27 December 2015

Executive Security: Personal Protection Specialist...

Operational Risk Management (ORM) extends beyond the perimeter with some of your most valuable assets.  The Fortune 500 Chief Executive Officer and their staff team of subject matter experts are continually at risk.  Even if you are the co-founder of a new start-up with that new "Killer App" ready for testing with SOCOM, you may now require several full-time security risk professionals at your side.

In the corporate Protective Security environment, the "Advance Work" being executed by your ORM team will ensure your success or contribute to the embarrassment or injury of your client/principal. Professionals in Protective Security Details (PSD) realize that your site or lead advance agent can make or break the entire operational risk strategy for your proactive and preventive security measures.

Thinking like the DEVGRU attacker and possessing a "Red Cell" mentality is a valid approach for several aspects of the advance work necessary to ensure an effective "protective envelope". What ends up being the greatest threat to your operation may be technology itself. Too much reliance on pervasive high-tech tools such as "Google Maps" or even the standard-issue Garmin GPS will create a vulnerability just at the point in time when your principal says, "Let's change the itinerary or the location of the next meeting". A "15 Minute Map" composed from a good old-fashioned road atlas can be the low-tech tool that saves lives and prevents potential chaos.

21st Century Executive Security and modern day Personal Protection Specialists (PPS) who understand the value of the "Advance" and apply it effectively will continue to keep their principals safe and secure, with a high degree of professional client service. Corporations operating in countries where executives are required to visit critical infrastructure plants, manufacturing facilities or meet with government officials have been incorporating more protective intelligence and advance work for good reason. The global business environment is increasingly volatile and subject to rapidly changing political risks and subjective "Rule of Law" in many emerging democracies.

Whether it is weapons at close range or at a distance, explosive IEDs or kidnapping plots, today's global and mobile executive is ever more at risk. Effective "Advance Work" is the most important and critical aspect of the security operation. Site and route surveys, "eyes on" residences, airports and hotels, hospitals, police stations, restaurants and convention centers are a mandatory component of the advance operations.

Surveillance Detection (SD) remains a vital facet of the advance work, including the ongoing SD as the Protective Security Detail agents run the operation. The Principal is potentially aware of such activity, yet is shielded from any lethal imminent threats as the day's agenda unfolds.

What may be more obvious is the PSD's use of "Cooper's Colors":

"By using a well-practiced, concrete, formulaic train of thought, it prevents the hesitation normally experienced when one is under threat of attack or actual attack, and this is the purpose of the code, to prevent unnecessary hesitation, and to apply only that force which is necessary to defend yourself." "The way Jeff Cooper explains it is:"
  • White - relaxed and fairly oblivious of your surroundings, you should only be in this condition if you are at home or another secure setting behind locked doors.
  • Yellow - the state of not only constant awareness, but the constant recognition of possible threats. In this state, you are observant of your surroundings, allowing you to recognize threats if they present themselves.
  • Orange - in this state, you have recognized a potential threat, and are ready to defend yourself against this threat if necessary.
  • Red - you are actively defending yourself or others against a threat that has presented itself to you.
It's not just about general awareness, it's about positively identifying potential and actual threats, as you go about your daily life. It is this threat identification and acquisition process that is so valuable, that reduces your response time to those threats, if they present themselves.

Executive Security and the Personal Protection Specialist (PPS) become an even more vital asset in the OPS Risk portfolio, where the Board of Directors has authorized significant premiums for an executive's kidnap and ransom (K&R) insurance. Why?

Like many aspects of our society today regarding information privacy, one only wonders how information gets leaked from the confines of the corporate enterprise. Operational Risks involving people in your organization exist every day. Insuring against losses and protecting against personnel loss events is imperative. Utilizing the correct strategy, tools and professional human assets to comprise the entire security envelope, including the effective use of Protective Security Details, can make all the difference in your organization's resilience factor.

19 December 2015

Cyber Domain: International Law of Asymmetric Warfare...

The international laws and human understanding of what crosses a "Red Line" are being defined in cyberspace in real-time. The operations of the Chief Security Officer (CSO) and Chief Information Security Officer (CISO) are now becoming more adaptive. The Operational Risk Management (ORM) enterprise architecture will soon call for three standard mission functions:
  • Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.
  • Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect, and respond to network attacks, intrusions, disruptions, or other unauthorized actions that would compromise or cripple defense information systems and networks.
  • Computer Network Exploitation (CNE): Includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.
Computer Network Defense (CND) has been the norm for many organizations and now, that is no longer enough. Yet before we can determine why we must add CNA and CNE, we had better understand the breadth and depth of the cyber realm. The "Over-the-Horizon" view of the reality of that domain is rapidly developing into a proactive risk management imperative for Global 500 organizations. Why?

