28 October 2017

Critical Infrastructure: "Known Vulnerabilities" in Your Enterprise...

What are the known vulnerabilities in your enterprise architecture?  We will come back to this question.

Asymmetric Warfare across the globe spans a digital Internetwork that has it's roots fostered in openness and with little regulation.  We are in many instances within real possibilities of significant digital systems failures.  Here is a just small window into that battlefield.

Operational Risk Management (ORM), is a mature discipline that you and your organization shall embrace, study, expand and continuously support.  One facet of Operational Risk, the Information Technology (IT) systems in your enterprise, is not part of an evolution any longer.  It has become a pervasive and mobile social revolution, that is now accelerating beyond your comprehension.

Let's put it another way.  Known but unmitigated vulnerabilities, will likely be the origin of your demise, failure, damage, ruin and loss of precious assets.  Why do you let it continue?

You and your organization are on the edge, operating each day with peoples lives, reputations and Personal Identifiable Information (PII) at stake and even the livelihood of the enterprise itself.

Whether that is your family, business, state or even your country, you can do something more to address your known vulnerabilities.  Do you know who, what and where they are in your enterprise?

When you hear the name "Equifax" today, what do you think?  Data security breach, correct?  What about these organizations:
  • Whole Foods Market Services, Inc.
  • Discover Financial Services
  • Transamerica
  • Hyatt Hotels
  • Northwestern Mutual Life Insurance Company
  • Wells Fargo Advisors
  • Sprint
  • Massachusetts Mutual Life Insurance Company
  • Sharp Memorial Hospital
  • Virgin America
  • The Neiman Marcus Group
  • Keller Williams Realty, Inc.
  • Club Quarters Hotels
  • Hard Rock International
  • Four Seasons Hotels Limited
  • BMO Harris Bank NA
  • Bank of the West
  • Gannett Company, Inc.
These are all well known companies, who have reported data security breaches by law, to the State of California, over the past 6 months.  There are dozens more of other organizations who are not large, well known brand names such as these.  Some are as a result of the Equifax breach and organizations who were using Equifax product solutions internally.  Now multiply this by 50 states.

So what?

Our Critical Infrastructure(s) in the United States are something we just take for granted.  Bank ATM's on every corner, bridges across bays and rivers, trains and planes departing from even small cities, trauma hospitals, massive hotels and supermarkets, fiber communications and LTE wireless network connectivity almost everywhere.

Let's come back to where we started.  What are the "Known Vulnerabilities" in your enterprise architecture?  Why are you so certain, that your adversaries are not currently inside your network?

The resilience modernization of your particular enterprise, is going to be expensive.  Mostly, because it has been patched and poorly integrated for a decade or more.  In some cases, simply because your adversaries and competition are more stealthy than you are.  Faster than you are.  Smarter than you are.  Laying in wait.

So what are you going to do about it?  In your home, business, city, state, or country and beyond?
"As a highly connected nation, the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining the policy set forth in this section. Within 45 days of the date of this order, (May 11, 2017) the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Commerce, and the Secretary of Homeland Security, in coordination with the Attorney General and the Director of the Federal Bureau of Investigation, shall submit reports to the President on their international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation."   Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure 
You are going to find, repair and replace your known vulnerabilities.  Then repeat.  When you think you are finished, you can begin the next project, on your UNKNOWN vulnerabilities.

22 October 2017

Threat Management Team: Preemptive Risk Strategy....

The Corporate Threat Management Team (TMT) has been busy this past year and your employees are consistently seeing new and startling behavior beginning to emerge. These small and versatile task forces within corporate Operational Risk committee members include the Chief Security Officer, Human Resources (EAP), Ethics & Compliance, General Counsel and Chief Information Officer or Privacy Officer.

