25 September 2016

ORM: "All Threats & All Hazards"...

If you are new to the discipline of Operational Risk Management (ORM), your entry point into its vast spectrum is a vital realization. The business problem that you are trying to solve with an effective set of protocols, policies and a risk management framework may take years to accomplish. Do you have that much time?

Operational Risk Management 101 requires an "All Threats & All Hazards" point of view from day one. It also requires a protocol that your whole organization can understand, implement and put to work on a daily basis. Whether you are in banking, drilling for oil, flying an AV-8B out of hostile conditions or preparing for hundreds of guests at a "State Dinner" on the South Lawn, Operational Risk Management is the versatile discipline that will enhance your safety and security.

Practitioners of ORM know that the next threat or the unexpected hazard is almost impossible to defend against. Once you realize that you are always in "degrees of vulnerability", your mindset changes about where to spend your activity, effort and resources to maximize your returns. Did anyone see the process of turning sub-prime mortgage portfolios into securities and selling them to investors on Wall Street as a future threat to our economic prosperity? Yes. The same people bought instruments to hedge this risk in the form of "Credit Default Swaps" (CDS):
Credit default swaps are often used to manage the credit risk (i.e., the risk of default) which arises from holding debt. Typically, the holder of, for example, a corporate bond may hedge their exposure by entering into a CDS contract as the buyer of protection. If the bond goes into default, the proceeds from the CDS contract will cancel out the losses on the underlying bond.
Prudent Operational Risk practitioners look at the threat and invent the correct tool, product or countermeasure to hedge the risk. It happens on Wall Street and it happens on the urban battlefields of cities across America. A U.S. Justice Department researcher, Lester Shubin, took a DuPont fabric intended for tires and developed the Kevlar bulletproof vest. This inventor passed away about seven years ago and is credited with helping to save the lives of over 3,000 law enforcement officers. A heart attack took the life of a man who understood the core value of "Operational Risk Management." Godspeed Lester.

Shubin and his advocates had many obstacles to overcome for their idea, invention and risk management habit to succeed. First there was testing, then the legal hurdles of getting companies to manufacture vests despite the liability, and finally getting street cops to wear them. This practitioner of Operational Risk did not stop there. He was also one of the first to suggest the use of canines to find explosives.

If you enter the ORM discipline from a safety orientation, your perspective may differ from that of someone who enters it from a security orientation. What they both have in common is managing risk. The most effective 21st century experts in Operational Risk Management realize that an "All Threats & All Hazards" mindset is crucial to the entire profession. So how do you know where to invest your activity, effort and resources? That depends on your industry sector, the environment you are operating in and the pace of the processes being performed.

Being an effective Operational Risk expert today requires a multi-faceted, mosaic-based, pervasive protocol in order to be adaptive. Working in the trading pit at the Chicago Mercantile Exchange (CME) or on the deck of CVN-77 in the middle of the Arabian Sea requires the same set of skills, knowledge and training. Done effectively, it will save lives and millions of dollars simultaneously.

18 September 2016

Digital Citizens: The Integrity of our Trust Decisions...

Operating globally in business requires travel across borders and into less than familiar places.  Operational Risk Management (ORM) is at the forefront of global commerce for good reason.  The tools we use to assist us range from the smartphone airline app that holds your boarding pass to the latest travel warnings from the U.S. State Department's "SmartTraveler" app.

Perhaps on your last trip abroad you ditched your regular personal smartphone for a pay-as-you-go model that you could throw away upon your return.  Most likely a prudent strategy, especially if you are traveling into physical places whose wireless communications infrastructure is known to be less trusted, or that are questionable for other reasons.

Regardless, using a Virtual Private Network (VPN) whenever you connect a device in any country is worth the extra step for privacy.  OpenVPN or Golden Frog's VyprVPN can provide your iOS or Android device with an encrypted tunnel to prevent eavesdropping on your Internet traffic.  Keep in mind that the tunnel protects traffic only as far as the VPN provider's endpoint, so the provider itself becomes part of your trust decision.  Again, a wise step to take at all times.

However, even today that may not be enough.  Digital Trust is paramount in a mobile-centric 24x7 business world.  The integrity of communications from the CxO ranks while traveling abroad is vital when interacting with senior staff and other government collaboration partners.  Our trusted apps may need a new and emerging set of capabilities going forward.  Marc Canel writes:

"A group of security experts led by ARM, Intercede, Solacia and Symantec collaborated to create a new security protocol for smart connected products.

The companies agreed that any system would be compromised unless a system-level root of trust between all devices and service providers was established. This led to the definition of the Open Trust Protocol (OTrP), which combines a secure architecture with trusted code management, using proven technologies from banking and data applications on mobile devices.

The protocol is now available for download from the IETF website for prototyping and testing. The key objectives of OTrP are to develop:

  • an open international protocol based on the Public Key Infrastructure (PKI)
  • an open market for competing certificate authorities
  • an ecosystem of client and server vendors around the protocol

Collaboration began in early 2015 and soon grew to 13 companies. The alliance worked with the IETF and GlobalPlatform to get OTrP adopted as a protocol within their organizations."

The OTrP protocol adds a messaging layer on top of the PKI architecture. It reuses the Trusted Execution Environment (TEE) concept to increase security by physically separating the regular operating system of a device from its security-sensitive applications.

