26 November 2016

Proactive Defense: ICT Supercomputers in the Fifth Domain...

The days are numbered for the major and large-scale ICT (Information and Communications Technology) incidents.  Corporations and Global 500 organizations are scaling up for the long game, in a new era of Operational Risk Management (ORM).  We are rapidly moving from Fear, Uncertainty and Doubt to "Proactive Defense."

No longer is the topic of digital strategy being pushed down the list of priorities by the Board of Directors; it is now at the top.  E-commerce and digital branding are an integrated dialogue, along with EBITA, in the corporate board room.  The "Trust Decisions" being made each minute of each hour by the enterprise are now being calculated by machines, sophisticated algorithms and data analytics.
"In an increasingly virtual world, it’s easy to lose sight of the fact that human networks, relationships and trust are more important than ever. Those bonds can be sparked in face-to-face discussions. Meanwhile, we can’t allow ourselves to be passive when our opponents are actively engaged and financially motivated. Since we have such a determined foe, we need to challenge each other on the stage. We need to change from thinking defensively to proactively on ICT."  --William H. Saito, Special Advisor, Cabinet Office (Government of Japan)

Japan and other nations are racing each other to create the world's fastest-known supercomputer.  Why?

The deep learning and artificial-intelligence (AI) trend tells us that soon more corporations will be leveraging these government-owned assets for assistance.  Whether it is for medical diagnostics, cyberspace threat intelligence or speeding up other humanitarian-focused computations, Japan is joining the supercomputer race for the fastest computer on earth:

"In a move that is expected to vault Japan to the top of the supercomputing heap, its engineers will be tasked with building a machine that can make 130 quadrillion calculations per second - or 130 petaflops in scientific parlance - as early as next year, sources involved in the project told Reuters.

At that speed, Japan's computer would be ahead of China's Sunway Taihulight that is capable of 93 petaflops."

Why is the global race for supercomputer superiority a nation-state issue?  What is the reason for diverting national funds to this project, over others of key importance to the welfare of the majority of the population?  Operational Risk Management of the nation itself.

The "Fifth Domain" after Air, Land, Sea and Space is that infrastructure comprised of our planetary ICT landscape.  Digital infrastructures are now so integrated that cyberspace incidents such as war in Estonia, Stuxnet in Iran, Sony Pictures in the U.S. and the more pervasive "Ransomware" worldwide, are just the initial indicators of what still lies ahead of us.

We must now turn our attention to the positive innovation and continuous "Proactive Defense" of our critical infrastructure.  Nation states such as Japan and others, who are the key gateways for undersea cables, truly understand the vital nature of their ICT assets.

A nation state's "Cyberspace Strategy" has now evolved beyond the current state to the "Fifth Domain".  Global 500 companies are fighting DDoS botnets on a daily basis, trying to keep e-commerce running.  This largely invisible war will continue to evolve as new technologies and supercomputers become the new normal.

"On Tuesday, the chancellor, Philip Hammond, announced that the government was “investing” £1.9bn in boosting the nation’s cybersecurity. “If we want Britain to be the best place in the world to be a tech business,” he said, “then it is also crucial that Britain is a safe place to do digital business… Just as technology presents huge opportunities for our economy – so too it poses a risk. Trust in the internet and the infrastructure on which it relies is fundamental to our economic future. Because without that trust, faith in the whole digital edifice will fall away.”"

20 November 2016

Intuition: Security in a World Without Borders...

"Technology is not going to save us.  Our computers, our tools, our machines are not enough.  We have to rely on our intuition, our true being."  --Joseph Campbell

On a crisp Fall morning, one week after the U.S. National Election, we were lining up outside the Harry S. Truman Building of the United States Department of State.  The Bureau of Diplomatic Security - Overseas Security Advisory Council was hosting its 31st Annual Briefing.

This year's briefing was focused on "Security in a World Without Borders" and, as we passed through our ID check and screening, the anticipation was high.  Its private-sector constituents, from the Fortune Global 500 to the small U.S.-based professional services firm, had one key similarity.

Leaders in attendance recognize that their business is integrated forever with an exponentially expanding system of interconnected machines.  CxOs across the globe are competing for business in the era of "The Fourth Industrial Revolution", where the vulnerabilities extend beyond the Critical Assets of the enterprise.

This year's keynote address was by Richard Davis, CEO of U.S. Bancorp.  His talk struck many as heartfelt as he recounted his rise from the days at the branch level securing the vault.  Now, he emphasized, most of his effort is focused on Operational Risk Management (ORM).  Data, Identities and Distributed Denial of Service (DDoS) are on his mind every day.

Beyond the threats of a Post-ISIL Levant and operating in a world of Transnational Organized Crime, the room was almost full on Day 2 for the 10:45AM panel discussion "Developing an Insider Threat Program", moderated by Elena Kim-Mitchell, ODNI.

The OSAC participants on the panel were:
  • Roccie S., Capital One | Financial
  • Stanley B., Rolls-Royce North America | Defense Industrial Base
  • Joseph L., Southern Company | Energy

Each of these experts described the high-level architecture of their respective organization's design and approach to an "Insider Threat Program" (InTP), and they had consensus on one key element.

The "Human Factor".  The point that they all wanted to ensure the audience understood clearly is that all of the analytics software, data loss prevention (DLP) tools and sophisticated technology was not going to stop a determined and motivated adversary.

So what?

Your intuitive abilities as a human should not be ignored or discounted.  How many times have you said to yourself, "I knew something wasn't right with that person"?  In fact, many times we are alerted to the anomalous behavior of a co-worker because human intuition is working 24x7 in our brains.

Gavin de Becker said it best in his book "The Gift of Fear"; we must not forget that these behaviors apply to everyone:
  • We seek connection with others.
  • We are saddened by loss and try to avoid it.
  • We dislike rejection.
  • We like recognition and attention.
  • We will do more to avoid pain than we will do to seek pleasure.
  • We dislike ridicule and embarrassment.
  • We care what others think of us.
  • We seek a degree of control over our lives.

As our software systems learn and we begin to rely more often on the algorithms to recognize, translate and predict, we must not lose sight of our human intuition.  Do you have it?  Yes.  Are you using it more often and more effectively?  We hope you will be.

How often have we all said, "the signs were there"?  How many times are the clear and present indicators in the workplace being ignored?  An organization's "Duty of Care" is continuously at stake.  Human factors alone, just like software system alerts alone, will continuously expose the enterprise to significant loss events.  Here is just one example from the Washington Post:

The Pentagon’s Defense Security Service announced this year that contractors will be required to implement programs that are designed “to detect, deter and mitigate insider threats.” Contractors will be required to designate a senior insider threat official to oversee the program and provide training on how best to implement it.

While many details of the Martin case are not yet known, it is clear that it is not good for Booz Allen to have a second employee charged with stealing secrets from one of its most important customers, officials said.

What is the solution?

Government contractors, private-sector businesses and the small and medium enterprises within their supply-chain ecosystem for products and services are continuously challenged.  They are under the growing umbrella of a myriad of federal acquisition guidelines.

In addition, various export, civil liberties and privacy laws focused on preserving the integrity and trust of the United States in an international marketplace are compliance mandates for your global commerce.

New solutions are required as a result of the increasing spectrum of threats, from individuals in the workplace to the cyber nexus infiltrating your trade secrets and stealing your intellectual property.

The TrustDecisions “Insider Threat Program” (InTP) has been designed from the ground up for organizations operating in highly regulated “Critical Infrastructure” sectors, including Financial, Energy and the Defense Industrial Base (DIB).

Many companies have already started the establishment of an “Insider Threat Program” (InTP).  Utilizing Subject Matter Experts from TrustDecisions will provide your organization with the confidence and continuous assurance that you stay on course.

“Achieving Trust” with employees, clients and suppliers is paramount in our digital 24x7x365 economy.  Designing and adapting the InTP to your unique culture and the changing threat landscape is a vital strategy.

12 November 2016

Exponential Innovation: Systems Risk with Beneficiaries...

When you have the opportunity to watch or attend TED, how does it make you feel?  Do you get the sense that the person behind the story, the idea, the innovation, is more genuine and sincere?

What about those advocating for "Exponential" change?  Individuals and organizations that have made the leap beyond incremental change and invention and are on to the concept of "Exponential Innovation".  The xPrize Foundation is a perfect example.

How can big ideas, bold inventions and people with exponential thinking accelerate their cause, advocate their blueprint or design a creative new alternative?  They need a system.  A model and community platform for ingesting ideas, testing prototypes, adapting designs and fostering continuous experimentation.

Why do you need a new system in your organization?  Let us start with some simple mathematics.  Multiply the number of people in your organization by 2.  Now think about the number of products, initiatives or major changes that you successfully implemented over the course of the last 12 months.  How many?

It is a safe estimate that each of your employees has at least two new ideas or bold ways to improve or change a product or process in your organization each working day.  500 employees x 2 ideas x 250 working days = 250,000 potential ideas, changes or exponential innovations.  How did you capture these and utilize a system to capitalize on them, for your organization and those you serve?

What does this new innovation system have to do with Operational Risk Management (ORM)?

The Operational Risks associated with an organizational system for capturing, nurturing and producing newfound Intellectual Capital are vast.  The goal, however, is to simultaneously accelerate, share and produce collective thought leadership within the greater public-private community.  This in itself creates new challenges in minimizing the potential for significant losses and external risk events.

Across all the domains for "Exponential Innovation" from Healthcare, Space Travel, Artificial Intelligence and Ocean studies to name a few, lies one of the greatest barriers to our ultimate progress.  Adapting to the ecosystem of people utilizing the product or service.

Total immersion in the marketplace or with the customer, the beneficiary of the new product, service or invention, is a significant factor for future success.  The single factor of time, being embedded with the actual end user, recipient or beneficiaries of the new found innovation, is directly proportional to the Operational Risk exposures.

Think about it.  When was the last time your CEO or chosen leader was embedded with the customer for more than a few hours or a day?  How often is the scientist, designer or engineer using the product or system side-by-side the beneficiary?  Not often enough or long enough.

Sure, we have all heard the mantra about "Managing by Walking Around" for decades, yet why do we continue to see the outcomes of this failure at well-managed companies such as Wells Fargo and Samsung?  Operational Risk Management (ORM) should be a component of any major initiative and a necessary competency in any dangerous or high-risk environment.

From the decks of aircraft carriers to the trading floors of Wall Street, from the test trials of new pharmaceuticals to the Yottabytes of data across the Internet, Operational Risk Management (ORM) is more relevant than ever, on an exponential scale.  Just ask Elon Musk, Warren Buffett, Bill Gates or Ash Carter what they think...

06 November 2016

Internet Hurricanes: Resilient Trust Decisions into the Future...

"Trust Decisions" are made in nanoseconds as a human being.  Your past experiences, data stored in your brain from sensory collection and a clear understanding of the rules and the consequences assist you in your decision to trust.  To trust someone or something.

The science and the research on the process and systemic nature of how TrustDecisions occur are ongoing.  Humans have for decades designed machines and software to mimic and replace our own decision-making process.  It has been replaced with a foundation now found in semiconductors, artificial memory, databases, fiber optics, neural nets and 5G wireless networks.

Even deeper, trust decisions are now embedded in software code: the machine languages that have given us the ability to use the entire Information and Communications Technology (ICT) infrastructure to our advantage, while simultaneously creating a tremendous vulnerability and opportunity for systemic risk.  Our Critical Infrastructure Sectors are forever integrated with the increasing complexity and intelligence of our man-made machines.

The Fourth Industrial Revolution is upon us:

With significant growth in IoT and the cloud, machine learning and big data are becoming ever more important as a significant amount of previously untapped data are collected, assessed and digitized. These newly available data provide billions of dollars to potential businesses that can quickly and effectively evaluate the data.  Additionally, the International Data Corporation (IDC) forecasts global spending on cognitive systems will reach nearly $31.3 billion in 2019.   IDC further sees cognitively-enabled solutions that “offer the tools and capabilities to extract and build knowledge bases and knowledge graphs from unstructured and semi-structured information as well as provide predictions, recommendations, and intelligent assistance through the use of machine learning, artificial intelligence, and deep learning”.

So now what?  Only 50% of the population of our Earth is connected at this point in time.  What will happen over the course of the next two decades as the growth curve accelerates?  How, as a corporate enterprise or global organization, will we be able to weather the "Internet Hurricanes" that are ahead of us?

Whether it is a systemic cyber risk event or something worse, the opportunity exists now.  We begin the journey by revisiting our Trust Decisions: the rules that have defined us and the rules that our machines are executing on our behalf.

The decisions to trust that occur when our iPhone app uses wireless networks and GPS to guide us, via Google Maps, to our next destination.  The decisions to trust as the bank debits your checking account and routes the funds to your mortgage company.  The decisions to trust as the doctor reads the vital signs on the monitors attached to your loved one in the ER.

As Operational Risk Management (ORM) professionals, we must adopt a continuous resilience mindset.  We look at the automation and the benefit of the machine and yet we ask ourselves what if?  What if the battery fails?  What if the connection is lost?  What if the data is corrupted?

One idea has been used to address this within an organization.  It begins as an exercise in resilience planning and goes beyond it.  Start with a small team or project group.  Announce in advance that on a certain date and time an "Internet Hurricane" will hit and a systemic cyber event will last 24 hours.  Could you survive?

This is not a new idea.  Clearly, the exercise for Disaster Recovery Planning (DRP) has other nuances, yet it serves the point.  When was the last time your team was able to operate without access to data from a networked system?  The time has come to prepare for the next digital storm ahead of us.  Will you be ready to operate in an austere environment, inside your corporate domain but without the Internet?
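Before announcing the drill, it helps to write down which team activities depend on networked systems and which have a paper, local or cellular fallback, then ask the model which activities the 24-hour outage would stop. The script below is an added example of that dependency mapping, not code from the original post or from TrustDecisions; the inventory of resources, the fallback durations and the processes are constructed for illustration, and the `fallback_hours` field is an assumed way of recording how long a local replica or paper copy keeps a networked resource usable.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    """A system or asset a business process depends on.

    networked:      True if it is reachable only over the Internet or corporate network.
    fallback_hours: how long a local cache, paper copy or other fallback keeps it
                    usable once the network is gone (0 = unusable immediately).
                    This field is an assumption of this example, not a standard.
    """
    name: str
    networked: bool
    fallback_hours: float = 0.0


@dataclass(frozen=True)
class Process:
    """A business activity and the resources it cannot run without."""
    name: str
    needs: tuple


def resource_survives(res, outage_hours):
    """A non-networked asset is unaffected; a networked one lasts only as long as its fallback."""
    return (not res.networked) or res.fallback_hours >= outage_hours


def simulate_outage(resources, processes, outage_hours):
    """Return {process name: [resources that block it]} for an outage of the given length.

    An empty list means the process can keep running for the whole outage.
    A KeyError means a process depends on something missing from the inventory,
    which is itself a finding worth recording during the drill.
    """
    by_name = {r.name: r for r in resources}
    report = {}
    for proc in processes:
        blockers = [dep for dep in proc.needs if not resource_survives(by_name[dep], outage_hours)]
        report[proc.name] = blockers
    return report


def surviving_processes(report):
    """Names of processes with no blocking resource, sorted for stable output."""
    return sorted(name for name, blockers in report.items() if not blockers)


# Constructed inventory for a small team (illustrative, not a real organisation's).
INVENTORY = [
    Resource("cloud email", networked=True),
    Resource("CRM (SaaS)", networked=True),
    Resource("ERP", networked=True, fallback_hours=4.0),   # assumed read-only local replica
    Resource("printed runbook", networked=False),
    Resource("laptop local files", networked=False),
    Resource("VoIP desk phones", networked=True),
    Resource("mobile phones (cellular)", networked=False),  # assumed to stay up during the drill
    Resource("customer contact sheet (paper)", networked=False),
]

PROCESSES = [
    Process("incident triage", ("printed runbook", "laptop local files", "mobile phones (cellular)")),
    Process("customer support", ("CRM (SaaS)", "VoIP desk phones")),
    Process("customer call-back (manual)", ("customer contact sheet (paper)", "mobile phones (cellular)")),
    Process("order entry", ("ERP", "cloud email")),
    Process("stock check", ("ERP",)),
]


def drill(outage_hours=24.0):
    """Run the announced exercise: a systemic event lasting `outage_hours`."""
    return simulate_outage(INVENTORY, PROCESSES, outage_hours)


if __name__ == "__main__":
    for name, blockers in drill().items():
        status = "OK" if not blockers else "BLOCKED by " + ", ".join(blockers)
        print(f"{name:28s} {status}")
```

Running it for the full 24 hours shows only the two processes with paper and cellular fallbacks surviving; shortening the outage to two hours lets the stock check continue on the ERP replica. The value of the model is less in the verdict than in the argument it forces before the drill: every resource a process needs has to be named, and every fallback has to have a stated duration that someone can later test.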

"It is really very simple. In the foreseeable future, we will not function as a global society without the Net and the immense digital resources and information assets of our society. The addiction is established—commerce, government, education, and our neighbors offer no option other than to require that we rely upon digital information in making decisions. But we will not function successfully if the war for control of those assets is lost. The battlefield, however, is the one on which trust is to be gained or lost—trust in the information we use, trust in the infrastructures that support us, and trust in the decisions we make in a digital world."  --Achieving Digital Trust, Jeffrey Ritter