17 June 2018

Father's Day 2018: 30 Years of Wisdom...

At the dawn of the day in America known as Father's Day, we reflect and we acknowledge him.  For many, their Father was a major influence in their life.  All too often, others never really knew who he was.  Fathers are all Operational Risk Management (ORM) professionals in many ways.

This Father has two adult children, a daughter and a son about 19 months apart in their late twenties.  Fatherhood started in mid-September, 1988.  That gives you some perspective on our years of experience together.  So to all those Fathers out there who are planning a family someday, here are a few thoughts.

First off, the role consumes you.  Seeing that firstborn baby changes you forever.  You suddenly realize the word "I" is no longer in your vocabulary.  Most certainly, you thought you loved your wife tremendously, before you watched your first daughter born.  Yet the overwhelming feeling of new love you have for your wife at that time and moment is ever so special.  Incredible!

Second, becoming a Father becomes a lifelong responsibility and a new life mission.  You find yourself having memory moments, decades later, about your children's greatest achievements in life.  The day they walked for the first time.  The special birthday party with friends in that old neighborhood.  The day they walked up on stage to get their College/University Diploma.  At that point in your life, when you were working 12-hour days.

Father's Day as long as you are alive, shall be a day of remembrance, a day of memories and a day of looking into what lies ahead.  You have watched them grow up.  You have counseled them, taught them, trained them and loved them.  When is your role as Father over?  Not until your last day on Earth.

Being a Father makes you a better husband.  It gives you the role of being all those things that your wife can't be or won't be at that particular point in time.  As your kids grow up, you will both find your path, as a mate and a parent.  One thing is for certain.  Being married now 30+ years and raising two kids, who are both college graduates and now in challenging careers, makes you realize you might have made a difference.

Finally, being a Father makes you think about your own Father and how you want to be the same or different.  After all, where did you learn many of the things that will influence how you might parent?  When I saw my Father on the day he died, I cried.  And yet, I saw a look of joy on his face as if to say, I know I was not perfect, but I loved you very much.

On this Father's Day in America, this one is so proud.  This Father loves his wife dearly and realizes that our two kids love us so much too.  Having a son makes you strive to be your best.  To be a model husband, to live ethically, morally and spiritually.  And now that we have a new Son-in-Law, loving him like my own.  Walking my daughter down that aisle, was almost as joyful as the day I saw her born...

Happy Father's Day...Onward!

09 June 2018

Crisis Readiness: Future of Risk Response...

One of the key components of effective Operational Risk Management (ORM) is a robust Crisis and Incident Readiness Response Team. This team shall have practiced and exercised multiple scenarios over the course of their training together. Why?

The ability to adapt on the fly, regardless of the kind or type of incident, is the core of what OPS Risk professionals are able to do, time and time again. The more unknowns that are encountered in any space of time, the more the situation requires the ability to Observe, Orient, Decide and Act.

Yet this is not so much about the use of the OODA Loop or any other process in effectively adapting to your new and rapidly changing environment. It is about having the right sensors and early warning capabilities in place to detect and to deter the potential for new threats and new vulnerabilities, that may disrupt your mission.

Why do you read about Global 500 organizations that have seen their stock price erode in a day, week or month due to the ineffective response to a crisis incident? In many cases, it is a simple fact. The Crisis and Incident Response Team was caught in a scenario that they had never imagined.

An unfolding situation that they had never thought of and simply didn't plan for because its likelihood was just too low. This author has talked about this before and it deserves repeating that exercising for the low likelihood and high impact events is where you need to spend most of your time.

The 1-in-100 year events are no longer the case. They are 1-in-50 or less. Just ask your property and casualty insurance carrier about how their actuarial Quants are thinking about this very topic. Whether it is global climate change or unregulated nuclear power industries in emerging nations, the low likelihood and high impact events are becoming more of a risk.

So what is the answer? To begin, you must first start the culture change and mindset shift to the future and to your own Strategic Foresight Initiative. Looking into the future is not exactly the exercise. Pick a point in time, five years, ten or twenty-five years into the future. Select a scenario that you can't even fathom is a possibility of actually coming true that will impact your organization. Then start your own "Backwards from Perfect" strategic foresight initiative.

What this process will do, is to get all the focus on what you still need to accomplish between now and then to get yourself into a position so that your people, systems and organization will be able to withstand the scenario incident. Welcome to Global Enterprise Business Resilience.

Across every sector of society, decision-makers are struggling with the complexity and velocity of change in an increasingly interdependent world. The context for decision-making has evolved, and in many cases has been altered in revolutionary ways. In the decade ahead, our lives will be more intensely shaped by transformative forces, including economic, environmental, geopolitical, societal and technological seismic shifts.

The signals are already apparent with the re-balancing of the global economy, the presence of over seven billion people and the societal and environmental challenges linked to both. The resulting complexity threatens to overwhelm countries, companies, cultures and communities.

FLASHBACK TO THE:  Global Risks 2012 Seventh Edition

What if you happen to be a Non Governmental Organization (NGO)? What are some of the risks that may impact you from a "Geopolitical" perspective that today have a high likelihood?
  • Global Governance Failure
  • Terrorism
  • Failure of Diplomatic Conflict Resolution
  • Pervasive Entrenched Corruption
  • Critical Fragile States
  • Entrenched Organized Crime
  • Widespread Illicit Trade
Crisis impact will be specific to your particular stakeholder group. These will be higher or lower depending on whether you are a:
  • NGO
  • Business
  • Government
  • International Organization
  • Academia
There are, however, three main cross-cutting observations by all of these stakeholders from the Global Risks 2012 report and even to present day:
  • Decision-makers need to improve understanding of incentives that will improve collaboration in response to global risks
  • Trust, or lack of trust, is perceived to be a crucial factor in how risks may manifest themselves. In particular, this refers to confidence, or lack thereof, in leaders, in the systems which ensure public safety and in the tools of communication that are revolutionizing how we share and digest information 
  • Communication and information sharing on risks must be improved by introducing greater transparency about uncertainty and conveying it to the public in a meaningful way.
The way that the global citizen decides to digest information in five or twenty years will be different than it is today. The world has already started to see this with the proliferation of mobile smart phone technologies, GPS, cameras, and other Twitter-like knowledge systems networks such as FrontlineSMS and Ushahidi.

Do you really believe that CNN and Al Jazeera will be the source of truth in the next two decades? Social Media is here to stay and the only reason that formal news organizations will exist is to try to validate and verify.

Operational Risk Management (ORM) and Crisis Readiness shall continue to be one of the most dynamic and challenging places for global enterprises for years to come...

03 June 2018

Black Swan: Strategy Execution for the "Outlier"...

The Black Swan is a surprise event and the idea that a catastrophe can strike without warning. What does your organization plan for within the Operational Risk Management (ORM) discipline? The low consequence high frequency incident or the high consequence low frequency incident?

The ratio can tell you what your "Resilience" factor is to Operational Risk loss events. Key Performance Indicators (KPIs) can give you some forward looking view into the risk portfolio, yet what about the resilience to the "Black Swan"?

