25 April 2015

Trust Decisions: Beyond RSA and Our Digital Future...

Trust Decisions are being made every few seconds as we navigate our way across the Internet oceans. After attending the RSA Conference 2015 in San Francisco this past week, there are many unanswered questions for the end users and the industry.  CIO's, CPO's and CISO's across the globe must be in awe of what we have created, to try to secure and govern the data flowing through the Internet.

The Operational Risk Management (ORM) landscape at RSA included analytics and forensics, cloud, C-Suite view, data security & privacy, governance risk & compliance, law, mobile security, policy and government and many others.  Walking the North and South Expo Halls at Moscone Center, was an immersion into the complexity and the duplicity of the current state of the information security and privacy ecosystem.

The pursuit of "Digital Trust" is a quest that the human brain is incapable of precise understanding, without the use and aide of our modern computers.  The rulebases are too large and the speed of transactions are too fast, for the human brain to process all of the rules simultaneously.  We know why we designed these tools and machines, to augment our human information processing capabilities.

The trust decisions we make to click on a link or download a new app is based upon many factors.  The evolution of the Internet and the trust we have placed in the links across the World Wide Web are now more scrutinized.  The threat of clicking on the wrong link or downloading a malicious file can cost our enterprise hundreds of millions of dollars in losses.

The RSA Conference is more evidence of our continued digital governance failure.  It is also necessary to achieve future progress.  Is it the manifestation of our inability as humans to establish and maintain the trustworthiness of systems and of standards?  The dawn of a new era for making digital "Trust Decisions" is upon us.  How shall we proceed to enable the next generation of the Internet and why?  Over a decade ago, researchers at the USC Information Sciences Institute were on to something:
Traditional trust management solutions [2] do not adequately address dynamic aspects of trust. The pre-configured, coarse and static specification of trust in conventional systems is not consistent with human intuitions of trust [11], an individual’s opinion of another entity that can evolve based on available evidence. Thus, trust relationships evolve over time and require monitoring and reevaluation. The dynamic and temporal nature of VOs (Virtual Organizations) present additional trust management challenges: 
  • temporary, as opposed to long lived, relationships present a major obstacle for trust development, since short term relationships promote “take and run” behavior; 
  • parties may not have pre-existing knowledge about one another, or any prior interactions with one another.
In our massive systems-of-systems and the growing dynamic of virtual environments, "Trust Decisions" are being made at light speed.  The rulebases that are known and the identities and attributions associated with them are constantly changing.

In the next decade and beyond, bringing order to chaos is the ultimate challenge for our industry and our global persistence.  The necessity for nation states to trade and exchange funds in a digital world is paramount.  The barriers to human communication and pervasive language translation are enabled by our digital creativity.  The ability to detect threats and defend ourselves utilizing sophisticated sensors on land and in space, will continue to help preserve our existence.

There are Operational Risk Management (ORM) inventions and new solutions yet undiscovered, that will provide the model and the global standards for making more precise and effective digital trust decisions.  The future is bright...

19 April 2015

Venture Capital: UAS Operational Risk Management...

When technology innovation in the military and clandestine community finally makes it's way out to the commercial landscape, venture capital is there to invest.  Operational Risk Management (ORM) is at the center of the strategic capabilities necessary, to accomplish the frontiers of the new markets.  The "Unmanned Aircraft System" (UAS) is now poised to launch new businesses, to address new solutions for identified problems of situational awareness.  18 months ago, The Washington Post highlights the future of the unmanned aerial vehicle (UAV):
As drones evolve from military to civilian uses, venture capitalists move in
By Olga Kharif, Published: November 1, 2013
Commercial drones will soon populate U.S. airspace, and venture capitalists like Tim Draper are placing their bets. 
Draper, an early investor in Hotmail, Skype and Baidu, is now backing DroneDeploy, a start-up that is building software to direct unmanned aircraft on land mapping and the surveillance of agricultural fields. Draper says he even expects drones to one day bring him dinner. 
“Drones hold the promise of companies anticipating our every need and delivering without human involvement,” Draper, 55, wrote in an e-mail. “Everything from pizza delivery to personal shopping can be handled by drones.” 
Venture investors in the United States poured $40.9 million into drone-related start-ups in the first nine months of this year, more than double the amount for all of 2012, according to data provided to Bloomberg News by PricewaterhouseCoopers and the National Venture Capital Association. Drones are moving from the military, where they’ve been used to spy on and kill suspected terrorists, to a range of civilian activities. 
Congress has directed the Federal Aviation Administration to develop a plan to integrate drones into U.S. airspace by 2015 and to move faster on standards for drones weighing less than 55 pounds.
As new commercial businesses invent new ways to adapt the use of a UAS, to replace a pilot inside a cockpit, there are tremendous risks.  Simultaneously there are substantial undiscovered opportunities for business and a new generation of UAS pilots.  The commercial decisions that are made to allow the use of an UAS in a particular air space, for a specific type of task or service, will be questioned and made into political television ads.  As Senators, House Representatives, County Supervisors and City Mayors across the United States, welcome the use of new automated platforms, the debate will be fierce.  The decisions evermore difficult.