The non-state actors are organizing and evolving into what could be coined, for the layman, as a modern day "Cyber al-Qaida." A "Cyber Taliban." Or even a "Cyber 1st Amendment or 4th Amendment" cadre of affiliated entities. These digital non-state actors, following a set of ideologies as opposed to a set of true investigative journalists or independent non-partisan watch dogs, are metastasizing at an exponential rate.

This ideology, fueled by cyber activism and directed at a particular organization or country, is on a digital battlefield that spans the globe. It has long been said that the Internet is nothing more than a mirror of the good and evil in our physical world. The existence of cyber warriors who are interested in going beyond the goal of financial crimes to kinetic destruction of critical infrastructure is a well-known fact.

Who are these cyber warriors that identify with a movement or cause, that attack the well-being of other humans or destroy the property or economic assets of another organization? They are the same ideologues that have existed long before the Internet. The difference is that the reach, speed and ubiquitous nature of the digital medium accelerates the threat and the requirement for an effective counterbalance. Putting actual skill sets aside for a moment, the real differentiator has been on a "White Hat" or ethical warrior focus:
Regarding whether there were different rules of armed conflict for cyberwarfare in dealing with states like Iran, versus terror entities like Hamas or al-Qaida, he first noted that while there is “no consensus,” the “US, Israel, England and others” argue that “self-defense” principles justify attacks against terror groups, even if they are not states.  --IDF Col. Sharon Afek-- Article by Yonah Jeremy Bob
The CNA, CND and CNE operations in the digital Global 500 will now employ those individuals who have an ideology that is more directly opposed to the worldview of a "Cyber al-Qaida." In the long war, the cyber "White Hats" will endure. The asymmetric warfare of the next decade will encompass operational risk professionals behind the network, who have a different context. Why? Because they believe in an ideology far more patriotic than their predecessors. They are the "Quiet Professionals" who have retired from SOCOM active duty and now span the ranks of the corporate private sector.

The international laws of the cyber domain are in play for our prosperity or our peril.

13 December 2015

Beware of the Cowboy: Risk Driven by Fear...

Beware of the cowboy.  Operational Risk Management (ORM) spans the hazards on the flight deck on the USS Ronald Reagan (CVN 76) or behind enemy lines or even to employee behavior on the front lines of the private sector on Wall Street:
"The recent conviction of Michael Coscia in the Federal District Court in Chicago in the first prosecution for “spoofing” provides more clarity to high-frequency trading firms about how they can operate. The message is to tread carefully when a strategy depends on using orders that will be quickly canceled because the government may claim they are an effort to manipulate the market by fooling others into trading.

Spoofing was made illegal in the Dodd-Frank Act, which prohibits “bidding or offering with the intent to cancel the bid or offer before execution.”"
Believe it when we say that people who try to be cowboys in your organization are operating without regard to risk. Now multiply the number of cowboys by the number of people that they surround on their team, who think that this is the way to operate. It doesn't take long to find out that these are the root causes of many of the operational risks in your organization. And it starts out with the basics even in the vast private sector beyond Wall Street:
  • Revenue is not booked according to the rules. Products sit in the warehouse yet revenue ends up on the sales rep's commission report because (s)he had a signed order.
  • Assets are not valued correctly. Bank accounts are not validated to make sure they actually exist and accounts receivable are inflated.
These are just two of the many facets of occupational fraud that start with a few cowboys who have little regard for managing risk and all the incentives to line their pockets with newfound cash or bonuses.

From Leadership Lessons of the Navy SEALS

The Cowboy
"Neither of us knows if such a thing has ever been tolerated in modern commando teams. Yes, sometimes you need to charge forward. But, there are simply too many potential casualties and too much political currency resting on commando missions to entrust one to a cowboy. Authorization for an operation depends on the accurate calculation of operational risk. This requires an assessment of proven forces ability to perform a task. All this is contrary to the cowboy philosophy of depending on experimentation, pluck, and luck in order to succeed."
"The problem with being a cowboy is that your bosses won't employ you if they can't trust you, and they can't trust you if they don't know what you'll do. And then you're stuck with the reputation."
        --LT. CMDR. Jon Cannon

You might think that the reason is ego or just plain greed. However, the real motive may not be so clear. More than likely, the motive is fear. And that fear is something that grows until it gets to the point of creating harm, loss and destruction. You have to find the cowboys in your organization and you have to follow the mantra of quality gurus from years past, "Drive out Fear".

