31 August 2014

HSI Governance: Equilibrium of Privacy and Security...

When people are faced with increasing Operational Risk Management (ORM) uncertainty in their organization, our inherent DNA makes us gravitate towards avoiding new risk at all costs. What any new bold policy shift requires to succeed for the masses is to face risk squarely in the eye and to manage it effectively. This is exactly how many private sector intelligence organizations have evolved and continue to thrive in a vast universe of "Open Source" and Electronically Stored Information (ESI).

The U.S. government "Homeland Security Intelligence" (HSI) enterprise has the same opportunity to embrace risk and simultaneously manage it more efficiently and effectively. Over the course of the past decade the U.S. Patriot Act has several controversial provisions that have been implemented, tested and refined. Several of these include Sec. 203(b) and (d) that allow information from criminal probes to be shared with intelligence agencies and other parts of the U.S. government. Another is Sec. 206 that allows one wiretap authorization to cover multiple devices, eliminating the need for separate court authorizations for a suspect's cell phone, PC and Blackberry, for example. The civil liberties debate on Sec. 215 known as the "libraries provision" allows access to records such as what books were checked out at the library or purchased from a bookstore, as long as the records are sought "in connection with" a terror investigation.

The governance of information by the private sector may have either accelerated or detained HSI enterprises in terrorism investigations. One example are the policies private sector Internet Service Providers utilize for records management and "Electronically Stored Information" (ESI) readiness. Electronic discovery amendments to the Federal Rules of Civil Procedure (FRCP) have created the requirement for private sector companies to be more prudent in "Achieving a Defensible Standard of Care."

The risk associated with non-compliance of the Federal Rules of Civil Procedure (FRCP) is a major facet of Operational Risk Management. The fusion of the Corporate Governance Strategy Execution comes together with a dedicated internal "Task Force" inside the enterprise. Comprised of the General Counsel, CIO, CISO and VP of Human Resources, this team provides the mechanism for effective policy implementation and operations accountability. The mission is to carry out the fiduciary duty to create a culture of legal compliance within the organization.

The evidence obtained for Homeland Security Intelligence (HSI) investigations may only be as accessible and obtainable as the effectiveness of a private sector companies ESI policies. How often do they purge their e-mail from databases? How much data storage does the enterprise allow for each person's mailbox? Are there people circumventing the information governance policies in the private or public workplace in order to get their daily business accomplished?

The collection of information for HSI has a parallel path with the collection of evidence and it must be done according to the civil liberties and privacy laws of the United States. It is this balance and equilibrium between the governance of information and the legality of obtaining it for the purpose of a terrorism related investigation that brings us to a potential digital paradox.

Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.
In Joshua Cooper Ramo's book "The Age of the Unthinkable","Why the New World Disorder Constantly Surprises Us and What We Can Do About It" the author discusses the concept of Deep Security. His analogy of how to think about "Deep Security" is the biological immune system. "A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."
The key word in Ramo's writing is "Adapt". Being Adaptive. However, prior to this there are two other very vital words that we feel are even more imperative. Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy law enforcement investigator or intelligence analyst on how she solved the case and you may hear just that, "I had a hunch." Talk with a Chief Privacy Officer in any Global 500 company and you might get them to admit they have a sense that their organization will be the target of a data breach incident in the coming year or two. The complexity of IT systems, data networks and the hundreds of laptops circling the globe with company executives is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern Homeland Security Intelligence enterprise or private sector company does not come natural. You have to work at it and it requires a substantial investment in time and resources to make it work effectively. Once you realize that all of the legal controls, technology and physical security are not going to keep you out of harms way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

24 August 2014

Inspect v. Study: Quality of Operational Risk Management...

As this weblog reaches it's 1,060th post in the next few months, much has been documented on the course of "Operational Risk" over the past ten years. We have continuously witnessed the dawn of new threats and vulnerabilities that could only have been imagined in the last millennium.

