12 August 2012

Travel Risk: Adaptive Survival Instruction...

Travel risk to corporate executives is on the rise. Even if you are not an executive who can afford the services of personal bodyguards and armored cars, there are prudent ways to mitigate the risk of traveling to the global hot spots.

The Mission

Travel safety is becoming more of a mainstream issue with savvy operational risk managers. In fact, new firms are emerging, founded by former FBI or other law enforcement heavyweights. The fact is, most of these so-called travel safety courses are being taught from only one side of the equation.

In a world of global commerce, CSOs are often tasked with building their company's corporate travel safety programs. The job calls for a proactive approach to educate employees about precautions they can take to stay safe, whether they're the CEOs of multibillion-dollar conglomerates who fly on company jets that land on secured tarmacs or rank-and-file staff riding in commercial airline coach.

The Take-Away

Business has to be done in some of the most dangerous places on the planet, even where that means exposure to kidnapping, terrorism and corrupt governments. Our advice is to make sure your instructor transfers skills to people on "how" to detect, deter and defend against attackers, not just on "what to do."

The "how" is not easy to teach unless you have been there and experienced it. One of the reasons most CEOs are "age experienced" is that it takes time to acquire enough leadership lessons. It does not happen in a week or a month or even a few years. Learning the skills to survive in strange cities, cultures and countries requires instruction by age-experienced "Quiet Professionals." Much of this instruction is about training people to be "Adaptive."

Personnel threat management is a prudent risk mitigation solution. Combined with adaptive survival instruction, it is one key strategy to reduce the operational risks associated with key personnel in your organization. Individuals whose occupations place them at risk may include people with access to valuable proprietary information or holders of high-level security clearances, the wealthy and those responsible for their safety.

Comprehensive "Adaptive Survival Instruction" for international business executives is a primary mission for OPS Risk leadership because it saves lives.

04 August 2012

SCRM: ICT Supply Chain Risk Management...

What is your private sector enterprise doing today to improve your ICT Supply Chain Risk Management (SCRM)? Cyber-espionage campaigns have been operating for years across the ICT domains and are exposed every year in the trade press to John Q. Citizen, soon after "Black Hat" and "Defcon". Once again, the origins of these sophisticated and viable adversaries are located inside nation states.

The head of U.S. Cybercom continues to emphasize to the White House and Capitol Hill the need for more effective legislation to modify behavior on the cyber security of critical infrastructure. Those who remain committed to the silent war, and the warriors who are fighting it each day on a 24 x 7 basis, know the operational risks associated with this modern-day battlefield.

Do you know where your information is today? No, not your "Personally Identifiable Information" (PII), but the crown jewels of your latest Research and Development project. Or the details on the "Merger and Acquisition" (M&A) activity associated with your cash cow law firm client. Guess again, because you may not be the only one who now has copies of these trade secrets or confidential and proprietary information. Bloomberg's Michael Riley and Dune Lawrence capture some of the discussion that follows:

The methods behind China-based looting of technology and data -- and most of the victims -- have remained for more than a decade in the murky world of hackers and spies, fully known in the U.S. only to a small community of investigators with classified clearances.

"Until we can have this conversation in a transparent way, we are going to be hard pressed to solve the problem," said Amit Yoran, former National Cyber Security Division director at the Department of Homeland Security.

Yoran now works for RSA Security, Inc., a Bedford, Massachusetts-based security company which was hacked by Chinese teams last year. "I'm just not sure America is ready for that," he said.

The Information Communications Technology (ICT) supply chain is at risk, and the days are numbered until our final realization that this issue is far past the policy makers' control. Is this an operational risk for which we have done all we can to mitigate the impact on our U.S. national security? Everyone should know the answer to this question.

The complexity and the complacency of the problem continue to plague those who are working so diligently to fend off the daily attacks or counterfeit micro-components. The strategy is morphing as we speak, from defense to offense, and the stage is being set for our next generation's reality of global cyber conflicts and ICT due diligence. Richard Clarke and others have little left to say beyond what they have already said.

So where are the solutions? Where are the answers? They can be found in much the same way that organizations, companies and nation states have, for the past several decades, realized what was necessary to deter, detect, defend and document operational risks to their institutions. The science has changed rapidly, but the foundational solutions remain much the same, using these six factors:

  • Identify
  • Assess
  • Decide
  • Implement
  • Audit
  • Supervise

These six factors of your respective "Operational Risk Management Enterprise Architecture" are the framework for these solutions. Your ability to operate them continuously within your enterprise will determine how effective you are in surviving what Richard Clarke and others have predicted for a long time. Dave Aitel captures much of the issue before us in getting the private sector to make the right changes to its defenses:
The key hangup for this bill is that its solution is unprecedented. Until now we've never viewed private industries, like FPL, Duke Energy, Exxon and NASDAQ, as being responsible for the nation's defense. But that's just what this bill does -- it recognizes "critical" industries like energy, transportation, emergency services and financial networks, as the new targets in the cyberwar battlefield and requires them to upgrade to military-style defense. This won't be easy, but it's the right thing to do. For the first time ever, rival nations now have the ability to launch relatively easy "kinetic" attacks on U.S. soil, complete with plausible deniability. This is the new world we live in.