25 May 2024

Memorial Day 2024: "Always be Ready"...

In America, our Memorial Day is a holiday to remember. A day to reflect on all those Americans who have died fighting for our freedom.

Growing up as the young son of a U.S. Marine, our home always had the flag flying on Memorial Day.

Yet it wasn’t until a relocation 30 years later, which took our own new family to Northern Virginia, that the real meaning of this day of remembrance truly sank in.

Then as a grown adult, walking through Arlington Cemetery toward the “Tomb of the Unknown Soldier” on a May weekend in 1997 with our daughter (8) and son (7), we could feel the real emotions of it come forth.

Seeing a sea of gravestones as we walked up the path gave us a better understanding of our service members and their ultimate sacrifice, an understanding deepened by watching the “Changing of the Guard” ceremony.

The view from that hill in Arlington, Virginia, overlooking the beautiful grounds and facing the distant Washington Monument and our Nation's Capital, is just so epic.

As our tears were quickly wiped away, looking east at the sunrise that early morning, the jets from Reagan National Airport roared in the background.

As an American, someday you too, must do the same.

How can you begin to truly appreciate the historical journey we have endured as a nation, preserving your freedom and our way of life in America?

The fallen have helped ensure your ability to grow up in a country like no other. A place where you might see your own children find their destined path in life, with all the opportunities that lie before them.

Walking among the headstones that day, and again almost a decade later while attending the burial ceremony of a colleague in Section 60, it really hit me.

"Watching an officer hand a folded U.S. Flag to Neal’s Mother that sky blue day was a vivid reminder of why we are so blessed to be born in these United States of America and protected by such brave Americans and all First Responders."

On this Memorial Day 2024, look at our U.S. Flag waving in the wind, think about just those buried on the 624 acres of Arlington, and then multiply that across all of the other Veterans Cemeteries in America.

With such brave Men and Women defending us over our nation's 248 years, preserving our way of life in your own home town, we are so very grateful.

Thank you...Godspeed!

18 May 2024

Trust Decisions: EO of ORM...

In our most uncertain times over the past few years, it is again time to revisit several key factors of Operational Risk Management (ORM) within our Global Critical Infrastructure organizations.

Think of examples like Maersk or Boeing and UnitedHealth Group or Silicon Valley Bank.

Into the future, our Risk, Security and Controls personnel shall have equal power with the executives who are responsible for bringing in the revenue.

This means that the future power-base of the Sales and Marketing teams would need to also be on par with the Internal Audit, Security and Risk Management executives.

This internal culture shift is harder to achieve than one would think.

Egos aside, the people who make it their job to worry about potential losses, look over the horizon and mitigate risks day in and day out are just not used to warning everyone, every day, about every alert, incident or possible threat.

It is because everybody loves to hear that the business has been won, the competition defeated and the company has just closed the biggest "Deal" in its history. Let the spin doctors in Marcom get the Press Releases flying!

Not the doom and gloom.

It has been said before, the tone starts at the top.

The CEO and Board of Directors who are cognizant of the necessity for effective risk management objectives must also create a balanced power-base at the top to balance the "Revenue Generators" with the “Risk & Loss mitigators.”

So who are some of the people who deserve greater exposure in this newborn culture shift:

  • Director of Information Security promoted to CISO (Chief Information Security Officer).
  • Director of Corporate Facilities to CSO (Chief Security Officer).
  • Director of Regulatory Affairs to CCO (Chief Compliance Officer).
  • Director of Privacy to CPO (Chief Privacy Officer).
  • Director of Human Resources to CHO (Chief Humanity Officer).

If the CEO thinks that this is too many chiefs in the "C" Suite, then what about the idea of creating the:

Executive Office of Operational Risk Management (ORM)

This would be on par with the Chief Financial Officer and might even include the Chief Information Officer.

The new EO of ORM would now be on the same level of power with the EVP of Sales or Marketing and beyond the Chief Operations Officer (COO).

They would be laser focused on mitigating a spectrum of corporate threats, implementing relevant employee education and determining the true effectiveness of any organizational risk controls.

Just not so much on the effectiveness of sales incentives and corporate promotions or the uptime of corporate marketing processes.

So what does someone such as Sherron Watkins, the former VP of Corporate Development at Enron Corporation, think the moral is?

You've been asked this one numerous times Sherron, I'm sure, but what's the moral of the story?

“Being an ethical person is more than knowing right from wrong. It is having the fortitude to do right even when there is much at stake.”

11 May 2024

Mothers: Brave & Resilient...

We grew up in a small town in the Midwest USA, and our Mom was an only child.

Anne was a mother who was so devoted to her four kids in so many ways.

Being a Mom in those early days was about getting you off to the bus stop in the morning, and being there when you walked home from the bus stop in the afternoon.

We had just enough time to get home, drop our books and then head out into the neighborhood on our bikes to a friend's house or down to the beach on Goguac Lake.

A few hours later, it was about the home dinner routine just after 6:00PM, when Dad walked in the door from his HQ job with a regional restaurant chain.

After dinner, it was time for our homework and baths/showers before bedtime.

Sound familiar?

Moms really are so amazing. They are God's greatest creation, and over time we all witness the extraordinary capabilities of a Mother.

Our particular Mom was a proud Pi Phi at Northwestern University, yet her real passion was becoming an Artist. To this day, her oil paintings still hang on the walls of our Living Room.

As young kids sitting on the floor in one of her Art Studio rooms or the corner of a basement, we would watch her paint on a large canvas with colorful oils and glue on various items to give a collage effect. Later...

  • Mom was also there when we all swam across Goguac Lake in the "Husky Muskie" swimming event each summer, cheering us on with her fingers crossed behind her back.
  • Mom was there to help Dad maintain the yard on weekends before they headed out to a Saturday night party with friends at the nearby Country Club.
  • Mom was there to pick us up after our 6 weeks at summer camp in another state.
  • Mom was also quite the snow skier and not too far behind us on the challenging ski runs of Après Vous mountain in “Jackson Hole” on our Christmas vacations.

Mothers are just so resilient. They are incredibly versatile. Mothers always want to make sure you are never hungry, and when you cry, they will do whatever it takes to make you feel better.

On this Mother's Day 2024, we are thinking of you Mom…it has now been a decade since you went to heaven.

“Happy Mother's Day” to all of the other bravest Moms on our Earth…

03 May 2024

Reputation Risk: Is Murphy to Blame?

Any board member or executive today is well aware of the direct impact that an adverse event or significant business disruption can have on shareholder value and customer confidence. When it does happen, how many people just throw up their hands and shout, "Murphy's Law!"

"Murphy's Law ('If anything can go wrong, it will') was born at Edwards Air Force Base in 1949 at North Base.

It was named after Capt. Edward A. Murphy, an engineer working on Air Force Project MX981, (a project) designed to see how much sudden deceleration a person can stand in a crash."

Murphy is all about managing the "What if's" and planning for their possibility.

More than one business has been subjected to the Laws of Murphy whenever a complex logistical project or program is underway.

If you are one of those corporate executives who has been unable to use your security badge the Monday after the big office move, you are not alone.

The question is not whether it could happen; it's what impact it will have on employee satisfaction the day it happens, and beyond.

In your future planning to mitigate the Operational Risks associated with Murphy and your reputation, we are reminded of a few of our favorite Murphy's Laws:

1. Computer systems are unreliable, but humans are even more unreliable. Any system which depends on human reliability is unreliable.

2. If there is a possibility of several things going wrong, the one that will cause the most damage will be the one to go wrong.

3. A difficult task will be halted near completion by one tiny, previously insignificant detail.

4. High speed chases will always proceed from an area of light traffic to an area of extremely heavy traffic.

5. Every emergency has three phases: PANIC... FEAR... REMORSE.

Do you think you're spending too much time with your team planning? You haven’t.

Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong.

The organizations whose team has planned for every possible scenario and trained together in live simulations will become the most successful.

Their missions will be accomplished on time and within budget.

Incidents of different severity and frequency are happening around you and your organization every day.

Would your employees know what an incident looks like let alone know what to do next to mitigate the risk to them and the organization?

26 April 2024

Navigating Wisdom: Partners in True Innovation...

Before you were wise, you were prone to testing, wondering what would happen next.

The more you found yourself exploring, testing and better understanding the results, the more wisdom you created.

Creating the opportunities for gaining new knowledge and learning, requires first an attitude of curiosity.

What is on the other side of that hill? Who lives around the corner? How does a bird fly? Why does the sun shine during the day and the moon at night?

Are you creating curiosity with the purpose of learning more and asking new questions?

After the process has been repeated enough times with the same results, you begin to craft your own hypothesis.

True Innovation begins here.

Beyond your curiosity stage and past your due diligence, now you have arrived at your new hypothesis:

  1a: an assumption or concession made for the sake of argument
  1b: an interpretation of a practical situation or condition taken as the ground for action
  2: a tentative assumption made in order to draw out and test its logical or empirical consequences
  3: the antecedent clause of a conditional statement

Now your testing begins and you experience the outcomes and results. The evidence of your work will provide you the path for your future navigation.

Too fast, too slow. Too hot, too cold. Too high, too low. Keep testing.

So what kind of “Innovation Navigator” will you become?

Time will tell and much of what happens in your life is going to be a factor of the people you meet.

Who else has the same curiosity as you do? What questions do they ask that you never thought about?

You see, you need a Team Mate. A Wing Man. A Buddy. Together you will discover far more about your growing curiosity and your new tested hypotheses.

You will leverage each other's strengths together and you will cover each other's vulnerabilities.

How wise will you both become as “Innovation Navigators”…

19 April 2024

Dream: Smell the Flowers…

What is your next dream? How might you envision it even more effectively?

As a young kid one of the books Mom & Dad would read to us started off like this:

“Once upon a time in Spain there was a little bull and his name was Ferdinand. All the other little bulls he lived with would run and jump and butt their heads together, but not Ferdinand. He liked to sit just quietly and smell the flowers.”—By Munro Leaf & Robert Lawson - Copyright 1936 - Viking Press

In your own life journey in search of “New”, new change, new environments, new people, new places and where your next destination will be, you shall continuously Innovate, Adapt, Test and become even more Resilient.

You see, your dream is out there. You can see it and you are able to feel it.

The reality is that you are impatient. You will not have time to test long enough.

This is when the surprises become a reality. You are caught off guard, you experience an error, you experience a loss.

What is your back up “Just-in-Time” plan?

How shall you implement the plan of actions with scarce resources?

Do you have a path to eliminate the delay or to restore the loss quickly? How will you achieve true resiliency?

Our true professionals in Operational Risk Management (ORM) dream just like everyone else.

Yet, they dream and envision the “What ifs” and the possible ways to respond. They anticipate the ways to bounce back, restore balance and move forward:

  • Accept risk when benefits outweigh the cost.
  • Accept no unnecessary risk.
  • Anticipate and manage risk by planning.
  • Make risk decisions in the right time at the right level.

Now, envision your dream with some interruptions. Then see yourself quickly recovering to achieve your planned “Mission Objective”.

What have you learned this year, this month or this week?

In 2024 and beyond, our world and its people will continue to challenge all of us.

Our countries and their businesses are accelerating towards the future with exponentially more data and with so much less understanding. We may also have less empathy.

You and your team can change this as you strive together to understand more about the “Why” and the “How”.

Will you grow with your new trusted partners to be even more empathetic?

Always be Ready…and try to take time to ”Smell the Flowers”.

Godspeed!

13 April 2024

Corporate Business Survival: 4D | Deter. Detect. Defend. Document.

Critical Infrastructures are those systems and assets - whether Physical or Virtual – that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of those matters.

As ransomware attacks continue to grow, organizations need to improve their security posture to protect against an attack.  Better security requires implementing appropriate security controls and ensuring that effective crisis management and employee education are in place.

The landscape of how we work has changed since the onset of the global pandemic.  We must assess vulnerabilities in a new way and with increased due diligence.

Our Corporate Critical Assets are "Under Attack".

4D = Deter. Detect. Defend. Document.

"Attackers use Tools to exploit Vulnerabilities. They create an Action on a target that produces an Unauthorized result."

Attackers do this, to obtain their Objective.

LESSON 1- DETER.

  • What corporate critical assets are most valuable in the eyes of your adversary?
  • Increase deterrence with these assets first.
  • MFA / Layered Access (an app-based authenticator such as Authy or Authenticator rather than SMS codes).
  • Segmented Networks.
  • Data / Network Encryption.
  • People motivated by Financial Gain, Damage/Disruption or the Challenge.

LESSON 2 – DETECT.

  • Detect the use of tools by the Attackers.
  • Some tools are High Tech, others are "Social Engineered".
  • They will discover vulnerabilities in: Design. Implementation. Configuration.

You must continuously detect the use of attackers methods and tools to exploit your vulnerabilities.

LESSON 3 – DEFEND.

  • Defend the target assets from actions by the attackers.
  • Targets may include people, facilities, accounts, processes, data, devices, networks.
  • Actions against the target that are intended to produce the unauthorized result include: Probe. Spoof. Steal. Delete / Encrypt.

LESSON 4 – DOCUMENT.

  • Document the "Normal" so you know when and where there is an Unauthorized result: Increased Access. Disclosure or Corruption of Information. Denial of Service or Theft of Resources.
  • Document continuously, using a "Collection Management Framework" for your logs, and know how to access it for effective Incident Response.
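The Detect and Document lessons come down to one loop: record what "normal" looks like, then compare every new record against it. The following Python is an added example, not code from the original post or from any vendor, that builds a per-user baseline from a constructed log sample and flags the unauthorized results listed above (a probe, an undocumented host and hour, increased access, and a download large enough to suggest disclosure). The log format, the user and host names, and the thresholds (five failed logins from one source; a download more than ten times the user's largest on record) are assumptions made for the demonstration.

```python
"""Baseline-then-detect: document what 'normal' looks like for each user, then
flag the unauthorized results the 4D model lists (increased access, disclosure,
probing).  Log format and every entry below are constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of a normal week (ISO timestamp first, then key=value pairs).
BASELINE_LOG = """\
2024-04-01T08:02:11 user=alice src=10.0.1.15 action=login result=ok role=user
2024-04-01T08:05:40 user=alice src=10.0.1.15 action=download bytes_out=20480 role=user
2024-04-01T09:15:03 user=bob src=10.0.2.7 action=login result=ok role=admin
2024-04-02T08:11:52 user=alice src=10.0.1.15 action=login result=ok role=user
2024-04-02T17:30:00 user=alice src=10.0.1.15 action=download bytes_out=15360 role=user
2024-04-02T09:02:19 user=bob src=10.0.2.7 action=login result=ok role=admin
2024-04-03T08:20:33 user=alice src=10.0.1.15 action=login result=ok role=user
"""

# Constructed day under observation: a password-guessing run from an outside
# address succeeds, the session shows up as admin and pulls a large file.
OBSERVED_LOG = """\
2024-04-08T03:14:05 user=alice src=198.51.100.23 action=login result=fail
2024-04-08T03:14:09 user=alice src=198.51.100.23 action=login result=fail
2024-04-08T03:14:13 user=alice src=198.51.100.23 action=login result=fail
2024-04-08T03:14:17 user=alice src=198.51.100.23 action=login result=fail
2024-04-08T03:14:21 user=alice src=198.51.100.23 action=login result=fail
2024-04-08T03:15:02 user=alice src=198.51.100.23 action=login result=ok role=admin
2024-04-08T03:16:40 user=alice src=198.51.100.23 action=download bytes_out=734003200 role=admin
2024-04-08T09:01:10 user=bob src=10.0.2.7 action=login result=ok role=admin
"""


def parse_log(text):
    """Turn 'ts key=value ...' lines into dicts; ts becomes a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = {"ts": datetime.fromisoformat(ts)}
        for tok in rest.split():
            key, _, val = tok.partition("=")
            rec[key] = val
        records.append(rec)
    return records


def build_baseline(records):
    """Document 'normal' per user: source hosts, hours of activity, roles held,
    and the largest download seen."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "roles": set(), "max_bytes": 0})
    for r in records:
        b = base[r["user"]]
        b["hosts"].add(r["src"])
        b["hours"].add(r["ts"].hour)
        b["roles"].add(r.get("role", "user"))
        b["max_bytes"] = max(b["max_bytes"], int(r.get("bytes_out", 0)))
    return dict(base)


def detect(baseline, records, fail_threshold=5, exfil_factor=10):
    """Compare observed records with the baseline; return (ts, user, finding) tuples."""
    findings = []
    fails = defaultdict(int)
    for r in records:
        user, src = r["user"], r["src"]
        b = baseline.get(user)
        if b is None:
            findings.append((r["ts"], user, "activity by undocumented user"))
            continue
        if r.get("result") == "fail":
            fails[(user, src)] += 1
            if fails[(user, src)] == fail_threshold:   # report once per source
                findings.append((r["ts"], user, f"{fail_threshold} failed logins from {src} (probe)"))
            continue
        if src not in b["hosts"]:
            findings.append((r["ts"], user, f"activity from undocumented host {src}"))
        if r["ts"].hour not in b["hours"]:
            findings.append((r["ts"], user, f"activity at unusual hour {r['ts'].hour:02d}"))
        role = r.get("role", "user")
        if role not in b["roles"]:
            findings.append((r["ts"], user, f"increased access: role={role}"))
        bytes_out = int(r.get("bytes_out", 0))
        if b["max_bytes"] and bytes_out > exfil_factor * b["max_bytes"]:
            findings.append((r["ts"], user, f"bytes_out={bytes_out} exceeds {exfil_factor}x baseline (possible disclosure)"))
    return findings


def run_demo():
    """Build the baseline from the normal week and check the observed day."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(baseline, parse_log(OBSERVED_LOG))


if __name__ == "__main__":
    for ts, user, finding in run_demo():
        print(ts.isoformat(), user, finding)
```

Run as a script it prints eight findings, all against alice and none against bob, whose day matched his documented pattern. The point of the exercise is that nothing here is signature-based: the probe, the new host, the 03:00 activity, the admin role and the oversized download are each recognisable only because the "normal" was written down first.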

1. In order to understand how to defend your corporate critical assets, use Red Teams, Bug Bounties or internal testing resources.

2. Maintain offline, encrypted backups of data and regularly test your backups.

3. Review Third Party or Managed Service Provider (MSP) policies for maintaining and securing your organization's backups.

4. Understand that adversaries may exploit the trusted relationships your organization has with third parties and MSPs.

The cost of a cyberattack is often significant for organizations large and small, and we must strengthen responsiveness and reduce behaviors that may open vulnerabilities in the future.

Public Private Partnerships of Critical Infrastructure organizations with CISA.gov and FBI.gov are vital to enhance our National Security...

06 April 2024

Vulnerability: Launching into the Future...

Looking in the rear-view mirror to the Spring of 2004, the InfoSec World Conference in Orlando, FL was on the calendar.

Our flight from Washington, DC provided just enough time to plan out the sequence of sessions and events to attend in order to explore any new innovations.

At that point, we were only in the first decade of our "Information Security" evolution.

"Before “The Cloud”. Before IT standards could truly grasp the spectrum of sophisticated exploits, that were soon to be developed by other Nation States."

The guidelines and metrics developed that year by the Yankee Group were derived from The Laws of Vulnerabilities research, authored by Gerhard Eschelbeck, CTO of Qualys.

The Dynamic Best Practices in Vulnerability Management are based on key findings from The Laws of Vulnerabilities:

  • Half-Life: The half-life identifies the length of time it takes users to patch half of their systems, reducing their window of exposure. The half-life of critical vulnerabilities for external systems is 21 days and for internal systems is 62 days. This number doubles with lowering degrees of severity.

  • Prevalence: 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. In other words, there is a constant flow of new critical vulnerabilities to manage.

  • Persistence: The lifespan of some vulnerabilities and worms is unlimited. In fact, the research shows significant spikes in the occurrence of Blaster and Nachi worm infections in 2004, months after they originally appeared.

  • Exploitation: The vulnerability-to-exploit cycle is shrinking faster than the remediation cycle. 80 percent of worms and automated exploits are targeting the first two half-life periods of critical vulnerabilities.

The best practices apply vulnerability management as the one solution IT can count on to measure and manage the effectiveness of a network defense program.

"Performing regular security audits is a vital step companies must take to keep up with the changing security landscape," said Eric Ogren, Senior Analyst at the Yankee Group. "With each new breed of attack, it is clear that best practices in IT security must be achieved for organizations to effectively protect critical network assets."

Based on these Laws, the Yankee Group defines four dynamic best practices for vulnerability management as:

1. Classify: Enterprises should identify and categorize all network resources. They should classify these resources into categories and tier a hierarchy of assets by value to the business. Critical assets should be audited every 5 to 10 days to identify vulnerabilities and protect against exploits. Based on hierarchical priority, lower category assets can be scanned less frequently as the work plans to patch will also be less frequent.

2. Integrate: To improve effectiveness of various security technologies such as server and desktop discovery systems, patch management systems, and upgrade services, enterprises must integrate with vulnerability management technologies. Best practice organizations should also report on operational progress against vulnerability goals to raise the level of awareness for security within the executive management team.

3. Measure: Enterprises need to measure their networks against the half-life curve and persistence curves of vulnerabilities. Graphically track the percentage of vulnerabilities mitigated within each 30-day cycle and the number of vulnerabilities that extend past 180 days. Chart the security team's performance to make sure the end result is risk reduction, especially to critical assets.

4. Audit: Security officers should utilize the results of vulnerability scans to understand a corporation's network security posture. Use the metrics to evaluate successes and failures of different policies to improve security performance. Use audit metrics to communicate security status to senior management.
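To make the Measure practice concrete, here is an added example (not from the Yankee Group report or from Qualys) that computes the half-life, the share of findings closed within a 30-day cycle and the items persisting past 180 days for a constructed set of findings, split by external and internal exposure as the Laws of Vulnerabilities do. The finding IDs, asset names and dates are invented for the demonstration; the half-life is taken as the age at which at least half of the population had been remediated, with still-open findings counted as unremediated.

```python
"""Measuring a vulnerability program against the half-life and persistence
curves.  Findings, asset names and dates below are constructed for this
example; the metrics follow the definitions in the text (days to remediate
half the population, percentage closed within a 30-day cycle, open items past
180 days)."""
from dataclasses import dataclass
from datetime import date
from math import ceil, inf
from typing import Optional


@dataclass
class Finding:
    vuln_id: str
    asset: str
    exposure: str           # "external" or "internal"
    found: date
    fixed: Optional[date]   # None while still open

    def is_open(self) -> bool:
        return self.fixed is None

    def age_days(self, as_of: date) -> int:
        """Days from discovery to remediation, or to as_of while still open."""
        return ((self.fixed or as_of) - self.found).days


def half_life_days(findings, as_of):
    """Age at which at least half of the findings had been remediated.
    Open findings count as unremediated (infinite age), so this returns None
    until half of the population is actually closed."""
    if not findings:
        return None
    ages = sorted(inf if f.is_open() else f.age_days(as_of) for f in findings)
    hl = ages[ceil(len(ages) / 2) - 1]
    return None if hl == inf else hl


def pct_fixed_within(findings, as_of, days=30):
    """Share of findings closed within `days` of discovery."""
    if not findings:
        return 0.0
    closed = sum(1 for f in findings if not f.is_open() and f.age_days(as_of) <= days)
    return 100.0 * closed / len(findings)


def open_older_than(findings, as_of, days=180):
    """IDs of still-open findings that have persisted longer than `days`."""
    return [f.vuln_id for f in findings if f.is_open() and f.age_days(as_of) > days]


def report(findings, as_of):
    """Metrics by exposure (external vs internal) plus the overall population."""
    out = {}
    for exposure in ("external", "internal", "all"):
        group = [f for f in findings if exposure == "all" or f.exposure == exposure]
        out[exposure] = {
            "count": len(group),
            "half_life_days": half_life_days(group, as_of),
            "pct_fixed_within_30d": pct_fixed_within(group, as_of, 30),
            "open_over_180d": open_older_than(group, as_of, 180),
        }
    return out


AS_OF = date(2024, 7, 1)
SAMPLE_FINDINGS = [  # constructed scan results, not real assets or CVEs
    Finding("EXT-1", "web-01", "external", date(2024, 3, 1), date(2024, 3, 10)),
    Finding("EXT-2", "web-02", "external", date(2024, 3, 1), date(2024, 3, 20)),
    Finding("EXT-3", "vpn-01", "external", date(2024, 3, 5), date(2024, 3, 28)),
    Finding("EXT-4", "mail-01", "external", date(2024, 3, 5), None),
    Finding("INT-1", "db-01", "internal", date(2024, 1, 2), date(2024, 2, 20)),
    Finding("INT-2", "db-02", "internal", date(2024, 1, 2), date(2024, 3, 10)),
    Finding("INT-3", "hr-app", "internal", date(2024, 1, 2), None),
    Finding("INT-4", "file-01", "internal", date(2024, 1, 2), date(2024, 1, 25)),
]

if __name__ == "__main__":
    for exposure, metrics in report(SAMPLE_FINDINGS, AS_OF).items():
        print(exposure, metrics)
```

With this sample the external half-life comes out at 19 days and the internal at 49, a shape similar to the 21/62-day split reported in 2004, and the one finding that has sat open for more than 180 days (INT-3) is exactly the kind of persistence the Measure practice asks you to chart rather than let disappear into an average.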

The notes written soon after that InfoSec World trip can still provide us vital context today, even as we commercialize our travel to Space.

They give us some basis for how, over two decades later, the best practices are still very much the same.

Except for this.

Today, "Vulnerability Management" now has the Cloud, Quantum and more powerful AI…

22 March 2024

Enterprise Security Risk Management (ESRM): Be Proactive…

What are three major questions that most CxO executives and Boards of Directors need to answer when confronting information security issues?

  1. Is your security policy enforced fairly, consistently and legally across the enterprise?
  2. Would our employees, contractors and partners know if a security violation was being committed?
  3. Would they know what to do about it if they did recognize a security violation?

In today’s complex world of 5G wireless and global supply chains, nation-state or insider threats to the information infrastructure of a company or government agency are not static, one-time events.

With new exploits, vulnerabilities, and digital attack tools widely available for download or X-as-a-Service (XaaS), a “complete information security solution” in place today can easily become outdated and incomplete tomorrow.

As a result, a comprehensive security architecture solution must be flexible and dynamic, continuously monitored and updated.

Presently, the news of “Zero-Day” digital-threat events tends to spread through the computer security world in a “grapevine” manner.

Threat information is obtained from specialized websites, e-mail listservs, cyber managed services and countless other informal sources.

This haphazard system is incomplete and therefore raises enterprise security risk management concerns when evaluating the damaging, costly effects of an aggressive, systematic digital event.

A comprehensive security solution requires the careful integration of people, processes, systems and external events that allows correlation and implementation of a “layered” defense coupled with a firm application of risk-management principles.

To fully protect electronic information architectures, an organization needs current intelligence and analysis that allows constant adjustment and fine-tuning of security measures (e.g., firewalls, intrusion-detection systems, virus protection) to effectively defend against a rapidly changing landscape.

Threats and vulnerabilities relating to computer networks, websites and information assets must be addressed before an attack occurs.

Proactive Awareness and the ability to make informed decisions are critical.

So what?

In short, as our global electronic economy plays an increasing role in the private and public sectors, critical infrastructure organizations must take advantage of the resulting new opportunities for growth and gains in efficiency and productivity.

Realizing these gains, depends on an organization’s ability to open its information architecture to customers, partners and, in some cases, even competitors.

This heightened exposure creates greater risk and makes an organization a more likely target for attack (e.g., information and monetary theft, business ransomware disruption).

The cost of critical infrastructure failure climbs exponentially in relation to increasing reliance on our integrated systems with partners, subsidiaries and your vital supply chain.

Be proactive…

15 March 2024

OSINT 2: When is it Time?

Wonder why some companies don't have a more proactive OSINT (Open Source Intelligence) operation inside their own institution, looking at and analyzing potential “Threat Intel” across their global domains?

While there are very expensive services that can package up exactly what you are looking for, sometimes it just takes a little more time and the right “Sources."

You could get a service at x-iDefense or even a more wide range of collection capabilities from the likes of x-Cyveillance to assist the in-house OSINT operation.

Throw in some Stratfor, OSAC and one or more variations of Symantec or Qualys or Seerist and you have it mostly covered. Except for one thing.

Plenty of "Gray Matter.”  How many qualified analysts do you have on your team?

We might agree that there is more information out there than anyone could possibly imagine accessible with a few clicks and keystrokes.

Yet the easy part is the collection and the filtering or storage. Making any sense of it all with the relevance you seek is the "Holy Grail" for you, today.

Yet that might change tomorrow.

It's the consistent development of a new hypothesis and testing it that determines who will get the next new piece of information ready for OSINT.

And still the question remains. Will this be better kept a secret, or out in the “Wild"?

The argument usually isn't whether the results of the test should be published, it's more about when to publish.

Open Source Intelligence is going to be around for some time to come. The tools are getting even better to find and process massive volumes of information.

Think AI.  Think GPU.

The only real impediment will continue to be those who want to wait and hold on to it, a little longer…

09 March 2024

SPRINT: Folin Lane to Cislunar...

It was the year 1997 and there was another client meeting at the headquarters of Navy Federal Credit Union in Vienna, Virginia.

Traveling through Tysons Corner on Route 7, the Spring colors from Dogwoods were in full bloom. The Navy Federal HQ was tucked away in the woods just a short ride down Chain Bridge Road (123) past Westwood Country Club then a left onto Folin Lane.

The IBM Personal Computer was just then quickly replacing the old CRT terminals sitting in the "Teller Windows" at 80+ branches in port locations across the USA and the world.

With NFCU overseas member branches today in Bahrain, Cuba, Greece, Guam, Korea, Italy, Japan, Singapore and Spain, the Internet and the use of banking protocols outside proprietary computing networks was then just in its infancy.

Meeting up that early Spring day with NFCU key IT executives and our fellow Noblestar Team of outside Software Quality Assurance (SQA) experts such as David, Gia and Howard, the topic on that day's agenda was automated testing for bugs.

"No not Cicadas. You know, Vulnerabilities. Software Errors. Cracks in the Code."

Places where credit union software systems might be broken, running across the new IBM PCs networked to replace the CRT terminals from Annapolis to San Diego to Guantanamo to Italy.

Our innovation then in Software Quality Assurance, was about writing automated scripts that would rapidly test software.

The testing scripts developed by our Team in the SQA software, would help simulate hundreds of real people working at their new IBM PCs doing deposits, transfers and withdrawals as just one example.

Members of our Armed Forces who were NFCU customers (members), were counting on the IT personnel in Vienna, VA to help their branch managers keep their systems up-time-all-the-time, without vulnerabilities to the swarm of growing cyber exploits via the Internet.
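The kind of automated script described above, as an added example that is not the original Noblestar or NFCU code: scripted "tellers" drive a small ledger through randomized deposits, withdrawals and transfers, and the harness checks after every operation that no account is overdrawn and that money is neither created nor lost. The ledger itself and the bug it carries (a transfer that debits the source before checking that the destination account exists) are constructed for the demonstration, as is the hardened version beside it.

```python
"""A scripted-teller test harness of the kind described above: drive a ledger
with many randomized deposit / withdraw / transfer sessions and check the
invariants a credit union cares about after every operation.  The ledger,
its atomicity bug and all data are constructed for this example; none of it
is NFCU's or Noblestar's code."""
import random


class InsufficientFunds(Exception):
    pass


class UnknownAccount(Exception):
    pass


class NaiveLedger:
    """Balances in whole cents.  transfer() debits before it validates the
    destination, so a transfer to a mistyped account number loses the money."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def _require(self, acct):
        if acct not in self.balances:
            raise UnknownAccount(acct)

    def deposit(self, acct, cents):
        self._require(acct)
        self.balances[acct] += cents

    def withdraw(self, acct, cents):
        self._require(acct)
        if self.balances[acct] < cents:
            raise InsufficientFunds(acct)
        self.balances[acct] -= cents

    def transfer(self, src, dst, cents):
        self.withdraw(src, cents)   # debit first ...
        self.deposit(dst, cents)    # ... then credit; raises on unknown dst, cents already gone


class SafeLedger(NaiveLedger):
    """Validate everything, then mutate: a rejected transfer touches nothing."""

    def transfer(self, src, dst, cents):
        self._require(src)
        self._require(dst)
        if self.balances[src] < cents:
            raise InsufficientFunds(src)
        self.balances[src] -= cents
        self.balances[dst] += cents


def simulate(ledger_cls, sessions=200, ops_per_session=25, seed=7):
    """Run scripted tellers against ledger_cls; return a description of the
    first invariant breach, or None if every session passed."""
    rng = random.Random(seed)
    accounts = [f"ACCT{i:02d}" for i in range(10)]
    ledger = ledger_cls({a: 100_000 for a in accounts})       # $1,000.00 each
    expected_total = sum(ledger.balances.values())
    for s in range(sessions):
        for o in range(ops_per_session):
            op = rng.choice(["deposit", "withdraw", "transfer"])
            cents = rng.randint(100, 50_000)
            src = rng.choice(accounts)
            dst = rng.choice(accounts + ["ACCT99"])   # occasional mistyped account number
            try:
                if op == "deposit":
                    ledger.deposit(src, cents)
                    expected_total += cents
                elif op == "withdraw":
                    ledger.withdraw(src, cents)
                    expected_total -= cents
                else:
                    ledger.transfer(src, dst, cents)   # total must not change
            except (InsufficientFunds, UnknownAccount):
                pass                                   # a rejected op must leave balances untouched
            # Invariants: no overdraft, and money is neither created nor destroyed.
            if any(b < 0 for b in ledger.balances.values()):
                return f"session {s} op {o}: negative balance"
            actual = sum(ledger.balances.values())
            if actual != expected_total:
                return f"session {s} op {o}: {op} {src}->{dst} total {actual} != expected {expected_total}"
    return None


if __name__ == "__main__":
    print("NaiveLedger:", simulate(NaiveLedger))
    print("SafeLedger: ", simulate(SafeLedger))
```

Run as a script, the naive ledger is caught within the first few sessions on a transfer to the mistyped ACCT99, while the validate-then-mutate version survives all 5,000 operations. The seed makes the run reproducible, which is what turns a random failure into a bug report a developer can replay.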

So what?

True innovation begins with discovering a problem-set that has high value. Then figuring out if it can be solved quickly. A SPRINT.

To find a real solution to the problem-set that allows for the widget, the software, the process or the vehicle to do its job. What it was designed to do.

Whether it is software running on the IBM PC at the Teller Window at NFCU in Guam in 1997 or the sophisticated cislunar software running on a Space Force Lunar Lander on the Moon in 2024, what matters most?

Our United States' next-generation ability to use software to more rapidly discover problems and test new versions is even more vital.

Now imagine, humans working with new AI-powered software applications to augment our abilities to discover and rapidly solve new sophisticated problem-sets, a galaxy away.

This is already our SPRINT destiny…

02 March 2024

Critical Infrastructure Protection: Resolve to be Ready...

CxOs in corporate enterprises are ever more concerned about emergency preparedness and the continuity of their enterprises.

Now that threats to government and business operations are becoming ever more prevalent, organizations must plan for every type of business disruption from hardware and communications failures, to natural disasters, to internal or external acts of terrorism.

Being forced is never as appetizing as being induced to do anything. In order for changes to take place, the environment must reward investments in preparedness and safety.

Consistently the conversations are not about “if” something is going to happen, it is about “where” or “when” it is going to happen.

In order to introduce new changes in process or design that impacts the physical or operational aspects of critical infrastructures (to reduce terrorism risk), it is important to better understand how these change levers can provide the incentives for owners.

Therefore, it is imperative we initiate a proactive hedge against the inevitability of a loss event occurring in the future.

First however, we must understand the character of terrorism risk in critical infrastructure and some of the anti-terrorism tools currently available to help manage that risk.

The recognition by insurers that owners will continue to invest in terrorism risk reduction and building safety with the proper incentives is vital to overall risk management of critical infrastructures. Think “Ransomware” or even Colonial Pipeline.

The assessment of terrorism vulnerability in key structures identified as soft targets can be a key component of the rating of risk for a specific structure.

In order for owners to benefit from the potential of reduced premiums from direct insurers, they must be able to demonstrate a combination of risk mitigation measures and programs that help improve the survivability of the infrastructure or reduce its vulnerability to certain threat profiles.

These need to be exercised on a continuous timetable with extensive documentation, training and reporting.

In order for insurance brokers to accurately represent their buyers' mitigation programs and measures to the direct insurers, they must have a foundation of knowledge about the structure's physical vulnerabilities.

However, even more essential is the understanding of the operational and human attributes of the building that are contributing to the proactive tactics to prevent losses and further exposures to potential terrorism risk.

If this step takes place, the insurers can better evaluate these operational and human elements to determine the value and effectiveness of these tactics so that they can be considered for premium reductions.

The building itself, two miles from The White House, 10 Downing Street or the Eiffel Tower, has little chance of moving outside the high-risk zone for terrorist events.

The only methods for reducing risk exposures are to dramatically impact the operational and human elements of the building to mitigate hazards and increase the survivability of the people and systems that are resident.

As landlords and other interested real estate finance industry partners move towards new standards to mitigate terrorism risk and protect critical infrastructure, the necessity for state-of-the-art tools and systems to mitigate those risks is paramount...

23 February 2024

CERT: Make a Difference in this World...

Since the beginning of time, weather has been unpredictable. So has man.

When was the last time you witnessed the aftermath of a natural disaster?

When was the last time you saw the devastation from the Fateh-110 family of short-range ballistic weapons?

The continuous examples of risks to our world could generally be put into two major categories, 1) those we as humans can control and 2) those natural risks that we can’t control and shall have to live with.

Our spectrum of "Operational Risks" across People, Processes, Systems and External Events is vast and endless.

Where do you as a leader in your organization spend most of your time and resources to try and mitigate risks:

  • Natural Disasters and Weather (External Events)
  • People and Processes

Why?

Do you think that you are able to make a difference with those risks that you might be able to control?

Which is it - A) controlling the weather or B) influencing human behavior? Pick one.

What might happen if we devoted more time and resources to “B”?

How might this investment have a risk reduction impact and reduction in annual loss events to your family, organization, community, college or government?

Complacency or ignorance will continue to plague us and will make the world a more dangerous place to work and live.

Just listen to your own local news for a day. What will you learn?

Now, learn what you might do to make a proactive difference.

This is one great place to begin: the Community Emergency Response Team (CERT).

Similar to the Community concept, why not apply this just cause of continuous training and learning to a Corporation, a Church, a Synagogue, a Campus, a Club or a Cinema?

“The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.” Albert Einstein

17 February 2024

Antares: Innovation from Country Roads to Cislunar...

It was early February 1971 and three High School best friends consistently carpooled to do a little early morning “Country Roading”, in the white Pontiac LeMans on the way to school.

This was just a circuitous route down tree lined roads and around vast farm lands in the Midwest USA.

We were always set to arrive in the school parking lot, just in time to make it to our locker and then to 1st period before the bell rang.

Our dialogue on Capital Avenue SW and West on Beckley Road quickly turned to the prescience of the Apollo 14 Antares Lunar Lander and its planned descent to the Moon in a few days' time on February 4th.

Country roading this early morning gave us guys a chance to catch up, then map and sketch out where we would rendezvous to watch together the Apollo 14 coverage of Commander Alan Shepard, Command Module Pilot Stuart Roosa and Lunar Module Pilot Ed Mitchell.

Before we as young teenage students ever knew what true innovation was really all about, we were about to see and read about it in the national news.

And little did we anticipate that when you encounter the “ABORT” signal, you sometimes have to just improvise. Test. Improvise. Test.

“After separating from the command module in lunar orbit, the LM Antares had two serious problems. First, the LM computer began getting an ABORT signal from a faulty switch. NASA believed the computer might be getting erroneous readings like this if a tiny ball of solder had shaken loose and was floating between the switch and the contact, closing the circuit. The immediate solution – tapping on the panel next to the switch – did work briefly, but the circuit soon closed again.”

Software engineering and Software Quality Assurance (SQA) form a continuous cycle of development, testing, errors, changes, testing and deployment. The software teams at MIT knew this first hand.

“A second problem occurred during the powered descent, when the LM landing radar failed to lock automatically onto the Moon's surface, depriving the navigation computer of vital information on the vehicle's altitude and vertical descent speed. After the astronauts cycled the landing radar breaker, the unit successfully acquired a signal near 22,000 feet (6,700 m). Mission rules required an abort if the landing radar was out at 10,000 feet (3,000 m), though Shepard might have tried to land without it. With the landing radar, Shepard steered the LM to a landing which was the closest to the intended target of the six missions that landed on the Moon.”

As our United States continues our next generation of the commercial race to the Moon, we can only anticipate future “ABORT” signals. Prototypes. Testing. Innovation.

After so many years working in global places where Software Quality Assurance was mission critical, you will finally learn as a professional that it is never finished. It is never perfect.

So what?

Our USA will always be a leader because we have already been there, with humans actually operating on the Moon.

We know what will be challenging and why a hypothesis might end up being changed and adapted.

As our next human race to the Moon continues and our cislunar challenges are encountered, we know that we must continuously improve and innovate.

The same strategy shall also work here for you today on Earth, in your own small town…around your own dinner table each night…

Godspeed!

10 February 2024

Analytic Priorities: Crossing the Digital RubiCON...

The governance of information within the government enterprise or the private sector enterprise remains very much the same. Both are subjected to a myriad of laws to help protect the civil liberties and privacy of U.S. citizens. Yet the data leaks, breaches and lost laptops keep both private sector and government organizations scrambling to cover their mistakes and to keep their adversaries from getting the upper hand. Again, the governance of information is the core capability that must be addressed if we are to have effective homeland security intelligence sharing to defeat the threats to the homeland 100% of the time.

The stakeholders in the information sharing environments will say that they have all the laws they need not only to protect information but also to protect the privacy and liberties of U.S. citizens. What they may not admit is that they do not have the assets within the context of their own organizations to deter, detect, defend and document the threats related to too much information being shared or not enough. These assets are a combination of new technologies, new education and situational awareness training, and the people to staff these respective duties within the enterprise architecture.

Operational Risk Management is a continuous process in the context of our rapidly expanding corporate environments. What is one example? People traveling to emerging markets to explore new business opportunities or new suppliers that will be connected by high speed Internet connections to the supply chain management system. These boundaries of managing operational risk have not only expanded, they have become invisible.

Ru·bi·con
1. a river in N Italy flowing E into the Adriatic

2. Rubicon, to take a decisive, irrevocable step

This "Digital Rubicon" before us, to take on a more "Active Defense" in navigating the risk across the international waters of e-commerce, privacy and legal jurisdictions, will forever shape our future. The decisions made on what constitutes an adversarial attack in the cyber domain will not be as easy as at the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.

The new digital "Rule Sets" are currently being defined not only by nation states but by the "Non-State" actors who dominate a segment of the global digital domains. The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may work even better in the cyber-centric environment. Corporations are increasingly underestimating the magnitude of the risk or the speed at which it is approaching their front or back door steps.

The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and Wikileaks incidents has everyone on full alert. As the government has outsourced the jobs that would take too long to execute, or in which the private sector is already an expert, operational risks have begun to soar.

As private sector tasks morph with the requirements of government, you perpetuate the gap for effective risk mitigation and spectacular incidents of failure. Whether it is the failure of people, processes, systems or some other clandestine event doesn't matter. The public-private paradox will continue as long as the two seek some form of symbiosis. The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission critical resource within an unpredictable environment.

Once an organization has determined the vital combination of assets it requires to operate on a daily basis, then it can begin its quest for enabling enterprise resiliency. The problem is, most companies still do not understand these complex relationships within the matrix of their business and therefore remain vulnerable. The only path to gaining that resilient outcome is to finally cross that "Digital Rubicon" and realize that you no longer can control it.

The first step in any remediation program is to admit the problem and to accept the fact that it exists. Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust.