06 October 2012

OPSEC: Knowledge Ecosystem Risk...

The "Leadership of Security Risk Professionals" is consistently in the news because Operational Risks within the enterprise are becoming ever more exponential.  The ability for specialists in the field or the C-Suite to operate on a 24/7/365 basis is a tremendous challenge.  In order to address a continuous spectrum of operational risks, we must actively monitor our culture and those behaviors that could make us lose sight of what we know is right.

At this moment, the explosion of mobile technologies has created a simultaneous set of new risks and opportunities to be leveraged.  Each human asset in your organization is another node in your digital ecosystem of connected machines.  The person now has the ability to stream live video from their mobile phone camera back to an Emergency Operations Center (EOC) or become an active participant in Irregular Warfare (Security, Development, Governance).  All they require is the correct App on their smart phone and 3G connectivity.  How the leaders in the enterprise that are charged with the risk management functions operate, collaborate and share relevant information, is just as important as what information.

In the private sector, as the leader of the HR functions responsible for hiring and terminations of employees, you are in the nexus of operational risk management and legal compliance.  The threats and vulnerabilities you experience and are accountable for mitigating, are going to be quite different than your fellow leader in the Information Technology department.  This is where we want to emphasize a major point:
The leader of HR, does not possess the same domain knowledge that the IT leader has, with respect to risks to the confidentiality, integrity and assurance of information stored in a Virtual Machine VM) at a third-party data center.  Just as the IT leader, does not possess the same domain knowledge that the HR leader has, with respect to the employees who have just given their two week notice.  Therefore, since both are accountable and responsible for their specific domain roles to mitigate risks to the security of the enterprise, how do they share information, collaborate and operate simultaneously to ensure the safety and security of the organization?
In order to act with unity of purpose throughout the global enterprise, each of these domains must be able to operate seamlessly, within the context of the larger enterprise ecosystem.  The leaders and stewards of the security risk profession must continue to adapt and continuously improve the decision advantage of the vast knowledge ecosystem before them.  The cultural and behavioral attributes of this ecosystem, can be a single point of failure that continues to plague our non government organizations, our private industry sectors and even our country.

What if your only role and job inside your particular organization was to make sure that information is being shared on operational risks?  How would you accomplish this?  How would you organize the mechanisms in each department for collection and dissemination of relevant information, to the other security risk professionals in the enterprise?  Believe us when we say that the answer is not another digital dashboard or wiki.
On September 30th, 2012, the 2nd season of the hit Showtime Television series "Homeland" aired in the United States.  The writers for this first episode of the season with Emmy winner Claire Danes,  made a reference in the script at one point, that brought back horrific memories of a failure of U.S. operational security. 
This reference, was to a real world event.  It was December 30th, 2009 at Forward Operating Base Chapman, in Khost Afghanistan.
This single mention in the script by the "Homeland" writers of this devastating event in history, should remind us all once again, that people, culture and the soft skills of communication, can and will be our most deadly vulnerability.  As a result of this set of cascading circumstances, five more stars are now on a wall in Langley.  This is another stark reminder of how personalities, power base and trust of information, can still fool us into a social engineering nightmare.

The future "Leadership of Security Risk Professionals" will use this event at FOB Chapman as a classic case study.  In order to enhance the effectiveness of the field specialists and the C-Suite, they must improve their ability to operate in a continuously dynamic sea of cultural behaviors, within a vast and expanding knowledge ecosystem.

No comments:

Post a Comment