30 November 2006

Red Flags: Mobile Data Encryption Policy...

Have any of your executives been waving any "Red Flags" lately? If you are like many CISOs across the globe, you may have to change this to a "White Flag" and surrender.

IDC reports in a recent study that the number of global mobile employees is projected to grow beyond 878 million by 2009. IDC's report, "Comply on the Fly: Keeping Pace with the Management Challenges of Mobile Data Management," explores whether businesses are implementing initiatives to provide internal controls and address the data security risks that come with mobile device use.

A recent IDC report cited at the Business Performance Management (BPM) Forum reminds CxOs to batten down the hatches on mobile devices. Research In Motion (RIM), maker of the BlackBerry, is only one of several companies being subjected to greater pressure to provide encrypted data at the device level.

The IDC report contained the following information:

* Nearly half of all respondents report that a minimum of 25 percent of all mobile devices in their organization carry mission-critical applications and information.

* Forty percent of respondents have no measures at all to manage mobile data tracking, backup and archiving for regulatory compliance purposes.

* Smaller companies ($100 million in revenue and under) face a greater risk of violations, with just 32.4 percent implementing formal mobile compliance policies.

* There is a disconnect between IT executives who recognize mobile device compliance and security risks, and C-level executives who see benefits, not risks.


Yet it seems that employees will not obey, or even heed, the policies set forth by their enterprise to try to protect customer information and valuable intellectual property. Thousands of laptops and other PDAs are left in taxi cabs as "On The Go" executives run for their meetings, interviews or flights.

In this digital age, the value of the information on these stolen or lost devices is increasing, and the losses to the enterprise far exceed the replacement cost of the phone, PDA or laptop. The loss extends to the notification of the customers whose Personally Identifiable Information has been exposed. Studies by the Ponemon Institute have calculated this amount to be $182.00 per record.

According to the study’s 2006 findings, data breaches cost companies an average of $182 per compromised record, a 31 percent increase over 2005. The Ponemon Institute analyzed 31 different incidents for the study. Total costs for each ranged from less than $1 million to more than $22 million.

The 2006 Cost of a Data Breach Study tracks a wide range of cost factors, including legal, investigative, and administrative expenses, as well as stock performance, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions. "The burden companies must bear as a result of a data breach are significant, making a strong case for more strategic investments in preventative measures such as encryption and data loss prevention," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "Tough laws and intense public scrutiny mean the consequences of poor security are steep—and growing steeper for companies entrusted with managing stores of consumer data."


The CxO on the go now realizes the importance of encryption for all mobile devices. Unfortunately, for those few who still have not reallocated the funding to accomplish this important task, the delay may cost millions more.

In yet another instance of laptop theft potentially endangering personal data, Kaiser Permanente Colorado is notifying some 38,000 members of a possible breach of their private health information.

The information was located on a laptop stolen from the personal car of a national Kaiser Permanente employee in California, reports the Rocky Mountain News and other media outlets.


Let's see: 38,000 x $182.00 = $6,916,000.00 in operational losses.

27 November 2006

Backdating: Culture Makes All the Difference...

Looking back upon your last stock option exercise, did you realize the price you were granted was backdated? If you did, then your ethical misbehavior is just another example of how corporate compensation is bringing the house down. The question now is how many more companies will be announcing that they need to restate their numbers for the latest financial period.

Affiliated Computer Services replaced CEO Mark A. King and CFO Warren D. Edwards on Monday, saying they had violated the company’s "Backdating" code of ethics for senior financial officers, as the company completed an internal investigation of its stock option-granting practices.

The Dallas-based outsourcing company named COO Lynn Blodgett as the new chief executive, and John Rexford, the company’s executive vice president of corporate development, as the new chief financial officer.

Mr. King and Mr. Edwards are just the latest of about 60 corporate executives who have been pressured to step down as companies have probed their stock option grants and the backdating of those grants to benefit executives. The options fallout has ensnared more than 150 companies so far.

The two ACS executives resigned effective Sunday and entered into separation agreements with the company.