From a business perspective the Operational Risk Management (ORM) strategy is essentially the same whenever a new product is launched.  Yet this debate will start much more different than the one we had, as the Personal Computer was launched or the Cellular Telephone.  Privacy was an after thought then. Not any longer.

You see, UAS platforms will be information collectors just as PC's and Smartphones.  So what has changed?  The public has now been more educated on how information can be collected by the businesses who operate these new inventions.  The public better understands how their own personal information may be used for purposes to serve advertisements or optimize a particular information-based service, such as mapping and activity-based intelligence.  They understand how governments may use the information to protect the homeland.

The Venture Capitalist markets for the introduction of UAS technologies have a myriad of Operational Risks, beyond just the privacy debate.  The liability and insurance markets will also be spinning up to address the potential of loss events.  This in itself, will complicate the launch of new products and services to the general public.  So what.  Now turn to the innovations that could be making a difference for mankind.  The marketplace is evidently ready according to this April 14th, 2015 WSJ article:
Chinese consumer drone maker DJI is in talks to raise funding at a valuation as high as $10 billion, according to people familiar with the matter, in what would be a sizable bet by investors that flying robots will overcome looming regulation and safety concerns.
Think about the possibilities.  Think about the ways that a customized UAS could save lives.  Think about how the information collected, with specific sensors may provide new insight.  Think about business decisions beyond those the Venture Capitalists have seen and thought about so far.  The adoption of services, to reduce human intervention and increase efficiency will come first.  But go farther.  Reach beyond these, to unlock how a third dimension of information, perspective, speed and agility may improve our planet.

Think humanitarian.  Think disaster management.  Think ecological. Think about how gaining timely information and applying it to good use, it changes everything.

12 April 2015

Communications Styles: Leadership of Security Risk Professionals...

When you communicate with fellow Operational Risk Management (ORM) colleagues in your organization, what considerations do you take with regard to the other persons communications style?  During any vital crisis communications exchange under extreme levels of stress, whether it be a team of First Responders or JSOC, there is no time or reason to take this into consideration.  This is because, a team of this type has trained together for months if not years, in exercises that put them to the test of how to effectively communicate in multidimensional crisis scenarios.  They know how to effectively communicate what needs to happen and when, not how.  These crisis teams have practiced to the point where they know exactly what to do when a real incident occurs.

In the halls of corporations across the globe, the likelihood of a crisis occurring on a daily basis is high. The consequences and type of threat are unknown.  Whether it be a key disruption in the supply chain for a vital component for manufacturing your products or the data leakage of trade secrets to your competition, the crisis scenario involves multiple inside people.  When you engage in information exchange with your colleagues from HR, to IT and the office of the Chief Security Officer, the personalities and communications styles must be taken under consideration.  Why?

Security Risk professionals in the global enterprise who are part of the Crisis Management Team have been selected for specific reasons.  Maybe it is because of their title or position in the organization.  The Vice-President of Human Resources, Chief Risk Officer, VP of Information Technology, Chief Security Officer (CSO), General Counsel, Chief Privacy Officer and even Chief Executive Officer (CEO) are tasked with the ultimate safety and security of the assets of the institution.  They are called upon in times of crisis to be the face to the public and the heads of leadership during and throughout the time frame of the organizational incident.

In order for the leadership of security risk professionals to be more effective in the face of any incident, communications style is a significant factor.  Deep down below the facade of a persons title and the office they command is the DNA and the personality of the individual.  The way they process information and the way that the person expresses themselves in a crisis communications encounter, is a vital factor in overall crisis strategy.

How often have you seen the spokesperson from a Fortune 500 company in front of a congressional inquiry, press conference or jury trial answering questions about their organizations or their own behavior?  What kinds of evidence do we have, of the impact of communications and communications style during the heat of a crisis incident?  So we have to go back to the leadership during a crisis.

The leadership of the crisis team, is comprised of people with individual personalities.  In the middle of a crisis, those personal styles of communication will become dominant and take over.  Here are the four communications styles:
  • Analytical
  • Driver
  • Amiable
  • Expressive
In addition, the organizational pulse of your organization, will be made up of a blend of these individuals and their respective communications proclivities.  What would happen if the whole team was made up of "Drivers" or "Amiables"?  How would the performance of the team be affected by having such an overwhelming number of people who have the same style of communication?

