25 October 2014

Reputation Risk: Organizational Stewardship Revisited...

Reputation risk is becoming more of a topic of discussion these days. The loss of reputation results in several outcomes, both economic and personal. The fact is that most of the time organizations are "Reacting" to a crisis, news leak or some other corporate failure.

You don't have to name names of people or companies to understand the impact that reputation has on the success or demise of an organization. What has to change to lower the severity and likelihood of loss events associated with "Reputation"?

First you have to ask yourself a couple of key questions:
  1. What is your reputation worth?
  2. Are you being Proactive or Reactive in managing and safeguarding your reputation?
The PR and marketing communications processes in your organization may hold certain facets of the solution to better reputation risk management. However, these processes are designed without the consciousness of proactive threat anticipation, detection, prevention and remediation.

What has become clearer to executives in proactively oriented companies is the requirement for a specific and strategic approach to Reputation Risk Management. This approach encompasses an emerging theme from the early nineties pioneered by author Peter Block. We call it Organizational Stewardship.

Organizational Stewardship as a core guiding principle is the cornerstone in managing an institutional reputation risk management process. It has three components that support this rekindled idea of applying the concepts of stewardship to the organization:
  • Economic Accountability
  • Information Management
  • Business Integrity
Reputation Risk Management is about the proactive monitoring and management of a portfolio of threats in the organization. Several categories include:
  1. Intellectual Property and Information Assets
  2. Demonstrations, planned boycotts and social activism
  3. Physical infrastructure including employees and suppliers
  4. Legal threats including class actions, insider trading or whistle-blowers
Microsoft closed its free Internet chat rooms in 28 countries many years ago because of threats from pedophiles and junk e-mailers. This is an example of proactive reputation risk management. Unfortunately, this has opened the door to another related threat of hackers hijacking other Social Media accounts.

Organizational Stewardship is a guiding principle. Once it is embedded into the organization, it begins to permeate the mindsets of the individuals who are responsible for the conscious reputation risk management processes. Over time, these individuals help raise the corporate mindset, philosophy and ethics to a newfound level.

Someday soon the executives in the board room will realize that managing reputation is not about keeping secrets and fighting fires. They will realize that they need to find a proactive, preventive and relevant strategy for achieving Organizational Stewardship in their company.

11 October 2014

Unintentional Insider Threat (UIT): Human Factors Risk...

Operational Risk Management (ORM) is a discipline that encompasses several facets of science and art. The human factors will continue to challenge the people who are tasked with mitigating risks in the face of a Republic with constitutional rights.  The United States is one of many countries in the world where employees of governments and private sector institutions must comply with a myriad of laws pertaining to the privacy of the work force.

The behavioral aspects of humans operating day-to-day in the workplace, whether inside the R&D department at Google or on the 7th floor at DARPA, carry many of the same risks.  When you put an information storage and computing device in their hands, the likelihood of encountering a potential operational loss or failure increases dramatically.

For the past several years, there has been a significant amount of attention devoted to the topic of "Insider Threat."  In light of the Edward Snowden and "The Fifth Estate" events, many government and private sector organizations have been revisiting their employees' security clearances and backgrounds.  This is a reaction-based effort that would not be out of the ordinary for most organizations that protect national secrets or substantial intellectual property.

This, however, is a small percentage of the overall risk that the organization is exposed to every day when that digitally enabled human goes to work.  The reason is that the lens currently being focused on "Insider Threat" is looking for the next Edward Snowden.  This kind of insider will forever continue to amaze and surprise you, just like the people who may now be in legal proceedings for collaborating with Bernie Madoff.  You see, not every human will show behaviors that all of a sudden look out of the ordinary.  The person stealing information or manipulating the books will continue to operate within your organization without disclosure.

There is a foundational study completed by the CERT Insider Threat team at Carnegie Mellon University that highlights an even greater potential loss or failure.  "A significant proportion of computer and organizational security professionals believe insider threat is the greatest risk to their enterprise, and more than 40% report that their greatest security concern is employees accidentally jeopardizing security through data leaks or similar errors."

Unintentional Insider Threat Definition 
We recommend the following working definition of UIT:  An unintentional insider threat is: 
(1) a current or former employee, contractor, or business partner 
(2) who has or had authorized access to an organization’s network, system, or data and who, 
(3) through action or inaction without malicious intent, 
(4) causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.  
SEI Insider Threat Team, CERT; Unintentional Insider Threats: A Foundational Study (CMU/SEI-2013-TN-022). Software Engineering Institute, Carnegie Mellon University, 2013.
This report examines the problem of unintentional insider threat (UIT) by developing an operational definition of UIT, reviewing relevant research to gain a better understanding of its causes and contributing factors, providing examples of UIT cases and the frequencies of UIT occurrences across several categories, and presenting initial thinking on potential mitigation strategies and countermeasures. Because this research topic has largely been unrecognized, a major goal of this study is to inform government and industry stakeholders about the problem and its potential causes and to guide research and development (R&D) investments toward the highest priority R&D requirements for countering UIT.
Operational Risk Management is a 24 x 7 x 365 day process that is focused on all humans operating in the ecosystem of the enterprise.  The Edward Snowdens are coming to work today along with their friend Bernie Madoff.  Hiding in plain sight.  Operational Risk Management professionals understand this and operate with a focus on the unintentional consequences of everyday behavior.