You can bet that anyone who is now considering a new position where stock options will be part of the compensation package will question the ratio between the incentive in stock and the cash bonus. Incentive compensation is the root of much of the corporate malfeasance we have all witnessed over the past five years. And if you look at where this story really begins, you have to look hard at the compensation consultants, headhunters, or just plain human resources processes.

When you look at the way people are compensated, you generally can figure out what type of behavior you are trying to influence. The corporate governance of our companies continues to see new fraud, new corruption and a continuous stream of finger pointing. A Code of Ethics is easy to create and yet much more difficult to get people to follow. What would Warren have to say about it?

Warren Buffett's "Tone at the Top"

A few months ago, Warren Buffett sent this memo to managers at Berkshire Hathaway:

To: Berkshire Hathaway Managers ("The All-Stars")
From: Warren E. Buffett
Date: September 27, 2006

The five most dangerous words in business may be "Everybody else is doing it." A lot of banks and insurance companies have suffered earnings disasters after relying on that rationale.

Even worse have been the consequences from using that phrase to justify the morality of proposed actions. More than 100 companies so far have been drawn into the stock option backdating scandal and the number is sure to go higher. My guess is that a great many of the people involved would not have behaved in the manner they did except for the fact that they felt others were doing so as well. The same goes for all of the accounting gimmicks to manipulate earnings - and deceive investors - that has taken place in recent years.

You would have been happy to have as an executor of your will or your son-in-law most of the people who engaged in these ill-conceived activities. But somewhere along the line they picked up the notion - perhaps suggested to them by their auditor or consultant - that a number of well-respected managers were engaging in such practices and therefore it must be OK to do so. It's a seductive argument.

But it couldn't be more wrong. In fact, every time you hear the phrase "Everybody else is doing it" it should raise a huge red flag. Why would somebody offer such a rationale for an act if there were a good reason available? Clearly the advocate harbors at least a small doubt about the act if he utilizes this verbal crutch.

So, at Berkshire, let's start with what is legal, but always go on to what we would feel comfortable about being printed on the front page of our local paper, and never proceed forward simply on the basis of the fact that other people are doing it.

A final note: Somebody is doing something today at Berkshire that you and I would be unhappy about if we knew of it. That's inevitable: We now employ well over 200,000 people and the chances of that number getting through the day without any bad behavior occurring is nil. But we can have a huge effect in minimizing such activities by jumping on anything immediately when there is the slightest odor of impropriety. Your attitude on such matters, expressed by behavior as well as words, will be the most important factor in how the culture of your business develops. And culture, more than rule books, determines how an organization behaves. Thanks for your help on this. Berkshire's reputation is in your hands.


What kind of culture exists in your organization?

17 November 2006

Enterprise Resilience: Investing in Intellectual Capital...

This week's 21st Annual OSAC (Overseas Security Advisory Council) Briefing was entitled "Global Resiliency: Operating in Challenging Environments."

The United States Department of State Bureau of Diplomatic Security sent a clear message that Enterprise Resilience is going to be a major theme moving forward as global firms operate extended supply chains. As this footprint becomes more expansive and spans multiple continents, so too do the operational risks. The conference was opened by Ms. Deborah Wince-Smith of the Council on Competitiveness, who presented a case for why private sector CEOs should care about this strategic initiative:

There are at least four reasons why CEOs should care about integrating security and resilience into their business strategy.

1. Business risks are growing, irrespective of 9/11 and the threat of global terrorism.

2. Resilience, in the face of increasing risk, is a shareholder value issue.

3. New corporate governance rules may mandate more rigorous integrated management systems than are currently in place.

And for many firms, operational risk management is not a priority. According to recent surveys:

* Only 36% of U.S. CEOs believe that risk management is a priority concern, versus 45% of European CEOs and 67% of Asian CEOs (Conference Board, 2006).

* Only 25% of Directors of non-financial companies report that the Board considers all major risks to the company, versus 55% of financial industry directors (Conference Board, 2006).

* During the past 12 months, 1 in 5 companies surveyed suffered significant damage from a failure to manage risk, and over half had experienced at least one near miss (Economist Intelligence Unit and Lloyds, 2006).

4. Industry continues to face a risk of reactive regulation for homeland security.

5. Empirical evidence from the case studies highlights missed opportunities to leverage security investments to increase efficiencies and revenues.