A black swan is a highly improbable event with three principal characteristics: It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was.

The astonishing success of Google was a black swan; so was 9/11.  For Nassim Nicholas Taleb, black swans underlie almost everything about our world, from the rise of religions to events in our own personal lives.
"Why do we not acknowledge the phenomenon of black swans until after they occur? Part of the answer, according to Taleb, is that humans are hardwired to learn specifics when they should be focused on generalities. We concentrate on things we already know and time and time again fail to take into consideration what we don’t know. We are, therefore, unable to truly estimate opportunities, too vulnerable to the impulse to simplify, narrate, and categorize, and not open enough to rewarding those who can imagine the “impossible.”"
Your organization is no doubt spending time on the Operational Risk Management (ORM) events, that consistently are in the high frequency "In Your Face" category. In a highly regulated industry sector such as finance, health care or energy the oversight mechanisms require a continuous analysis of risk based upon the criticality of these sectors to the overall resilience of the economy.

Yet it is the "Outlier" incident, that comes at the most unexpected time that is the real threat and the incident catalyst, that could be your "Black Swan". You never know when it is going to be coming, so you must plan, prepare and imagine that someday, it will happen.

Enabling Global Operational Risk Management (ORM) requires thinking beyond models and outside-the-box analysis of the "Resilience Factor," should an outlier impact the organization, the state or the country. The resources, personnel and systems focused on these areas of risk are small today. But not for long.

Just ask those people who had been working 24/7 since on any major incident.  It could have been the "Fukushima" or "Lehman Brothers" crisis. Or more importantly, the plaintiff lawyers preparing their briefs for the inevitable aftermath of litigation over, who knew what, when.

Remember Target Corporation:

Is Target to Blame for Its Data Breach? Let the Lawsuits Begin

By Joshua Brustein December 26, 2013

The lawsuits started almost immediately after Target’s (TGT) admission that hackers had stolen information related to the credit-card accounts of 40 million shoppers. At least 11 customers are now pursuing class-action suits against the retailer, claiming it was negligent in protecting their data.

Another lesson learned from Supply Chain Risk.  Losing control of sensitive customer data is a fact of life for American companies. They’re collecting more of it, and they are often outgunned by hackers, who are highly motivated to get at it.  Perhaps through your most trusted supply chain vendors and partners.

One prediction into the future could be that litigation will follow all "Black Swan" incidents. If you are in a highly vulnerable industry sector, because it's part of the critical infrastructure of the global grid, then you already know you are in the middle of the target zone.

What is still amazing to many in the after-action reporting is how much we continue to underestimate the magnitude of a lack of planning and resources devoted to these low frequency high consequence events.

20 May 2018

Memorial Day 2018: The Risk of Service is Understood...

Memorial Day weekend will soon be upon us in the U.S. and on the final Monday of May 2018, we reflect on this remembrance.

In order to put it all in context, we looked back 5 years to our 2013 blog post here.  It was only a few weeks since a fellow colleague from Team Rubicon had ended his battle at home, after several tours of duty with AFSOC.  Neil had joined the ranks of those fallen heroes who survive deployment tagging and tracking the enemy in the Hindu Kush.  He was also one of the 22 that day in early May, that could not defeat the legacy of demons he fought each night, as he fell deep asleep.

On Memorial Day 2018, we again honor Neil in Section 60 at Arlington Memorial Cemetery and all those other military members who have sacrificed and defended our freedoms for 242 years. Simultaneously, we do the same for the people behind the "Stars" on a wall in Langley, Va for those officers who have done the same.

Together we are on the front lines or inside the wire at the FOB.  Whether you are in Tampa, FL, Stuttgart, Germany or Arlington, VA.  Whether you are on your beat cruising the streets of a major metro USA city.  Whether you are watching a monitor at IAD, LAX or DFW.  Whether you are deep in analysis of Internet malware metadata or reviewing the latest GEOINT from a UAS.  We are all the same, in that we share the mission that gets each one of us out of bed each day.  Our country's "Operational Risk Management (ORM)."

The Operational Risk Management mission of the U.S. Homeland is vast and encompasses a spectrum of activity, both passive and kinetic.  Digital and physical.  It requires manpower and resources far beyond the capital that many developed countries of the world could to this day comprehend.  There are only a few places across the globe, where a normal citizen would say that the mission and the capital expenditures are worth every dollar and every drop of blood.

Memorial Day in the United States is exactly this:
Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3].
So this Memorial Day weekend as we walk among the headstones, reflect on our colleagues who gave their service and their own lives, we will stand proud.  We understand the risks.  We know why we serve.  In the spotlight or in the shadows.  The tradition and the mission continues...

13 May 2018

InTP: Insider Threat Via Critical Infrastructure...

The private sector organizations of the United States are vital to the protection and security of the Homeland.  The private sector owns a majority of our assets and Critical Infrastructure Protection (CIP) remains a priority as a result of the latest asymmetric threats.  Securing Critical Infrastructure sectors includes:
  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems
The National Strategy to Secure Cyberspace, emphasizes the importance of public/private partnerships in securing these critical infrastructures and improving national cyber security.
Similarly, one focus of the Department of Homeland Security is enhancing protection for critical infrastructure and networks by promoting working relationships between the government and private industry.

The federal government has acknowledged that these relations are vital because most of America’s critical infrastructure is privately held.  Further, the networks of our global super-infrastructure are tightly “coupled”—so tightly interconnected, that is, that any change in one has a nearly instantaneous effect on the others.

Attacking one network is like knocking over the first domino in a series: it leads to cascades of failure through a variety of connected networks, faster than most human managers can respond.

We realize that there are many facets of CIP, yet where should we be allocating resources?  The vigilance within our organizations has not changed and is based upon previous studies done by CERT and the US Secret Service:
"A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company’s manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup for that software. Following the system administrator’s termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company’s server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees." U.S. Secret Service and CERT Coordination Center/SEI Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors

Insider Characteristics

The majority of the insiders were former employees.

• At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.

• The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%).

Most insiders were either previously or currently employed full-time in a technical position within the organization.

• Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.

• Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.

Making sure that you have a robust workplace awareness program is yet one key component in addressing the "Insider Threat" and our resilience.

More importantly, the timing may have been the perfect launch point for other malfeasance from non-state actors who lie in their "Lone Wolf" mode, waiting to strike.

And while the scenario could be well contained, the timing could create opportunities for the "Black Swan" outlier inside your enterprise.

It's never too early to plan for the unimaginable, all happening in the same geography and the same time frame.  Revisit your "Insider Threat Program" (InTP) and Critical Infrastructure Resilience today...

06 May 2018

IO Convergence: Cyber Warfare Unified Taxonomy...

Information Operations (IO) is an Operational Risk Management priority in both the public and private sector these days. Is it lawful for a U.S. company and U.S. citizens to train and perform cyber warfare activities on behalf of a foreign country?

Flashback to 2012, The Washington Post reports:

By Ellen Nakashima, Published: November 22
"In the spring of 2010, a sheik in the government of Qatar began talks with the U.S. consulting company Booz Allen Hamilton about developing a plan to build a cyber-operations center. He feared Iran’s growing ability to attack its regional foes in cyberspace and wanted Qatar to have the means to respond.

