24 June 2017

Walking the Talk: Asymmetric Lessons Learned...

Operational Risk Management (ORM) is about "Walking the Talk." What are you advocating in your solutions or services and advice to clients or within your own organization? When you "Walk the Talk", this means that you believe in and demonstrate first to yourself and your own organization that you execute and comply with what you say is policy and is a key factor in your own Continuity of Business Operations.

You carry out in a demonstrable form the rule-sets, best practices, ethics and behaviors that you are asking your own customers and your suppliers to follow. Your failure to do so, can have tremendous ramifications.  Nicholas Weaver explains:
The payload of CrashOverride is rather elegant in its simplicity; in a way it’s reminiscent of how a toddler might sabotage the lights at home. Once CrashOverride is running on a control system, it begins by mapping out all the circuit breakers. Once the payload knows where all the switches are, it can launch the primary malicious attack, either by turning off all the switches or—potentially more catastrophically—by repeatedly flipping them on and off until the substation in question is isolated.
Asymmetric Warfare is about an indirect strategy and the ability to compromise your target through non-traditional methods.  You and your organization might just be a pawn in a more sophisticated, planned and smart attack on a much more worthy adversary. Whether the intended target is a Critical Infrastructure organization in the financial, energy or defense industrial base (DIB) doesn't really matter.

Supply Chain Risk Management (SCRM) is not just about validating where and how embedded circuits, EPROMs or other systems software are ensured for quality and without tampering. SCRM is about your vendors themselves being compliant within their own enterprise with the manufacturing of their own products or the operational environment of their solution ecosystem.

The trust and confidence of your extended partners, clients, contractors and key suppliers is ultimately about "Walking the Talk." 
Malicious and trusted insiders pose a range of challenges in terms of counterintelligence risks and physical threats, and experts say policy needs to catch up quickly to the new technologies available to help mitigate the problem.  Mackenzie Weinger is a national security reporter at The Cipher Brief
If you are a prudent CSO or CISO of a critical infrastructure product or services organization, beware. You may just be what the enemy needs to perpetuate their asymmetric operations on the Homeland. Beyond your own reputation being at stake, so too is the trust, safety and security of the entire economic infrastructure of the United States.

17 June 2017

Innovation: Investing in the Linchpins...

There are new innovation initiatives that have been launched across America and internationally over the past few years.  Each has a vertical or horizontal focus to attract a particular set of entrepreneurs, coders, researchers and founders or data scientists.

You may have seen the accelerators, the incubators, training boot camps or even the H4D class being offered in your particular U.S. city or university lately.  Behind these initiatives are leaders, executives and fellow startup founders/practitioners who have developed a combination of methodologies and strategies, to produce new products and problem-solving business platforms.

After several years of practicing and mentoring in this category and recently devoting 30+ hours of first hand observation, there are several insights that were discovered.

First off, the quality and experience of instructors, mentors and the support ecosystem is vital.  You must create a robust program to recruit, train and continuously facilitate the actual people who surround the accelerator, incubator or university class and are devoting their time and resources to volunteer.

The ecosystem itself requires tested and proven processes, business rules and significant buy-in by all contributors.  The volunteers need a set of program prerequisites, a framework and the coaching along the way, to make their experience just as valuable as the participants in the innovation entities program.  Many of the mature innovation programs do this already.

Second, the founders, subject matter experts, linchpins, content providers or problem-set sponsors should have their own meetings and live interactions before and after each iteration of the participants program.  As an example, if the incubator has a cohort that is in-residence over the course of 10 weeks, on Tuesday's from 4:30-7:30PM, then the volunteers should meet for 30 minutes before and 30 minutes afterwards.

Why?

During those 3 hours there are plenty of live interactions, new learning, comments and ideas generated with the actual program participants.  It is just as valuable for the volunteers to share and interact after each iteration or cohort meeting to prepare and to debrief.  Certainly some of the follow-up learning could be captured using Slack or other online tools, yet having those linchpins face-to-face and interacting live is ever so valuable.