Assessment of threats in the workplace that include violence, sabotage, financial fraud, homicide or suicide are growing in the current economic environment and the Board of Directors are on alert. The Board has a daunting responsibility to provide the enterprise stakeholders:
  • Duty to Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
Threat assessment is a legal responsibility by corporate management and directors but this is not anything new per se. What may be trending upwards and at an alarming rate is the litigation associated with "Insider Threats."   Just ask Dr. Larry Barton about the subject of corporate threat assessment:
"Despite sound recruitment practices, any employer may encounter situations in which colleagues are worried about their safety because of the actions or statements made by a co-worker. The person at risk could be a current employee, former associate/contractor, disgruntled customer, investor or other person who makes or constitutes a threat to your most vital resource - your human capital."
This (Threat Assessment) approach employs strategies that have been successful in a variety of situations, including:
  • an associate being stalked by a spouse or former partner
  • an employee who states that he or she is experiencing significant mental deterioration or who has thoughts of self-harm or homicide
  • altercations between co-workers and/or with a supervisor that are escalating in tone and severity
  • serious changes in attitude and performance with known or suspected substance abuse factors
  • social networking, blog and other means of electronically threatening an individual or team
Having personally witnessed Dr. Barton's methods and approaches, the science and his applications are sound. The strategy for implementation is based upon several decades of experience and encompasses the legal framework necessary to sustain the scrutiny of law enforcement and the courts.

The actions that are utilized to address a growing threat by a person in the workplace takes a dedicated team, with the right tools and information at their fingertips. Making split second decisions based upon a lack of documented evidence, protocol failure to a set of written policies or just the wrong timing can open the doors for substantial and costly plaintiff suits.

Achieving a Defensible Standard of Care in the reality of today's volatile enterprises requires a sound governance strategy execution combined with new resources and tools to properly prepare for those almost certain legal challenges. Combining effective "BioPsychoSocial" subject matter expertise, along with the right people from legal, security, investigations, internal audit or corporate risk management can produce successful outcomes for "At Risk" employees and the entire enterprise.

This brings us to the next point regarding how a particular employee was allowed to get to the point of "No Return" in the workplace. Put on your thinking caps for a few minutes.

Whenever you have a Threat Management Team assembling to interdict a serious danger to the company, you immediately start to converge on the motive or reason why the person has or is acting against company policy or behaving in a threatening manner. It's natural to do so, as most people want to know what's causing the issue. Be careful. What seems to be the cause is only known as the "Proximate Cause." Do you really understand the "Root Cause" of the failure of people, processes, systems or some external events?

The analysis, investigation, documentation and presentation on what happened and why is the hard stuff. Getting to the "Truth" and getting answers to the "Root Cause" requires another team of specialty practitioners. These independent, outside risk advisory professionals should not be from any current or existing corporate supplier, auditor or management consultant. They truly need to be the independent, unbiased and diligent entity to discover the truth and to document the root cause of the incident. The goal is to eliminate the future threat and to mitigate any risks that may still be "lying in wait."

Corporate Management and Boards of Directors must continue to move to the left of the proximate cause on the risk management spectrum to be preemptive, proactive and preventive.

15 October 2017

OPSEC: Knowledge Ecosystem Risk...

The "Leadership of Security Risk Professionals" is consistently in the news because Operational Risks within the enterprise are becoming ever more exponential.  The ability for specialists in the field or the C-Suite to operate on a 24/7/365 basis is a tremendous challenge.  In order to address a continuous spectrum of operational risks, we must actively monitor our culture and those behaviors that could make us lose sight of what we know is right.

At this moment, the explosion of mobile technologies has created a simultaneous set of new risks and opportunities to be leveraged.  Each human asset in your organization is another node in your digital ecosystem of connected machines.  The person now has the ability to stream live video from their mobile phone camera back to an Emergency Operations Center (EOC) or become an active participant in Irregular Warfare (Security, Development, Governance).  All they require is the correct App on their smart phone and 3G connectivity.  How the leaders in the enterprise that are charged with the risk management functions operate, collaborate and share relevant information, is just as important as what information.

