16 November 2007

OSAC: The Insider Threat...

The "Insider Threat" was on the minds of Global Security Executives this week as evidenced by a half day emphasis on the current trends and issues at the OSAC Annual Briefing. The "Usual Subjects" were at hand with the crowd almost falling asleep while the speakers reinforced those due diligence rights and wrongs.

In any global enterprise doing business across multiple continents with a diversity of personnel comprised of expats and country nationals, you can bet on being consistently subjected to the operational risks instigated by people. Fraud, embezzlement, conflicts of interest, economic espionage, workplace violence and disruption of business schemes are the norm. Yet, in the back of everyone's mind is still the possibility of being connected with a significant terrorist incident. What these CxOs are looking for is the means to gain a larger budget for their departments and to be able to invest in new technologies and tools. Human behavior will always be the center of the controversy over whether these new systems will be able to mitigate the insider threat any more efficiently or effectively. In a converging organization with outsourced services around every corner, the enterprise becomes more disjointed and incapable of a continuous level of readiness or preparedness for the next organized plot by the insider.

So back to square one. Keep an eye on your employees, contractors and suppliers. Run those new employee awareness sessions and lock down the access to sensitive corporate assets. Now do it again with the same budget we gave you last year! You can just see these great patriots from all over the world searching for the answer to their continuous woes as a Global Security Director. It's a thankless position and severely underfunded in a time when the threats are increasing exponentially.

In evaluating the current information security, regulatory and legal environment, consider these five key flaws with today’s ORM solution programs:

1. Dependence on inadequate and incomplete technology-based point solutions;

2. Failure to integrate people, process and systems into an effective operational risk program;

3. Lack of decision support and an actionable understanding of the threat to the entire spectrum of corporate assets;

4. Reactive response to perceived problems rather than proactive initiatives based on sound risk management principles; and

5. Cost and shortage of properly skilled IT personnel to support the programs.

The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting significant issues:

Is your policy enforced fairly, consistently and legally across the enterprise?

Would our employees, contractors and partners know if a violation was being committed?

Would they know what to do about it if they did recognize a violation?

If you don't know the answers to these questions, then there is much more work to do and much more strategic planning necessary before any software or system is implemented for Operational Risk Management. And in the United States there is still a sense that the Banking and Finance critical infrastructure sector lacks guidance with regard to terrorist financing. From the perspective of Andrew Cochran, there are three main areas to focus on here:

  • Prepaid Stored Value Cards from Non-Money Service Businesses (MSB)
  • A List of "Politically Exposed Persons" (PEPs)
  • Updated Anti-Money Laundering (AML) manuals from the SEC

In all three areas, financial institutions are basically operating in the dark without guidance, and the risk of the unknown is the most fearsome and costly of all in this arena. As arcane as these might sound to those not working in or around the industry, I am confident that these three steps would reduce the risk of terrorist financing through financial institutions, often the first set of eyes and ears in contact with potential terrorists.