06 December 2015

InTP: Quality of Design in a New Age of Terror...

Executive Management and the Board of Directors are waking up today with a key thought on their minds. As a result of the horrific act of terrorism in San Bernardino, CA USA this week, how effective are the "Insider Threat" Programs (InTP) that are now being tasked:
The FBI said Friday that it is investigating the San Bernardino, Calif., massacre as an act of terrorism, with officials revealing that the Pakistani woman who teamed with her husband in the slaughter went on Facebook afterward to pledge her allegiance to the leader of the Islamic State.
The husband terrorist was employed by a county government agency in California. Just as your place of employment has a "Duty of Care" for the safety and security of its employees, any nexus with homegrown violent extremism or terrorism on a government or private sector ecosystem requires a strategic focus.
(U.S. Code Title 22 Chapter 38, Section 2656f(d) defines terrorism as: “Premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.”)
The Board of Directors or Under Secretary, in concert with Operational Risk Management (ORM) professionals within the enterprise have a fiduciary responsibility that now has a new spotlight.

The husband terrorist was a U.S. citizen working as an environmental health specialist in San Bernardino County.  He was a devout Sunni Muslim.  He had recently traveled to Saudi Arabia for two weeks, home of the 9/11 hijackers.  When he returned, he was growing a beard and married to a devout Sunni Muslim woman he met online.  Witnesses have stated that his new wife had substantial influence on his religious beliefs.  Was some or all of this a potential "Red Flag" by family members or co-workers?   Could she have been a clandestine agent?

The presence of an "Insider Threat" Program (InTP) is evident in hundreds of top tier Fortune 500 organizations and almost 100% of government contractors who may have "Sensitive Compartmented Information Facilities" (SCIF).  U.S. Executive Order 13587 requires that an organization have an InTP in place.

This still leaves thousands of vulnerable businesses and government agencies at the state and local levels without the resources, expertise and policy-based programs to effectively administer a lawful and effective InTP or hybrid "Insider Threat" strategy. It is imperative to assist in the continuous protection of physical and digital organizational assets, including the precious lives of all employees:
As a result, many organizations will be asking senior management about the initial implementation of an InTP or to review the effectiveness of a current InTP that is already in progress, at a Defense Industrial Base (DIB) contractor.  So what?
What does the current InTP in your organization, have to do with the adverse consequences that may occur?  Why could those potential consequences of an InTP that has been designed incorrectly or implemented without control metrics, create substantial risk and liability to the enterprise?  How can you address the Operational Risks associated with an "Insider Threat" Program?

Here are several key design areas, to mitigate the potential likelihood of unintended consequences of a failed InTP design:
  • Staff or employees who utilize the InTP incorrectly with intent or by accident
  • Top management loss of reputation by supporting an aggressive InTP Program
  • Collision course with formal EEOC whistleblower protections and processes
  • Friction with internal Human Resources relationships
These are just a few examples of the many areas that should be addressed in the initial design of a high performing InTP. The problematic cases that result from low quality design are building bad PR, and new employee lawsuits are gaining attention. The aggressive actions by management may create a high rate of "False-Positives" that alienates employees, increases privacy violation claims and impacts corporate culture.

The integrity and the credibility of the InTP is paramount, if we are to continue to utilize it as an effective tool in the Operational Risk Management (ORM) strategic plan.  Managing risk on vital enterprise assets requires dedicated people, tested processes and robust systems that will not erode support.

Where are the vital process, training and systems areas that need focus or have the ability to be designed correctly from the start:
  1. Relationships with Management & Employees
  2. Investigation of Incidents and Reports
  3. Management Behavior after an Employee Red Flag
  4. Implications of the Culture of Trust
Organizational behaviors and the "Duty of Care" are in the spotlight again, as a result of the San Bernardino terrorist attack. The quick reaction by hundreds of companies that have not already done so to implement an InTP will spawn thousands of new litigation examples that have a nexus with security and privacy in the workplace.

In essence, you need to have a specific executive management intervention that does not overreact. You should have an independent facilitated off-site meeting to better understand what can go wrong, why it happens and what to keep an eye on. Finally, what you can do about it.

The opportunity now is for you to strategically implement or adjust the InTP within your organization.  Why you do this and how you proceed, is vital to the enterprise risk management of the company.  How you and your employees behave from this point forward, will forever impact the culture of trust in your organization.

Our thoughts and prayers to all of the victims and the families impacted by this act of terrorism in the U.S. Homeland...