06 December 2015

InTP: Quality of Design in a New Age of Terror...

Executive Management and the Board of Directors are waking up today, with a key thought on their minds.  As a result of the horrific act of terrorism in San Bernadino, CA USA this week, how effective are the "Insider Threat" Programs (InTP) that are now being tasked:
The FBI said Friday that it is investigating the San Bernardino, Calif., massacre as an act of terrorism, with officials revealing that the Pakistani woman who teamed with her husband in the slaughter went on Facebook afterward to pledge her allegiance to the leader of the Islamic State.
The husband terrorist was employed by a county government agency in California.  Just as your place of employment has a "Duty of Care" for the safety and security of it's employees, any nexus with home grown violent extremism or terrorism on a government or private sector ecosystem requires a strategic focus.
( U.S. Code Title 22 Chapter 38, Section 2656f(d) defines terrorism as: “Premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.”[18])
The Board of Directors or Under Secretary, in concert with Operational Risk Management (ORM) professionals within the enterprise have a fiduciary responsibility that now has a new spotlight.

The husband terrorist was a U.S. citizen working as an environmental health specialist in San Bernardino County.  He was a devout Sunni Muslim.  He had recently traveled to Saudi Arabia for two weeks, home of the 9/11 hijackers.  When he returned, he was growing a beard and married to a devout Sunni Muslim woman he met online.  Witnesses have stated that his new wife had substantial influence on his religious beliefs.  Was some or all of this a potential "Red Flag" by family members or co-workers?   Could she have been a clandestine agent?

The presence of an "Insider Threat" Program (InTP) is evident in hundreds of top tier Fortune 500 organizations and almost 100% of government contractors who may have "Sensitive Compartmented Information Facilities" (SCIF).  U.S. Executive Order 13587 requires that an organization have an InTP in place.

This still leaves thousands of vulnerable businesses and governments agencies at the state and local levels without the resources, expertise and policy-based programs to effectively administer a lawful and effective InTP or hybrid "Insider Threat" strategy.  It is imperative to assist in the continuous protection of physical and digital organizational assets, including the precious lives of all employees:
As a result, many organizations will be asking senior management about the initial implementation of an InTP or to review the effectiveness of a current InTP that is already in progress, at a Defense Industrial Base (DIB) contractor.  So what?
What does the current InTP in your organization, have to do with the adverse consequences that may occur?  Why could those potential consequences of an InTP that has been designed incorrectly or implemented without control metrics, create substantial risk and liability to the enterprise?  How can you address the Operational Risks associated with an "Insider Threat" Program?

Here are several key design areas, to mitigate the potential likelihood of unintended consequences of a failed InTP design:
  • Staff or employees who utilize the InTP incorrectly with intent or by accident
  • Top management loss of reputation by supporting an aggressive InTP Progam
  • Collision course with formal EEOC Whistle blower protections and processes
  • Friction with internal Human Resources relationships
These are just a few examples of the many areas that should be addressed in the initial design of a high performing InTP.  The problematic cases as a result of low quality design, are building bad PR and new employee lawsuits are gaining attention.  The aggressive actions by management may create a high rate of "False-Positives," that alienates employees, increases privacy violation claims and impacts corporate culture.

The integrity and the credibility of the InTP is paramount, if we are to continue to utilize it as an effective tool in the Operational Risk Management (ORM) strategic plan.  Managing risk on vital enterprise assets requires dedicated people, tested processes and robust systems that will not erode support.

Where are the vital process, training and systems areas that need focus or have the ability to be designed correctly from the start:
  1. Relationships with Management & Employees
  2. Investigation of Incidents and Reports
  3. Management Behavior after an Employee Red Flag
  4. Implications of the Culture of Trust
Organizational behaviors and the "Duty of Care" are in the spotlight again, as a result of the San Bernadino terrorist attack.  The quick reaction by hundreds of companies to implement InTP that have not done so already, will spawn thousands of new litigation examples that have a nexus with security and privacy in the workplace.

In essence, you need to have a specific executive management intervention, that does not over react.  You should have a independent facilitated off-site meeting to better understand what can go wrong, why it happens and what to keep an eye on.  Finally, what you can do about it.

The opportunity now is for you to strategically implement or adjust the InTP within your organization.  Why you do this and how you proceed, is vital to the enterprise risk management of the company.  How you and your employees behave from this point forward, will forever impact the culture of trust in your organization.

Our thoughts and prayers to all of the victims and the families impacted by this act of terrorism in the U.S. Homeland...

No comments:

Post a Comment