Several months later, officials from Booz Allen and partner firms met at the company’s sprawling Tysons Corner campus to review the proposed plan. They were scheduled to take it to Doha, the capital of the wealthy Persian Gulf state.

That was when J. Michael McConnell, then a Senior Vice-President at Booz Allen and former Director of National Intelligence in the George W. Bush administration, learned that Qatar wanted U.S. personnel at the keyboards of its proposed cyber-center, potentially to carry out attacks on regional adversaries.

“Are we talking about actually conducting these operations?” McConnell asked, according to several people at the meeting. When someone said that was the idea, McConnell uttered two words: “Hold it.”"
A common taxonomy was developed years ago for the cyber terms of the computer and network incident domain. Now we need to make sure we all understand what we mean when we say Information Operations policy as it pertains to the digital world.

As an example, in the context of the digital attacker we have Sandia Labs Taxonomy:
  • Hacker
  • Spies
  • Terrorists
  • Corporate Raiders
  • Professional Criminals
  • Vandals
  • Voyeurs
Each is unique and has its own domain or category. We are sure that the same could be used for the context of attackers in the non-digital world, possibly with the exception of Hacker. However, the definition of corporate raider in the offline domains may not be synonymous with the online domain of cyber incidents.

If we look at the categories that make up the entire "Incident" that Sandia Labs has utilized, we see the following:
  • Attackers
  • Tool
  • Vulnerability
  • Action
  • Target
  • Unauthorized Results
  • Objectives
Without combining the context under each category, we lose the impact of what we are trying to make contextual with regard to an "Incident". We need to make sure that the anti-terrorism taxonomies of the offline and online domains can be utilized together to describe the attributes of an "Incident". We need to break down the sub-categories as well. For instance, in the Sandia Labs Taxonomy for the Objectives category we have:
  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
When we move to the offline domain and are doing risk mitigation and preparedness exercises for anti-terrorism, we utilize another set of words to describe and evaluate infrastructure threats and hazards.  Here are five factors:
  • Existence addresses the question of who is hostile to the assets of concern?
  • Capability addresses the question of what weapons have been used in carrying out past attacks?
  • History addresses the question of what has the potential threat element (aggressor) done in the past and how many times?
  • Intention addresses the question of what does the potential threat element hope to achieve?
  • Targeting addresses the question of do we know if an aggressor is performing surveillance on our assets?
Two years later, the Washington Post reports:

By Ellen Nakashima, Published: November 14
President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.
Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October. The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.
The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.

“What it does, really for the first time, is it explicitly talks about how we will use cyber-operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
We believe that as our cultures, countries, agencies and professionals work together on Information Operations (IO) and online counter-terrorism initiatives, we are going to have to develop a solid taxonomy. It will provide the foundation for our clear and accurate risk management methodologies and incident management systems, being developed by relevant organizations in mutual collaboration.

Once we have accomplished this fundamental understanding, then true Critical Infrastructure Protection (CIP) cooperation and coordination will occur.

22 April 2018

Unthinkable: Adapting in New World Disorder...

Will 2018 bring more data breaches, lost laptops and insider threats than 2017?  This is why CSOs, CPOs and corporate General Counsels have their teams working overtime.

When the enemy is increasing their attacks, utilizing new strategies and leveraging the existing base of compromised organizational intellectual and data assets, the future horizon becomes ever more clear. 

The statistics don't lie.  1579 documented Data Breaches occurred in 2017. Up 44.7% according to reports by the Identity Theft Resource Center (ITRC) compared to the previous year.  It is the new normal.

The Insider Threat Program (InTP) however, remains a key focus for Operational Risk Management (ORM) professionals because human behaviors are exaggerated during periods of stress, fear and uncertainty. This means that people who may have never considered doing something to jeopardize their reputations, may now be up against a wall.

When there is no obvious exit and no way out, people will do extraordinary things to get ahead, beat the odds and hedge their own risk portfolio of life.

In Joshua Cooper Ramo's book "The Age of the Unthinkable: Why the New World Disorder Constantly Surprises Us and What We Can Do About It", the author discusses the concept of Deep Security. His analogy of how to think about "Deep Security" is the biological immune system:
"A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."
The key word in Ramo's writing is "Adapt".  Being Adaptive.  However, prior to this there are two other very vital words that we feel are even more imperative. Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy investigator on how she solved the case and you may hear just that, "I had a hunch."

Talk with a Chief Privacy Officer in any Global 500 company.  You might get them to admit they have a sense that their organization will be the target of an "Insider data breach" incident in the coming year or two.

Do you remember signing off on reading and your acceptance of the employee handbook?  When did your organization last make changes to the Corporate Employee policies?  We would start with the updates to the following sections:
The increasing complexity of IT systems, cloud computing, data networks and the hundreds or thousands of laptops and mobile devices circling the globe with company executives and employees is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern enterprise does not come naturally. You have to work at it and it requires a substantial investment in time and resources to make it work effectively.  Proactive Intuition.

Once you realize that all of the controls, technology and physical security are not going to keep you out of harm's way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

15 April 2018

Social Strategy 140: Direct Action #Risk...

Twitter real-time direct action (DA) "Information Warfare" between nation states is a daily task. Current and future Operational Risk Management (ORM) priorities will encompass the imperative to staff "Corporate Intelligence Unit" Fusion Centers.

A prudent Operational Risk strategy, shall include a "Big Data" capability combined with deep social intelligence analysis. Here is a historical FLASHBACK in time, to one example of why leadership is devoting new resources and investment to these internal risk management capabilities:
New Diplomatic Avenue Emerges, in 140-Character Bursts
By SOMINI SENGUPTA October 3, 2013
UNITED NATIONS — "Countries all over the world, dictatorships and democracies alike, have in the last few years sought to tame — or plug entirely — that real-time fire hose of public opinion known as Twitter. 
But on the sidelines of the General Assembly meeting over the last couple of weeks, ministers, ambassadors and heads of state of all sorts, including those who have tussled with Twitter the company, seized on Twitter the social network to spin and spread their message. 
At the height of the diplomatic negotiations last week over a United Nations Security Council resolution that would require Syria to turn over its stockpile of chemical weapons, the American ambassador to the United Nations, Samantha Power, used Twitter to preempt criticism of the measure as lacking teeth because it had no automatic enforcement provision."
What does this mean for the global enterprise that circumnavigates the planet to initiate and manage daily business operations?  It means that "Information Warfare" and intelligence collection and analysis for the enterprise continues as a top strategic and operational function.  It requires continuous Operational Risk strategy oversight.

How an organization directs personnel and manages daily decisions is more mobile information-centric than ever before.  Just stand at any major sidewalk intersection in a major city across the world and count the number of people looking at their "Smart Phones" as they cross the street.

The speed of business that is fueled by leaders commenting via social media, can even influence commodity traders in futures markets and operational planners in the "E-ring."

Leadership has the ability to bypass the traditional media juggernauts to get their message heard in seconds.  The President of a major stock exchange or of a G20 has a "Duty of Care" to its constituents to make the correct public decisions.  At the same time, a moral and ethical context begins to evolve in the vast battle space of 140 digital characters.

