27 June 2015

CRO: The Modern Day CISO...

In light of the new clairvoyance in many Board Rooms authorizing management to hire a dedicated CISO, Operational Risk Management (ORM) professionals have to smile.  Some are even laughing out loud.  Why?

The Boards of Directors of organizations around the globe are finally waking up to the digital battlefield that has been fought in the information technology trenches since the late 1990s.  Only a very few saw the threat horizon for "Botnet"-enabled cyber malware and the sophisticated, complex information operations run by nation states.  Organizations that have had a Chief Information Security Officer (CISO) participating in Senior Management for more than a decade are rare.

So what are the attributes of the ideal CISO?  If the Board of Directors is going to find the best person for the role in their organization, they must have a baseline of requirements for the search.  What do they need to know and what do they need to understand about Information Security?  What is the ratio of skills and knowledge that is balanced between technical, business and operational domains? How do you judge the potential CISO's ability to grasp the vast interdependencies in the enterprise with other business processes?

The modern day CISO has certainly evolved since the early 2000s.  The first generation CISOs were hired long before the evolution of the latest NIST Framework, Personally Identifiable Information (PII) definitions and the data breach notification requirements mandated by state and federal agencies.  Now the modern day CISO has all of this as a baseline, yet so much more.  The CISO today needs to really understand Operational Risk Management (ORM), more than ever.

You see, the Board of Directors really needs to understand that the CISO domain within the enterprise does not manage or mitigate risk to information assets alone.  Here are just a few of the categories the modern day CISO must have mastered:
  1. Security policy - management direction
  2. Organization of information security - governance of information security
  3. Asset management - inventory and classification of information assets
  4. Human resources security - security aspects for employees joining, moving and leaving an organization
  5. Physical and environmental security - protection of the computer facilities
  6. Communications and operations management - management of technical security controls in systems and networks
  7. Access control - restriction of access rights to networks, systems, applications, functions and data
  8. Information systems acquisition, development and maintenance - building security into applications
  9. Information security incident management - anticipating and responding appropriately to information security breaches
  10. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
  11. Compliance - ensuring conformance with information security policies, standards, laws and regulations

Operational Risk Management (ORM) touches each of these 11 categories and more.  A CISO who understands the interdependencies of these categories, and how they intersect with the other senior managers in the enterprise, is a key asset.  How do you Plan-Do-Check-Act (P-D-C-A) with the VP of Human Resources?  How do you design an "Acceptable Use Policy" and adapt consumer privacy policies with your General Counsel and the legal staff?  How do you coordinate with the Chief Financial Officer (CFO) or the Chief Security Officer (CSO), who is likely to have been on staff far longer than most of the others?

The modern day CISO, equipped with a substantial understanding of Operational Risk Management (ORM), will be able to interface easily with the other senior managers.  They will be able to do this because they have a substantial grasp of enterprise business operations.  They know how to run a business and they know how business is run.  They know how to mitigate the risk of loss events within and to the business.  The CISO of the modern day enterprise has the ability to discuss with confidence the risks associated with every other domain within the enterprise architecture.  Why?

It is because the title of the position includes the word "Information."  Yet maybe the title should not include the word "Security," as this could diminish the role of risk management: risk mitigation and risk avoidance.  In reality, the CISO should now become the "Chief Risk Officer" (CRO).

Information is a given.  It is the lifeblood of the organization.  Each front line manager or director knows they are responsible for the security of their proprietary or sensitive information.  Yet do they understand the "Why" of a holistic approach to mitigating systemic risks within the entire enterprise? Do they truly understand the necessity for a robust counterintelligence program within their global organization?  Do they even realize that their trade secrets and vital research and development formulas are being sold to the highest bidders, in an electronic marketplace designed for transnational organized crime (TOC)?  Do they know how this ecosystem works and why their organization may be the target?

What about the risks to organizational personnel who travel to places on the globe where OSAC has issued travel warnings or security messages to U.S. citizens?  Does the CISO understand the scope of international business operations and the interdependent third-party supply chain?

The CISO shall now become the CRO.  The CRO shall be the master of Operational Risk Management (ORM).  Information Security is a given for the future state.  The Board of Directors shall be asking the Executive Recruiters to change the overall requirements for their next addition to senior management, if they haven't already.

21 June 2015

IP Theft: The Erosion of Homeland Security...

"Above all, watch with glittering eyes the whole world around you, because the greatest secrets are always hidden in the most unlikely places. Those who don’t believe in magic will never find it." —Roald Dahl
What is the latest headline to get your attention these past few weeks?  As an Operational Risk Management (ORM) professional you have to be amazed and in shock at several of the global loss incidents.  Was it from the Financial, Technology, Energy or Government sector, or just a tragic crime or terrorist event with significant loss of life somewhere?

The people, processes, systems and external events that make up your particular Operational Risk ecosystem are dynamic.  The threats are evolving both in the physical world and even more so in our data hungry processor driven virtual workplace.  You probably can't remember the last time your organization required you to operate the whole day without the use of computer systems; to operate the business in a manual mode over a Saturday in an orchestrated and scenario-driven Business Continuity exercise.

If you can't remember, then as a corporate leader or head of a Board of Directors audit committee you are in denial.  The attitude that your organization will never have a data breach or become the victim of a natural disaster such as an earthquake, flood or hurricane is naive.  What about the rogue "Insider" who has perpetrated an act of industrial espionage or a long term fraud scheme?  The continued theft of Intellectual Property from the United States has been well documented since 2013:

Key Findings
The Impact of International IP Theft on the American Economy: Hundreds of billions of dollars per year.

The annual losses are likely to be comparable to the current annual level of U.S. exports to Asia—over $300 billion. The exact figure is unknowable, but private and governmental studies tend to understate the impacts due to inadequacies in data or scope. The members of the Commission agree with the assessment by the Commander of the United States Cyber Command and Director of the National Security Agency, General Keith Alexander, that the ongoing theft of IP is “the greatest transfer of wealth in history.”
When you really sit down and think about the risk to the Homeland Security of the United States today, this has to be at the top of the list.  The reason is that the "IP Theft" threat is not like ICBMs coming over the horizon suddenly.  This metastasized problem set is eating away at the economic security and the national security of the U.S. simultaneously.

"While IP theft is not new to the planet, today’s scale of economic impacts—with national security ramifications, international dimensions, significant foreign-state involvement, and inadequacy of legal and policy remedies and deterrents—makes for an unprecedented set of circumstances."
CHAPTER 1: THE NATURE OF THE PROBLEM, The Commission on the Theft of American Intellectual Property

What are the solutions?  The answer is plural because there is no single way to address the magnitude and the severity of the threat.  The security of the U.S. Homeland begins with intelligence.  The degree to which the intelligence gathered, analyzed and shared can be kept free of bias is a start.

Homeland Security Intelligence (HSI) is quickly evolving beyond the groupthink of a catastrophic physical terrorist event.  The focus now is on counterintelligence as much as on counterterrorism, and on all of the interdependent connections to the rest of the world.  As your organization begins its next strategic planning cycle, or engages in the thought of a continuity of operations exercise, you should think wider and deeper.  The survival of your business and organization depends upon your internal counterintelligence mechanism.

As one example, take a minute to better understand the diversity of languages being spoken within your organization.  Who are the people within the enterprise who are fluent enough to speak and translate English into some other language?  How does your enterprise engage with other countries in international business?  The degree to which multiple languages are being translated, or used for business transactions and daily operations, is both a risk and an opportunity.

The secrets inside your organization are knowable.  The ability to hedge the Operational Risks to Intellectual Property within your enterprise is greater than you may realize.  The interdependency with U.S. Homeland Security is evident.

13 June 2015

4D: A Risk Strategy for Business Survival...

Executive Summary

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits. Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result. They do this to obtain their objective.

Here are four key lessons to create a "4D" risk strategy in your enterprise.

Lesson 1 – Deter

The Mission

Deter the attacker from launching a salvo of new threats to compromise your organization's assets. You first have to understand the value of your corporate assets to determine which are the most valuable in the eyes of your adversary. You must make it increasingly more difficult for these valuable assets to be attacked, or you will find yourself under the constant eye of those who wish to create a significant business disruption.

These attackers are individuals who take on these quests or objectives for several key reasons. They include financial gain, political gain, damage or the simple challenge, status or thrill. It’s your job to create deterrence for each one of these objectives.

The Take Away

In order to effectively deter potential risks to your corporate assets, first you have to understand what they are and how valuable they are in the eyes of each kind of attacker. The more valuable the target, the more deterrence it requires.

Lesson 2 – Detect

The Mission

Detect the use of tools by the attackers. These tools are what they use to assess the vulnerabilities within and throughout the organization. They include surveillance, physical attack, information exchange, user commands, scripts or programs, autonomous agents, toolkits, distributed tools and data taps. Some are high tech; most are the craft of social engineers.

The attackers are using a combination of these tools and tactics to exploit corporate vulnerabilities in:
  • Design
  • Implementation
  • Configuration

The Take Away

Just about any significant business disruption can be traced back to the fact that the attacker was able to effectively exploit the organization's defenses using a systematic method and the correct tools. Detection of threats begins by detecting the use of tools: whether it’s the surveillance of an individual or of a facility; whether it’s the design of the building or the software code for the E-Commerce system; whether it’s the implementation of security cameras or the firewall; whether it’s the configuration of the controls for access to the vault or to the ERP system. You have to continuously detect the use of the attackers' tools and their methods to exploit your vulnerabilities.

Lesson 3 – Defend

The Mission

Defend the target from any actions by the attackers' tools. Targets may include a person, facility, account, process, data, component, computer, Intranet network or the Internet. Actions against the target are intended to produce the unauthorized result. Some action categories are labeled:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete

The Take Away

In order to understand how to defend your corporate assets, you have to attack them yourself using a continuous combination of tools and tests. Only then will you find out where your single point of failure lies, and where the attacker is going to successfully exploit a vulnerability you didn’t know existed.

Lesson 4 – Document

The Mission

Document the normal so you know when and where there is an unauthorized result. In order for the attacker to obtain their objective, the target must produce this unauthorized result. These might include:
  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources

In order to understand that an attack is actually occurring, normal results have to be documented and a historical trend has to be established. What is normal? How do you know what normal looks and feels like? You document, store, record and analyze what normal is. If you have done this for long enough and across the potential targets the attacker is trying to exploit, then you will know the second an unauthorized result takes place.

The Take Away

Documenting the behavior of people, processes, systems and external events is a vital component of a complete strategy for risk mitigation. Understanding what normal "is" begins with effective documentation and analysis. Many organizations begin to document long after it is too late, or only as a result of a significant business disruption. Documentation remains a challenge for many, and a task that attackers know is likely to be left undone or behind schedule.
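Lesson 2 (detect the use of the attacker's tools, such as probes and scans) and Lesson 4 (document the normal before you can recognize the abnormal) fit together in code. The following is an added example, not part of the original post: it documents a baseline from a training window of constructed firewall-style log lines, recording how many distinct destination ports each source host touches per hour, and then flags an observed hour that exceeds the documented normal, or a source for which no "normal" was ever documented. The log format, hosts, ports and the three-sigma threshold are all assumptions made for the example.

```python
"""Baseline-and-deviation detector over constructed log lines (added example)."""
import re
import statistics
from collections import defaultdict

# Assumed line format (not from the post): "<ISO timestamp> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed training window: three hours of ordinary traffic from two hosts.
BASELINE_LOGS = """\
2015-06-01T09:00:01 src=10.0.0.5 dst=10.0.1.20 dport=443
2015-06-01T09:02:10 src=10.0.0.5 dst=10.0.1.21 dport=80
2015-06-01T09:05:00 src=10.0.0.7 dst=10.0.1.30 dport=22
2015-06-01T10:00:07 src=10.0.0.5 dst=10.0.1.20 dport=443
2015-06-01T10:03:12 src=10.0.0.7 dst=10.0.1.30 dport=22
2015-06-01T10:20:45 src=10.0.0.7 dst=10.0.1.31 dport=3306
2015-06-01T11:01:30 src=10.0.0.5 dst=10.0.1.20 dport=443
2015-06-01T11:02:00 src=10.0.0.5 dst=10.0.1.21 dport=80
2015-06-01T11:10:09 src=10.0.0.7 dst=10.0.1.30 dport=22
"""

# Constructed observed hour: 10.0.0.5 behaves as usual, 10.0.0.7 sweeps many ports,
# 10.0.0.9 was never seen before, and one line is malformed.
OBSERVED_LOGS = """\
2015-06-01T12:00:02 src=10.0.0.5 dst=10.0.1.20 dport=443
2015-06-01T12:00:40 src=10.0.0.5 dst=10.0.1.21 dport=80
2015-06-01T12:01:00 src=10.0.0.7 dst=10.0.1.30 dport=22
2015-06-01T12:01:01 src=10.0.0.7 dst=10.0.1.30 dport=23
2015-06-01T12:01:02 src=10.0.0.7 dst=10.0.1.30 dport=80
2015-06-01T12:01:03 src=10.0.0.7 dst=10.0.1.30 dport=443
2015-06-01T12:01:04 src=10.0.0.7 dst=10.0.1.30 dport=445
2015-06-01T12:01:05 src=10.0.0.7 dst=10.0.1.30 dport=3389
2015-06-01T12:05:00 this line is not in the expected format
2015-06-01T12:07:30 src=10.0.0.9 dst=10.0.1.20 dport=443
"""


def parse(lines):
    """Yield (hour, src, dport) for each well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("hour"), m.group("src"), int(m.group("dport"))


def distinct_ports_per_hour(lines):
    """Per source host, the list of distinct-destination-port counts, one entry per hour."""
    buckets = defaultdict(set)  # (hour, src) -> set of ports touched
    for hour, src, dport in parse(lines):
        buckets[(hour, src)].add(dport)
    per_src = defaultdict(list)
    for (hour, src), ports in buckets.items():
        per_src[src].append(len(ports))
    return per_src


def build_baseline(lines, min_hours=2):
    """Document 'normal': mean and population stdev of the hourly count for each host
    with at least min_hours of history. Hosts with less history get no baseline."""
    baseline = {}
    for src, counts in distinct_ports_per_hour(lines).items():
        if len(counts) >= min_hours:
            baseline[src] = (statistics.mean(counts), statistics.pstdev(counts))
    return baseline


def find_deviations(baseline, lines, sigmas=3.0, floor=1.0):
    """Return (src, observed_count, reason) for hosts outside their documented normal.
    The stdev floor stops a very quiet history from producing a hair-trigger threshold;
    a host with no baseline is reported rather than silently ignored."""
    alerts = []
    for src, counts in distinct_ports_per_hour(lines).items():
        observed = max(counts)
        if src not in baseline:
            alerts.append((src, observed, "no documented baseline for this source"))
            continue
        mean, stdev = baseline[src]
        threshold = mean + sigmas * max(stdev, floor)
        if observed > threshold:
            alerts.append((src, observed, f"exceeds baseline mean {mean:.2f}, stdev {stdev:.2f}"))
    return alerts


if __name__ == "__main__":
    normal = build_baseline(BASELINE_LOGS.splitlines())
    for src, observed, reason in find_deviations(normal, OBSERVED_LOGS.splitlines()):
        print(f"ALERT {src}: {observed} distinct ports in one hour ({reason})")
```

Run as written, the script alerts on 10.0.0.7 (six distinct ports against a documented normal of roughly one to two per hour) and on 10.0.0.9 (no history at all), while 10.0.0.5 stays quiet because its observed hour matches its baseline. The point is the one the lesson makes: the scan is only visible because normal was recorded first.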

Conclusion

A "4D" Risk Strategy for Business Survival is only effective if it is operating on a continuous basis. You must create the culture and the due diligence to see that it becomes part of the fabric of the organization internally and with outsourced partners or suppliers. Only then will the attacker realize that this combination to deter, detect, defend and document is alive and growing in your enterprise. This is when attackers become discouraged, afraid, uncertain and ultimately ready for a new and less formidable adversary.

"Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result, to obtain their objective. These "4D" lessons should put you on the way to creating a more survivable business."

07 June 2015

Startup Risk: Design of ORM Architecture...

How wonderful it would be to be able to redesign our current work culture and the systems that support it.  Only those new startup companies with the two co-founders sitting around the kitchen table have that real luxury.  When should the Operational Risk Management (ORM) framework for this new business entity be developed and staged for implementation?

All too often, when a startup company forms its basis for existence, the focus is 100% on the product solutions and the "Go-to-Market" plan.  It isn't until the firm is leasing its first office space that all of a sudden it becomes a reality.  The Operational Risk Management (ORM) components of the company design have been given back burner status.  The viability and the longevity of the business model could be in jeopardy.

Six months later, you might have two dozen employees moving into the new open plan office suite. Do the co-founders and senior management realize the business problem before them?  The culture of the organization is well underway and also what the norms are and what the rules will be. The employees and contingent contractors are operating almost 24 x 7 at this stage to launch new products and establish market presence campaigns.  How could there be any real serious operational risks to consider at this point?

The implementation of the rule base and the company policies is now a necessary stage of the startup. This is also when the co-founders realize that maybe it is time to start handing over the day-to-day management of the company.  It could even be the time to add the professional CEO and other key executives, including the Chief Technology Officer, Chief Financial Officer, General Counsel, Chief Information Officer, Chief Human Capital Officer and the Chief Risk Officer.

The organizational enterprise architecture is now operating in full swing.  These stewards of the new company have a vital and delicate opportunity now.  Will the company build a system-of-systems that is trustworthy?

Will the people interacting within the rule-based environment of the NewCo begin to feel burdened, restricted and even under the magnifying glass?  Or will the new enterprise architecture be so adaptive, so resilient and so capable of predictive behaviors that employees feel free?  They feel innovative and capable of operating just as in the early days of the birth of the company.

The Mission

The mission as a co-founder of a new startup is to ensure the survival of the organization.  We all know the failure rate for new companies.  Just ask Dun & Bradstreet for the statistics or even your local Venture Capitalist who is celebrating failures these days.  So beyond just the survival of the NewCo, is the imperative to establish a cultural and operating environment where people feel encouraged, creative and unencumbered to fulfill their job requirements and goals.

The Take Away

Operational Risks are inherent in any new business endeavor.  The earlier the ORM design begins in the company evolution, the more resilient you will ultimately become.  The framework of the system-of-systems, the look and feel of the cultural environment and the end state visions are all at stake.  Take the time and include the expertise to work on the systems foundation of your new enterprise.

Ensure the survivability of the new products and solutions that are so valuable to our economy and our nation.  Embrace Operational Risk Management early in your startup and allow its presence while it preserves all that you have worked for and dreamed of...