27 October 2012

Dark Pools: OPS Risk of Rogue Algorithms...

When you begin to think about the potential Operational Risks we face every day, they are so wide and so numerous that each organization has developed its own methods for Enterprise Risk Management. The industry you are in and the speed of your business will determine the subject matter expertise that is required to deter, detect, defend and document your particular operational risks.

This is business as usual in the Financial Services industry. Yet what about those low probability and high consequence incidents that are looming over the horizon? The "Black Swans" as they have been defined in the past few years. What if these "Black Swans" were known to exist every day and could be witnessed swimming around in what are known as "Dark Pools"? You know, the places where the "Algo Bots", Quants and those who win are doing so at the speed of light. In the milliseconds it takes for one algorithm to buy and another to sell within the trading exchanges, we can only continue to pray that the mathematics does not go rogue:
A news-breaking account of the global stock market's subterranean battles, Dark Pools portrays the rise of the "bots" - artificially intelligent systems that execute trades in milliseconds and use the cover of darkness to out-maneuver the humans who've created them.
In the beginning was Josh Levine, an idealistic programming genius who dreamed of wresting control of the market from the big exchanges that, again and again, gave the giant institutions an advantage over the little guy. Levine created a computerized trading hub named Island where small traders swapped stocks, and over time his invention morphed into a global electronic stock market that sent trillions in capital through a vast jungle of fiber-optic cables.  
By then, the market that Levine had sought to fix had turned upside down, birthing secretive exchanges called dark pools and a new species of trading machines that could think, and that seemed, ominously, to be slipping the control of their human masters. 
Dark Pools is the fascinating story of how global markets have been hijacked by trading robots--many so self-directed that humans can't predict what they'll do next. 
Managing Operational Risk with the underground "Dark Pools" is a stretch. It is no different than trying to understand something as easy as CDOs or a tranche of sub-prime mortgages from a zip code in Las Vegas, all packed up in a Wall Street product you now recognize as a Mortgage-Backed Security (MBS):
Low quality mortgage-backed securities backed by subprime mortgages played a major role in the 2007–2012 global financial crisis. By 2012 the market for high quality mortgage-backed securities had recovered and was a profit center for banks in the United States.
High Frequency Trading (HFT) is not new. It has been evolving for years. The battle for speed has even changed the way organizations think about buying their circuits for telecommunications and data communications between these increasingly complex and sophisticated computing critical infrastructures. Here is one example:

Ridgeland, MS - September 17, 2012 - Spread Networks, LLC, a privately owned telecommunications provider, today announced the deployment of 100G technology on Spread's industry leading Chicago to New York fiber backbone. Spread's new service offers customers access to 100 gigabits per second of optical bandwidth, unregenerated, on Spread's 14.6 millisecond round-trip best-latency-in-class Ultra Low Latency Chicago-New York Wavelength service. Spread's flagship Ultra Low Latency Chicago-New York Dark Fiber service is now operational at a roundtrip latency of 12.98 milliseconds roundtrip, a 100 microsecond improvement from Spread's previous 13.1 millisecond offering. The latency improvement over Spread's dark fiber, which is already implemented, is the result of continuous route improvements that Spread has undertaken since going live in August, 2010. Spread's 12.98 millisecond dark fiber offering provides customers with unlimited bandwidth on a 99.999% available service at the lowest latencies achievable by fiber optic networks between these two financial centers. For financial customers who value low-latency and reliability for their mission critical trading applications, there is no other comparable solution.
Most people at the SEC, Federal Reserve and the DOJ fully understand the need for business to do whatever it takes to create a competitive advantage. What still remains our "Single-Point-of-Failure", however, is the math. The mathematics that make up the algorithms. The zeros and ones of software code that tell the computers what to do and when to do it. How many people can really understand it and explain it?