The use of a social media post or Tweet from the Board Room to the Court Room; from San Francisco to Tehran, or from Wall Street to Hong Kong, is a risk-oriented asymmetric information tactic delivered in plain sight.

Those social tactics, visual in the landscape of our modern day quest for influence, notoriety or outcry, shall forever shape the breadth of our enterprise digital risk management spectrum...

07 April 2018

Privacy by Design: Trust-Based Business Integrity...

The truth is, your enterprise is under assault.  The asymmetric warfare tactics that are targeting the firewall and the e-mail Inbox will continue to be a digital challenge.  Intellectual Property (IP) Lawyers and government regulators are gearing up for another salvo of mandates to enable "Privacy by Design" and increase consumer protection.

Operational Risk Management (ORM) is the discipline to focus the organization, with proven tools, methods and strategies, to assist in the risk mitigation associated with nation states, rogue criminal syndicates and even your own employees.

Achieving digital trust with your company and your customers is a continuous process.  It requires substantial resources and specialized subject matter expertise to remain effective.

Without a purposeful "Privacy by Design" approach within your enterprise and a renewed focus on the pervasive problem-set now clearly before us, our digital infrastructure integrity is destined for failure.
Privacy by Design states that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step. This includes internal projects, product development, software development, IT systems, and much more. In practice, this means that the IT department, or any department that processes personal data, must ensure that privacy is built in to a system during the whole life cycle of the system or process. Up to now, tagging security or privacy features on at the end of a long production process would be fairly standard.

By reading this definition of "Privacy by Design", you may assume this problem is the responsibility of the Information Technology department to fix or manage.  That is, until you ascertain it is not just an Information Technology challenge.

It is an Organizational Culture issue that persists at the Board of Directors level, either before an incident, or certainly soon thereafter.  The Board of Directors may question the market value of a Fortune Magazine web page, dedicated to updating the public on the developing company crisis:

"Facebook in recent weeks has been plagued by yet another scandal, as the social networking giant struggles to deal with the fallout from the Cambridge Analytica controversy.

On Wednesday, it was revealed that initial figures estimating Facebook exposed the data of 50 million users without direct consent were actually much higher than reported, closer to 87 million instead. And Facebook CEO Mark Zuckerberg is now set to testify in front of Congress next week.

But this isn’t the first time Facebook has been embroiled in controversy. The social media company has been involved in a number of scandals just over the past week alone."

So how do you mitigate and start to remedy an "Organizational Culture" issue like this one, before the government decides to try and fix it for you?

You have to start with building proactive data privacy awareness with every employee.  Especially if your revenue model is based upon selling advertising.  What is your organization's revenue model?  Are you aggregating members' or users' data and offering a free service platform?  Buyer beware.

What is ahead of us, as we approach a digital "dead man's curve"?  Jeffrey Ritter best explains this:
"To shift toward building digital trust, nation-states must acknowledge that sanctions become increasingly difficult to enforce and must, instead, move toward a regulatory scheme that favors, and provides incentives for, stakeholders that commit to trust-based business methods. Already, both in the United States and other nations, companies that can certify their compliance with third party standards are receiving direct benefits from government agencies."
How are you improving the trustworthiness of your organization with employees, partners and customers?  Think about it long and hard during purposeful learning sessions with your Board of Directors.

So what?

What are you doing today to increase the integrity of your TrustDecisions, to enable and perpetuate your foundation for digital business integrity?

As you analyze your current state, pages of words written by lawyers in "Terms of Service" policies are not enough to satisfy your customer.

Have you strategically implemented all that is possible so far, to address your organizational culture with the pursuit of achieving digital trust?

Leadership of any organization must perpetuate and transfer the morals and ethics of our society into the trusted digital products and solutions that our enterprises design, distribute and sell to the public.

01 April 2018

Leadership: The Life Journey of Discovering "X"...

There, can you hear it?  The sound of the helicopters in the distance.  Where is the sun this dawn-lit morning, to join all the incredible sounds of nature?  The birds with their unique languages and the insects sending their clear signals of distress.

What will this new day bring before us, this Easter Sunday, April 1, 2018?  How will our leadership be challenged with new problem-sets and the speed of making the right trust decisions?  There is one certainty today that is unrefutable (refute: to prove wrong by argument or evidence).

As a recognized leader in your current role, how would you describe your particular style?  Do you lead by example or do you just sit back and wait for others to make it happen?  Maybe you do it all and never let anyone else learn from their mistakes and learn the feeling of success or failure.

It all begins with your upbringing and where and how you were raised as a child.  The roots of your leadership, in many ways, have been influenced by your early years, before you were even in your mid-20s.

Maybe somewhere along the path of your career, you were administered a psychological profile test.  You know, some form of questions or exercise instrument, to help you determine what particular "Quadrant" or dichotomies of cognitive learning style you are in, as it pertains to the psychologists' descriptions:

Cognitive learning styles
Yet by the time you have reached the age where an employer, agency or other unit has a reason to peel back that facade you wear on a daily basis, you are already destined.  By DNA and by your parents.

Now the question is, who do you want to be and how are you going to train or re-train to be that kind of person?  That kind of leader.  To learn how to behave in a way that truly makes a difference in other people's lives.

The answers that you seek will be determined by your actions.  You have heard this before.  Who you are becoming and how you will judge your progress, is worth examining further.  What is your measuring device?  How do you feel at the end of the day, if you "Have" or "Have not" seen, heard or accomplished "X"?

What is "X" in your life?  Is it a signature on the bottom of a new contract?  Is it the smile on a loved one's face?  Is it a 3-mile run or ride?  Is it a "Thumbs Up" on your latest social media posting?  Perhaps it is as simple as five hours of solid sleep.  Everyone has their own particular metrics by which they are judging their progress each day.  What is yours?

Metrics and your personal measuring device may determine who you are and what you are becoming.  Discovering and knowing that "X" in your life is perhaps more of an influence than you ever anticipated.  What the psychologists and the research have proven over the years is that DNA and environment in your early years will be a major influence on your life.

Yet when you are ready to lead yourself or others in the small world you live in, think about what "X" has been for you this particular day.  Write it down and explain it to yourself each day.  Call it a journal, or a blog or just a composition notebook.  Without writing it out and explaining it to yourself you will have missed the opportunity.
The opportunity is your own version of leadership: to guide on a way, especially by going in advance; to direct the operations, activity, or performance of; to guide someone or something along a way...
Now, listen carefully.  Do you hear the birds singing and see the sun rising... Happy Easter!

24 March 2018

Liaison Mission: When Will You Introduce Them?

As a current Chief Executive Officer or Commander across some branch or agency, who have you named as a key "Liaison?"  Who is this vital person that you have asked to be your voice, your thinking and your representative to a partner, collaborator or strategic ally?