The enterprise that is solely focused on finding the one or two people in several decades of operations will overlook the dozens or hundreds who contribute to a loss of Intellectual Property or a breach. Believe us when we say that indeed the "Spy" and "Fraudster" will have a much harder time, operating each day in an organizational environment that is focused on the UIT.

Countering UIT may seem like something that is already being accomplished in the new hire orientation class or in the remedial information security training that is mandated each year.  Those who perceive it this way are, again, only human.  The behaviors that we bring to work each day about how we treat and handle information are not learned in a single session or a single annual workshop. Learning to behave consistently with sensitive or classified information on a daily basis requires a discipline that few really understand right now.  This is especially true in the Defense and Intelligence Community supply chain.

Your goal is to get that UIT awareness inside every one of your employees, partners and suppliers, and to instill in them the same diligence in their work processes to Deter, Detect, Defend and Document.  UIT is a major percentage of the answer to mitigating the risk of another Edward Snowden or Bernie Madoff incident in your organization.  More importantly, it is the answer to the other 98% of the losses you will incur this next calendar year.  Think about "Achieving a Defensible Standard of Care."

05 October 2014

1 WTC: Trust Decisions of Technology, Privacy and Rule of Law...

Technology, Privacy and the Rule of Law.  All three are attributes of a robust Operational Risk Management (ORM) system.  The Operational Risk professionals in the critical infrastructure sectors that intersect with personally identifiable information (PII) are experts in the trio of changing technology, new laws and legal decisions, all while preserving the rights of privacy.  Financial services and Healthcare are currently under a significant barrage of attack.

All of these attributes are just small components of a much larger and more complex system.  The pursuit by all parties, including consumers, technology innovators and those charged with our legal governance, is attaining a future state where the majority of humans will judge that system as trustworthy.

Trustworthiness begins with the basis by which you engage with a particular system.  Here is a fundamental example.  The trust that you put into the technology on your wrist or hold in your hand requires you to take a leap of faith at first.  Can you believe that the chronometer on a MTM Patriot watch, at 132 feet below the surface of the Pacific ocean while Scuba diving, is accurate at 18 minutes 36 seconds?  If you can't trust the accuracy of this system to count minutes and seconds, a life may be in jeopardy from decompression sickness (DCS).

An affirmative "Trust Decision" occurs when actions or rules are executed as a result of the system's design or planning.  A decision to ascend from 132 feet to 66 feet at 19 minutes into the dive is a "Trust Decision" leveraging the system programmed to keep accurate time and the diver's planning in advance.

You have come to trust many systems in your lifetime.  Simple computers on your wrist, or the complexity of the engineering associated with a BMW, Apple iPhone 6 or IBM Watson, require the human to experience enough favorable outcomes to begin to trust that particular system.  Those positive outcomes for safe and secure highway travel or the end-point IoT device will establish trust over time. Even one of the virtual machines (VMs) on the massive servers in over 100 Equinix Data Centers across the globe is the basis for your trust, as these particular invisible systems store and retrieve your most personal, sensitive intellectual property.

Think of a specific system that is trusted universally.  Think about all of the computers that support the system.  Each computer has been provided instructions coded in software or firmware.  For the most part, these rules have been programmed by humans.  In many cases, the software has automated a previous system that was manually operated by humans for decades or longer.  Now this new trusted system is more efficient and the work that it performs saves us time.  It generates economic growth. Eventually, the system becomes trusted by a majority of humans and no one questions the calculus anymore.  Our current banking system in the U.S. is one that is top of mind.

When you have a fusion of Technology, Privacy and the Rule of Law that requires trust, not just by humans but by systems-to-systems, then you must also have something else.  In order for the complete system and all of its attributes to be accepted, adopted, codified, tested, ruled-upon, pervasive and universally utilized, it must be trusted by the other "systems" themselves.  Here is another example.

When you look at the architecture of the new "One World Trade Center" (Freedom Tower), scheduled for completion this year in New York City, do you think about:
  • Structural redundancy
  • Enhanced fireproofing
  • Biological and chemical air filters
  • Extra-wide pressurized staircases
  • Interconnected redundant exits
  • Safety systems encased in three-foot concrete walls
  • A dedicated firefighter staircase
  • Special "areas of refuge" on each floor
You should think about it, and so does Skidmore, Owings & Merrill, LLP, the architect of the Freedom Tower.  If only we could utilize this metaphor for what we have learned about the architecture and construction of the new Freedom Tower.  Will you trust 1 WTC as a system?  Why?

The systems talking to other systems in order to design, build and occupy 1 WTC have been vast.  The technology incorporated to satisfy a complex set of business rules, building codes and privacy or security governance is extraordinary. "Trust Decisions" to accomplish affirmative outcomes have been executed for years by Skidmore, Owings & Merrill (SOM), not only in New York but on a global basis.

The trustworthiness of a system goes far beyond just the edifice.  The device.  The packaging.  The marketing.  The brand.  You will always have to look deeper for your "Trust Decisions".  You must discover how these trusted systems are being utilized to provide you the affirmative economic results you seek.  And without the positive outcome of the creation of newfound time or monetary assets, you will abandon the tool, the machine, the system, and simultaneously your trust.