In the private sector, as the leader of the HR functions responsible for hiring and terminations of employees, you are in the nexus of Operational Risk Management (ORM) and legal compliance.  The threats and vulnerabilities you experience and are accountable for mitigating, are going to be quite different than your fellow leader in the Information Technology department.  This is where we want to emphasize a major point:
The leader of HR, does not possess the same domain knowledge that the IT leader has, with respect to risks to the confidentiality, integrity and assurance of information stored in a Virtual Machine VM) at a third-party data center.  Just as the IT leader, does not possess the same domain knowledge that the HR leader has, with respect to the employees who have just given their two week notice.  Therefore, since both are accountable and responsible for their specific domain roles to mitigate risks to the security of the enterprise, how do they share information, collaborate and operate simultaneously to ensure the safety and security of the organization?
In order to act with unity of purpose throughout the global enterprise, each of these domains must be able to operate seamlessly, within the context of the larger enterprise ecosystem.  The leaders and stewards of the security risk profession must continue to adapt and continuously improve the decision advantage of the vast knowledge ecosystem before them.  The cultural and behavioral attributes of this ecosystem, can be a single point of failure that continues to plague our non government organizations, our private industry sectors and even our country.

What if your only role and job inside your particular organization was to make sure that information is being shared on operational risks?  How would you accomplish this?  How would you organize the mechanisms in each department for collection and dissemination of relevant information, to the other security risk professionals in the enterprise?  Believe us when we say that the answer is not another digital dashboard or wiki.
On September 30th, 2012, the 2nd season of the hit Showtime Television series "Homeland" aired in the United States.  The writers for this first episode of the season with Emmy winner Claire Danes,  made a reference in the script at one point, that brought back horrific memories of a failure of U.S. operational security. 
This reference, was to a real world event.  It was December 30th, 2009 at Forward Operating Base Chapman, in Khost Afghanistan.
This single mention in the script by the "Homeland" writers of this devastating event in history, should remind us all once again, that people, culture and the soft skills of communication, can and will be our most deadly vulnerability.  As a result of this set of cascading circumstances, five more stars are now on a wall in Langley.  This is another stark reminder of how personalities, power base and trust of information, can still fool us into a social engineering nightmare.

The future "Leadership of Security Risk Professionals" will use this event at FOB Chapman as a classic case study.  In order to enhance the effectiveness of the field specialists and the C-Suite, they must improve their ability to operate in a continuously dynamic sea of cultural behaviors, within a vast and expanding knowledge ecosystem.

07 October 2017

Unanswered Questions: Leading Teams in a Virtual Domain...

The "Art and Science" of Leadership in disconnected environments is challenging to say the least.  The science might be initially enabled by the utilization of technology-based platforms including mobile smartphones, Cloud and even SATCOM capabilities.

The art or "How" of leading teams in a geographically dispersed area, across hierarchies of people with precision and speed is the hard problem.  The problem-set for so many growing organizations today.  How do you create a leadership mechanism with the right "Linchpins," to enable trust and simultaneously execute vital tasks, across silos with a single purposeful mission?

Frankly, it is quite complex.  Yet there are proven methodologies and proven technologies, that will quickly jump start and improve your teams problem-solving abilities and to gain "shared consciousness."  It all begins with the leaders implementing a single organizational lens to view the enterprise architecture or operational landscape before them and communicate what they have experienced, witnessed and accomplished.

The shared "Network" of people, systems, philosophy, experience and purposeful mission is paramount to success.  The moving pieces of the network both human and technological or operational, work independently and yet they are becoming a single adaptive entity.

Building and enabling trust across domains, working groups, operators and the significant distance between horizontal or vertical communication, is now the nexus of the "Art and Science" of Leadership.  You have probably read countless books and seen inspiring talks, by people who have done it all, experienced it all and still to this day will admit, that the human organizational issues still keep them from sound sleep at night.

Will those individuals who are in front of the problem-set on your team, act without hesitation?  Do they have the best possible information at their finger tips to make the "Trust Decisions" to achieve their objective?  How will the outcomes of their actions build on the entire teams goals and aspirations?

Whether your team is a family, a work group, the neighborhood, a company, a municipality or an agency doesn't really matter.  The people, processes, systems and external events are going to continuously challenge the intended forward direction.

So what?

This is all great, yet it sounds like we are describing environments where all of this leadership action is taking place in a purely physical world.  What happens when 99% of it is happening in a "virtual space?"