The conference also had keynotes from our own Director of National Intelligence (DNI), Ambassador John D. Negroponte, and the CEO of Archer Daniels Midland, Patricia Woertz, who made a case for the "Chief Resiliency Officer". Yet the most compelling remarks and insight come from someone who has lived on the front lines for decades, someone who understands the threats that corporations, NGOs and governments face on the new global battlefield. Henry (Hank) Crumpton, who joined the CIA in the early 1980s, is now the Ambassador-at-Large and Coordinator for Counterterrorism. He led the CIA's Afghan campaign in the first critical months of this new strategy against "Non-State Actors."

These small, nimble and flexible attack units, known as "Micro-Actors", can deliver "Macro-Impact" by using corporations as cover, exploiting our modern transportation and communications networks, and gaining new 4th generation weapons. We must realize that the innovations and the technologies we create will be utilized against us.

Here are some words of wisdom from one of the most admired and fearless patriots of the United States:

1. We must begin investing more in our own Intellectual Capital and better understand the enemy.

2. We must build interdependencies and strong interdependent networks. (People)

3. People need to demand more from government to build stronger partnerships.

4. The private sector needs to give more to the government. (Intelligence)

5. We need more leadership.


Resilient organizations learn and adapt. They change and morph as new risks evolve. Given the new revolution of protection converging with recovery, we can only pray that business leaders finally realize that this is not about mitigating losses. It is about putting on a new pair of glasses with a new prescription that is perfect. The clarity of the new lens allows people to see that newfound investments can Enable Global Enterprise Business Resilience.

12 November 2006

Safeguards Rule: The ID Theft Battle...

Unlike Europe and other forward-thinking regions of the globe, the United States is still wrestling with a national data security and privacy law. If the new Democratic power base is successful, the ID Theft and privacy battleground will now shift from a corporate focus to a more consumer focus.

A new ID theft task force composed of 17 US Government agencies has been working on a strategy report that is due by February 2007. It will be highlighting "ID Theft Red Flags", or rules for what must be done when those flags occur. The Federal Trade Commission (FTC) will be gearing up enforcement against companies that trade in PII (Personally Identifiable Information) intelligence, as it did this past year with ChoicePoint and others.

Organizations are being pressured to retain data longer, up to two years, as a more modern FISA (Foreign Intelligence Surveillance Act) is contemplated. This will assist law enforcement and corporate security departments in evidence collection and investigative processes to detect and defend our company assets and national security from "Lone Wolf" terrorists and everyday fraudsters, counterfeiters or pirates. If you are currently a consumer using Vonage, Skype or some other VoIP service, you can bet that all of your calls are going to be accessible for some time to come.

As the Federal Civil Rules on Electronic Discovery change December 1st, the records retention policies and data categorization or mapping exercises will be in full swing. If they aren't, be prepared for quick judgments and settlements against your organization if your litigation readiness factor is in the red or even the yellow zone. In terms of your 3rd party or outsourced relationships, you can bet that a SAS 70 Type II will not be enough to ensure that your partner has been doing enough to protect your customers' PII.

So what does all of this mean? So what!


It means that the 8 million-plus small and medium enterprises in the US will be subjected to FTC scrutiny under the Safeguards Rule:

According to Orson Swindle, former commissioner of the U.S. Federal Trade Commission,

We're going to probably see a broadening or extension of the safeguard rule in the Gramm-Leach-Bliley Act to cover a significant number of organizations that handle sensitive information but that aren't financial services institutions. There is a new awareness that personal information is very valuable, and it needs to be protected whether we're talking about a financial institution or a university or a shoe store.


As the committees in Congress are sorted out and the first 100 hours of the new Democratic regime take hold, don't be surprised if your organization is now in the crosshairs of the government's regulatory enforcement teams. The US Attorney in your jurisdiction is ready to begin a new era of getting business to invest in soundness and safety, even if you are not traditionally a highly regulated entity. You think ID Theft is just another bother?

Woe to you, friend, if that's your attitude. Data security may be dead in Congress this year, but the Federal Trade Commission is on the case, and that could mean trouble for lax companies.

"The FTC has stepped into the void," said Emilio Cividanes, a partner in Venable LLP. "And every proposal for comprehensive legislation has the FTC playing an important role."