In Chris Fussell's book One Mission:  How Leaders Build A Team of Teams, the Task Force Liaison is described as follows:
"We clearly share a determined adversary--one that, unlike our organizations, is networked and thus moves with incredible speed. In the Task Force, we are now trying to forge a new type of model based on relationships among individuals and organizations like yours--and we'd like to be more closely connected with your organization. Winning will come from leveraging our mutual strengths, sharing insights and nuanced understanding of the problems and respecting one another's positions.

To help our partnership, we would like to give you one of our best people as a liaison. I expect our liaison to be an asset to you, sharing anything we're doing, providing our most timely intelligence, and seeking out ways that we can help your organization accomplish its goals."
This idea is not a new strategy per se.  Similar derivations of the concept have been utilized for hundreds if not thousands of years.  So why is this so important now, to the current state of global and corporate affairs?

The first reason is that operating at the speed of "iMessaging" social media will create chasms of misunderstanding.  The simple fact is that information being collected, interpreted and disseminated in your digital-based platforms will most likely have gaps.  The messaging and communications will be hard to decipher by others who don't know all of the acronyms, as just one example.

This is where an embedded "Liaison Officer" or representative can bridge the cultures and the lines of direct messaging.  This is how the speed of the combined network is increased in its ability to pivot, to adapt and to solve problems, faster and with higher quality than the competition.

The second reason is that a key mission of the nominated Liaison is to establish, maintain and perpetuate trusted relationships.  Otherwise, how can the leaders of your two organizations gain any momentum, in the quality and the speed of the partnership that is desired as a relevant outcome?

Now think about your own organization.  Where do you have a blind spot?  What other entity, team, business unit or agency is now seen as a barrier or competitor?  Are you both after the same customer, the same target or the same outcome?  Is a partnership in place now, to even embed or exchange Liaison personnel?

Believe us when we say that your adversary has already done the same.  They are working together across boundaries to share intelligence, to exchange vital data and to work in tandem to perpetuate their cause, their ideology or their campaign.  They have their own trusted Liaisons working each day, to move faster than you are and to achieve new gains in their mission, while you are worried about the unknowns.

Who is it in your organization that you feel that you can't live without?  The one or two leaders that you rely on each day.  The personality that exhibits what Adam Grant describes as a "Giver" or "Matcher," in the way they operate across the team and within the company.  This may be the best person for you to let go of and to be your next "Liaison" to that vital partner, agency or even country.

Looking across the landscape of America, you will find examples of this idea and methodology that are working.  You will find places across the globe where it is in total failure.  Yet how can you raise the odds that the person you choose to be embedded with another organization will indeed succeed?

As a current Team Leader, CEO or Commander, it means you will have to go a step further.  It means that you will have to take this person side-by-side in many cases, into the same office, SOC, NOC or conference room to explain it face-to-face.  Sitting across the table from this partnered organization's top executive, you say it:

"I have carefully selected "Jill or Jack" to be our Liaison with your unit or department.  It is something we know to be of great value to the ongoing mission we both face, to address the (problem-set).

Please know that she/he knows me very well and how I think and what our organization's real capabilities are.  We will miss them, yet want her/him to work alongside your leaders to learn as fast as possible about your greatest hurdles and problems.  It is only then that we envision a chance for our respective teams to move faster with the most effective joint solutions, to obtain and synchronize our advantage."

These few minutes face-to-face may make all the difference in the potential for a successful and trusted relationship.  As you stand up and leave your Liaison with their new assigned organization, remember this.

Your Liaison's ability to succeed will only be as good as the job you have done in preparing them for the assignment.  Think about all the months or years you have worked to shape their character, to instill the ethics and integrity into their daily decisions.  How many problems did you let them solve on their own?

We look forward to hearing the stories about your "Liaisons" and their respective missions to achieve decision advantage and to reach those lofty outcomes you seek...

17 March 2018

Future Risk: Citizen Soldiers Extinct...

It is not often that we see an editorial article that prompts us to get the scissors out of the drawer to cut it out of the Washington Post.  It remains in the saved articles file from 2009 and is relevant still to this day.

This Opinion, written by Matthew Bogdanos, is worth some additional consideration from an "Operational Risk Management" perspective.  He is a Colonel in the U.S. Marine Corps Reserves and now an assistant district attorney for New York City.  He writes:
"A nation largely founded on the citizen-soldier ideal finds itself, following Vietnam and the expulsion of recruiters from campuses, with the military and civilian worlds warily eyeing each other across a cultural no man's land. As budgets shrink future forces, veterans will be fewer and the chasm wider -- to our peril.
No one wants everyone to think and act alike. Diversity is a major source of our nation's strength. But this diminishing shared experience leaves us ill-prepared against global terrorism. As the British general Sir William Butler warned a century ago, "A nation that will insist upon drawing a broad line of demarcation between the fighting man and the thinking man is liable to find its fighting done by fools and its thinking done by cowards."
We will leave it up to the OPS Risk Managers of the globe, whether to agree with Col. Bogdanos and his comments. What is our takeaway from his words about "Duties That Are Best Shared?" We think it's quite simple:

How can an "Operational Risk Manager" make effective decisions without having walked a few "clicks" in another person's boots?  Decision support from the Incident Command Center is far more effective if the person making those decisions has relevant and first-hand, on-the-ground experience.

In the corporate world, asking a newly hired employee to take the week-long orientation training, without having done it yourself, is not only bad management, it's reckless governance of the organization.

Years ago after the invasion of Baghdad, this OPS Risk manager (Bogdanos) did what we do every day. He adapted, improvised and overcame risks in order to recover stolen artifacts from the museums.  The investigation was successful because not only was he someone that had experienced what it was like to operate in a war zone, he also was a subject matter expert on much of what was recovered.

If you are going to be an effective risk manager in your government organization, startup or Fortune 500 company, you have to train with your troops in the business unit or at the base. You have to know first-hand what you are talking about.

Without these, "we risk a future without all of us working towards the same ends --whatever society decides those ends should be."

You need to "get out of the building" as we say these days.  Solving problem-sets within your agency or with your "Cash Cow" customer requires getting right in the bull's-eye of the issue.  Seeing it, touching it and hearing it first-hand.

Without this insight, you lack the understanding, empathy or compassion for the people who experience the problem each day.  You fail to see how a new approach, process or new system will be better.

If you think this is sound reasoning and you are looking for others to assist you in your problem-solving journey, look no further than the Defense Entrepreneurs Forum (DEF).  You will find others who are focused on National Security innovation and have definitely been "outside the building."

Maybe even more vital is their mindset on disciplines such as Design-Thinking, Lean Methodologies and achieving Decision Advantage.  Col. Bogdanos, "Citizen Soldiers" are definitely not extinct.

Happy St. Patrick's Day!

10 March 2018

Security Governance: Rededication...

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reason. More importantly, security governance frameworks must make sure that the management of a business or government entity is held accountable for its performance.

The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A new element that has only recently been discovered is the role of risk management in "Security Governance."

Security Governance, like Corporate Governance requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches.

The basic responsibility of management, whether in government or the corporate enterprise is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

An organization’s top management must identify, assess, decide, implement, audit and supervise their strategic risks. There should be a strategic policy at the board level to focus on managing risk for security governance.