We have created devices we want to trust.  Our business and global commerce require the ability to communicate effectively and with integrity.  The Open Trust Protocol (OTrP) is only the beginning.

The foundations of the Internet and the future of Artificial Intelligence (AI) will soon reach a break point, a place on the growth curve where the path bifurcates.  If we do nothing, the system will decline and die.  The alternative is to re-engineer it now so that it survives and adapts to the evolving environment ahead: a digital environment where machines talk to machines on a far more massive scale at light speed, well beyond digital switches, routers and other mobile (IoT) devices.

The continuous integrity and assurance of our networked infrastructure to enhance "Digital Trust" is already well on its way.  Important foundations have already been established, and the transformation steps underway go beyond protocols to the education of our most promising generation of new software engineering talent.  Here is just one example, from Jeffrey Ritter's University of Oxford course, "Building Information Governance":

"To govern information now requires mastery of a diverse, often international, portfolio of legal rules, technology standards, business policies, and technology, all applied across increasingly complex, distributed systems and repositories. The increased scrutiny and requirements of official agencies and business partners impose new requirements for compliance documentation and transparency. This course introduces participants to a structured design approach that will enable strong, responsive and resilient information governance to be incorporated into the design and management of digital assets. 21st century information governance must navigate and embrace records management, privacy, electronic discovery, compliance, information security, corporate governance, and transparency of operations—all of these will be considered in this course."

The future of "Privacy Engineering" is at stake in a mobile commerce, digitally trusted environment.  All of the protocols being developed for moving zeros and ones from point A to point B will not mean anything if we have not effectively enhanced our "TrustDecisions" capabilities and outcomes.

The environment is virtual.  Just like the physical world, there are places that are safe and others that are dangerous and evil.  Since the beginning, the content and the people operating in that environment have been both good and bad.  This is the reason the virtual environment of the Internet has rules and the engineered governance that is necessary for the integrity and safety of the global citizens who use it.

You have to wonder what our digital world would be like without rules or any governance: without the international Rule of Law, without the enforcement of international safe havens for people to operate with integrity and in safety, in the physical world and on the Internet.  It would be global, uncontrolled chaos.

As you ascend into the next generation of mobile and global commerce, think harder about "Digital Trust".  How will the Trust Decisions that your business or your country relies on remain in a safe haven?  Will the confidentiality, integrity and assurance of the underlying data science continually be trusted?

"These forces are concurrently driving transformations that are now already visible in how we structure the governance of our political states, our commercial consortia, our corporate digital ecosystems, and our interactions as individual users with the digital assets of the Net.

Ultimately, the Net succeeds or fails based on the cumulative affirmative decisions of individual humans to trust the networks, systems, devices, applications, and information assets that are the blocks from which the Net is constructed.  For the Net to prosper, and to be functional as a global infrastructure, the values and consequences of building digital trust must be embraced.  That evolution is already underway"...  Jeffrey Ritter

11 September 2016

9/11 2016: Remembering the Fallen...

"We Will Never Forget".  On 9/11 2016, as the names are read, we remember and we reflect upon the significance of this anniversary for each of us.  Fifteen years after that horrific start of a new generation of Violent Extremism and International Terrorism, we honor those who have fallen.

We honor them all, from the First Responders in the ranks of the New York City Fire and Police Departments on that morning to those forward deployed from the CIA and our Special Operations Forces (AFSOC) a decade and a half later.  Four years ago today, on 9/11 2012, we were attacked again at our U.S. Diplomatic Compound in Benghazi.

As we talk and discuss where we were and how we felt on that day in September 2001, it is vital that we analyze what has changed and how we are now different.  Even today the kinetic war persists on the ground, in places like the Hindu Kush and Shabwah province, to eliminate the threat of AQAP and ISIL or IS (Islamic State).

Meanwhile, millions gather at Mount Arafat in Saudi Arabia for the Hajj ceremonies, where Muslims believe the Prophet Muhammad gave his last sermon.  Fifteen of the 19 attackers were Saudi nationals.

Fifteen years ago the attacks were planned and coordinated by a more central and organized al-Qa'ida leadership.  The erosion of Middle East states after the Arab uprising has brought us an asymmetric threat commanded online through social media and more sophisticated video-enabled communications strategies.  These new avenues for recruitment and online command and control have created new challenges for our counter terrorism (CT) strategies.

Watching the dual beams of light shining over New York City at Ground Zero on this anniversary, we must not forget.  We must seek to understand the behavioral components of "Homegrown Violent Extremism" (HVE) as the primary future weapon of al-Qa'ida leadership.  From Paris and Nice to San Bernardino and Dallas, the variants of how and where HVE will erupt are unknown and even harder to detect in advance of a violent attack.

Now that women, young children and even trucks have been used as simple tools to perpetuate the stealth and low-tech / high-assurance approach to killing innocents, there is still nowhere to hide.  There is no place that is truly safe.

The primary solution for you, your company and a nation is to continue to enhance Operational Risk Management (ORM) and to seek even more robust levels of resilience.  We learned years ago that the ability to adapt and to survive relies on this core strategic capability.

Whether you are preparing for that next hurricane, earthquake, cyber or explosive attack does not matter.  We must all seek to better understand Operational Risk and prepare even more than we ever have in the past.

On this fifteenth anniversary, we have learned so much and still have so far to go...Godspeed!