For one thing, the commission is now putting its finishing touches on its ID Theft Red Flags Rule, requiring that companies spot and address identity theft risks.

What would constitute a red flag? If there are multiple addresses for a credit-card holder, according to Joel Winston, associate director of the Privacy and Identity Protection division of the FTC's Bureau of Consumer Protection, speaking at DMA06 in San Francisco.

And the FTC is aggressively pursuing companies for allowing security breaches to occur or for not having protections in place. And why not? It is getting 15,000-20,000 consumer messages a week through its Identity Theft Website and telephone number.


If you are one of the millions of Small to Medium Enterprises (SME) in the United States without a full-time Chief Information Security Officer (CISO), you may be at significant risk, especially if your General Counsel has little or no relationship with the person you have charged with keeping the networks running and the infrastructure maintained. Be forewarned. The next new hire in your organization may be a lawyer with a CISSP, or even a person with an MIS and a J.D. degree. In either case, the government is going to come knocking and your reputation is on the line.

06 November 2006

Foreign Corrupt Practices: Oil, Corruption & Borat...

Global commerce is on an upward curve of growth as the planet becomes flatter, or smaller, with the increasing speed of business. Transportation, technology and telecommunications have extended the reach of many U.S.-based enterprises that desire to trade products or services overseas. The Gas & Oil Industry and Energy sector have been the most scrutinized public companies for their business practices over the past three years.

Operational risk functions in the Energy Sector and elsewhere could be blindsided by the Foreign Corrupt Practices Act (FCPA) in the years to come as their companies race to do business in Kazakhstan and China. Here is a lesson for aggressive marketers and business developers, who will need to be wary of their business protocols and procedures when engaging in international commerce.

"So you think it's easy to stay out of jail? John MacLellan doesn't. The regional finance director of Microsoft Corp. in Asia, MacLellan is responsible for ensuring compliance with the U.S. Foreign Corrupt Practices Act (FCPA), a law that exacts strict penalties for giving or taking bribes at overseas operations. While the software giant boasts a robust internal-compliance program, recent FCPA enforcements (including actions against Titan Corp. and InVision Technologies) suggest a new urgency in the U.S. government's enforcement of the law.

Complicating MacLellan's job: in the People's Republic, it's not always clear who you're dealing with. A U.S. executive might treat a customer to a business dinner without ever knowing that one of the guests is a low-level ministry official. "We face a large number of very complex deals in China," MacLellan says. "Because of the size and influence of the government, we're exposed [to the FCPA] from the start."


The Kazakh government is getting plenty of publicity this week due to a new movie launched this past weekend named "Borat: Cultural Learnings of America for Make Benefit Glorious Nation of Kazakhstan". Simultaneously, the country is the focus of an oil, cash and corruption probe.

"In February, the United States attorney’s office in Manhattan is scheduled to go to trial in the largest foreign bribery case brought against an American citizen. It involves a labyrinthine trail of international financial transfers, suspected money laundering and a dizzying array of domestic and overseas shell corporations. The criminal case names Mr. Nazarbayev as an unindicted co-conspirator. The defendant, James H. Giffen, a wealthy American merchant banker and a consultant to the Kazakh government, is accused of channeling more than $78 million in bribes to Mr. Nazarbayev and the head of the country’s oil ministry. The money, doled out by American companies seeking access to Kazakhstan’s vast oil reserves, went toward the Kazakh leadership’s personal use, including the purchase of expensive jewelry, speedboats, snowmobiles and fur coats, federal prosecutors say."

As American companies seek partnerships, acquisitions and IPO deals, they must comply with the FCPA or suffer the financial or political consequences. Even in the middle of all of the movie hype and the legal depositions, the country of Kazakhstan has been elected to join the UN Economic and Social Council:

Kazakhstan says it has become the first Central Asian country to be elected a member of the UN's Economic and Social Council (ECOSOC).

The Kazakh Foreign Ministry says in a statement the vote took place at the UN General Assembly on November 2.

Kazakhstan will represent Central Asia in the 54-member UN body for the next three years. ECOSOC is the UN's central forum for discussing international economic and social issues.