The team will not always have a balanced set of communication styles.  The goal is to assign certain roles or accountability, to the person with the best communications style for the tasks assigned.  Is the CEO always the best person to have as the public spokesperson in the middle of a crisis?  It depends on the type of communications style the CEO possesses and also the amount of media training and experience the individual has already accomplished.  BP five years ago this month is a prime example of this:
ON the night of April 20, 2010 — the early morning hours of April 21 in London — the Macondo well erupted below the Deepwater Horizon in the Gulf of Mexico, ripping through the rig, killing 11 people and creating one of the worst environmental catastrophes in United States history. Tony Hayward was having breakfast in a London hotel when he got the news.
By now the events that followed are well known: the desperate efforts to cap the gushing well; the harrowing collapse in BP’s share price; the government inquiries; the multi-billion-dollar cleanup. On July 27, BP said that Mr. Hayward was out. He was replaced by Robert Dudley, the first American chief executive in BP’s history.
What was Tony Hayward's communications style?  What is Robert W. Dudley's?  While the crisis team at BP was in full security risk mode soon after the blow out, it may have been the "Organizational Pulse" that was in need of a change with new leadership.

The "Leadership of Security Risk Professionals" is as much about detecting and understanding your teams communications styles and diversity, as much as practicing together under extreme duress.  Only then will your team know who is the best person to handle some facet of the crisis incident and only then, will the organizational pulse be headed on the right trajectory.

04 April 2015

Intel Analysis: Executive Risk Fusion Center...

How often do you try and prove that a risk hypothesis is true? Is it possible that each piece of evidence that you collect or information you process is utilized to try and prove that your hypothesis is correct.

Analysis of executive Operational Risk Intelligence in your corporation is typically being processed within the organizational silos of your enterprise business units. How it is being shared, how often and then how it is being analyzed, compared and used to confirm or refute multiple hypotheses, can make the difference in your corporate business survival.

The ACH methodology developed by Richards J. Heuer, Jr., is a vital component of Operational Risk Management (ORM).  It can be utilized with your internal Executive "Risk Fusion" Center where the Board of Directors, Senior Management and corporate risk directors determine the correct strategic course for the future:
Analysis of Competing Hypotheses (ACH) is a simple model for how to think about a complex problem. It is an analytic process that identifies a complete set of alternative hypotheses, systematically evaluates data that is consistent and inconsistent with each hypothesis, and rejects hypotheses that contain too much inconsistent data. ACH takes you through a process for making well-reasoned, analytical judgments. It is particularly useful for issues that require a careful weighing of alternative explanations of what has happened or is happening. ACH can also be used to provide early warning or help you evaluate alternative scenarios of what might happen in the future. ACH helps you overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult; it helps clarify why analysts are talking past one another and do not understand each other’s interpretation of the data. ACH is grounded in basic insights from cognitive psychology, decision analysis, and the scientific method.
What is the likelihood that the General Manager, Global Security of your enterprise is looking at surveillance information on a rogue employee today to assess workplace threat and to help keep the company safe? Simultaneously, the Chief Information Security Officer (CISO) is analyzing the latest log data from various intrusion systems to determine if the "Advanced Persistent Threat" (APT) has changed it's cyber tactics to steal the latest software R & D architecture from the office suite business unit. The Chief Financial Officer (CFO) and Head of Internal Audit are analyzing the latest revenue reports with the Vice-President of Sales & Marketing to determine why the Asia Pacific team have been losing 8 out of 10 business deals in the forecast pipeline.

The likelihood is high. Each is formulating a hypothesis independently of each other and in most cases they will never know that there is a risk related nexus to the entire enterprise. The reason is that your Executive "Risk Fusion" Center does not exist or is unable to analyze competing questions that are being asked about potential areas of concern. So when do you use this approach and the ACH methodology?
Use ACH when the judgment or decision is so important that you can't afford to be wrong. Use it to record and organize relevant evidence prior to making an analytical judgment or decision. Use it to identify and then question assumptions that may be driving your thinking, perhaps without realizing it. Use it when the evidence you are working with may be influenced by denial and deception. Use it when gut feelings are not good enough, and you need a more systematic approach that raises questions you had not thought of. Use it to prevent being surprised by an unforeseen outcome. Use it when an issue is particularly controversial and you want to highlight the precise sources of disagreement. Use it to maintain a record of how and why you reached your conclusion.
The human mind needs modern software analytics, proven cognitive tools and vetted processes of thinking to arrive at the answer. While the answer may not be what you seek, it is the answer to the question, without a doubt. Live with it or discard it. This does not matter. What does matter is that the Executive "Risk Fusion" Center brought together the best of all these operational risk components and whether the human chooses to accept it or ignore it could be our corporate prosperity or peril. What do you think?