28 May 2017

Memorial Day 2017: Honoring All of Our Fallen...

On Memorial Day 2017 in the United States, we remember those who have defended our freedoms and our Republic.  As the sound of modern aircraft lift off in the distance and the 50 stars and 13 stripes of our flag wave in the wind, we pause.

This day, is about a visit to Arlington National Cemetery or another ceremony, to stand and remember those who you once knew:

Neil was just one of those who have served our country with distinction and honor in Special Operations.  A man who did not die, as a result of fighting in the Civil War, World War I or II, the Korean War, or Vietnam.  He served our country with courage in the Global War on Terrorism (GWOT):

"Neil Christopher Landsberg of Frederick, Maryland, passed away May 9, 2013. Born January 13, 1980 in Wichita, Kansas, he attended Thomas Johnson High School, Frederick, MD and Valley Forge Military Academy in PA. He graduated from the Citadel, Charleston, SC and served with distinction as a Captain in USAF Special Operations receiving the Air Force Commendation Medal, Air Force Achievement Medal, Meritorious Service Medal, Defense Service Medal, Afghanistan Campaign Medal, and Global War on Terrorism Service Medal. He was employed by Blackbird Technologies."

As we bow our heads this Monday, May 29, 2017, think about our United States and about the less than 1%.  The less than 1% of U.S. citizens who have made so many sacrifices in life, for our country.  You also have to include a tremendous thank you, to all of those family and friends who were and still are the support system for our service members.

Just up the Potomac River in Langley Virginia, there are 125 or so Stars on a Memorial Wall.  These remember those individuals from the CIA who have also fallen, in the line of duty to our nation.  They too are acknowledged and remembered this Memorial Day.

 What can you do on this day to "Honor our Fallen":
  • Donate or volunteer for a cause that was important to them
  • Write them a letter
  • Talk about them
  • Fly the American flag high
As you navigate your daily routine on Tuesday, reflect on all that Neil and the hundreds of thousands of others have given their life for:
"We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America."

20 May 2017

Board of Directors: 4D Strategy Revisited...

The Board of Directors are convening this week and there is an item back on the agenda, we haven't seen for sometime:

Recovery Time Objective (RTO) Recovery Point Objective (RPO)

These Business Continuity (BC) and Disaster Recovery (DR) parameters are being addressed for good reason.  WannaCry and the impending Tsunami of cyber worms attacking our critical infrastructure across the globe.

Designing a resilient and fault-tolerant architecture for your Operational Risk Management (ORM) strategy shall focus on critical assets and the impact of unidentified single points of failure.  Implementing a highly available IT infrastructure and resilient applications to quickly respond to major incidents or a disaster scenario is vital in our 24x7x365 operations.

Beyond a revisit to the ability to recover from a sudden disaster, the Board of Directors may be asking Senior Management about the global standard for Information Security:  ISO 27001:
The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
 More importantly for organizations who may say to themselves, "well we are safe because we are in the cloud" is the standard ISO 27017:

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

- additional implementation guidance for relevant controls specified in ISO/IEC 27002;

- additional controls with implementation guidance that specifically relate to cloud services.

As an example, Amazon Web Services Cloud Compliance enables customers to leverage their utilization of ISO 27001 standards.  Yet there are shared responsibilities  that you must be aware of within the shared responsibility model when it comes to the relationship with your organization and AWS:

While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.

So what?

If you retain ownership and control over your content within a cloud implementation architecture, what about answers to these highly relevant questions:
  1. What does our organization need to comply with the laws pertaining to privacy and data protection?
  2. Who will have access to content?
  3. Where will storage of content be located physically /  geographically?
  4. How will the content be secured both physically and virtually?
So in this environment of shared responsibility let us ask a simple question.  Who is accountable for the configuration of the AWS provided security group firewall?  This is an area of your responsibility including all operating system, network and firewall configurations.

The Board of Directors needs to revisit Business Continuity Planning and Disaster Recovery with the CIO and all IT stakeholders at your organization, including ISP's and any third party infrastructure suppliers.


The "Business" is in many cases out of "Synch" with the Information Systems / Data Management / Privacy / Security side of the enterprise.  The WannaCry issues may not impact your organization directly because you have already patched or your systems and are beyond the vulnerabilities of this Operating System specific threat.