So how do you mitigate the potential risk of a rogue algorithm? Some have devised a mechanism called a circuit-breaker. In other words, an alarm that something is not normal. Let's slow down until we can understand what is going on here. What are some other ways that we could potentially address the threat or the vulnerability? Was the "Flash Crash" a weak signal of a pending meltdown of the complete system?
We are increasingly dependent on computers for all that we do, and the government won’t always be able to prevent their malfunctioning from causing serious problems. But the many glitches that have plagued financial markets in the past couple of years should serve as a sobering reminder that financial markets have evolved much more quickly in the past decade than regulators have. As Scott Patterson, author of Dark Pools, a book about high-frequency trading, said to Yahoo Finance Monday, “We have seen a massive revolution in how exchanges work. It’s been put in place extremely fast . . . the problem is that the race for profits at the exchanges and at the high-frequency firms has outpaced their ability to manage risk.” Read more: http://business.time.com/2012/08/08/high-frequency-trading-wall-streets-doomsday-machine/#ixzz2AWeXPorn

21 October 2012

Starfish: A Community of Resilience...

When is the last time you were in an environment where trust was implicit? A place where the people you were working alongside shared a unity of purpose and a single mission. Once you experience this, it is forever engraved in your mind and felt deep in your soul. A "Starfish Community," walking together with such a high degree of mutual trust, will endure and remain resilient against all Operational Risks that may be encountered.

Enabled by the wisdom and thinking from Rod Beckstrom and Ori Brafman's book "Starfish and the Spider: The Unstoppable Power of Leaderless Organizations," the "Starfish Community" is growing rapidly across the globe. A group of decentralized networks that are able to work without hesitancy and with moral courage. It does not matter if the model is used on the battlefield or in business, the desired outcomes are the same. Joby Warrick at the WP describes the latest work of al-Qaeda:
Authorities in Jordan have disrupted a major terrorist plot by al-Qaeda-linked operatives to launch near-simultaneous attacks on multiple civilian and government targets, reportedly including the U.S. Embassy in the capital, Amman, said Western and Middle Eastern officials Sunday.  The Jordanian government issued a statement confirming the plot and saying that 11 people with connections to al-Qaeda’s affiliate in Iraq have been arrested. 
The foiled attack, described as the most serious plot uncovered in Jordan since 2005, was viewed with particular alarm by intelligence agencies because of its sophisticated design and the planned use of munitions intended for the Syria conflict — a new sign that Syria’s troubles could be spilling over into neighboring countries, the officials said.
The alleged plotters are Jordanian nationals. The officials said the group had amassed a stockpile of explosives and weapons from Syrian battlefields and devised a plan to use military-style tactics in a wave of attacks across Amman.  
The scheme called for multiple strikes on shopping centers and cafes as a diversionary tactic to draw the attention of police and security officials, allowing other operatives to launch attacks against the main targets, which included government buildings and embassies.  A Western official briefed on details of the plot confirmed that the U.S. Embassy in Amman was among the targets. Like others interviewed for this report, the official spoke on the condition of anonymity because the investigation is still unfolding.
The ability for the Starfish Community to evolve, adapt and to consistently execute against its agreed upon mission manifests itself in terrorist acts and simultaneously in humanitarian and disaster response.  The ability for the human race to at one moment be so evil and at the same moment so forgiving and good, will continue to amaze us all:
Syrian Arab Republic, 2012
HISG has provided food, blankets, medicine, and other assistance to families that have been affected by the political turmoil in Syria. Many of these people have lost their only source of income because businesses have shut down. Others have simply fled the larger cities to escape the violence.
The assistance has gone to families like these: In one household, the mother had died from illness, leaving the father to care for five small children. He was not able to keep his job, and now sells small items door to door or on the streets, but it was not enough to provide for his children. When his family received food packs and heating oil in the winter, he was overwhelmed with gratitude. 
Late 2011 and early 2012 brought on an unusually cold winter in Syria, and the harsh temperatures coupled with the protests and demonstrations drove the price of heating oil to 4 times its usual price. The blankets were delivered to insulate people from the cold and help them survive the bitter cold.
The business world evolves around us with mergers and acquisitions, incidents of fraud and corruption, while a silent and clandestine army of cyber warriors wages conflict on our critical infrastructure and copies or steals our intellectual assets. The ability for the "Starfish Community" to survive in the virtual environment of the Internet is no different than in the cities of Aleppo or Amman. This is why Wikipedia and other open source projects are able to continuously adapt, grow and survive the threats or vulnerabilities to this resilient and self-healing network.