The security governance policy should mirror the deeply felt emotions of the organization or nation, to its shareholders and citizens. It should be a positive and trusting culture capable of making certain that strategic adverse risks are identified, removed, minimized, controlled or transferred.

An enterprise is subject to a category of risk that can’t be foreseen with any degree of certainty. These risks are based upon events that “Might Happen”, but haven’t been considered by the organization. Stakeholders can’t be expected to be told about these risks because there is not enough information to validate or invalidate them.

However, what the stakeholders can demand, is a management system for Security Governance that is comprehensive, proactive and relevant. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources.

It is this Security Governance management system with which we all should be concerned and which we seek from our executives, board members and oversight committees to provide. There should be a top management strategic policy to focus on managing risk for security governance.

This risk management system should establish the foundation for ensuring that all strategic risks are identified and effectively managed. The policy should reflect the characteristics of the organization, enterprise or entity; its location, assets and purpose. The policy should:

1. Include a framework for governance and objectives
2. Take into account the legal, regulatory and contractual obligations
3. Establish the context for maintenance of the management system
4. Establish the criteria against which risk will be evaluated and risk assessment will be defined

A process should be established for risk assessment that takes into consideration:
  • Impact, should the risk event be realized
  • Exposure to the risk on a spectrum from rare to continuous
  • Probability based upon the current state of management controls in place

The strategic security risks that the organization encounters will be dynamic. The management system is the mechanism by which the executives identify and assess these risks and the strategy for dealing with them.

It is this system which we are concerned about and which we seek to provide in order to achieve our Security Governance.

04 March 2018

Perseverance: How many problems have you solved today...

"We can not solve our problems with the same thinking we used when we created them." --Albert Einstein

Measuring success is something that happens on a daily basis in life and in business.  The metrics, however, are different.  Or are they?

When Wall Street or the Board of Directors measures success, the quants are looking at mathematical equations to determine Earnings Per Share (EPS) or Return on Equity (ROE) of a business.  After all, how can an investor determine where they should invest their capital?  Operational Risk is always a factor.

When people measure success in their life, the measuring tools and methods are sometimes different.  For one person, it is whether they or their children have finished the day without that feeling in their gut of starvation.  For another person, it is whether they will live long enough to see their first grandchild.  For others, just living a life full of faith, integrity, ethics, trust and resilience is enough.

Some people might measure success by the car they drive, the house or neighborhood they live in or the Country Club where they are a member.  In Silicon Valley, the metric may be how many rounds (A, B, C, D) of funding your startup has achieved.  Around the beltway in Washington, DC the metric could be whether your "Program" was funded in the last budget cycle.

The problem-sets that we engage with in business, organizations, government and in life, require the time and the effort to truly assess the catalyst and the environment that you are operating within.  But not too long.  Speed and time to a solution can be your strategic ally or your lethal enemy.

To solve an identified problem requires an analysis of the root cause and the final solution may be achieved in small incremental steps.  The final answer may take minutes, hours or even years.  The one factor that will remain constant, is your ability to forge successful relationships with others to assist you.

The other factors in achieving success, once you truly understand the real problem, are the ability to adapt and pivot, and perseverance: the continued effort to do or achieve something despite difficulties, failure, or opposition.

How long have you been persevering?

1 day.  1 month. 1 year.  5 years. 20 years.  40 years.  60+ years.  You see, your success is based upon experience and wisdom, yet it has only one metric.  How many problems have you solved so far?

What you see and hear today, what you think about and how you do it, is all in your ability and capacity to solve the daily problems of life and business.

So what?  This is nothing new...

You have no doubt heard of or read a famous book about similar topics and subjects.  How to be successful?

What if perseverance was that one differentiator, that determines whether you are successful, or not?

Again, you have heard it all before.  Stop doing this, start doing that.  Keep doing it.  Did you hear that from your mother, father or your latest boss?  Really, is that all success is about?

Guess what?  Are you still alive?  Did you, or your children or parents go to bed hungry tonight?  If the answer is yes that you are reading this, and no one was hungry...you have been successful today.

Remember, tomorrow you will be solving more problems and persevering...to persist in a state, enterprise, or undertaking in spite of counterinfluences, opposition, or discouragement.

Godspeed!  Have a prosperous journey...

25 February 2018

Decision Advantage: Cognitive Apps to Achieve Digital Trust...

There are several nation states racing towards substantial "Decision Advantage" priorities that include Quantum computing.  The reason is becoming more obvious to those who operate somewhere within the Information, Technology, Communications (ICT) sector.  Operational Risk Management (ORM) is a top-of-mind dialogue for industry and governments.

Countries are being measured on their "Dimensions of Digital Trust" as these authors in Harvard Business Review recently revealed:

"What these stories underscore is that our digital evolution and our productive use of new technologies rests on how well we can build digital trust. But is it possible to measure digital trust and compare it across countries? Are there countries where guaranteeing trust is a more urgent priority and will draw a larger share of trust-building resources and regulations?"
Sweden's attitude towards Digital Trust is highest, with China in second place.  China leads the behavior category on how users respond to frictions in digital experiences.  Yet there are low levels of trust in the environment and experience categories in China, compared to the rest of the world.

As business races to gain market share and industry continues to own 85% of critical infrastructure, you will see three clear trends and business requirements emerge for "Artificial Intelligence":
  • Process Automation
  • Cognitive Insight
  • Cognitive Engagement
These are the key places today that Artificial Intelligence technologies are being applied in business.  You will see a continuous race to apply this new innovation where business requirements exist for:
  • Automating Business Processes
  • Gaining Insight Through Data Analysis
  • Engaging with Customers and Employees
Organizations are currently evaluating how these emerging "Artificial Intelligence" technologies can assist in some capacity to help humans make faster decisions.  Will AI make more accurate decisions and enhance the overall user experience with vast oceans of new and rapidly changing data sets?

The capability to utilize new data to become more predictive, improves over time with "Cognitive Insight" applications.  These kinds of applications can recognize images and speech and attempt to mimic our brain.  Now think about how these are being applied outside of business, in the National Security domains.

The ICT applications that are now being tested and applied in the "Cognitive Engagement" realm include chatbots and other intelligent agents that are providing answers to frequently asked questions (FAQs).  This category is less mature and is moving at a slower pace in business; Facebook, for example, has found that its Messenger chatbots could not satisfy 70% of customer requests without a human assistant.

So what?

Organizations and industry will need to create a portfolio of active projects within the enterprise.  The trend is a larger pool of (1) process automation apps, followed by (2) cognitive insight and then a smaller set of true (3) cognitive engagement applications.  The maturity curve of these applications is accelerating rapidly.

