19 May 2012

Telecom DataTecture: Cloud Resilience in 4GW...

The Enterprise Cloud computing environment is not only a topic of many private sector CIO forums this year, it is also spawning new discussions in government intelligence community circles. Simultaneously, the new economics, together with the aversion to buying hardware and software to house your own brick and mortar data center, is slowly but surely taking the business community by storm.

Companies such as Terremark Worldwide, which already serve some of the most highly classified data traffic and storage for the intelligence and other civilian agencies, are gaining tremendous momentum in the marketplace. Why? Visit their NAP of the Capital Region 60 miles or so outside Washington, DC and you will witness part of the answer. The other part of the answer can be found in Terremark's sophisticated VMware-powered "Infinistructure", which enables the modern enterprise to scale bandwidth and storage more easily, commensurate with daily, weekly or monthly utilization of dynamic computing utility requirements.

For a Small-to-Medium-Enterprise (SME) to grow with new HP or IBM servers, EMC or NetApp storage and sub-systems for load balancing, back-up power generation, disaster recovery and managed security services requires a substantial new Capital Expenditure (CAPEX). This strategy for a Telecom DataTecture (Cloud Data Centers) is one that architects of critical infrastructure resiliency teams can no longer ignore.

What do "Business Resilience" and critical infrastructure have to do with Operational Risk Management? At the core of OPS Risk is the concept that vulnerabilities exist in your organization across a spectrum of people, processes, systems and external events. Executives now have a new mindset that sounds like this: "I know that it's just a matter of time until we experience a significant business disruption to the organization. Now the question remains, what, who, when, where and how?" The threat ranges from the "Insider" who has been stealing precious intellectual property or facilitating some occupational fraud scheme to the "External" attacker who enables a data breach of "Personally Identifiable Information" (PII) at a minimum. The serious adversary will only care about major disruption or destruction; Mother Nature (Haiti) or Aurora (Hack).

Once you have achieved this mindset and accepted the reality of a future attack, you transition to "Enabling Enterprise Business Resiliency" and a series of measures towards your own survivability. These measures in the Information Technology sector of your business or government enterprise will determine your future posture in a post-incident cyber scenario. The magnitude of the incident itself is growing on a vector that now even Richard Clarke has shed more light on:

Cyber War is a powerful book about technology, government, and military strategy; about criminals, spies, soldiers, and hackers. This is the first book about the war of the future -- cyber war -- and a convincing argument that we may already be in peril of losing it. 
Cyber War goes behind the "geek talk" of hackers and computer scientists to explain clearly and convincingly what cyber war is, how cyber weapons work, and how vulnerable we are as a nation and as individuals to the vast and looming web of cyber criminals. From the first cyber crisis meeting in the White House a decade ago to the boardrooms of Silicon Valley and the electrical tunnels under Manhattan, Clarke and coauthor Robert K. Knake trace the rise of the cyber age and profile the unlikely characters and places at the epicenter of the battlefield. They recount the foreign cyber spies who hacked into the office of the Secretary of Defense, the control systems for U.S. electric power grids, and the plans to protect America's latest fighter aircraft.

The warnings and doom and gloom have been around for years, and one more book will not likely change the current state of cyber arm wrestling going on around the Washington, DC 495 beltway. The Net-centric warrior of the next decade will no doubt have to rely on a much more resilient set of technologies and countermeasures to circumvent the latest nation-state cyber armies or cyber criminal syndicates. Even more important is the current state of the domestic ability to withstand the 4th Generation Warfare (4GW) being waged on our financial, energy and defense industrial base.

This asymmetry, in which we are developing offensive capability but doing little to prevent a devastating cyber attack, began in the Bush administration. In the last year of his eight-year presidency, George W. Bush signed a national-security decision called PDD-54. That directive, still classified, ordered steps be taken to improve the security of the Department of Defense and other federal-government computer networks. Critics say it did almost nothing to address the weaknesses of the national infrastructure.

13 May 2012

Red Alert: Operational Risk Quotient...