How have organizations like Google and others designed their business to withstand the tests of both physical and virtual threats to their global well-being?
8.  The need for information crosses all borders.
Our company was founded in California, but our mission is to facilitate access to information for the entire world, and in every language. To that end, we have offices in more than 60 countries, maintain more than 180 Internet domains, and serve more than half of our results to people living outside the United States. We offer Google’s search interface in more than 130 languages, offer people the ability to restrict results to content written in their own language, and aim to provide the rest of our applications and products in as many languages and accessible formats as possible. Using our translation tools, people can discover content written on the other side of the world in languages they don’t speak. With these tools and the help of volunteer translators, we have been able to greatly improve both the variety and quality of services we can offer in even the most far–flung corners of the globe. 
A crisis appears in your business only when you are unable to adapt and withstand the impact of the virtual or physical forces thrust upon you. Whether it is the economic well-being of the U.S. or the privacy laws in Europe. The shock wave of a VBIED or insider threat. Your organization could reach an Operational Risk crisis state if you have not embraced the architecture of the "Starfish Community". Learn from the best on how to withstand the test of time and all that humanity has in store for us. And to all of those who are on the front lines of crisis every day. God Speed. You know who you are.

14 October 2012

Crisis Readiness: Future of Risk Response...

One of the key components of effective Operational Risk Management is a robust Crisis and Incident Readiness Response Team. This team shall have practiced and exercised multiple scenarios over the course of their training together. Why? The ability to adapt on the fly regardless of the kind or type of incident is the core of what OPS Risk professionals are able to do, time and time again. The more unknowns that are encountered in any space of time, the more the ability to Observe, Orient, Decide and Act is required.

Yet this is not so much about the use of the OODA Loop or any other process in effectively adapting to your new and rapidly changing environment. It is about having the right sensors and early warning capabilities in place to detect and to deter the potential for new threats and new vulnerabilities that may disrupt your mission.

Why do you read about Global 500 organizations that have seen their stock price erode in a day, week or month due to the ineffective response to a crisis incident? In many cases, it is a simple fact. The Crisis and Incident Response Team was caught in a scenario that they had never imagined. An unfolding situation that they had never thought of and simply didn't plan for because its likelihood was just too low. This blog has talked about this before and it deserves repeating that exercising for the low likelihood and high impact events is where you need to spend most of your time.

The one-in-one-hundred-year events are no longer the case. They are one in fifty or less. Just ask your property and casualty insurance carrier about how their actuarial quants are thinking about this very topic. Whether it is global climate change or unregulated nuclear power industries in emerging nations, the low likelihood and high impact events are becoming more of a risk.

So what is the answer? To begin, you must first start the culture change and mindset shift to the future and to your own Strategic Foresight Initiative. Looking into the future is not exactly the exercise. Pick a point in time, five years, ten or twenty-five years into the future. Select a scenario that you can't even fathom is a possibility of actually coming true that will impact your organization. Then start your own "Backwards from Perfect" strategic foresight initiative. What this process will do is get all the focus on what you still need to accomplish between now and then to get yourself into a position so that your people, systems and organization will be able to withstand the scenario incident. Welcome to Global Enterprise Business Resilience.
Across every sector of society, decision-makers are struggling with the complexity and velocity of change in an increasingly interdependent world. The context for decision-making has evolved, and in many cases has been altered in revolutionary ways. In the decade ahead, our lives will be more intensely shaped by transformative forces, including economic, environmental, geopolitical, societal and technological seismic shifts. The signals are already apparent with the rebalancing of the global economy, the presence of over seven billion people and the societal and environmental challenges linked to both. The resulting complexity threatens to overwhelm countries, companies, cultures and communities.  Global Risks 2012 Seventh Edition
What if you happen to be a Non Governmental Organization (NGO)?  What are some of the risks that may impact you from a "Geopolitical" perspective that today have a high likelihood?

  • Global Governance Failure
  • Terrorism
  • Failure of Diplomatic Conflict Resolution
  • Pervasive Entrenched Corruption
  • Critical Fragile States
  • Entrenched Organized Crime
  • Widespread Illicit Trade

Crisis impact will be specific to your particular stakeholder group.  These will be higher or lower depending on whether you are a:

  1. NGO
  2. Business
  3. Government
  4. International Organization
  5. Academia

There are, however, three main cross-cutting observations by all of these stakeholders from the Global Risks 2012 report:

  • Decision-makers need to improve understanding of incentives that will improve collaboration in response to global risks
  • Trust, or lack of trust, is perceived to be a crucial factor in how risks may manifest themselves. In particular, this refers to confidence, or lack thereof, in leaders, in the systems which ensure public safety and in the tools of communication that are revolutionizing how we share and digest information
  • Communication and information sharing on risks must be improved by introducing greater transparency about uncertainty and conveying it to the public in a meaningful way.