Will the application of cognitive computing increase the level of "Digital Trust?"  How will humans verify that the decisions made by Artificial Intelligence are true and correct?  Jeffrey Ritter has been a leader in assisting organizations and governments in achieving digital trust.  He writes:
"Building for digital trust must become a priority of the nation-state and its components. Once ubiquitous computing is achieved, digital trust will become the competitive differential within the global space of the Net. Nation-states that position their regulatory rules to enable private sector companies to build digital trust more effectively will generate genuine advantage for both the public and private sector. But nation-states must also invest in building digital trust in their own infrastructures and services."
Where are there "Use Cases" to examine how these capabilities are currently being applied?

xView is one of the largest publicly available datasets of overhead imagery. It contains images from complex scenes around the world, annotated using bounding boxes. The DIUx xView 2018 Detection Challenge is focused on accelerating progress in four computer vision frontiers:
  • Reduce minimum resolution for detection
  • Improve learning efficiency
  • Enable discovery of more object classes
  • Improve detection of fine-grained classes
The dimensions of "Digital Trust" are expanding globally. Our human cognitive abilities are being assisted with rules being applied to expanding data sets. What are the "Rules for Composing Rules?" (authoring rules that are effective when crossing the chasm between the ambiguity of broad, governing rules (such as statutes or regulations) and the binary precision required by the executable code of software applications) 

The complexity of our "Operational Risks" has now become exponential.  Systems are in battle against other systems.  The speed and accuracy of our TrustDecisions will determine our "Decision Advantage."  In the near future, cognitive technologies will finally propel industry and countries to a new strategy for achieving Digital Trust.

18 February 2018

Information Warfare: The Future of Trusted Words...

Trust is on the minds of almost every American as they read the Washington Post these days.  Reading a publication that utilizes a set of standards for journalism may address part of your "Trust Decision" to depend on this source for your information.

Reading this Operational Risk blog, you understand that the words and opinions are not under the same editorial guidelines and grammar rule sets as the authors and journalists at the Washington Post.  The sentences and thoughts are being written freely, however, by someone who you may know of.  Yet how do you really validate that the words were actually written by the assumed author?

At an early age in school, as a young student, your teacher at some point assigns that work called an essay, a short piece of writing that tells a person's thoughts or opinions about a subject.  Regardless of the topic assigned by the teacher, when the work is turned in to the teacher, they are assuming it was written by that particular student.  Unless they have doubts.

The trust you put into the author of words written in an essay for a class, or an article in the established newspapers, has for decades relied on the integrity of institutions and the validation of persons' true identities. Yet as the typewriter replaced handwritten documents, so too did the act of using another person's words or ideas without giving credit to that actual person: the act of plagiarizing something.

When you read this Washington Post article, you assume that the words are actually from the journalist:
Indictment shows how Russians conspired to disrupt U.S. politics — but not how to stop them next time

By Craig Timberg February 16 The Washington Post
"Efforts to reconstruct the Russian conspiracy to sway 2016’s presidential election benefited from the digital trails left behind whenever people travel, make payments or communicate using common technology such as Facebook or Gmail. Such breadcrumbs provided plentiful evidence for Friday’s indictment by the special counsel of the Internet Research Agency and 13 Russian associates.

But even as the disinformation campaign from two years ago finally came into focus, it was far from clear how to prevent future bids to distort American politics.

U.S. intelligence agencies warned this week that the federal government remains ill equipped to combat Russian disinformation even as crucial midterm congressional elections loom this fall. And technology companies, while cooperating with federal investigators, acknowledge that they still struggle to detect and thwart foreign propaganda without impinging on the free-speech rights of Americans."

Now in the age of computing, word processing and the Internet, the integrity of written words by a person is in question?  The origin and authenticity of the actual words that are written by a human on paper, a typewriter or computer such as these, is now in question?

The utilization of various methods for "Information Warfare" is actually well known:
"Information Warfare has three main issues surrounding it compared to traditional warfare: 

The risk for the party or nation initiating the cyberattack is substantially lower than the risk for a party or nation initiating a traditional attack. This makes it easier for governments, as well as potential terrorist or criminal organizations, to make these attacks more frequently than they could with traditional war.

Information communication technologies (ICT) are so immersed in the modern world that a very wide range of technologies are at risk of a cyberattack. Specifically, civilian technologies can be targeted for cyberattacks and attacks can even potentially be launched through civilian computers or websites. As such, it is harder to enforce control of civilian infrastructures than a physical space. Attempting to do so would also raise many ethical concerns about the right to privacy, making defending against such attacks even tougher.

The mass-integration of ICT into our system of war makes it much harder to assess accountability for situations that may arise when using robotic and/or cyber attacks. For robotic weapons and automated systems, it’s becoming increasingly hard to determine who is responsible for any particular event that happens. This issue is exacerbated in the case of cyberattacks, as sometimes it is virtually impossible to trace who initiated the attack in the first place.[5]"

These words are being written by a human being.  His name is Peter L. Higgins.  Or are they?  The art and science of the truth has been evolving for hundreds of years.  What will we invent next, to validate our identities, provide assurance that the words written are actually human, and not of an Artificial Intelligence (AI)?

Whether the words you read are being written by a human-based "troll factory" in St. Petersburg or by a specialized Artificial Intelligence is not the point of this essay.  Then what is the point?

You have to make judgements as a human being about who to trust.  What to trust.  How to trust.  Why to trust.  This is a foundation of our human evolution.  Trust takes time.  TrustDecisions, and the decision to trust someone or something, are actually a factor of science, mathematics and history.

Reading, writing and a decision to trust, is an Operational Risk.  True or False?

10 February 2018

Cluetrain: Manifesto Revisited...

When was the last time you revisited the 95 theses of the Cluetrain Manifesto? There are some nuggets here that remain timeless, even though they were written over 16 years ago. Here are some of the classics:
  • Markets are conversations.
  • Markets consist of human beings, not demographic sectors.
  • People in networked markets have figured out that they get far better information and support from one another than from vendors. So much for corporate rhetoric about adding value to commoditized products.
  • There are no secrets. The networked market knows more than companies do about their own products. And whether the news is good or bad, they tell everyone.
  • Networked markets can change suppliers overnight. Networked knowledge workers can change employers over lunch.
  • Your own "downsizing initiatives" taught us to ask the question: "Loyalty? What's that?" Smart markets will find suppliers who speak their own language.
  • Companies make a religion of security, but this is largely a red herring. Most are protecting less against competitors than against their own market and workforce.
  • To traditional corporations, networked conversations may appear confused, may sound confusing. But we are organizing faster than they are. We have better tools, more new ideas, no rules to slow us down.
  • We are waking up and linking to each other. We are watching. But we are not waiting.

In a hyperlinked, social networked, iPhone-rich society the authors and founders of the Cluetrain Manifesto must have had a crystal ball. The "end of business as usual" has been accelerating and the exponential explosion of zeros and ones has produced a global economy.

Just look at the saturation of IP connections across the planet Earth and you will see where the capital is flowing and the societal impact is obvious.

"A powerful global conversation has begun. Through the Internet, people are discovering and inventing new ways to share relevant knowledge with blinding speed. As a direct result, markets are getting smarter—and getting smarter faster than most companies."

So what? So what does all of this have to do with Operational Risk Management?

It has to do with the pervasive vulnerability that an organization perpetuates, without the correct attitude and policies about managing risks: theft of trade secrets, corporate espionage, competitive intelligence and loss of intellectual capital as the headhunters feast on your key employees, to name a few.