Where the business is heading in the next six to nine months with mergers, acquisitions and even consolidation, will impact your overall enterprise architecture. The business pace of change will most likely be months even years ahead, of where the IT infrastructure is today and it must become more resilient.

In order to understand that an attack is actually occurring, normal results have to be documented and a historical trend has to be established. What is normal? How do you know what normal looks and feels like? You document, store, record and analyze what normal is. If you have done this for long enough and across the potential targets the attacker is trying to exploit, then you will know the second an unauthorized result takes place.

The Take Away

Documenting the behavior of people, processes, systems and external events is a vital component of a complete strategy for risk mitigation. Understanding what normal "is", begins with effective documentation and analysis. Many organizations begin to document long after it is too late or as a result of a significant business disruption. Documentation remains to be a challenge for many, and a task that attackers know is likely to be left undone or behind schedule.


You must create the culture and the due diligence to see that your IT strategy becomes part of the fabric of the organization internally and with outsourced partners or suppliers. Only then will the attacker realize that this combination to deter, detect, defend and document is alive and growing in your enterprise. This is when attackers become discouraged, afraid, uncertain and ultimately ready for a new and less formidable adversary.

Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result, to obtain their objective.  These "4D" lessons should put you on the way to creating a more survivable business.

14 May 2017

Digital Illiteracy: Trust Decisions in a Global Race...

Executive Management and the Board of Directors are asking Chief Information Officers (CIO) and CISO's about WannaCry this weekend.  The illiteracy and complacency of key officials in business and governments across the globe are again evident today:
"The ransomware strain WannaCry (also known as WanaCrypt0r and WCry) that caused Friday’s barrage appears to be a new variant of a type that first appeared in late March. This new version has only gained steam since its initial barrage, with tens of thousands of infections in 74 countries so far today as of publication time. Its reach extends beyond the UK and Spain, into Russia, Taiwan, France, Japan, and dozens more countries."
If you are an Operational Risk Management (ORM) professional in your particular organization, you may be on high alert.  You may have had a few sleepless nights since Friday, as the wave of infections propagated across systems and networks running Microsoft operating systems.

Are you or your organization a victim?  Why?

The illiteracy and complacency of senior management across commercial and government enterprises about information security, continues to plague our critical infrastructure sectors and institutions.  In 2017, this fact is our greatest vulnerability and threat.

How does any legitimate organization both public and private explain being subjected to an exploit, that has been known about for months?  What excuse could there possibly be, for not having patched a system, that is most likely far beyond "Out-of-Date"?  There will be many excuses told and so many others trying to explain to the Board of Directors about the lack of funding or the vast complexity of a systems network.  Yet here we are in 2017, with the same set of complacent attitudes and practices still in existence.

Emily Dreyfuss at Wired.com sums it up nicely from a government perspective:
"All of this underscores how digital illiteracy at every level of government endangers the security of the nation and the functioning of democracy. It takes a multi-pronged, concerted approach, with smart internal policies, federal legislation, tech savvy diplomats, and a willingness to realize information security is a critical skill for the defense of the nation—all of which is incredibly difficult to achieve even when a government is functioning well."
At the dawn of the World Wide Web, many of us in the "Information, Communications & Technology" (ICT) industry, understood and studied the new ecosystem and battle space evolving before us.  All of those subject matter experts and government officials, have been immersed in the Internet environment for over 20 years.  Even to this day, we wonder why executives still "Don't get it."

In many cases we understand that not every executive is going to understand the tech vulnerabilities of ransomware.  Yet are the same executives capable of understanding the simple concept of Disaster Recovery Planning?  The ability to accomplish incremental and daily back-ups of data?  We think they also can understand the concept of patching systems that are vulnerable.

The budgets devoted to ICT are in many cases a mystery to illiterate executives.  CIO's and Chief Information Security Officers (CISO) would most likely say in general, that they do not have enough resources to fight the battle.  This is known.

TrustDecisions that occur within the ranks of senior management are now maturing to the point of focus on building digital trust across the enterprise.  The decisions to trust between humans is different than the decisions to trust between machines.  Or is it?

Achieving Digital Trust requires a vast yet easily comprehended set of rules and policies.  Is the United States losing the race for "Digital Trust?"  Consider this blog post from Jeffrey Ritter:

"Advances toward digital trust, whether enabling commerce or government autocracy, require enormous resources to create the inter-dependencies and inter-operabilities that enable digital information to be functional and useful. The conspicuous absence of those resources is simply leaving the United States on the sideline. The disruption of digital trust may likely gain such momentum that no amount of “catch-up” investments will enable the combined assets of government and industry to catch up in the global, wired marketplace that now exists."

