastructure comprised of our planetary ICT landscape.  Digital infrastructures are now so integrated that cyberspace incidents such as war in Estonia, Stuxnet in Iran, Sony Pictures in the U.S. and the more pervasive "Ransomware" worldwide, are just the initial indicators of what still lies ahead of us.

We must now turn our attention to the positive innovation and continuous "Proactive Defense" of our critical infrastructure.  Nation states such as Japan and others, who are the key gateways for undersea cables, truly understand the vital nature of their ICT assets.

A nation state's "Cyberspace Strategy" has now evolved beyond the current state, to the "Fifth Domain".  Global 500 companies are fighting DDoS botnets on a daily basis trying to keep e-commerce running.  This largely invisible war will continue to evolve as new technologies and supercomputers become the new normal.

"On Tuesday, the chancellor, Philip Hammond, announced that the government was “investing” £1.9bn in boosting the nation’s cybersecurity. “If we want Britain to be the best place in the world to be a tech business,” he said, “then it is also crucial that Britain is a safe place to do digital business… Just as technology presents huge opportunities for our economy – so too it poses a risk. Trust in the internet and the infrastructure on which it relies is fundamental to our economic future. Because without that trust, faith in the whole digital edifice will fall away.”

20 November 2016

Intuition: Security in a World Without Borders...

"Technology is not going to save us.  Our computers, our tools, our machines are not enough.  We have to rely on our intuition, our true being."  --Joseph Campbell

On a crisp Fall morning, one week after the U.S. National Election, we were lining up outside the Harry S. Truman Building at the United States Department of State.  The Bureau of Diplomatic Security - Overseas Security Advisory Council was hosting its 31st Annual Briefing.

This year's briefing was focused on "Security in a World Without Borders" and as we passed through our ID check and screening, the anticipation was high.  Its private sector constituents, from the Fortune Global 500 to the small U.S.-based professional services firm, had one key similarity.

Leaders in attendance recognize that their business is integrated forever with an exponentially expanding system of interconnected machines.  CxOs across the globe are competing for business in the era of "The Fourth Industrial Revolution," where the vulnerabilities extend beyond the Critical Assets of the enterprise.

This year's keynote address was by Richard Davis, CEO of U.S. Bancorp.  His talk was heartfelt for many as he recounted his rise from the days at the branch level securing the vault.  Now, he emphasized, most of his effort was focused on Operational Risk Management (ORM).  Data, Identities and Distributed Denial of Service (DDoS) were on his mind every day now.

Beyond the threats of a post-ISIL Levant and operating in a world of Transnational Organized Crime, the room was almost full on Day 2 for the 10:45AM panel discussion, "Developing an Insider Threat Program," moderated by Elena Kim-Mitchell, ODNI.

The OSAC participants on the panel were:
  • Roccie S., Capital One | Financial
  • Stanley B., Rolls-Royce North America | Defense Industrial Base
  • Joseph L., Southern Company | Energy
Each of these experts described the high-level architecture of their respective organization's design and approach to an "Insider Threat Program" (InTP), and they had consensus on one key element.

The "Human Factor".  The point that they all wanted to ensure the audience understood clearly is that all of the analytics software, data loss prevention (DLP) tools and sophisticated technology was not going to stop a determined and motivated adversary.

So what?

Your intuitive abilities as a human shall not be ignored or discounted.  How many times have you said to yourself, "I knew something wasn't right with that person"?  In fact, many times we are alerted to the anomalous behavior of a co-worker because the human factor of intuition is working 24x7 in our brains.

Gavin de Becker has said it best in his book "The Gift of Fear," and we must not forget that these behaviors apply to everyone:
  • We seek connection with others.
  • We are saddened by loss and try to avoid it.
  • We dislike rejection.
  • We like recognition and attention.
  • We will do more to avoid pain than we will do to seek pleasure.
  • We dislike ridicule and embarrassment.
  • We care what others think of us.
  • We seek a degree of control over our lives.
As our software systems learn and we begin to rely more often on the algorithms to recognize, translate and predict, we must not lose sight of our human intuition.  Do you have it?  Yes.  Are you using it more often and more effectively?  We hope you will be.

How often have we all said, "the signs were there"?  How many times are the clear and present indicators in the workplace being ignored?  An organization's "Duty of Care" is continuously at stake.  Human factors alone, just like software system alerts alone, will continuously expose the enterprise to significant loss events.  Here is just one example from the Washington Post:

The Pentagon’s Defense Security Service announced this year that contractors will be required to implement programs that are designed “to detect, deter and mitigate insider threats.” Contractors will be required to designate a senior insider threat official to oversee the program and provide training on how best to implement it.

While many details of the Martin case are not yet known, it is clear that it is not good for Booz Allen to have a second employee charged with stealing secrets from one of its most important customers, officials said.

What is the solution?

Government contractors, private sector businesses and the small and medium enterprises within their supply chain ecosystem for products and services are continuously challenged.  They are under the growing umbrella of a myriad of federal acquisition guidelines.

In addition, various export, civil liberties and privacy laws focused on preserving the integrity and trust of the United States in an international marketplace are compliance mandates for your global commerce.

New solutions are required as a result of the increasing spectrum of threats from individuals in the workplace, to the cyber nexus infiltrating your trade secrets and theft of intellectual property.

The TrustDecisions “Insider Threat Program” (InTP) has been designed from the ground up for organizations operating in highly regulated “Critical Infrastructure” sectors, including Financial, Energy and the Defense Industrial Base (DIB).

Many companies have already started the establishment of an “Insider Threat Program” (InTP).  Utilizing Subject Matter Experts from TrustDecisions will provide your organization with the confidence and continuous assurance that you stay on course.

“Achieving Trust” with employees, clients and suppliers is paramount in our digital 24x7x365 economy.  Designing and adapting the InTP to your unique culture and the changing threat landscape is a vital strategy.

12 November 2016

Exponential Innovation: Systems Risk with Beneficiaries...

When you have the opportunity to watch or attend TED, how does it make you feel?  Do you get the sense that the person behind the story, the idea, the innovation, is more genuine and sincere?

What about those advocating for "Exponential" change?  Individuals and organizations that have made the leap beyond incremental change and invention and are on to the concept of "Exponential Innovation".  The xPrize Foundation is a perfect example.

How can big ideas, bold inventions and people with exponential thinking accelerate their cause, advocate their blueprint or design a creative new alternative?  They need a system.  A model and community platform for ingesting ideas, testing prototypes, adapting designs and fostering continuous experimentation.

Why do you need a new system in your organization?  Let us start with some simple mathematics.  Multiply the number of people in your organization x 2.  Now think about the number of products, initiatives or major changes that you successfully implemented over the course of the last 12 months.  How many?

It is a safe estimate that each of your employees has at least two new ideas or bold ways to improve or change a product or process in your organization each working day.  500 employees x 2 ideas x 250 working days = 250,000 potential ideas, changes or exponential innovations.  How did you capture these and utilize a system to capitalize on them, for your organization and those you serve?

What does this new innovation system have to do with Operational Risk Management (ORM)?

The Operational Risks associated with an organizational system for capturing, nurturing and producing newfound Intellectual Capital are vast.  The goal, however, is to simultaneously accelerate, share and produce collective thought leadership within the greater public-private community.  This in itself creates new challenges in minimizing the potential for significant losses and external risk events.

Across all the domains of "Exponential Innovation," from Healthcare, Space Travel, Artificial Intelligence and Ocean studies to name a few, lies one of the greatest barriers to our ultimate progress:  adapting to the ecosystem of people utilizing the product or service.

Total immersion in the marketplace or with the customer, the beneficiary of the new product, service or invention, is a significant factor for future success.  The single factor of time, being embedded with the actual end user, recipient or beneficiaries of the newfound innovation, is directly proportional to the Operational Risk exposures.

Think about it.  When was the last time your CEO or chosen leader was embedded with the customer for more than a few hours or a day?  How often is the scientist, designer or engineer using the product or system side-by-side the beneficiary?  Not often enough or long enough.

Sure, we have all heard the mantra about "Managing by Walking Around" for decades, yet why do we continue to see the outcomes of this failure at well-managed companies such as Wells Fargo and Samsung?  Operational Risk Management (ORM) shall be a component of any major initiative and a necessary competency in any dangerous or high-risk environment.

From the decks of aircraft carriers to the trading floors of Wall Street, and from the test trials of new pharmaceuticals to the Yottabytes of data across the Internet, Operational Risk Management (ORM) is more relevant than ever on an exponential scale.  Just ask Elon Musk, Warren Buffett, Bill Gates or Ash Carter what they think...

06 November 2016

Internet Hurricanes: Resilient Trust Decisions into the Future...

"Trust Decisions" are made in nanoseconds by a human being.  Your past experiences, data stored in your brain from sensory collection and a clear understanding of the rules and the consequences assist you in your decision to trust.  To trust someone or some thing.

The science and the research on the process and systemic nature of how TrustDecisions occur are ongoing.  Humans have for decades designed machines and software to mimic and replace our own decision-making process.  It has been replaced with a foundation now found in semiconductors, artificial memory, databases, fiber optics, neural nets and 5G wireless networks.

Even deeper, trust decisions are now embedded in software code: the machine languages that have created our ability to use the entire Information and Communications Technology (ICT) infrastructure to our advantage, while simultaneously creating a tremendous vulnerability and opportunity for systemic risk.  Our Critical Infrastructure Sectors are forever integrated with the increasing complexity and intelligence of our man-made machines.

The Fourth Industrial Revolution is upon us:

With significant growth in IoT and the cloud, machine learning and big data are becoming ever more important as a significant amount of previously untapped data are collected, assessed and digitized. These newly available data provide billions of dollars to potential businesses that can quickly and effectively evaluate the data.  Additionally, the International Data Corporation (IDC) forecasts global spending on cognitive systems will reach nearly $31.3 billion in 2019.   IDC further sees cognitively-enabled solutions that “offer the tools and capabilities to extract and build knowledge bases and knowledge graphs from unstructured and semi-structured information as well as provide predictions, recommendations, and intelligent assistance through the use of machine learning, artificial intelligence, and deep learning”.
So now what?  Only 50% of the population of our Earth is connected at this point in time.  What will happen over the course of the next two decades as the growth curve accelerates?  How as a corporate enterprise or global organization will we be able to weather the "Internet Hurricanes" that are ahead of us?
Whether it is a systemic cyber risk event or something worse, the opportunity exists now. We begin the journey by revisiting our Trust Decisions. The rules that have defined us and the rules that our machines are executing on our behalf.

The decisions to trust, that are occurring when our iPhone App utilizes wireless networks and GPS to guide us using Google Maps to our next destination.  The decisions to trust, as the bank debits your checking account and routes the funds to your mortgage company.  The decisions to trust, as the doctor reads the vital signs on the monitors attached to your loved one in the ER.

As Operational Risk Management (ORM) professionals, we must adopt a continuous resilience mindset.  We look at the automation and the benefit of the machine and yet we ask ourselves what if?  What if the battery fails?  What if the connection is lost?  What if the data is corrupted?

There is one idea that has been utilized to address this in an organization.  It begins as an exercise in resilience planning and beyond.  Start with a small team or project group.  Announce in advance that on a certain date and time, an "Internet Hurricane" will hit and a systemic cyber event will last 24 hours.  Could you survive?

This is not a new idea.  Clearly, the exercise for Disaster Recovery Planning (DRP) has other nuances yet it serves the point.  When was the last time your team was able to operate without access to data from a networked system?  The time has come to prepare for that next digital storm ahead of us.  Will you be ready to operate in an austere environment of your corporate domain without the Internet?

"It is really very simple. In the foreseeable future, we will not function as a global society without the Net and the immense digital resources and information assets of our society. The addiction is established—commerce, government, education, and our neighbors offer no option other than to require that we rely upon digital information in making decisions. But we will not function successfully if the war for control of those assets is lost. The battlefield, however, is the one on which trust is to be gained or lost—trust in the information we use, trust in the infrastructures that support us, and trust in the decisions we make in a digital world."  --Achieving Digital Trust, Jeffrey Ritter

30 October 2016

Legal Risk: Tools for Trusted Governance...

One of the reasons that the United States has endured is because of transparency and the rule of law.  There are several key systems in place for corporations, organizations and governments to decide on the rules, publish them, enforce them and provide people with mechanisms for establishing trust in the system.  Operational Risk Management (ORM) as a discipline interfaces with many of them across the globe.

Policies that are not codified in laws differ across states and global jurisdictions.  The rules that people can rely on, and have come to trust for hundreds of years, remain the foundation of our modern civil societies.  It is when the rules are ignored, underutilized or forgotten that disruption and chaos can erupt.

"A key principle in modern democracies is that the rule of law is known. Statutes, regulations, court decisions, agency deliberations, and even the minutes of Federal Reserve meetings are published and made available. The operating premise is that, if the rules are accessible, civil order and social continuity will be strengthened and the conduct of those violating the rules is more easily prosecuted. The old saying that “Ignorance of the law is no excuse” rests on an important premise—the law must be published and accessible. The Internet has made much of the content of the rule of law even more accessible."  --Jeffrey Ritter

The country and the jurisdiction are key components of knowing the law, and in the day of the Internet the law is even more accessible.  An organization, company enterprise or governance body that is building and achieving trust has several tools at its disposal to assist with the enforcement mechanism.  One of those is an independent panel or group of outsiders who are convened to discover evidence.

A Board of Directors is comprised of individuals both inside and outside the company, to help guide the organization.  In a private company, this "Board of Directors" weighs the evidence of data and makes informed decisions to govern the enterprise.  Some of these decisions may involve what products and services to develop, or which people should be selected for or released from certain duties and responsibilities.

In the public sector, there is another mechanism that can be utilized: a Grand Jury.  The Fifth Amendment to the Constitution of the United States reads, "No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury..."

A grand jury is a legal body that is empowered to conduct official proceedings to investigate potential criminal conduct and to determine whether criminal charges should be brought. A grand jury may compel the production of documents and may compel the sworn testimony of witnesses to appear before it. A grand jury is separate from the courts, which do not preside over its functioning.[1]
What is one example of a notable case where a Grand Jury was used in the process of the rule of law?
The second Watergate grand jury indicted seven lawyers in the White House, including former Attorney General John Mitchell and named President Nixon as a "secret, unindicted, co-conspirator." Despite evading impeachment, Nixon was still required to testify before a grand jury.
An environment of trust includes a vital component of transparent and accessible rules. When there is a reason to discover the truth, we look to the governance factors of those rules. Then we look at the clear evidence, the data, to determine the correct course of action in our inquiry.  A Board of Directors or a Grand Jury provides guidance on whether a particular case should be referred to a legal process in a particular jurisdiction.  The rules are clear.  Trust is preserved.

What are the outcomes and benefits of effective Operational Risk Management (ORM)?
  1. Reduction of operational loss.
  2. Lower compliance/auditing costs.
  3. Early detection of unlawful activities.
  4. Reduced exposure to future risks.
ORM is a continual process that, when utilized effectively, will provide the four benefits described.  Why any governance organization or body that is interested in transparency and building trust would ignore the process is questionable.

ORM includes legal risk.  This is why private sector companies include the General Counsel (GC) on the team that helps to effectively govern the organization.  They understand the rule of law, the requirement for transparency, and the factors needed to achieve integrity and trust.

Now think about your organization, your jurisdiction and the process you are utilizing to ensure more effective TrustDecisions.  What can you do differently?  What will you do to make it better?  How will you make the best use of the rules to effectively ensure the integrity and governance of the system?

Here is just one example:

Over 60 people in the U.S. and India face conspiracy and wire fraud charges in the largest crackdown against a telephone scam ever, officials said.

Callers from centers in India posed as federal agents to threaten victims with arrest, imprisonment, fines or deportation if they didn’t pay up, according to an 81-page indictment unsealed Thursday.

At least 15,000 Americans lost more than $300 million collectively during the four-year scam, according to the feds. A Texas grand jury indicted 24 people from nine U.S. states, 32 people from India and five call centers in Ahmedabad, India, earlier this month.

23 October 2016

Intelligence-led Enterprise: CIU Success Factors...

Intelligence-led processes applied within the corporate global enterprise continue to be relevant, for reasons that are regularly reported in the popular press. "Operational Risk Management (ORM) Specialists" utilize these processes to mitigate a growing spectrum of domestic and transnational threats:
Developing relevant intelligence to run daily business decisions in your institution may seem like an important task day to day. The question is, how embedded is the "Corporate Intelligence Unit" in developing the relevant intelligence your decision makers need every few minutes or hours to steer the organization away from significant losses? Is your internal web-enabled "Corporate Daily News" or "ABC Company Post" being updated in real-time by the employees in each department or business unit?
Do you have an organized, synchronized media and communications function working within your Corporate Intelligence Unit (CIU), to continuously post the correct content and manage the RSS feeds from each global business unit? Why not?
The "Information Operations" (IO) of your company are the lifeblood of how your employees will make relevant decisions on where to steer clear of significant risk.  Based upon what other business units are doing or what is going on in the external environment of your state, sector or geography, consider these scenarios:
If the internal RSS Feed for the IT department reported that there was a Distributed Denial of Service (DDoS) attack going on at the moment, how might that impact the decision by the marketing department to delay the posting of the new product release information to the Twitter site? The synchronization of intelligence-led processes is led by the head of the Corporate Intelligence Unit. The CIU is staffed with people who have a tremendous understanding of the corporate enterprise architecture and have the skills and talents to operate as effective operational risk management professionals.

If the internal RSS Feed for the Facilities Security department reported the presence of a "White Truck Van" with blacked-out windows trolling the perimeter of the corporate parking lot, how might this change the decision for the CEO to leave that minute for her scheduled trip to the airport? Skilled CIU staff would quickly notify the CEO via the "Corporate 9-1-1 Alert" App embedded in every employee's iPhone. Undercover corporate security personnel would then immediately approach the vehicle for a recon drive-by.

If the internal RSS Feed reported a recent change in industry legislation that would change the way the Federal Trade Commission defined the elements regarding consumer privacy, how might this affect the latest strategy on how the institution was going to encrypt its data on servers and laptops? The CIU staff would advise the Chief Information Officer and other Information Security Risk staff to step up the roll-out of the latest version of PGP for the enterprise.
And the list goes on. The modern day intelligence-led Corporate Intelligence Unit (CIU), in concert with other highly specialized Operational Risk Management professionals in the enterprise can keep you safe, secure and keenly aware of new threats to your corporate assets. The degree to which you provide the right resources, funding and continuous testing/exercising of your capabilities will determine your likelihood for loss outcomes.
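The three scenarios above all follow one pattern: an item appears on an internal departmental feed, the CIU recognizes which business decision it affects, and the decision owner is notified before acting. The following is an added example, not code from the original post or from any CIU product; the feed XML, the category taxonomy (it/ddos, facilities/physical, legal/regulatory), the routing table and the "current time" are all constructed for illustration. It parses an RSS 2.0 feed, maps each item's category to the decision owner and the action to hold or revisit, and flags items older than a configurable age as stale rather than dropping them silently, so a reader knows whether an advisory is live or historical.

```python
"""Route items from an internal CIU alert feed to the business decisions they affect.

Added example (not code from the original post). The feed XML, the
category names and the routing table are constructed for illustration;
a real CIU would substitute its own departmental taxonomy.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of an internal RSS 2.0 feed carrying three departmental items.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Corporate Daily News (constructed sample)</title>
    <item>
      <title>DDoS attack in progress against public web tier</title>
      <category>it/ddos</category>
      <pubDate>Tue, 18 Oct 2016 14:05:00 +0000</pubDate>
      <description>Volumetric DDoS, CDN mitigation engaged.</description>
    </item>
    <item>
      <title>Unidentified van circling the north parking lot</title>
      <category>facilities/physical</category>
      <pubDate>Tue, 18 Oct 2016 14:20:00 +0000</pubDate>
      <description>White van, blacked-out windows, third pass in 30 minutes.</description>
    </item>
    <item>
      <title>FTC issues revised consumer privacy guidance</title>
      <category>legal/regulatory</category>
      <pubDate>Mon, 10 Oct 2016 09:00:00 +0000</pubDate>
      <description>Changes to definitions affecting stored customer data.</description>
    </item>
  </channel>
</rss>
"""

# Hypothetical routing table: feed category -> (decision owner, decision to hold or revisit).
# The rows mirror the three scenarios in the post.
ROUTING = {
    "it/ddos": ("marketing", "hold external announcements and product-release posts"),
    "facilities/physical": ("executive protection", "hold executive departures pending perimeter check"),
    "legal/regulatory": ("information security", "re-evaluate data-at-rest encryption roll-out"),
}

# Items older than this are still reported, but flagged stale instead of treated as live.
MAX_AGE = timedelta(hours=24)

# Constructed "current" time used by the demo below and by tests, so results are deterministic.
DEMO_NOW = datetime(2016, 10, 18, 15, 0, tzinfo=timezone.utc)


@dataclass
class Advisory:
    category: str
    owner: str
    action: str
    title: str
    stale: bool


def parse_feed(xml_text):
    """Return (title, category, published datetime or None) for every <item> in an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = item.findtext("title", default="").strip()
        category = item.findtext("category", default="").strip().lower()
        pub = item.findtext("pubDate")
        published = parsedate_to_datetime(pub) if pub else None
        items.append((title, category, published))
    return items


def route_alerts(xml_text, now):
    """Map each feed item to the business decision it affects.

    Items whose category has no routing rule are skipped (unknown categories
    are not guessed). Items with no pubDate or older than MAX_AGE are flagged
    stale so the recipient knows the advisory is historical rather than live.
    """
    advisories = []
    for title, category, published in parse_feed(xml_text):
        rule = ROUTING.get(category)
        if rule is None:
            continue
        owner, action = rule
        stale = published is None or (now - published) > MAX_AGE
        advisories.append(Advisory(category, owner, action, title, stale))
    return advisories


if __name__ == "__main__":
    for adv in route_alerts(SAMPLE_FEED, DEMO_NOW):
        flag = "STALE" if adv.stale else "LIVE "
        print(f"[{flag}] {adv.owner}: {adv.action}  <- {adv.title}")
```

Run as a script it prints one line per routed item: the DDoS and parking-lot items (minutes old) come out live, while the week-old FTC item is flagged stale. The choice to skip unmapped categories rather than guess an owner is deliberate: a feed that silently routes everything to someone trains recipients to ignore it, which defeats the synchronization the CIU exists to provide.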

If your organization has been impacted by loss outcomes that continuously put your employees, stakeholders or assets at risk, then look hard and deep at your "Operational Risk" quotient, to determine if you are the best you can be...

15 October 2016

Scrutiny: The Noun Missing From Your Culture...

The culture of your business or organization will continue to be the root cause of many of your most substantial successes.  Simultaneously, it will be one of the most significant factors in your potential downfall as a company.  Operational Risk Management (ORM) professionals at Wells Fargo and Booz Allen Hamilton are still dissecting all of the evidence of their respective events.

"Managing Risk to Ensure Intelligence Advantage" is a theme that you may not have heard before, unless you are in the Intelligence Community.  There is one key principle that is worth emphasizing again at this point in time:
Ensure all work is subject to scrutiny.  Require conflict of interest-free peer review for all programs, projects and strategies.
This principle, which must become pervasive across the culture of the organization, is imperative for several reasons.  The first is that a culture really is a manifestation of the people and the behaviors that are normal in the organization.  The second is that the culture must strive to be a true mosaic of the best thinking and ideas from all the key stakeholders in the enterprise, not just one or two people from the top or a single department.

Submitting your work to the scrutiny of others is the beginning of newfound discovery, transparency and insight.  It is the foundation for building a more trusted operating environment, with as little bias as you can possibly have in a culture.  When an organization spins out of control and becomes the latest case study of an Operational Risk failure event, you must learn from it.  Wells Fargo is just one recent example:

Some consumers may be shying away from Wells Fargo after learning that employees used customers’ information to open sham accounts, according to new figures reported by the bank.

The nation’s largest retail bank beat expectations when it reported more than $5.6 billion in profit for the past three months. But the bank’s earnings report also hinted that Wells Fargo may have some trouble convincing people to open new accounts in the wake of the scandal.

The number of checking accounts the bank opened in September fell by 25 percent from the same time last year, the company reported Friday. Credit card applications filed during the month dropped by 20 percent from a year ago. And the number of visits customers had with branch bankers also fell by 10 percent from last year.  Washington Post

Whether you are in the international banking and finance business, the defense industrial base or any other set of critical infrastructure institutions that public citizens are counting on, there is no room for a runaway culture.  Consider this definition:

scrutiny

noun, plural scrutinies.

1. a searching examination or investigation; minute inquiry.

2. surveillance; close and continuous watching or guarding.

3. a close and searching look.

You see, the integrity and longevity of your "Trust Decisions" begins with the sharing of relevant information.  Sharing that information with your most trusted and significant partners is the start: the beginning of a dialogue with people in your culture who continuously review the information and the new strategy. This begins the ongoing process. It is now time for others to look at your idea, your strategy, your policy rule, from their perspective and from their knowledge base. To scrutinize it. To analyze it. To make sense of it for themselves and for those affected by it.


The truth is, you don't have all the understanding and you don't have all of the ecosystem knowledge. You don't have the entire data set to know if the specific work you have been doing is sound and correct. That the new work you have designed is culturally and morally acceptable. That the outcomes of your project will produce the results imagined. That the strategy and the work are the right thing to do at this point in time.

So how do you change? It begins with your next management meeting and beyond. If you are the leader, the manager, the director, the Vice-President or the CxO, start now. Ask for scrutiny on your proposed strategy. Gain new insight and understanding. Ask for feedback and changes to make it better. Your power in the culture and its impact is your greatest weakness. Your people will follow you, unless you challenge them to think differently...

09 October 2016

Forest for the Trees: Inside the True Threat...

After we checked in, our elevator ascended to the 4th floor of the Washington Post on October 6th, where everyone on board was anxious to get their seat inside the "Live Center."  The 6th Annual Cybersecurity Summit was at 9:00AM, on the heels of international news from Yahoo, Julian Assange and the NSA.

The TV cameras were lined up in the rear and the chairs were set on stage for 30-minute talks with key thought leaders across the United States.  One could not miss the ceiling-based sensors capturing the faces of each person attending.  The moderators from the Washington Post were all prepared with their specific areas of questions to address such topics as:
  • Protecting Personal Data
  • Political Hacks and Leaks
  • Cyberspace:  A 21st Century Warzone
  • A Focus on Critical Infrastructure
  • The White House and Cybersecurity
Flashback 6 years to Harrison Ford's movie Firewall, and the viewer is entertained with a combination of Seattle bank heist, kidnapping and good old-fashioned Hollywood chase and fight scenes.  There is even a degree of deception and conspiracy mixed in to spice up the story line.  The plot is full of social engineering lessons from which even those with little knowledge of high technology can learn a thing or two.

While the actual high-technology bank heist turns out to be nothing more than a simple theft of account numbers and a transfer of $10,000 from each of 10,000 high-net-worth customers, the movie title is a ploy.  In only one short sequence is there any focus on the fact that the bank is being attacked on a daily basis from other locations on the other side of the globe.  Those attackers, using new and increasingly sophisticated strategies, are consistently giving financial institutions new challenges to secure their real assets: binary code.

In early 2005, a criminal gang with advanced hacking skills had tried to steal GBP 220 million (USD 421 million) from the London offices of the Japanese banking group Sumitomo and transfer the funds to 10 bank accounts around the world. Intelligence on the attempted theft via keylogging software installed on the bank's computers had been circulating in security circles at that point in time.  Soon thereafter, warnings were issued to financial institutions by the police to be on the alert for criminals using Trojan Horse technology that can record every keystroke made on a computer.

In this decade-old case, and even in the movie, the "insider" is a 99.9% chance.  A person has been bribed, threatened or spoofed in order for the actual fraud or heist to occur.  The people who work inside the institution are far more likely to be the real source of your catastrophic digital incident than the skilled hacker using keylogging software.  More and more, the real way to mitigate these potential risks is through behavior profiles, continuous monitoring and deep learning analysis.

The human element, which relates to situational awareness, can't be ignored any longer.  And this can only be changed through more effective education, training, and testing of employees.  An organization that procures technology worth millions of dollars is naive if it does not invest in educating its employees to make the investment worthwhile.  Sometimes the human element stands alone.  Just ask Mr. Robot.

Awareness, detection and determination of threat, deployment, taking action, and alertness are key ingredients for security.
"Predictive Intelligence comes into play as organizations recognize that detecting threats, starts long before the firewall is compromised, falsified accounts established and bribes taken."
The Israeli airline El Al has known for a long time the power of humans as a force in security.  An empowered, trained and aware group of people will contribute to the layered framework as a force multiplier that is unequaled by any other technology investment.

The cyber topics and IP theft news this week should be a wake-up call for those institutions who still have not given their employees more of the skills and their Operational Risk Management (ORM) professionals the predictive tools for detecting human threats, long before any real losses occur.

The truth is, that "Insider Threat" data is being collected by the minute and the hour.  The public and private sectors have the highest concern about malicious insider activities to this day.  What are some examples of the behavior?  Some of these are observable by other humans and others only by machines and software.  Do you currently measure the number of times per day a user on your network copies files from their system to a removable drive or Dropbox account?
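One way to start measuring that, as an added example that is not part of the original post: per-user daily counts of file copies to removable media or a cloud-sync folder, computed from constructed endpoint log lines in a hypothetical agent format, with each user's other days serving as the behavior baseline.

```python
"""Per-user, per-day count of file copies to removable media or a cloud-sync
folder, with each day compared against that user's own baseline.

Added example for this post; the endpoint log format and the sample lines
below are constructed for illustration and do not come from any real product.
"""
import re
from collections import defaultdict
from statistics import median

# Destinations that count as "leaving the managed system" for this metric.
EXTERNAL_DEST_PREFIXES = ("removable:", "cloud:")

# Constructed sample log lines (hypothetical endpoint agent format).
SAMPLE_LOG = """\
2016-10-03T08:12:04Z user=alice action=file_copy dest=removable:E: file=q3_forecast.xlsx
2016-10-03T09:40:11Z user=alice action=file_copy dest=local:C: file=notes.txt
2016-10-03T10:02:37Z user=bob action=file_copy dest=cloud:Dropbox file=team_photo.jpg
2016-10-04T08:15:20Z user=alice action=file_copy dest=removable:E: file=budget.xlsx
2016-10-04T14:22:09Z user=bob action=file_copy dest=cloud:Dropbox file=slides.pptx
2016-10-05T07:58:44Z user=alice action=file_copy dest=removable:E: file=plan.docx
2016-10-05T08:01:02Z user=alice action=file_copy dest=removable:E: file=contracts.zip
2016-10-06T06:30:00Z user=alice action=file_copy dest=removable:F: file=customers.csv
2016-10-06T06:30:05Z user=alice action=file_copy dest=removable:F: file=pricing.xlsx
2016-10-06T06:30:09Z user=alice action=file_copy dest=removable:F: file=roadmap.pptx
2016-10-06T06:30:14Z user=alice action=file_copy dest=removable:F: file=payroll.csv
2016-10-06T06:30:20Z user=alice action=file_copy dest=removable:F: file=vendors.xlsx
2016-10-06T06:30:26Z user=alice action=file_copy dest=cloud:Dropbox file=source_tree.zip
2016-10-06T06:31:02Z user=alice action=file_copy dest=cloud:Dropbox file=designs.zip
2016-10-06T06:31:40Z user=alice action=file_copy dest=cloud:Dropbox file=hr_records.csv
2016-10-06T06:32:11Z user=alice action=file_copy dest=cloud:Dropbox file=board_minutes.pdf
2016-10-06T09:15:33Z user=bob action=file_copy dest=cloud:Dropbox file=memo.docx
2016-10-06T09:16:01Z user=bob action=file_open dest=- file=memo.docx
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dest=(?P<dest>\S+) file=(?P<file>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def daily_external_copies(lines):
    """Map user -> day -> number of file copies to an external destination.

    Days on which the user was active but copied nothing externally are kept
    with a count of 0, so the baseline reflects quiet days too.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or unparseable lines instead of failing
        counts[rec["user"]][rec["day"]] += 0  # register the active day
        if rec["action"] == "file_copy" and rec["dest"].startswith(EXTERNAL_DEST_PREFIXES):
            counts[rec["user"]][rec["day"]] += 1
    return {user: dict(days) for user, days in counts.items()}


def flag_outliers(counts, ratio=3.0, min_events=5):
    """Return (user, day, count, baseline) for days whose count is at least
    `min_events` and at least `ratio` times the user's median on other days."""
    alerts = []
    for user, by_day in counts.items():
        for day, n in sorted(by_day.items()):
            others = [c for d, c in by_day.items() if d != day]
            baseline = median(others) if others else 0
            # max(baseline, 1) keeps a user with a zero baseline from being
            # flagged on a single copy while still catching a real jump.
            if n >= min_events and n >= ratio * max(baseline, 1):
                alerts.append((user, day, n, baseline))
    return alerts


if __name__ == "__main__":
    counts = daily_external_copies(SAMPLE_LOG.splitlines())
    for user, day, n, baseline in flag_outliers(counts):
        print(f"{user} {day}: {n} external copies (baseline {baseline})")
```

Against the sample, only alice on 2016-10-06 is flagged (9 copies against a median of 1 on her other days); bob's steady one copy per day never trips the threshold.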

Executive Order 13587 was just the beginning to address the single point failures in the Defense Industrial Base supply chains.

Think inside the true threat.  Ask questions about relationships, personality, job satisfaction, organizational structure, punctuality and who is leaving the organization.  Who has just joined the company?  The interdependencies are vast and complex and both data and metadata need to be collected for effective Activity-Based Intelligence (ABI).

Anomaly Detection at Multiple Scales (ADAM) and the research on better understanding the "Forest for the Trees" scenarios is our destiny for the true threat.  We will continue our security vs. privacy policy debates, yet at the end of the day, maybe the answers are as simple as Rubik's Cube.
If you start thinking of the Super Bowl championship as your motivation, you are going to miss the trees for the forest or the forest for the trees. I never could understand that one. Marv Levy

02 October 2016

Homegrown Violent Extremism: Vigilance of Intelligence...

Since the Boston Marathon terrorist attack on Patriots Day, April 15th, 2013, the spectrum of Operational Risks that have descended upon the region and the country is vast.  People, processes, systems and external events are the state of play.  If you own a backpack and you are taking it on public mass transit or to a public event soon, remember this.  The new normal has finally arrived in the United States of America, again.

What does the face of terrorism look like?  London understands.  Oslo now understands.  FOB Chapman understands.  New York City.  San Bernardino.  Orlando.  Dallas.  Even as we begin the analysis of this latest U.S. based event in context with all the similarities of past episodes of terror, we are left with one absolute known.  Operational Risk Management is essential, no matter who you trust and how much you trust them.  The public now understands this once again and regardless of how much we may want to continue to enjoy our civil liberties and privacy, you never know when or how this will happen again.

Why is it that Israel and other nations that are far more advanced in their Operational Risk strategies still witness numerous incidents of terror?  Because it is impossible to eliminate.  It is only possible to mitigate the risks and the likelihood of occurrence.  Public safety and security incidents of this magnitude are the visible metric we all judge to make sense of our progress.  Our only hope is better intelligence.  Lisa Ruth explained this over four years ago:

Intelligence is the best, the only, way to defeat the terrorists. To tackle the terrorist threat, we need all the weapons in our intelligence arsenal. That starts with intelligence requirements from the entire community that are well-focused and well-targeted. It means funding and a mandate to succeed. It means strong collection. We need human intelligence, which comes from case officers recruiting sources on the ground to give us information. We need electronic information, including telephone intercepts and static listening devices. We need overhead photography. We also need open source information such as web sites, facebook pages and other publicly available information. We need analysis, putting the pieces together. And we need decision makers who trust the intelligence services and listen to what they are saying. Washington Times, 9/14/2012

So in the dark shadows and behind closed doors, the whispers continue to debate how Boston Patriots Day 2013 could have happened.  How, on December 2, 2015, 14 people were killed and 22 were seriously injured in a terrorist attack at the Inland Regional Center in San Bernardino, California, which consisted of a mass shooting and an attempted bombing.  Why didn't the intelligence we already had provide the warning in time, in the midst of a glaring yellow or red flag?  As the analysis continues and the best and the brightest determine the lessons learned, we can only pray that our process changes take place and citizens' behaviors are modified.  Erroll Southers explains why we have more work ahead of us:

At the same time, the radicalization process is not brief. Extremism smolders like a hot coal, an idea that grows into a violent fire fueled by anger, conflicts of identity, feelings of humiliation and marginalization. It is important for the public to understand that removing any one of these elements cannot fully disrupt radicalization. All of these and other root causes need to be addressed in the effort to not just apprehend terrorists, but dissuade the radicalization that leads to terrorism.
There will be numerous accounts of heroism, people who saw or reported details that could have helped stop any of these Homegrown Violent Extremist (HVE) events.  What matters most from this point forward is that "John Q. Citizen" realizes the importance of being ever vigilant.  Having a continuous sense of personal vigilance is our only hope.  Whether in the crowd at the next marathon or in a lonely office cube, off Route 123 does not matter.  The goal is the same and we must not lose sight of our mutual responsibilities and unified purpose.
Godspeed America!
  1. An expression of good will when addressing someone, typically someone about to go on a journey or a daring endeavor.

25 September 2016

ORM: "All Threats & All Hazards"...

If you are new to the discipline of Operational Risk Management (ORM), your entry point into its vast spectrum is a vital realization. The business problem that you are trying to solve with the utilization of an effective set of protocols, policy and risk management framework may take years to accomplish. Do you have that much time?

Operational Risk Management 101 requires an "All Threats & All Hazards" point of view from day one. It also requires a protocol that your whole organization can understand, implement and put to work on a daily basis. Whether you are in banking, drilling for oil, flying an AV-8B out of hostile conditions or preparing a "State Dinner" for hundreds of people on the South Lawn, Operational Risk Management is the versatile discipline that will enhance your safety and security.

Practitioners of ORM know that the next threat or the unexpected hazard is almost impossible to defend against. Once you realize that you are always in "degrees of vulnerability," your mindset changes about where to spend your activity, effort and resources to maximize your returns. Did anyone see the process of turning sub-prime mortgage portfolios into securities and selling them to investors on Wall Street as a future threat to our economic prosperity? Yes. The same people bought instruments to hedge this risk in the form of "Credit Default Swaps" (CDS):
Credit default swaps are often used to manage the credit risk (i.e., the risk of default) which arises from holding debt. Typically, the holder of, for example, a corporate bond may hedge their exposure by entering into a CDS contract as the buyer of protection. If the bond goes into default, the proceeds from the CDS contract will cancel out the losses on the underlying bond.
Prudent Operational Risk practitioners look at the threat and invent the correct tool, product, or countermeasure to hedge the risk. It happens on Wall Street and it happens on the urban battlefields of cities across America. A U.S. Justice Department researcher, Lester Shubin, utilized a DuPont fabric intended for tires and developed the Kevlar bulletproof vest. This inventor passed away about seven years ago and is credited with helping to save the lives of over 3,000 law enforcement officers. A heart attack took the life of a man who understood the core value of "Operational Risk Management." Godspeed Lester.

Shubin and his advocates had many obstacles to overcome in order for their idea, invention and risk management habit to succeed. First there was testing, then the legal hurdles to get companies to manufacture vests because of liability and then finally getting street cops to use them. This practitioner of Operational Risk did not stop there. He was also one of the first to suggest the use of canines to find explosives.

If you enter the ORM discipline from a safety orientation, the perspective may be different from one who enters it from a security orientation. What they both have in common is managing risk. The most effective 21st century experts in Operational Risk Management realize that an "All Threats & All Hazards" mindset is crucial to the entire profession. So how do you know where to invest your activity, effort and resources? That depends on your industry sector, the environment you are operating in and the pace of the processes being performed.

Being an effective Operational Risk expert today requires a multi-faceted, mosaic-based, pervasive protocol in order to be adaptive. Working and operating in the trading pit at the Chicago Mercantile Exchange (CME) or the deck of CVN-77 in the middle of the Arabian Sea both require the same set of skills, knowledge and training. If done effectively, it will save lives and millions of dollars simultaneously.

18 September 2016

Digital Citizens: The Integrity of our Trust Decisions...

Operating globally in business requires travel across borders and into less than familiar places.  Operational Risk Management (ORM) is at the forefront of global commerce for good reason.  The tools we use to assist us range from the smart phone airline App that holds your boarding pass to the latest travel warnings from the U.S. State Department's "SmartTraveler" App.

Perhaps on your last trip abroad you ditched your regular personal smart phone for a pay-as-you-go model that you could throw away upon your return.  Most likely a prudent strategy, especially if you are traveling into physical places that are known to be less trusted for their wireless communications infrastructure or for other questionable reasons.

Regardless, the use of a Virtual Private Network (VPN) when connecting a device in any country is worth the extra step for privacy.  OpenVPN or Golden Frog's VyprVPN can provide your iOS or Android device with an encrypted tunnel to prevent eavesdropping on your Internet traffic.  Again, a wise step to take at all times.

However, even today that may not be enough.  Digital Trust is paramount in a mobile-centric 24x7 business world.  The integrity of communications from the CxO ranks while traveling abroad is vital when interacting with senior staff and other government collaboration partners.  Our Trusted Apps perhaps need a new and emerging set of capabilities going forward.  Marc Canel writes:

"A group of security experts led by ARM, Intercede, Solacia and Symantec collaborated to create a new security protocol for smart connected products.

The companies agreed that any system would be compromised unless a system-level root of trust between all devices and services providers was established. This led to the definition of the Open Trust Protocol (OTrP), which combines a secure architecture with trusted code management, using on mobile devices proven technologies from banking and data applications.

The protocol is now available for download from the IETF website for prototyping and testing. The key objectives of OTrP are to develop:

  • an open international protocol based on the Public Key Infrastructure (PKI)
  • an open market for competing certificate authorities
  • an ecosystem of client and server vendors around the protocol
Collaboration began in early 2015 and soon grew to 13 companies. The alliance worked with the IETF and Global Platform to get OTrP adopted as a protocol within their organizations."

The OTrP protocol adds a messaging layer on top of the PKI architecture. It reuses the Trusted Execution Environment (TEE) concept to increase security by physically separating the regular operating system of a device from its security-sensitive applications.

We have created devices we want to trust.  Our business and global commerce requires the ability to effectively communicate with integrity.  The Open Trust Protocol (OTrP) is only the beginning.

Why?
The foundations of the Internet and the future of Artificial Intelligence (AI) will soon be at a break point.  A place in the growth curve where there is a bifurcation.  If we do nothing, the system will decline and die, as opposed to being re-engineered now to survive and adapt to the evolving environment ahead.  A digital environment where machines are talking to machines on a more massive scale at light speed, beyond just digital switches, routers and other mobile (IoT) devices.
The continuous integrity and assurance of our networked infrastructure to enhance "Digital Trust" is already well on its way.  Important foundations have already been established and the transformation steps are underway beyond protocols, with the education of our most promising generation of new software engineering talent.  Here is just one example in Jeffrey Ritter's University of Oxford course, "Building Information Governance":

"To govern information now requires mastery of a diverse, often international, portfolio of legal rules, technology standards, business policies, and technology, all applied across increasingly complex, distributed systems and repositories. The increased scrutiny and requirements of official agencies and business partners impose new requirements for compliance documentation and transparency. This course introduces participants to a structured design approach that will enable strong, responsive and resilient information governance to be incorporated into the design and management of digital assets. 21st century information governance must navigate and embrace records management, privacy, electronic discovery, compliance, information security, corporate governance, and transparency of operations—all of these will be considered in this course."

The future of "Privacy Engineering" is at stake in a mobile commerce digitally trusted environment.  All of the protocols being developed for moving zeros and ones from point A to point B will not mean anything, if we have not effectively enhanced our "TrustDecisions" capabilities and outcomes.

The environment is virtual.  Just like the physical world, there are places that are safe and others that are dangerous and evil.  Since the beginning, the diversity of content and the people who are operating in the environment are good and bad.  This is the reason the virtual environment of the Internet has rules and the engineered governance that is necessary for the integrity and safety of the global citizens who utilize it.

You have to wonder what our digital world would be like without rules or any governance.  Without the international Rule of Law.  Without the enforcement of international safe havens for people to operate with integrity and in safety.  In the physical world and on the Internet.  It would be global uncontrolled chaos.

As you ascend into the next generation of mobile and global commerce, think harder about "Digital Trust".  How will the Trust Decisions that your business or your country relies on, remain in a safe haven?  Will the confidentiality, integrity and assurance of the underlying data science continually be trusted?
"These forces are concurrently driving transformations that are now already visible in how we structure the governance of our political states, our commercial consortia, our corporate digital ecosystems, and our interactions as individual users with the digital assets of the Net.
Ultimately, the Net succeeds or fails based on the cumulative affirmative decisions of individual humans to trust the networks, systems, devices, applications, and information assets that are the blocks from which the Net is constructed.   For the Net to prosper, and to be functional as a global infrastructure, the values and consequences of building digital trust must be embraced.  That evolution is already underway"...  Jeffrey Ritter

11 September 2016

9/11 2016: Remembering the Fallen...

"We Will Never Forget".  On 9/11 2016 as the names are read, we remember and we reflect upon the significance of this anniversary for each of us.  Fifteen years after that horrific start of a new generation of Violent Extremism and International Terrorism, we honor those who have fallen.

From the First Responders from the ranks of the New York City Fire and Police Departments on that morning, to the forward deployed from the CIA and our (AFSOC) Special Operations Forces a decade and a half later.  Four years ago today in Benghazi, we were attacked again at our U.S. Diplomatic Compound, 9/11 2012.

As we talk and discuss where we were and how we felt on that day in September 2001, it is vital we analyze what has changed and how we are now different.  Even today the kinetic war persists on the ground, in places like the Hindu Kush and Shabwah province to eliminate the threat of AQAP and ISIL or IS (Islamic State).

Meanwhile, millions gather at Mount Arafat in Saudi Arabia for the Hajj ceremonies, where Muslims believe the Prophet Muhammad gave his last sermon.  Fifteen of the 19 attackers were Saudi nationals.

Fifteen years ago the attacks were planned and coordinated by a more central and organized set of leadership in al-Qa'ida.  The erosion of Middle East states after the Arab uprising has brought us an asymmetric threat commanded online through social media and more sophisticated video-enabled communications strategies.  These tangents for recruitment and online command and control have created new challenges for our counter-terrorism (CT) strategies.

Watching the dual beams of light shining over New York City at Ground Zero on this anniversary, we must not forget.  We must seek to understand the behavioral components of "Homegrown Violent Extremism" (HVE) as the primary future weapon of al-Qa'ida leadership.  From Paris and Nice to San Bernardino and Dallas, the variants of how and where HVE will erupt are unknown and even harder to detect in advance of a violent attack.

Now that women, young children and even four-wheel truck vehicles have been utilized as simple tools to perpetuate the stealth and low-tech / high-assurance approach to killing innocents, there is still nowhere to hide.  There is no place that is truly safe.

The primary solution for you, your company and a nation is to continue to enhance Operational Risk Management (ORM) and to seek even more robust levels of resilience.  We learned years ago that the ability to adapt and to survive relies on this core strategic capability.

Whether you are preparing for that next hurricane, earthquake, cyber or explosive attack does not matter.  We must all seek to better understand Operational Risk and prepare even more than we ever have in the past.

On this fifteenth anniversary, we have learned so much and still have so far to go...Godspeed!

27 August 2016

Human Capital Risk: Know Your Company...

Operational Risk Management (ORM) is about continuous innovation.  It requires a steadfast momentum towards a future spectrum of dynamic resilience.  The shift in thinking is that your ability to survive the impact of any adverse incident to your people, process, systems or other external factor is commensurate with your current-state of resiliency.

You must establish and cultivate the creative and innovative environment in your organization at the core.  Then, wrapped around this ecosystem of core human potential, the culture evolves into a ripe entity of new possibility.  New hope.

Simultaneously, the visions of what contributes to a healthy environment and the attributes of what creates a deterioration start to become more clear to you.

You see, when most people think about risk management they are immediately drawn to threats and vulnerabilities external to the organization.  Protect against known external threats and remediate known vulnerabilities.

How much time is devoted to understanding the maturity and the resilience of your core internal ecosystem of human capital?  From the inside out.  The same human capital that will either achieve survival after any known or unknown incident could also contribute to its inevitable demise.

So what are we talking about?  How well do you know your company?  Jason Fried, CEO of 37signals.com explains:
  • As CEO, maintaining a healthy culture isn’t someone else’s job — it’s my job. I had to take responsibility for knowing my people and knowing my company. That buck starts and stops with me.
  • Answers only come when you ask questions, so the tool had to be built around questions. People generally don’t volunteer information re: morale, mood, motivation unless they’re directly asked about it.
  • The entire system had to be optional. No one at the company should be forced to use it. Forcing people to give you feedback is ineffective and builds resentment.
  • This couldn't be a burden on my employees. Employees would never have to sign up for something or log into anything.
  • Information had to come in frequently and regularly. Huge information dumps once or twice a year are paralyzing and lead to inaction.
  • I had to follow-through. If someone (or a group of people) suggested an important change, and it made sense, I had to do everything I could to make it happen. I wasn't creating this system to gather information and do nothing about it.
  • It had to be automated, super easy (for me and my employees), non-irritating, and regular like clockwork. This had to eventually become habit for everyone involved. If it ever felt like something that was in the way or annoying, it wouldn’t work. It had to be something people looked forward to every week.
  • Feedback had to be attached to real people - it couldn’t be anonymous. You need to know your people individually, not ambiguously. If someone has a problem, you need to know who it is so you can talk to them about it. This requires trust on everyone’s part.
  • Success depended on a combination of automated, and face-to-face, back-and-forth with my team. The unique combination of automated and face-to-face communication play off each other in really positive ways.
Quantity vs. Quality.  If you have read any of Jason's books such as "Rework" you know what we are talking about.  37 Signals has been in business now about 16 years and has just surpassed xx people. Congratulations Jason.

Managing Operational Risks within an organization begins with the clairvoyance and the insight gained from knowing your human capital.  Knowing your people when they come on board and knowing how they change over time.

Do you think that the person you hired two years ago is still the same person? What about ten years ago or 20?  People change for a myriad of reasons impacted by the environment on the home front and certainly their work place environment.

The resilience of your organization begins and ends with knowing your company, or government agency.  In order to know your enterprise, you need to know your people.  Your ecosystem of innovation possibility and the longevity of your organization depends on it.   As a recent agency example,  commentary by George Bamford:
In the summer of 1972, state-of-the-art campaign spying consisted of amateur burglars, armed with duct tape and microphones, penetrating the headquarters of the Democratic National Committee. Today, amateur burglars have been replaced by cyberspies, who penetrated the DNC armed with computers and sophisticated hacking tools.
Where the Watergate burglars came away empty-handed and in handcuffs, the modern-day cyber thieves walked away with tens of thousands of sensitive political documents and are still unidentified.
Now, in the latest twist, hacking tools themselves, likely stolen from the National Security Agency, are on the digital auction block. Once again, the usual suspects start with Russia – though there seems little evidence backing up the accusation.

20 August 2016

Strategic Foresight: Risk Leadership into the Future...

When you really start to think long and deep about the discipline of the agile startup community, you keep coming back to a single word.  Improvise.  The more you analyze what it takes to get an idea from "Zero to One" to a Minimum Viable Product (MVP), the more you need Operational Risk Management (ORM).  At the same time, this thought might seem to question the value of previous planning or preparedness:
im·pro·vise [im-pruh-vahyz] verb, im·pro·vised, im·pro·vis·ing.
verb (used with object) 
1.  to compose and perform or deliver without previous preparation; extemporize: to improvise an acceptance speech.
2.  to compose, play, recite, or sing (verse, music, etc.) on the spur of the moment.
3.  to make, provide, or arrange from whatever materials are readily available.

Yet what the true startup and ORM professional understands is the origin of the word:
Origin:

1820–30; French improviser, or its source, Italian improvisare (later improvvisare), verbal derivative of improviso improvised; Latin imprōvīsus, equivalent to im- im-2 + prōvīsus past participle of prōvidēre to see beforehand, prepare, provide for (a future circumstance). See proviso
And so this brings us to the importance today of utilizing the power of "Strategic Foresight."
Strategic foresight is a fairly recent attempt to differentiate "futurology" from "futures studies". It arises from the premise that:
  • The future is not predictable;
  • The future is not predetermined; and
  • Future outcomes can be influenced by our choices in the present. [1]
Strategic foresight may be used as part of the corporate foresight in large companies.[2] It is also used within various levels of Government and Not for Profit organizations. Many concepts and tools are also suited to 'personal futures' thinking.
The "Asymmetric Attributes" of enterprise risk and "Big Picture Security" today make predictability a major task going forward.  So what do improvising and strategic foresight have to do with startups and Operational Risk Management?  Everything.  Let's go back in the "Time Machine" for a minute:
The 2010 eruptions of Eyjafjallajökull were volcanic events at Eyjafjallajökull in Iceland which, although relatively small for volcanic eruptions, caused enormous disruption to air travel across western and northern Europe over an initial period of six days in April 2010. Additional localised disruption continued into May 2010. The eruption was declared officially over in October 2010, when snow on the glacier did not melt. From 14–20 April, ash covered large areas of northern Europe when the volcano erupted. About 20 countries closed their airspace (a condition known as ATC Zero) and it affected more than 100,000 travellers.
"As the crisis ran its course it went on to paralyze or seriously limit air traffic in 23 countries around the EU and its periphery bringing 300 airports to a standstill and cancelling 100,000 flights, representing three-quarters of all European traffic. Ten million individuals were affected and had to cancel their trips or find alternative travel arrangements at serious economic cost for the passengers, carriers, and insurers involved."
So what?  The future state of a High Risk x Low Frequency event is unlikely to get the attention it requires.  The "1-in-100 year" probability of an event has become so embedded in insurance industry underwriting group-think that it often falls on deaf ears.  Resources and attention are increasingly directed towards potential crisis events that are considered High Risk x High Frequency.

Could the EU have imagined the impact of volcanic ash from an erupting volcano in Iceland?  Most certainly.  Did the EU have the strategic foresight to know what to do when and if this happened?  The point is that successful improvisation is often the result of having devoted resources and time towards planning and the behavioral prediction of future outcomes, outcomes influenced by our choices in the present.  The impact to the organization, enterprise, nation state or individual will be a function of how much is devoted to strategic foresight initiatives.
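To make the "1-in-100 year" point concrete, here is a small added example (not from the original post) that turns a return period into the probability of the event occurring at least once over a planning horizon, and ranks scenarios by annualized expected loss. The scenario names, probabilities and impact figures are constructed for illustration; the independence-between-years assumption is the usual return-period simplification.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A risk scenario: how often it happens and what one occurrence costs."""
    name: str
    annual_probability: float  # chance of at least one occurrence in a given year
    impact: float              # loss per occurrence, in currency units (constructed)


def probability_within_horizon(annual_probability: float, years: int) -> float:
    """Chance the event occurs at least once during a planning horizon of `years`.

    Assumes each year is independent, the standard return-period simplification.
    A 1-in-100-year event (p = 0.01) has roughly a 26% chance of occurring
    within a 30-year horizon, which is far from "never".
    """
    if not 0.0 <= annual_probability <= 1.0 or years < 0:
        raise ValueError("annual_probability must be in [0, 1] and years >= 0")
    return 1.0 - (1.0 - annual_probability) ** years


def annualized_expected_loss(scenario: Scenario) -> float:
    """Expected loss per year: frequency times impact."""
    return scenario.annual_probability * scenario.impact


def rank_by_expected_loss(scenarios: list[Scenario]) -> list[Scenario]:
    """Order scenarios so the largest annualized expected loss comes first."""
    return sorted(scenarios, key=annualized_expected_loss, reverse=True)


# Constructed scenarios for illustration, not figures from the page.
SCENARIOS = [
    Scenario("High impact x Low frequency (1-in-100-year event)", 0.01, 50_000_000),
    Scenario("High impact x High frequency (every other year)", 0.50, 800_000),
]


if __name__ == "__main__":
    for s in rank_by_expected_loss(SCENARIOS):
        p30 = probability_within_horizon(s.annual_probability, 30)
        print(f"{s.name}: expected loss/yr = {annualized_expected_loss(s):,.0f}, "
              f"P(at least once in 30 yrs) = {p30:.1%}")
```

Run as a script it prints the two constructed scenarios in order of annualized expected loss; with these figures the low-frequency event ranks first, which is exactly the case the underwriting reflex tends to discount.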

It is also imperative that we distinguish the risk of natural incidents caused by mother nature from the risk posed by human threat actors.  We must continue to evaluate the characteristics of the other threat vectors across our daily Operational Risk spectrum.  Using only the imagination of low-tech, less sophisticated and tried-and-true methods, our human adversary has a "Modus Operandi" with a continued low risk of failure.  That low-tech, low-risk-of-failure approach is still one of our greatest vulnerabilities:
The Joint Improvised Explosive Device Defeat Organization (JIEDDO, pronounced like "ji-dough") is a jointly operated organization of the U.S. Department of Defense established to reduce or eliminate the effects of all forms of improvised explosive devices used against U.S. and coalition forces.[4]
  • Formed February 14, 2006
  • Headquarters The Pentagon
  • Employees 435 government civilians and military personnel; ~1,900 contract personnel
  • Annual budget $1.6 billion for fiscal year 2013 [1]
JIEDDO is making a difference, and the metrics indicate that our Operational Risk Management professionals here need to stay the course.  Not just for what has happened overseas on foreign soil, but for the surging wave on our own U.S. Homeland:  Boston, MA is one recent and relevant example.

Be Vigilant America!  Use Strategic Foresight to imagine such interdependent, unpredictable scenarios.  These growing interdependencies are becoming ever more prevalent:

• Rapid global economic growth
• Industrial development of non-OECD nations
• Interlinked global supply chains
• Increased worldwide awareness
• Increased media reach and individual power

These five interdependencies will be the catalyst of our future High Risk x Low Frequency incidents.
The future success ratio of agile startups, and the ability of new innovation to pivot effectively, will be determined by an Operational Risk Management maturity factor.

13 August 2016

CityNext: Trust in a New Age Public Sector...

What if you had the opportunity to establish and design a new city in the United States?  Where would you decide to put it and how would you do it differently than it has ever been done before?

This would be a Public Sector project worth doing differently than we have ever imagined.  After all, how much have we learned by 2016 about critical infrastructure, including electrical grids, solar energy, water resources and waste management?  What about the latest inventions in 5G wireless, and how broadband information systems have evolved to satisfy our insatiable appetites for data, entertainment and the needs of knowledge-working professionals?

How would you design the transportation systems, and how would you put the economic and governance factors of the new city into place?  The Urban Planning and CityNext initiatives today are trying to apply many new ideas and thinking to established cities, not starting from a clean slate, if you will.  There might be many discussions on which U.S. State was most suited for the city, what size in population and square miles it would encompass for housing and commercial development, and the social support systems, including health care, public safety and public works.

There are several global livability indexes today that rank cities by criteria for being the most livable.  Each may put cities such as Melbourne or Zurich, Boulder or Santa Barbara, Rochester or Bellevue at the top, depending on the geographic scope and the other criteria each index uses.

Realizing that there are also so many subjective reasons for wanting to live in an environment near the ocean or the mountains, let us just focus for a minute on all the factors that make the city operate effectively and produce positive economic and governance outcomes for its citizens.  Now how would you design this ideal ecosystem for the future?

If we could do it in such a way that you could replicate the model and the support systems then is it possible that you could put a new city in the middle of some U.S. state and have it flourish over the next 2 decades and beyond?  What factors would we focus on when it comes to how people make a living and sustain their families with a decent standard of living?

All of these considerations and questions are similar whenever you are talking about putting tens, hundreds or thousands of humans together to live, work and play.  The anthropologists, economists, architects, scientists and doctors would all have their thoughts on what to avoid and how to do it correctly.

So what?  What does any of this have to do with Operational Risk Management (ORM)?

The truth is, that the design of the ideal city, the ideal business, the ideal product or the ideal operations plan, can't evolve and survive without Operational Risk Management:
Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. These risks are further defined as follows:

* Process risk – breakdown in established processes, failure to follow processes or inadequate process mapping within business lines.

* People risk – management failure, organizational structure or other human failures, which may be exacerbated by poor training, inadequate controls, poor staffing resources, or other factors.

* Systems risk – disruption and outright system failures in both internal and outsourced operations.

* External event risk – natural disasters, terrorism, and vandalism.

The definition includes Legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution’s activities.
 
It really does not matter whether it is a single household, an enterprise business or the ideal city.  How much you focus on the "TrustDecisions" that are made each moment of every day will determine the outcomes of your vision.

Now consider this:
Every transaction creating wealth first requires an affirmative decision to trust.

Building trust creates new wealth. Sustaining trust creates recurring wealth.

Achieving trust superior to your competition achieves market dominance.

Leadership rises (or falls) based on trust (or the absence of trust).


Take a moment and think about each of these with respect to what you do in your business or in your job. How does the organization acquire wealth? Where does new wealth originate? How are customers retained? What provokes them to keep coming back and paying for your goods or services? Why does the leader in your market succeed? If you are not the market leader, why not? How is the loyalty of your team maintained?  Source:  "Achieving Digital Trust" - Jeffrey Ritter
"Trust is achieved by making decisions that produce favorable outcomes."  These words and more from Jeffrey Ritter should give us pause, as we advance our society and design new cities.

The truth is, the "Public Sector" needs to create more trusted environments, more trusted transportation, more trusted water supplies, more trusted communications, more trusted safety and security.  The public sector needs systems that use trusted data to fuel all of this and provide continuous Confidentiality, Integrity and Availability for all of its citizens.

If the public sector can attain these levels of performance, the vast spectrum of knowledge workers will flourish, the data-driven business models of the future will thrive, and citizens will have new levels of trust.  Trust in their choice of where to live, to work, to raise a family and:
We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

07 August 2016

IT Transformation: Change Agent Journey into the Unknown...

The era of cloud computing is upon us, and business innovation is rapidly adopting a new Information Technology strategy.  Planning for the business to be more adaptive requires that the IT organization become more embedded with the functional leaders who are tasked with guiding the people, process and technology of the enterprise into the future.

Operational Risk Management (ORM) is about building an effective framework for business transformation executives at the CxO level to coordinate and collaborate with the IT leadership.  Together, business and IT executives shall provide the organization and its customers with a seamless and almost undetectable transformation.

True "IT Transformation" has a trajectory to an unknown destination that is constantly adapting and becoming more agile.  It is a non-linear project plan, that is evolving towards a "Future State" where people and culture must change with it.  As a result, true "IT Transformation" requires experts in managing Operational Risks that encompass far more than just new cloud infrastructure for compute, storage, database and networking.

A culture transformation from an "As is" to a "Future State" is a professional services initiative that senior leaders are co-designing.  It is recognized that the vision of the future is still unknown as the business adapts to its environment and marketplace.  If you were an organization that had made the decision to move the business into international locations, how would you do that effectively?

An "IT Transformation" initiative into a new international marketplace requires far more time and resources.  The change mindset and culture shift for the employees will be imperative in order for the IT mechanisms to perform effectively and successfully.  How will this shift in business strategy impact the coding, architecture, inventory and customer service processes in the enterprise?
Let us be clear.  Transformation is different.  It is not "Developmental Change".  It is not "Transitional Change".  It requires a mindset, culture and systems change that operates in the unknown, where people's emotions and behaviors are exaggerated.  It can't follow a linear project plan, and that is why some organizations never attempt true transformation.
So what?  The decision for true "IT Transformation" requires a journey into the unknown, yes, just as for any explorer.  This also requires a mindset shift to that of the explorer: to prepare for the unknown and to plan for the contingencies needed to survive the trip.  Whether the journey is weeks or months does not matter.  There is always an opportunity to prepare before the launch.

Consider these ORM categories as you begin the preparation for your true "IT Transformation":
  • Governance of Accounting (International pricing/regulatory compliance)
  • Access and Security Controls (Data privacy or legal considerations)
  • Asset Management
  • Application Risk (Availability, Disaster Recovery and backup)
  • Incident Triage and Continuous Monitoring
  • Configuration Change Management
  • Release and Deployment Management
Now consider this:

Who will you embark on the journey with?  Who are the people in your organization that are ready, in condition, and have the time to devote to your exploration journey?  What is each person currently working on, and what is their particular "Powerbase" in the enterprise?

Now, who is the partner outside the organization that you will utilize as your "Change Agent"?  That change agent, currently external to your company and enterprise, is a vital choice.  How will the firm you choose to assist you in your transformation work with you side-by-side to endure the hardships, the emotions and the outcomes of the work ahead?

As your change agent team embarks on your "IT Transformation" journey, remember that the unknown is the reason that you were chosen.  You were chosen because your experience and skill sets add overall strength and resilience to the entire team.  The resilience of the team requires that you endure the journey until the objectives for innovation have been achieved.

Achieving the future state of your journey puts you in a place you never imagined, because you have never been there before.  Yet the experience of getting there, and the knowledge gained during the preparation, the team interaction and the accomplishments along the way, have made you a better person.  A trusted team member.

An "IT Transformation" professional...