The way that the global citizen decides to digest information in five or twenty years will be different than it is today. The world has already started to see this with the proliferation of mobile smart phone technologies, cameras, and knowledge systems networks such as FrontlineSMS and Ushahidi. Do you really believe that CNN and Al Jazeera will be the source of truth in the next two decades? Social Media is here to stay and the only reason that formal news organizations will exist is to validate and verify.

Operational Risk Management and Crisis Readiness shall continue to be one of the most dynamic and challenging places for global enterprises for years to come...

06 October 2012

OPSEC: Knowledge Ecosystem Risk...

The "Leadership of Security Risk Professionals" is consistently in the news because Operational Risks within the enterprise are becoming ever more exponential.  The ability for specialists in the field or the C-Suite to operate on a 24/7/365 basis is a tremendous challenge.  In order to address a continuous spectrum of operational risks, we must actively monitor our culture and those behaviors that could make us lose sight of what we know is right.

At this moment, the explosion of mobile technologies has created a simultaneous set of new risks and opportunities to be leveraged.  Each human asset in your organization is another node in your digital ecosystem of connected machines.  The person now has the ability to stream live video from their mobile phone camera back to an Emergency Operations Center (EOC) or become an active participant in Irregular Warfare (Security, Development, Governance).  All they require is the correct App on their smart phone and 3G connectivity.  How the leaders in the enterprise that are charged with the risk management functions operate, collaborate and share relevant information, is just as important as what information.

In the private sector, as the leader of the HR functions responsible for hiring and terminations of employees, you are in the nexus of operational risk management and legal compliance.  The threats and vulnerabilities you experience and are accountable for mitigating, are going to be quite different than your fellow leader in the Information Technology department.  This is where we want to emphasize a major point:
The leader of HR does not possess the same domain knowledge that the IT leader has with respect to risks to the confidentiality, integrity and assurance of information stored in a Virtual Machine (VM) at a third-party data center. Just as the IT leader does not possess the same domain knowledge that the HR leader has with respect to the employees who have just given their two weeks' notice. Therefore, since both are accountable and responsible for their specific domain roles to mitigate risks to the security of the enterprise, how do they share information, collaborate and operate simultaneously to ensure the safety and security of the organization?
In order to act with unity of purpose throughout the global enterprise, each of these domains must be able to operate seamlessly within the context of the larger enterprise ecosystem. The leaders and stewards of the security risk profession must continue to adapt and continuously improve the decision advantage of the vast knowledge ecosystem before them. The cultural and behavioral attributes of this ecosystem can be a single point of failure that continues to plague our non-government organizations, our private industry sectors and even our country.

What if your only role and job inside your particular organization was to make sure that information is being shared on operational risks?  How would you accomplish this?  How would you organize the mechanisms in each department for collection and dissemination of relevant information, to the other security risk professionals in the enterprise?  Believe us when we say that the answer is not another digital dashboard or wiki.
On September 30th, 2012, the 2nd season of the hit Showtime Television series "Homeland" aired in the United States. The writers for this first episode of the season with Emmy winner Claire Danes made a reference in the script at one point that brought back horrific memories of a failure of U.S. operational security.
This reference was to a real world event. It was December 30th, 2009 at Forward Operating Base Chapman, in Khost, Afghanistan.
This single mention in the script by the "Homeland" writers of this devastating event in history should remind us all once again that people, culture and the soft skills of communication can and will be our most deadly vulnerability. As a result of this set of cascading circumstances, five more stars are now on a wall in Langley. This is another stark reminder of how personalities, power base and trust of information can still fool us into a social engineering nightmare.

The future "Leadership of Security Risk Professionals" will use this event at FOB Chapman as a classic case study.  In order to enhance the effectiveness of the field specialists and the C-Suite, they must improve their ability to operate in a continuously dynamic sea of cultural behaviors, within a vast and expanding knowledge ecosystem.