Inside the virtual computing consciousness of the global Internet, across a domain of space made possible by Virtual Machines (VM), solid-state storage and the software comprised of just Zeros (0) and Ones (1).  Now just add billions of interconnected (IP) devices.

The good news is, that much of this virtual environment still requires having human intervention and human participation.  Simultaneously, through global systems automation and use of Bots, Artificial Intelligence (AI) and other autonomous "Machine Learning" inventions are now on our doorstep.  This is our new reality:
The speed that the autonomous machines are making decisions and the abilities they are gaining in shared consciousness, is in most cases beyond human understanding.  The global organizational and national security implications are gaining momentum.
So what does leadership need next, for us to survive the remarkable velocity of our Trust Decisions, in an exponential virtual world?  How do we put it all in perspective?  What are the remaining unanswered questions? Author Jeffrey Ritter gives us his insightful context from decades of experience:

"It is essential to our human nature to make trust decisions. The Net has become essential to our existence. Whether or not this book prescribes the right direction, we will not survive as a global community unless we commit to a new architecture that enables trust in the digital assets of our world to be established and maintained. The solution, I believe, is found in understanding that trust is the essential predicate to the creation of new wealth. Working collaboratively, the world’s population can achieve both trust and wealth.

From my earliest work with the United Nations, I have recognized that the greatest potential of the Net is its ability to enable any of us to trade with anyone else. Trade inherently creates wealth for all of the participants. The curious thing about trade is that, when it proceeds properly, enriching all stakeholders, trade is the ultimate dis-incentive for war. We simply are reluctant to do battle against those with whom we do business. If digital trust can expand our capacities to trade, and connect us effectively into a broader network with whom we can trade, the strongest possible incentives for sustaining peace emerge. That is my fondest hope for the Net, that it will be the infrastructure for enabling global co-existence. To achieve that dream, we must build digital trust."

What are your unanswered questions?...

01 October 2017

TrustDecisions: Beyond that Perfect Cup of Coffee...

You are out there helping and assisting a loved one or another person in need.  Your life has been a virtual maize of daily pathways and encounters, to where you are now.  Where, when and how will the next chapter unfold?

Our lives are a series of experiences, encounters, actions and reactions.  We each wake up each day with the unknown.  How will this day allow for creative thought, fulfilling dialogue, warm and loving feelings and maybe even just that perfect cup of coffee?

One thing is certain this new day of your life.  You have choices to make.  You are going to be challenged with new information to assess, analyze and then to make an informed decision.  The "Trust Decisions" that you process and act upon are human.

What about the TrustDecisions that are being executed by the millions of machine code and computers, that now permeate so much of our lives?  These devices to navigate you and your vehicles, silicon-based systems to calculate new found wealth or manufacture new goods or services.  The lines of program code in the software and at the heart of the hand-held machine you trust for communications, location or music, was designed and written by another human.

Or was it?

Prepare yourself for the next generation of TrustDecisions that are being executed by computers and machines, that were designed and written only by other very intelligent non-human systems.  Perhaps you will trust these inventions and the capabilities they provide, even more than you ever have in the past.  Artificial Intelligence is real.

It is the look on another persons face, the tone of your child's voice or the warm touch from your most precious loved one that really matters in life however.  Where will this day end up?  What will you do to make this day even better than yesterday in your life?

At some point you realize that you alone are responsible and capable of that next hour of joy or sorrow in your life.  You have the ability and the capacity to assist someone else in need, to contribute resources or knowledge that can change another humans course in life.

Somewhere along the way, you finally understood that you really are not in complete control.  From the day you were born, until today, October 1 2017, you have watched your life journey unfold before you.  How much of it has been all because you made the correct TrustDecisions?

The milestones of life are never guaranteed.  The perfect parents, the perfect friends, the perfect schools and teachers, the perfect spouse, the perfect kid(s), the perfect career, or even the perfect cup of coffee.

Yet today brings another life opportunity before you.  A new day to truly look around.  Think quickly about what your actions will be next.  To make a decision.  To act upon this with all your heart and mind.  Then to look to the sky and say a prayer.

You are well on your way to another purposeful day...