At the same time, we could not have predicted the new found solutions, to many of the same operational risk related incidents that have plagued our institutions, governments and the planet we call Earth. Every time you think you have heard or witnessed it all and that all new future risk events will just be some variant of those that have preceded us in history, we are surprised and blind-sided. The "Black Swan" has visited us once again.

Yet one item that remains consistent over the course of risk incidents and numerous after action findings is this fact. We have not devoted enough resources in preparation and in scenario-based exercises to improve our resiliency. We remain in denial that we could ever be subjected to the 1-in-100 year event. However, there is someone named Warren Buffet who to this day, is still adding reinsurance companies to the Berkshire Hathaway portfolio. Do you think it is because Mr. Buffet is betting on more risk or less in the world over the next decade?

Risk Managers think about the "What if" more than anyone else, in many cases because they are paid to do this on behalf of their employer. Yet as human beings, we take risks every day without even thinking twice about how much risk we are taking on and what the possible outcomes could be. We just move through life in a wait and see totally reactive mode. So how do you get at least a majority percentage of the people walking around the halls of your organization to think more like a savvy risk manager? What does it take to inject a little more "What if" into the consciousness of each person and the roles and jobs that they play in your institution?

The first is to design and engineer your management system to incorporate a risk-based standard for operations. Secondly, to incorporate the applicable risk management controls to produce the rules-based behavior that you are adopting. Finally, to test the rule-sets with a continuous approach to ever so incremental improvement over time. Sounds familiar doesn't it. Plan-Do-Check-Act.

Whether you are trying to improve the awareness, implementation and/or measurement of Operational Risk on the deck of the aircraft carrier, at the FOB, on the trading or manufacturing floor or within the supply chain of the vital resources that fuels your organization, "Plan-Do-Check-Act" (PDCA) works. And you have heard it before, those who are hit by the "Black Swan" event will die or go out of business relative to the previous attention they have paid over the years to PDCA.


PLAN
Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals). By making the expected output the focus, it differs from other techniques in that the completeness and accuracy of the specification is also part of the improvement.
DO
Implement the new processes, often on a small scale if possible, to test possible effects. It is important to collect data for charting and analysis for the following "CHECK" step.
CHECK
Measure the new processes and compare the results (collected in "DO" above) against the expected results (targets or goals from the "PLAN") to ascertain any differences. Charting data can make this much easier to see trends in order to convert the collected data into information. Information is what you need for the next step "ACT".
ACT
Analyze the differences to determine their cause. Each will be part of either one or more of the P-D-C-A steps. Determine where to apply changes that will include improvement. When a pass through these four steps does not result in the need to improve, refine the scope to which PDCA is applied until there is a plan that involves improvement.


It's clear to the "Operational Risk" professional why PDCA has one little flaw. The "Check" could and should be replaced by "Study" to emphasize analysis over inspection as Dr. W. Edwards Deming has said. To analyze and study takes us to the core of the issue. People are always looking for expected results, not unexpected outcomes. If we are to expect "unexpected" results, perhaps the "Analyze-Study" mindset would then perpetuate the plethora of risk professionals who are still caught up on the "Check". Inspection will get you killed and it will produce more "Black Swans" in your lifetime than you would ever expect. Check = Inspection. Study = Analyze.

So we think it is safe to say, that Warren Buffet is betting on the current trend of a mentality of inspection and not study. He is investing in the future of insurance companies needing insurance to hedge their own underwriting failures. Study and analysis are the ingredients of success for the most sought after risk managers on the globe. Unfortunately, too many still have not figured out that "Check" is out and "Study" is in.

The future quality of Operational Risk Management will lie in the hands of practitioners who are analyzing and studying before they apply new changes to gain new improvements. Now think about your organization. Where are the people who are patient? How long do they take to study the business problem or assess the climate you operate in every day? When you find these individuals you need to keep them close and you will soon find that you are well on your way to a more resilient future.