So What?

The maturity of the systems and processes associated with the innovation initiative, will be a key factor in the long term success and longevity of a particular program.  Yet even a set of solid systems can be influenced and characterized simply by the combination and quality of people, who are interacting and supporting these systems.  The parallel effort and devotion of one-to-one development, training and post program-metrics of these instructors, mentors, problem-sponsors and facilities or resources donors is paramount.
If you are an innovation engine producing new entrepreneurs and business startups that utilizes an ecosystem of volunteers, your future success will be directly linked to these vital linchpins...

04 June 2017

Decision Advantage: The Business of Information Assurance...

The CxO's in the Global 500 are evermore involved in the state of asymmetric warfare over Intellectual Property (IP), Economic Espionage and the simple but effective use of ransomware.  The "Decision Advantage" and national security implications, intersect with international commerce and the consistent security vs. privacy policy debates.

How would you invest resources to Deter, Detect, Defend and Document (4D) within your enterprise, if you knew that your organization would be continuously vulnerable for the next 6 years?  What would you change, if this was the current state of play:
"A recent study from the RAND Corporation, a global policy think tank, determined that among any given entity's stockpile of zero-day vulnerabilities, only 5.7 percent of these bugs will be discovered and publicly disclosed by a second party within a year's time. (Note that the study does account for additional groups that may also find some of the same bugs but decide to secretly hoard them.) Moreover, the study found that exploits and their corresponding vulnerabilities have an average life expectancy of 6.9 years before they are uncovered and patched."
You won't have to invest more dollars in your pest extermination company such as Orkin to address these kind of bugs.  The software vulnerabilities that exist in your organization, will be unknown to you long enough for the adversaries to live and operate freely inside your company, for months if not years.

The mindset shift that is necessary now, is to view the enterprise as any major change management initiative.  One that is continuously evolving based upon market shifts and new product introductions.  You have to be "Adaptive" and you must respond to the competitions new marketing campaigns.

Why is it so hard for you, to take the "Strategy of Business" and make the leap to the "Strategy of Information Security?"

When the competitor launches a new feature set and the corresponding Ad campaign, how do you pivot?  What do you do to counter the potential erosion of your market share?  How much money and resources are devoted to the new roll-out, brand recognition and sales events?

Can you imagine sitting back and doing nothing for months or years, while your adversaries in business are exploiting your slow and weak response in the marketplace?

The nation-states and Crime, Inc. is betting on the reality that you don't take Information Security seriously in your organization.  They do their research to see what Global 500 organizations are keeping their Information Technology budgets flat, year-to-year.  They use this Intelligence to stack rank their list of targets for the software vulnerabilities they are buying each day on the "Deep Web."

Is your Chief Information Security Officer (CISO) still reporting to the Chief Information Officer (CIO)?  Is your Chief Privacy Officer (CPO) even part of your Senior Staff?  Can you show a line item increase for Information Security in your year-to-year budget, to address the change management reality and strategy of your enterprise?

Have you and your Board of Directors had a briefing yet on "The Shadow Brokers?"  What does it all mean for your enterprise?

It means that the traditional way of thinking about protecting and defending your organization is over.  It means that the standard "Go-to-Market" strategy and "Competitive Intelligence" investments that you are making should incorporate a parallel "Information Assurance" program.

The business of an "Adaptive Enterprise Architecture" and "Decision Advantage" requires bold new thinking and even harder changes of personal and organizational behavior.

So what?

The truth and reality of your business survival means a significant change in strategy and in investment.  Do your own research within your own organization this week.  Get the numbers and the data to show how much you are spending next budget cycle on Information Assurance vs. last year.

Find out where the budget is being allocated year-to-year and why?  You know how to do this.  Just like you have been doing it, with the Marketing and Sales Department.

What is the opportunity?

Sometimes the digital truth is difficult and in the end, the trusted reality becomes almost "Darwinian".  Survival in the next decade will be about your "Decision Advantage" at the speed of Digital Trust...