Global enterprises with deep hierarchy in the organizational chart continue to wonder how their best people have left and who leaked the information on the next big idea.

How would you ever put enough policies, tools, systems, training or behavior modification in place to stop the flow of new hyperlinks through your own corporate IntraNet or the public bulletin boards and social networking web sites? The fact is that you can't.

Here’s one example of how things work in a hyperlinked organization:

You’re a sales rep in the Southwest who has a customer with a product problem. You know that the Southwest tech-support person happens not to know anything about this problem. In fact, (s)he’s a flat-out bozo. So, to do what’s right for your customer you go outside the prescribed channels and pull together the support person from the Northeast, a product manager you respect, and a senior engineer who’s been responsive in the past (no good deed goes unpunished!). Via e-mail or by building a mini-Web site on an intranet, you initiate a discussion, research numbers, check out competitive solutions, and quickly solve the customer’s problem -- all without ever notifying the "appropriate authorities" of what you’re doing because all they’ll do is try to force you back into the official channels.

Game. Set. Match. Managing Operational Risks in the 21st century requires a whole new perspective. A brand new definition of the new "Normal."

03 February 2018

The 3rd Planet: On The Edge of a Digital Precipice...

After reading the Washington Post on February 3, 2018, there is little debate in our world capitals that we are on the edge of a digital precipice.

Mobile devices in the hands of humans have exponentially changed the transnational landscape for our communications forever.  Yet this digital precipice is just inches away from a tremendous chasm in our cultural, social and legal way of life.

Every organization now has substantial Operational Risks to manage, within the context of their group, company, enterprise, government and even family.  This alone is not a revelation.  However, if you are a Mother, Father, Brother or Sister, you are constantly challenged by the kinds of risks that plague anyone who dares to explore and utilize the benefits of the modern day Internet.

Our children are growing up faster, as they are exposed to the dark side of life, the evil that is present in our world.  They witness violence, revenge and all of the other negative attributes of society faster than ever before.

The outcomes of mother nature and our natural disasters are always front and center.  The digital controls and censors of broadcast television are no longer pervasive across the content and web sites available, to those who know how to navigate our IP-based digital oceans.

Operational Risk Management (ORM) is now each person's responsibility.  It is no longer in the hands of a few people, in a few departments at your organization.  It is not the role of a single person in your household to make sure the family router is configured correctly.

If you are holding your latest "Digital Device" in your hand, or tapping away on the keyboard of your new laptop, it is your decision to "Give" or to "Take."

Over a year ago, Adam Grant wrote his book.  To get some context in 13 minutes, you can watch this YouTube video of his TED Talk.

We have for years been exposed to the concepts of "Pay It Forward" or even other concepts of reciprocity.  The real question is:  Are you a "Giver or a Taker?"  You might be surprised to learn what Adam Grant's research uncovers.

So what?

The ethics and morals that are embedded in you at an early stage of your life, will most likely continue.  The influence your Mother and/or Father or early childhood caregiver provided you may have made a difference.  Maybe it was an old book they read to you, or someone asked you to read.

We all know that the words, content, pictures, videos and ideas on the other side of that tiny digital screen in your hand are nothing more than a mirror of our own human behavior.  Good or deleterious.

How will you use this iPhone tool today, to be a "Giver or a Taker?"  There might even be another option.  Turn it off and put it in a drawer.  At least for a few hours...but could you for a whole day?

When was the last time you donated your time, expertise, abilities or resources?  What will you do right now, to make a difference on the third planet from the Sun...

20 January 2018

Homeland Security: The Risk of Fusion Man...

Modern Day Operational Risk Management requires a multi-skilled and versatile individual. Someone who understands the difference between "Information Warfare" and "Cyberterrorism." And if you were born after 1980 and part of Generation Y, then you might even have more insight on how Sam Fisher has managed his way through unimaginable risks throughout his career as a Splinter Cell operative.

You understand why Homeland Security is ever more focused on HUMINT and our national security is ever so vulnerable to an increasing reliance on the Internet Protocol (IP).

Information warfare is an attack against computers, networks, or information systems to coerce or intimidate a government and its people. These attacks result in violence against people or property and generate fear.

Attacks that disrupt nonessential services or create a costly nuisance are not considered information warfare. Cyberterrorism results in severe effects such as death, bodily injury, explosions, plane crashes, water contamination, severe economic loss, and so on.

Information warfare is easily and most effectively waged against civilians. Because of its size and reliance on technology, no nation is as vulnerable to information warfare as the United States. Information warfare can be waged anonymously, or with all the publicity in the world.

If you were born before 1960 and you fall into the "Baby Boomer" category, you better spend some time with your "Generation Y" kids or nieces or nephews, if you want to better understand what is now coming over the threat horizon. There are Global Hawks and Predators seeking out their targets with skilled aviators located thousands of miles away.

These tools and systems of warfare are easily turned in our own direction and now Homeland Security finds its nexus with some new Operational Risk challenges. Accomplished authors such as P.W. Singer write about "What happens when science fiction becomes battlefield reality?"

"If issues like these sound like science fiction, that’s because many of the new technologies were actually inspired by some of the great scifi of our time - from Terminator and Star Trek to the works of Asimov and Heinlein. In fact, Singer reveals how the people who develop new technologies consciously draw on such sci-fiction when pitching them to the Pentagon, and he even introduces the sci-fi authors who quietly consult for the military.

But, whatever its origins, our new machines will profoundly alter warfare, from the frontlines to the home front. When planes can be flown into battle from an office 10,000 miles away (or even fly themselves, like the newest models), the experiences of war and the very profile of a warrior change dramatically. Singer draws from historical precedent and the latest Pentagon research to argue that wars will become easier to start, that the traditional moral and psychological barriers to killing will fall, and that the “warrior ethos” - the code of honor and loyalty which unites soldiers - will erode."

Homeland Security professionals and new recruits to the various public and private sector organizations are ever more savvy and vital to managing the risks of the coming decades. Technology and the newest inventions of the human mind are consistently applied for the purpose of good and the well-being of our fellow man. We are consistently pushing the outside of the envelope to fly farther and faster, even if it means becoming a "Fusion Man."

"Swiss adventurer Yves Rossy flew from France to Britain Friday propelled by a jetpack strapped to his back -- the first person to cross the English Channel in such a way.

Rossy, a pilot who normally flies an Airbus airliner, crossed the 22 miles between Calais and Dover at speeds of up to 120 mph in 13 minutes, his spokesman said.

When the white cliffs of Dover came into view, he opened a blue and yellow parachute and drifted down in light winds to land in a British field where he was mobbed by well-wishers.

"Everything was perfect," he said afterwards. "I showed that it is possible to fly a little bit like a bird."

Rossy traced the route of French aviator Louis Bleriot, who became the first person to fly across the Channel in an aircraft in 1909.

The Swiss pilot was propelled by four kerosene-burning jet turbines attached to a wing on his back. He ignited the jets inside a plane before jumping out more than 8,000 feet above ground."

We suspect that Mr. Rossy has hired some very competent lawyers to work on his patents and licensing of intellectual property. By now, it all may be classified and Sam Fisher is taking his first test flights.