17 August 2014

Insider Threat: CSO Priorities...

If you are the CSO of a Fortune 50 company these days you have a few top of mind Operational Risk Management (ORM) priorities. There is only so much you can do with the resources you have been given, to preempt attacks on your enterprise regardless of the origin, internal or external. The time and resources for exercising plans and testing contingencies are getting more scarce. So where and how do you apply your knowledge and priorities to gain the most effective results?

In alphabetical order, here are some of the known attack methods to bring severe economic and human losses to bear on your business and the homeland:
  • Aircraft as a weapon
  • Biological Attack: Human Disease, Livestock, Crop
  • Chemical Attack
  • Cyber Attack
  • Food or Water Contamination
  • Hostage Taking
  • Improvise Explosive Device (IED)
  • Maritime Vessel as a Weapon
  • Nuclear Attack
  • Radiological Dispersal Device
  • Standoff Weapons: Guided
  • Standoff Weapons: Unguided
  • Vehicle-Borne Improvised Explosive Device
Now one could discuss the probability of each of these threats to determine the best strategies for preparing for one vs. another. More importantly, you could group these into clusters so that investing in prevention and preemption activities and tools would impact more than one attack method. Yet as you analyze your own specific critical infrastructure assets in your enterprise, you will then see those attack methods that will have the greatest affinity for that location or type of asset.

It is well known that the private sector owns and operates a majority of these critical assets for national security, now estimated around 85%. If you look at the list of known attack methods and realize who is "perceived" to be responsible for protecting these assets, the problem becomes more clear. The private sector expectation that the government or public sector is going to protect the critical assets that the private sector owns is the going logic. How far from the truth and reality could this perception be today?

As the Chief Security Officer (CSO) of a Fortune 50 company you no doubt have already cataloged your facilities and sub-categorized the assets within each of these facilities. You have included the "Intellectual Property" (IP) considerations for each location such as key people, R&D, Engineering, Software Development and others. You understand the value of these tangible and intangible assets as it pertains to the survivability of your organization. You have already developed the systems to recognize the moves, adds and changes to these facilities and assets so the portfolio of critical infrastructure and intellectual assets is up to date in real-time.

For many of you the last big push was to make sure that the Continuity of Operations and BCP Plans or Disaster Recovery strategies are in place to provide the peace of mind for "What if" scenarios. Your off site hot back-ups and mirrored data are functioning perfectly. The exercises have told you that operating these plans when the time comes will be touch and go but you are confident that you will get through it.

Now let's go back to our original question. So where and how do you apply your knowledge and priorities to gain the most effective results?

Your worst enemy now is your perception that the government is there to protect you first and to keep your private sector assets safe before the company next door or across the street. Your complacent attitude towards sharing vital information with the public sector authorities in your city, county and region is where you have your greatest vulnerability. How can these people who serve the local, state and federal agencies know anything about what is valuable to you if you don't tell them?

You see, it doesn't matter what your adversaries utilize as the their favorite attack method to do you harm. Of course they will want to use the ones that will have the most economic impact on our nation and it's people. Yet, without the continuous exchange of information flow from the private sector to those government officials, your business is just another casualty waiting to happen.

So if the government is working on the external threat through the Department of Homeland Security (TSA), Border Patrol, Coast Guard, CERT and the FBI on Counter Terrorism, Counter Intelligence and Cyber Crime what should you the CSO at your Fortune 50 company be focused on? The Insider Threat. Pure and simple.
“An individual with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.”
  • Due to a lack of hard data, threat definition remains difficult;
  • While education and awareness can be provided, cultural change remains more difficult and requires: 
  • Investment in structured programs and risk management; 
  • Corporate culture where trust does not run counter to prevention programs; and 
  • Improved workforce communication and cooperation so targeted efforts can address insider threats
  • Use of background checks varies among sectors and are not universally accepted; regulation is controversial; and
  • Multiple legal environments complicate Insider Threat mitigation strategies, not only domestically, between Federal, State, local jurisdictions, but also and more significantly, for those companies operating in multinational environments, complicating cohesive or comprehensive policy efforts.
The Insider Threat is real and requires continuous vigilance across the private sector. Secondly, the interface with your local first responders and law enforcement should be established early and often. Establish your own "Homeland Watch" mechanisms in your business park or metro area mapped to the local fire and police substations. Understand and get to know how they prioritize their response and investigations of suspicious activity and how it could impact you.

