25 October 2015

4GW: An Act of Valor in the Private Sector...

Fourth Generation Warfare (4GW) is a stark reality in 2015 and beyond. Are American business interests as prepared as they could be for the growing Operational Risks of the 21st century?  How many employees do you now have working outside the Homeland?

4GW involves the following key elements:
  • Complex and long-term conflicts
  • Terrorism (as a tactic)
  • A non-national or transnational base, highly decentralized
  • A direct attack on the enemy's culture
  • Highly sophisticated psychological warfare, especially through media manipulation and lawfare
  • All available pressures are used: political, economic, social and military
  • Occurs in low intensity conflict, involving actors from all networks
  • Non-combatants are tactical dilemmas
  • Lack of hierarchy
  • Small in size, with a spread-out network of communication and financial support
  • Use of insurgency and guerrilla tactics
There are a number of methods that a private sector company can utilize to exercise its own "Business Continuity Plan" in concert with the public sector here in the United States.  Operational Risk Management (ORM) associated with people, process, systems and other potential external events can be shared with local first responders, to establish awareness or alert protocols for your particular organization's incidents. As a private sector business, you should be asking yourself how often your internal incident commanders visit your local fire station or police precinct to share mutually relevant information. Do you invite these vital community preparedness and response professionals to engage in your own company's "Continuity of Operations" and crisis planning and exercises, even if it is just a table-top review?

Through public-private collaboration, government and the private sector can:
  • Enhance situational awareness 
  • Improve decision-making 
  • Access more resources and capabilities 
  • Expand reach and access for disaster preparedness and relief communications 
  • Improve coordination 
  • Increase the effectiveness of emergency management efforts 
  • Maintain strong relationships, built on mutual understanding 
  • Create more resilient communities and increase jurisdictional capacity to prevent, protect against, respond to, and recover from major incidents 
Around the country there are certain metro areas that hold annual readiness and preparedness exercises because of where they are located. In some cases federal laws mandate these exercises, as with seaports. Norfolk, VA; Houston, TX; and even Port Hueneme, CA, the only deep-water port between Los Angeles and San Francisco, have annual tests of their readiness and resources. Each of these seaports is a significant asset to our continuing economic well-being. They are surrounded by the private sector businesses that supply them with fuel, electric utilities and other critical infrastructure components that play a vital role in these regions.

Beyond the ability of these private sector organizations to engage with local first responders to exercise their continuity planning is the ability to test new technologies and methods, and even to research possible ways to improve overall resilience against a spectrum of newfound asymmetric threats. These tests determine our ability to adapt or to utilize new tools in our current 4GW environment. We must remain adaptive during irregular operations by small insurgent groups, such as those that have occurred in Mexico and in Mumbai, India, or the growing real possibility of devastating cyber attacks on our energy and telecommunication sectors.

Why are we encountering these threats on a higher frequency around the globe? You only have to look as far as the foreign published press to find the answer to this question. Or if you haven't got the time to read and translate to your native language what is being said, then make sure you see the movie "Act of Valor" to better understand what lies before us. What follows is from a foreign press article:
"The inability of the majority of the world's countries in the current circumstances to fight globalization's most powerful military machine (primarily the United States) on equal terms has led in recent years to an increase in the number of terrorist acts, armed conflicts, and local wars. Their coalescence into a single antagonistic system is giving rise to a phenomenon designated asymmetric operations by military-political theoreticians (asymmetrical conflicts and even asymmetric wars)."
As a result, we must adapt. The Naval Postgraduate School (NPS) has several educational, training and research centers that are dedicated to the readiness of the military and to the public-private partnership mechanism in the United States. The one center that stands out in helping us become more adaptive in small conflicts and irregular activities is "The Center for Asymmetric Warfare (NPSCAW)."
The Center for Asymmetric Warfare, or CAW, was established in 1999 as a part of the Naval Air Systems Command to support U.S. military forces, as well as local, state, and federal organizations, in identifying, countering, and controlling the effects of asymmetric warfare in the nation’s Global War on Terrorism. CAW’s initial focus was the development and conduct of multi-agency, multi-jurisdictional homeland security and homeland defense exercise and training programs, in addition to test and evaluation programs for developmental first response technologies. 
Since its inception, CAW has matured into a recognized leader in its field, by providing comprehensive education, training, and exercise programs; technology integration, test, and evaluation programs; and capability assessment and improvement programs to partners across a wide spectrum of jurisdictions. These programs include participation by Department of Defense; local, state, and federal government agencies; private sector and non-governmental organizations; academia; and international government agencies. 
In 2008, CAW was realigned as a satellite division of the Naval Postgraduate School’s National Security Institute, headquartered at Naval Base Ventura County, in Point Mugu, California. Harnessing the capabilities of the four institutes and four schools that comprise NPS, CAW can capitalize on the expertise and experience of a continuously expanding number of alumni, faculty, and students.
The U.S. private sector's proximity to high-value targets is often overlooked. Where on the West Coast of the U.S. is the largest concentration of undersea telecom cables coming ashore? You might guess San Francisco or Seattle. Think again. This map will give you an idea of which areas of the coastline could be more important to protect, and to continuously prepare for a future attack on these assets. The answer is San Luis Obispo.

As an Operational Risk professional in your private sector organization, make it a priority to get engaged with your local community. Visit your local first responders soon. Reach out to the Regional Fusion Center and other entities designed to facilitate a smooth information sharing process.

This engagement should occur between government and the operators of the most valuable assets owned and run by our private sector constituents. It all comes down to two words. Continuous Vigilance.

18 October 2015

Cyber Allies: A Whole Community Strategy...

The "New Normal" for American business is now apparent.   Operational Risk Management (ORM) is at the center of Board of Directors meetings, due to new laws and the latest attribution reports on nation-state cyber hacking.  Disclosure to corporate shareholders of significant data breach or intellectual property theft incidents requires a more laser-focused industry strategy.  A private sector "Whole Community" approach means not only sharing vital intelligence on threat actors and new malware variants, but also developing trusted allies in industry itself.
As a concept, Cyber "Whole Community" is a means by which business, emergency management practitioners, organizational and community leaders, and government officials can collectively understand and assess the needs of their respective communities and determine the best ways to organize and strengthen their assets, capacities, and interests. By doing so, a more effective path to societal security and resilience is built. In a sense, Whole Community is a philosophical approach on how to think about conducting cyber emergency management. 
For the past decade or more the private sector has toiled at the task of creating public-private partnerships in the Banking, Energy, Telecom, Retail, Defense and numerous other Critical Infrastructure sectors.  These organizations have focused on the challenge of sharing information that is relevant to the industry group at such a high level that the real value of the intelligence on threats or malware is often just a look in the rear-view mirror.  By the time it gets into a report, onto the organizational portal or is pushed via listserv to the member constituents, it is stale or no longer relevant.

What if your corporate headquarters were located in an office park in AnyTown, USA along with several dozen other large, medium and small businesses?  What if those businesses were all tied to the same critical infrastructure for the business park, such as electrical power, water, and telecommunications?  In most cases, the energy provider and water supplier will be the same for all businesses in the office park.  Unlike these utilities, the telecommunications providers may be much more diverse.  Each business could have three or more providers of high-capacity voice, data and wireless services to choose from.

What if these businesses now adopted a Cyber "Whole Community" mind-set?  They would begin the process of cooperation, coordination and collaboration.  They would embark on a bold new strategy to:
  • Understand community complexity.
  • Recognize community capabilities and needs.
  • Foster relationships with community leaders.
  • Build and maintain partnerships.
  • Empower local action.
  • Leverage and strengthen social infrastructure, networks, and assets.

You see, national industry-based organizations are not enough to build the long term resilience your headquarters requires, and your shareholders demand.  The Chief Risk Officer, Chief Financial Officer and Chief Information Officer need to begin to reach out to your business neighbors now. The initiative will be well received by the CEO as they report at the next Board of Directors meeting.

The process for developing a more robust Operational Risk Program and sustainable services for your business enterprise could be just a stone's throw from your corporate front door.  Here is the bottom line.  You need to develop trusted allies in your own neighborhood and community:

Benefits include: 
  • Shared understanding of community needs and capabilities.
  • Greater empowerment and integration of resources from across the community.
  • Stronger social infrastructure.
  • Establishment of relationships that facilitate more effective prevention, protection, mitigation, response, and recovery activities.
  • Increased individual and collective preparedness.
  • Greater resiliency at both the community and national levels.
Just think of the kinds of information or assets you might share with a "Trusted Ally" who is next door to your business or down the street.  What new strategies could you develop together to make yourselves even more impervious to the latest incidents caused by "Anonymous" or "Flame" and even China?
WASHINGTON – For three straight years, a group of Chinese hackers waged a cyber war against a family-owned, eight-person software firm in California, according to court records. Hackers broke into the company's system, shut down its email and web servers, spied on employees using their own webcams and gained access to sensitive company files, according to court records.
Whether you are a small-to-medium-enterprise (SME) or a Fortune Global 1000 company you can develop new trusted allies in your Cyber "Whole Community".  What are you waiting for?

11 October 2015

Culture Risk: Charting a Course for Achieving the Mission...

"It's more fun to be a pirate than to join the Navy" - Steve Jobs

Think about the culture your organization has created, from inception to present day.  What is it about the current state that draws the kind of new people who want to get on board?  Do you have people lining up behind the recruiting table to join the Navy, or to be a Pirate?

Competition for new talent and fresh perspectives requires the continuous pursuit of new people to join the firm, company or government agency.  It is already a matter of record how many applications Apple or Google receive for every job opening.  Yet other companies are struggling to find anyone to fill the ranks of the new project teams they seek.

As these new recruits come through the doors of the organization, are they ready to work within the rules of the pirate ship or learn a more proven, consistent environment of certainty and longevity? Certainly you can sense what kind of ship you are on right now.  Will your company be around in 2 years or 5 years?  How will you sustain the mission and vision you set out to accomplish?

As you embark on your next voyage with an organization, you can bet that what you see early on is what you will get for months and years to come.  What is it about the cultural environment and the way people behave within the enterprise that is so appealing to you?  Is it the product, the service or the purpose that gets you out of bed each day to do the job and accomplish your tasks for the greater benefit of the team?

Enthusiasm is contagious, and people who are "Waving the Flag" for their group, team or organization have a tendency to get others' attention, and it becomes viral.  Others start to wonder why there is so much energy and why so many people are trying to join up and participate.  The "Crowd Effect" is a known marketing strategy that has worked in advertising for decades.

And then there is another strategy that might be counter intuitive and for good reason.  The opposite might be found in slogans such as "Only a Few Good Men" or an "elite community of professionals". Many may want to join, but only the best and the most resilient will achieve the goal of becoming part of the team.

What is it that is the same about these two kinds of organizations?  Analyze the elements that make them similar and how they are able to persist over time, and you will begin to see what really matters in the effectiveness of organizational design and cultural development.  You will begin to understand the essential factors to enhance in order to achieve a long-lasting and perpetual enterprise. Here are a few words that would describe and define both environments:

  • Trust
  • Innovation
  • Adaptive
  • Continuous Learning
  • Empathy
  • Belief

The factors you search for with your next organization, company or project team might have some or all of these attributes.  It is up to you to determine what is in your best interest long term, whether to be a pirate or join the Navy.  Once you have made the decision, it will forever define you and shape the way you think, act and behave for much of the rest of your life.

As an Operational Risk Management (ORM) professional, first it is your job to figure out what kind of ship you are on.  Second, it is your job to make sure that the Captain achieves their destination, today, tomorrow or next week.  Finally, you must decide if the ship you are on and the Captain both, will help you fulfill your life long goals and aspirations.

Now, think about your current cultural environment.  What is your organizational course?  Who is commanding the ship?  Are you ready for the next mission with your team?  Why?

Now you are well on your way to having a more clear picture of your destiny and contributing to achieving success of your next mission...

04 October 2015

OPS Risk: Everyday is a Training Day...

When the front lines of privacy and security converge on the digital front, the decisions to trust become more vital.  The questions about what tools and what methods are appropriate to address the 21st century domains for advertising, media and entertainment, news, weather, and thousands of other human interests become more complex.

Operational Risk Management (ORM) is evolving as the dynamic mobile digital environments adapt and continuously change the rules of the game.  Now that Edward Snowden has finally set up his Twitter account, the world can engage with him on a more direct basis: on the metro, sitting in an industry conference watching him via Skype, or in your own back yard.

Here's his first tweet -- an apparent Verizon Wireless joke and subtle dig at the spy agency:

Can you hear me now?

— Edward Snowden (@Snowden) September 29, 2015

The world is becoming a more dangerous place, as millions of new IP devices become more connected and human behavior is influenced ever more rapidly.  That favorite App that you encounter tomorrow, may be feeding you interesting content that you believe is being customized according to your requests.  More likely, it has also been modified to fit your history of clicks, location, comments and other online behavior.  Everyday becomes a "Training Day"...

You see, the ICT-based machines are storing and learning your behavior each second and each minute you are connected to the Internet.  The massive analytics engines are consuming Yottabytes across multiple hard drives and data centers, preparing for and adapting to your particular behavior.  The unique "Trust Decisions" that are being made according to rules coded by humans are now being executed in nanoseconds.

Where is the future of Operational Risk destined to arrive in the years ahead, just Over-the-Horizon (OTH)?  Think about how we forecast the weather risks of planet Earth.  Soon we will be utilizing the same kind of forecasting for the ecosystem of digital environments.  Science and sophisticated engineering sensor data will provide us with early warning of Internet thunderstorms, hurricanes and snow storms.  Soon thereafter even the Cyber Insurance and Cyber Legal domains will become more robust.  Why?

Uncertainty in Internet weather patterns will create new products and services in order to find more certainty.  The current state of the Cyber Insurance industry is in its infancy, as a result of the few documented historical events and the limited actuarial knowledge on data breaches.  Yet as insurance corporations and the legal frameworks grow towards enterprise risk, so too will the ability to more effectively hedge cyber risk.  The likelihood that a Fortune 50 company will now file a claim is at 50% and growing, as each company becomes insured under the modern Cyber Insurance policy product.

The assumption of data breach is now becoming the new normal.  Boards of Directors are preparing for the organization's inevitable need to file a claim with one of the myriad insurance companies that are now operating in the Cyber Domain.  The Cyber Reinsurance business is now starting up.

High Risk / High Frequency events become insured, and the mitigation tools for dealing with the potential for high levels of capital being paid out for remediation introduce exposure to the bottom line.  Cyber Insurance is a risk mitigation tool for the enterprise, just as it is for substantial class action lawsuit trends and other litigation exposure.  So what?

Where are the professional Operations Risk Officers going to focus after these kinds of events?

We shall make our way to the next major area that could bring down the entire organization.  It is in another quadrant: High Risk / Low Frequency.  Why?  This is where your organization is now most vulnerable.  This is where the next risk exposure becomes so great that you may not survive the next major loss event.  Think about the environment you operate in and the stakeholders you answer to on a daily and quarterly basis.  The stakeholders have little understanding of where you are actually concentrating your thinking, expertise and resources.  You are focused on the next unknown:  High Risk x Low Frequency = Next Target Zone.
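The quadrant argument above can be made concrete with a small compound-Poisson loss model. The following is an added example written for this post, not code from the original; the two scenarios, their event rates, per-event losses and the $3M capital buffer are constructed, illustrative numbers, not data from any company or report. It shows why the High Frequency quadrant dominates the expected loss that stakeholders see on a quarterly basis, while the Low Frequency quadrant dominates the probability of a loss the enterprise cannot absorb.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """Annual loss modelled as N * loss_per_event, with N ~ Poisson(events_per_year)."""
    name: str
    events_per_year: float   # frequency (Poisson rate)
    loss_per_event: float    # severity, in dollars (fixed for simplicity)


def poisson_pmf(k: int, lam: float) -> float:
    """P(N = k) for N ~ Poisson(lam)."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def expected_annual_loss(s: LossScenario) -> float:
    """Mean annual loss: rate times severity. This is the figure budgets and premiums key off."""
    return s.events_per_year * s.loss_per_event


def prob_annual_loss_exceeds(s: LossScenario, threshold: float) -> float:
    """P(annual loss > threshold). Loss exceeds threshold iff N > floor(threshold / severity)."""
    k_max = math.floor(threshold / s.loss_per_event)   # largest event count that stays within threshold
    cdf = sum(poisson_pmf(k, s.events_per_year) for k in range(k_max + 1))
    return max(0.0, 1.0 - cdf)   # clamp rounding noise when cdf is ~1.0


def annual_loss_quantile(s: LossScenario, q: float) -> float:
    """Smallest annual loss L such that P(annual loss <= L) >= q (e.g. q=0.99 for a 1-in-100-year loss)."""
    cdf, k = 0.0, 0
    while True:
        cdf += poisson_pmf(k, s.events_per_year)
        if cdf >= q:
            return k * s.loss_per_event
        k += 1


def survival_assessment(scenarios, capital: float) -> dict:
    """For each scenario: expected loss, 99th-percentile loss, and probability the year's loss exceeds capital."""
    return {
        s.name: {
            "expected_loss": expected_annual_loss(s),
            "p99_loss": annual_loss_quantile(s, 0.99),
            "p_exceeds_capital": prob_annual_loss_exceeds(s, capital),
        }
        for s in scenarios
    }


# Constructed scenarios (illustrative numbers only):
#   High Frequency: routine incidents, e.g. phishing-driven fraud, ~monthly, $50k each.
#   Low Frequency:  a destructive intrusion on core systems, ~1 in 20 years, $5M each.
HIGH_FREQUENCY = LossScenario("High Risk / High Frequency", events_per_year=12.0, loss_per_event=50_000.0)
LOW_FREQUENCY = LossScenario("High Risk / Low Frequency", events_per_year=0.05, loss_per_event=5_000_000.0)
CAPITAL_BUFFER = 3_000_000.0   # constructed: cash the enterprise could absorb in one year without failing


if __name__ == "__main__":
    for name, r in survival_assessment([HIGH_FREQUENCY, LOW_FREQUENCY], CAPITAL_BUFFER).items():
        print(f"{name}: expected ${r['expected_loss']:,.0f}/yr, "
              f"1-in-100-year loss ${r['p99_loss']:,.0f}, "
              f"P(loss > capital) = {r['p_exceeds_capital']:.4f}")
```

The frequent scenario carries more than twice the expected annual loss, which is exactly what makes it insurable and visible. The rare scenario's expected loss looks modest, yet it is the only one with a material chance (about one year in twenty) of producing a single-year loss the capital buffer cannot cover, which is the quadrant the paragraph above calls the Next Target Zone.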

Where is the emerging target zone within your enterprise today?  What are you working on to address this, in the time frame that it takes, for the rest of the risk mitigation products and industry to mature.  Will you catch-up to the reality of the actual threat and the potential loss to the enterprise?

So what, and where, is the mindset of the most highly trained and capable Operational Risk experts concentrating today?
  • Operations that use tried-and-true technologies
  • Operations that rely only on general knowledge and that attackers can obtain easily
  • Operations that require clandestine activities
Your adversaries are using these three to ensure their success.  Each one raises the odds in their favor that they will achieve their goal.  Their target.  Their mission.

As you convene your next meeting on the digital privacy and security issues that will occur in the next few months, where will you be focused?  How will you allocate resources?  Will your enterprise be ready and waiting in that Target Zone of High Risk and Low Frequency?

Your Operational Risk strategy shall evolve.  The elements may include looking through both the Internal and the External environment.  Intentional Misconduct and Negligent Conduct are major factors.  It is time to increase the RPMs: Recognizing, Prioritizing and Mobilizing (RPM).  Now Execute.

Everyday is a "Training Day"....