Operational Risk is in the U.S. news again this past week.  Several prominent CEOs and the Board of Directors are under fire in the United States for failures to comply with documented best practices and governance processes.  The failure to execute these processes for the effective management of Operational Risk has now become a "Red Alert" for organizations in the financial services and banking industry.   The ranks of those tasked with vetting and validating candidates for high profile positions in public companies are also under increased scrutiny.  We should look at these one at a time.  JPMorgan first:

At JPMorgan, the Ghost of Dinner Parties Past
Published: May 12, 2012 
WHAT goes around comes around. Sometimes it happens sooner than you’d think.  That round wheel turned on JPMorgan Chase last week, which disclosed that it had suffered a $2 billion trading loss in credit derivatives. That such a hit had befallen the mightiest of banks was perhaps more stunning than the size of the loss. 
So where does the karma come in? The loss, and the embarrassment it held for Jamie Dimon, the bank’s imperious chief executive, came just one month after a private dinner party in Dallas at which he assailed two respected public figures who have pushed for policies that would make banks like JPMorgan smaller and less risky. 
One was Paul Volcker, the former Federal Reserve chairman, whose remedy for risky trading by too-big-to-fail banks is known as the Volcker Rule.

The story is not about losing $2B USD in trading derivatives. And as Gretchen Morgenson has stated, we are witnessing a paradox. The same rules JPMorgan is opposing in regard to proprietary trading could very well be the same rules that could provide a "Red Alert" that a threat is on the horizon. The cost to the institution is far beyond the loss of the trade in terms of reputation and overall market value. The credit ratings agencies and the SEC are now moving into place for their respective response to this incident.

Now let us take a look at Yahoo and a CEO who is embroiled in an error on his curriculum vitae:

Exclusive: Yahoo’s Thompson Out; Levinsohn In; Board Settlement With Loeb Nears Completion  Published on May 13, 2012  
by Kara Swisher 
Yahoo’s embattled CEO Scott Thompson (pictured here) is set to step down from his job at the Silicon Valley Internet giant, in what will be a dramatic end to a controversy over a fake computer science degree that he had on his bio, according to multiple sources close to the situation.
The company will apparently say he is leaving for “personal reasons.”  But the evolving crisis — which is just over a week old — centered on his botched resume and how he handled the thorny issue is clearly the key reason for the abrupt leaving.

This Operational Risk loss is a failure of a process that may have been outsourced to an executive recruiting firm or to the Board Director responsible for the vetting and validation of each candidate's information. What is even more compelling to think about are all of the other CEOs that are now losing sleep overnight because of the same issue at their own organization. So where did someone go wrong in this case? Was it a missed step in the process for hiring or a simple lack of integrity by the CEO himself, Scott Thompson?

This brings us to the convergence of our discussion on Operational Risk Management for both of these incidents.  There are aspects of transparency, governance and finding the truth.  And the truth is, we are all human.  Whether we are trading derivatives to hedge risk or we are vetting the information on a resume, the human factors and behavior associated with the actual risk management tasks themselves are the focus here.  Humans will make mistakes and that is precisely why we need the controls in place, to mitigate the potential for human error, omission and stupidity.

You see, in either case it is the rules that matter, and they have been ignored, disregarded or overlooked through a lack of awareness. The rule-sets are vital to the effectiveness of risk management, whether they are best practices, international standards of conduct or the code of law within a particular jurisdiction. These rule-sets have been discussed on this blog in the past, back in April of 2008: Rule-Set Reset, and others such as this one in May of 2004 on NYSE Rule 446:

Operational risk focuses on firms' abilities to maintain communications with customers and to retrieve key activity records through their "mission critical systems." Financial risk relates to firms' abilities to continue to generate revenue and to retain or obtain adequate financing and sufficient capital. In this regard, an eroding financial condition could be exacerbated or caused by deterioration in the value of a firm's investments due to the lack of liquidity in the broader market, which would also hinder the ability of the firm's counter-parties to fulfill their obligations. A firm would be expected to periodically assess changes in these exposures, and in the event of a significant business disruption, the firm would consult its plan and take appropriate action contemplated by its plan. Members' and member organizations' procedures should be written and implemented to reflect the interrelationship among these risks.

What rule-sets govern your organization? Have you created a comprehensive governance map to help guide yourself as a CEO, and the remainder of your company, through the maze of ethical, regulatory, legal and even sustainability rules that are before you? Leadership in any organization, whether it is in Silicon Valley, on Wall Street or in the US Navy, requires a prudent and clear path to understanding the rules and the map to navigate both securely and safely. Even with these rules and the map, you can predict that human behavior will intervene and deliver that next surprising blow to your institution. Now it is just a matter of how often and the magnitude of the event.

Ask yourself:  What is our "Operational Risk Management" Quotient?