Finally, get very familiar with the NIPP. It could be your key to better understanding the mindset of the public sector and safeguarding your corporate assets.

10 August 2014

4th Paradigm: Predictive Risk Innovation...

21st century innovation requires new thinking, new tools and the application of a creative mind.  When it comes to innovating Operational Risk Management (ORM), take a leap towards "Predictive Intelligence".  What has been holding you back?  Is it the right combination of new thinking, new tools and the applications you haven't even thought of yet?

How could we apply the use of a High Computing Cluster (HPC) using Amazons Elastic Compute Cloud (EC2) with the right haystack of data to get the answers we seek?  Without building a new data center and for under $5K.  Think about the possibility of 10,000 plus server instances running across five data centers, with the results we seek in hours.  Utility Super Computing is here today for white hats and also even the "Black Hats."

Predictive Analytics is an art and a science, that is thriving with the use of "Fusion Infrastructure" by the hour. Why do we need to spend tens of millions of dollars on our own data center anymore, to get the rapid answers we require to run our business or to defend our nation?

Now the debate has gone beyond the infrastructure, to look at the other bottle necks.  What about the database architecture itself?  Is the traditional implementation of the disk intensive real-time Relational Database Management System (RDBMS) paradigm over?  Hadoop is here, yet requires new language learning curves and is a batch solution.  This could be one of the answers to predictive risk innovation:
MemSQL is the distributed in-memory database that provides real-time analytics on Big Data, empowering organizations to make data-driven decisions, better engage customers, and discover competitive advantages. MemSQL was built from the ground up for modern hardware to leverage dozens of cores per machine and terabytes of memory. We are entering an era that will be defined by distributed systems that scale as you need capacity and compute, all on commodity hardware.
How long will it take you to stand-up your own "Operational Risk Intelligence Center"?  One or two days or a week, with the right people and skill-sets in place.  What kinds of questions and answers will allow you to predict the future, faster than your competitor or your latest cyber adversary?
If you throw enough money at a problem there’s bound to be a solution, some think. That’s the logic of security expert Dan Geer, who this week told the Black Hat conference in Las Vegas that the U.S. government should throw a heck of a lot of greenbacks at people who discover vulnerabilities. 
How much? Ten times more than anyone else, he said in a keynote address.
Geer, chief information and security officer at In-Q-Tel, a not-for-profit venture capital company that invests in early stage companies making products aimed at U.S. intelligence agencies, maintained the U.S. should corner the market on vulnerabilities.
“Then we make them public and reduce to zero the inventory of cyber weapons that others have,” he was Geer said. “I believe that exploitable software vulnerabilities are scarce enough that if we corner the market, we can make a difference.” including eSecurity Planet and ThreatPost.com.
A number of companies have so-called bug bounty programs, including Microsoft and Google. Nor is Geer the first to say governments should open their wallets. In January, researchers at NSS Labs issued a report arguing that only drastic measures can bring cyber threats under control.
Innovation in the Operational Risk Management spectrum is on the verge of massive change. Operations Security, Fraud Analytics and Supply Chain Management are just the beginning.  The Board of Directors of the commercial enterprise, Military Strategic Commands and virtual chat rooms on the deep web, are debating these very subjects.  Application of "Utility High Performance Computing" in combination with 4th Paradigm databases, puts innovation back at the forefront of the creative mind.