Executive management across America has a choice.  You as an individual could raise your education and awareness level on your ICT landscape, in several ways.  This in turn, may reduce the overall level of illiteracy and complacency across our critical infrastructure domains.  This will eventually lower our vulnerability over time.  Here is one solution:  StaySafeOnline.org

Let us start the lesson by defining the landscape and the battle space.  What is the "Deep Web?"  It is that part of the online universe, that is not indexed by traditional search engines.  But how large is it?  When asked this question to many executives, they have no idea.  Not a clue.

The "Deep Web" is 500+ times larger than the surface web and growing.  The "Deep Web" is 7500+ terabytes vs. 19 terabytes that Google and others capture.  Wake up and realize the magnitude of the problem-set, as you consider the next budget allocations for the safety and security of your enterprise.

The Trust Decisions you make with your colleagues, partners, employees, customers, communities and countries, will either make you more trustworthy, or will erode and erase trust.  At the pinnacle of your next major Trust Decision, ask yourself whether you are truly "Achieving Digital Trust..."

06 May 2017

Quiet Professional: A Leader Remembered...

Leadership has been written about since humans have been writing and recording history.  How leaders have been described, documented and chronicled over our existence here on Earth, comes back to the definition of leadership:  noun, the act or instance of leading - the office or position of a leader.

The leader and the characteristics of a particular person, are typically what is written about to document someone who is in a position of leadership.  It may start as an oldest sibling, leading younger sisters or brothers when Mother or Father is not around, or even deceased.

It may have all started in a school or church group, or as camp counselor, President of that social group, and then someday even also as a Mother or Father.  Leaders and leadership have so many facets and is in many cases just present, or absent in someone's life.

Over history, the definition of a person who has been or is a current leader, has several synonyms:

Synonyms boss man, captain, chief, foreman, head, headman, helmsman, honcho, jefe, kingpin, boss, master, taskmaster

In the broad and complex world we live in, these synonyms only describe a small facet of what true leadership is all about.  The vast realm of Operational Risk Management (ORM) also gives us additional context, when it comes to true leadership and the goal of ever increasing our overall safety, security and trust.

When someone writes your eulogy as an Operational Risk Leader, what will they say.  How will they describe you?  Perhaps none of the synonyms above are even mentioned.  Why?

It is because you are known as a "Quiet Professional."  Someone who is a leader and continues to exemplify the act of leading in so many ways and far too detailed to describe in words.  Yet you continue to aspire to improve, to listen, to learn.  You don't know it yet, but at your eulogy, others will describe you as a "Quiet Professional."

The "Quiet Professional" operates through life serving others, doing their best to continuously learn and improve on their greatest skills.  Yet at the same time, the true leader also recognizes the areas of knowledge and expertise they don't possess and so they will create alliances with others who do.

The small group, the team, the cohort, the class, the board, the executive office, the assembly, the country - they have a combination of leaders who are diverse in their skills, knowledge and aspirations and yet simultaneously, they have the same single mission.

How others will describe you and your leadership at your eulogy, is completely in your control as a human.  What are the characteristics of your particular way of leading and operating as a "Quiet Professional (QP)?"  Maybe it will sound like this:

QP was a person that not many people knew very well and that was just fine with them.  QP worked on becoming and performing each day, as the best they could be, with each person they encountered in life, one-to-one.  As a brother or sister, as a mother or father, as a friend and servant leader of others.

QP was always watching out for others.  Looking around the corner or over the horizon.  It was for three reasons.  Curiosity, building trust and continuous learning.  It was because QP always wanted to improve and to aspire for that next level of perfection.  QP wanted others close to them to feel safe and secure.

QP wanted others to feel as if they could do anything and could achieve anything.  What ever their particular mission was that day, month or year.  QP wanted those closest to them to know, they were always going to be cared for and looked after,  no matter what happened.

QP will always be remembered for their kind heart and tremendous courage.  QP will be remembered for their fierce competitiveness and simultaneous compassion.  They will be remembered for their ability to love.  Their ability to forgive.  And QP will always be remembered for their leadership.

Are you a "Quiet Professional?"...