19 March 2017

Startup Strategy: Opportunity of Digital Trust in a New Era...

The startup ecosystem of new ideas for SaaS platforms or mission based digital solutions are becoming evermore robust, in our growing economy.  As a result, Operational Risk professionals are more in demand to help new co-founders adapt to the legal, compliance and consumer transparency requirements, that will soon descend upon them.

It makes sense, that when you are starting a new company you first are focused on the product/mission and who the intended market or user will be.  Yet soon after this is defined and the "Go-to-Market" strategy is in place, there is a tremendous amount of Operational Risk design and implementation of internal capabilities, that will be required.  In just Social Media, here is just one example:
"As social networks continue to mature, they increasingly take on roles they may not have anticipated. Moderating graphic imagery and hate speech, working to address trolling and harassment, and dealing with dissemination of fake news puts companies like Facebook and Twitter in powerful societal positions. Now, Facebook has acknowledged yet another challenge: Keeping your data safe from surveillance. That’s harder than it may sound. When you post something publicly on a social network, anyone can view it—including law enforcement or federal agencies."
Since the dawn of the Internet, new startup companies have been developing algorithms and bots to scour the vast landscape of "data oceans" for relevant content.  As public Internet tools, databases and consumer-oriented web sites were developed for even Blogs (Blogger.com) such as this one, other companies were figuring out how to capture the data content in their searchable systems.

Years later, startups developed ways to develop the API as a new product-set, so that other companies could embed and utilize a set of data or capability and have it more integrated with a new set of functionality or service mission.  What is one company in this category focused on Twitter?  Gnip.com:
"PowerTrack provides customers with the ability to filter a data source’s full firehose, and only receive the data that they or their customers are interested in. This is accomplished by applying Gnip’s PowerTrack filtering language to match Tweets based on a wide variety of attributes, including user attributes, geo-location, language, and many others. Using PowerTrack rules to filter a data source ensures that customers receive all of the data, and only the data they need for your app."
So what?

If you are a startup company that is planning on a pledge to your customers to "Keeping your data safe from surveillance," just as the juggernaut Facebook is also currently doing, you have a tremendous amount of work and new processes/systems to get in place.  You are embarking not only on the steep growth curve of adding new customers and revenue; you are simultaneously under the mandate to help achieve a higher level of "Digital Trust" with those same customers.

Developing the policy alone is only the start.  Here is how Twitter is addressing it:

"To be clear: We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement — or any other entity — to use Twitter data for surveillance purposes. Period. The fact that our Public APIs and Gnip data products provide information that people choose to share publicly does not change our policies in this area. And if developers violate our policies, we will take appropriate action, which can include suspension and termination of access to Twitter’s Public APIs and data products."

How Facebook and Twitter and Snapchat or LinkedIn and all of the hundreds of Social Media companies will scale up enforcement, is now the big question.  Maybe they have the deep pockets and resources to build and operate their "Digital Trust" business unit.  What about the new startup with only 6 or 7 figures in the bank from a seed or even "A" round of funding?

The policy implications and new federal laws being drafted in the United States and the European Union may be good indicators of where the future requirements will be defined for a new startup.  In the EU this week, the G20 finance ministers are converging on the topic of "Cyber Crime" soon after a recent indictment:
"Two intelligence agents from Russia, another G20 member, with masterminding the 2014 theft of 500 million Yahoo accounts. The indictment was the first time U.S. authorities have criminally charged Russian spies for cyber offences including for computer fraud, economic espionage, theft of trade secrets, and wire fraud."
How will the new startup who is focused on addressing transparency, privacy, and surveillance now "Enable Digital Trust of  Global Enterprises."  Here is a glimpse from the latest PwC CEO Survey:

"Yet, if forfeiting people’s trust is a sure-fire route to failure, earning their trust is the single biggest enabler of success. As an example, the progression from assisted to augmented to autonomous intelligence depends on how much consumers and regulators trust machines to operate on their own. That, in turn, depends on whether those who create the machines have the right risk and governance structures, the means to verify and validate their claims independently and the mechanisms to engage effectively with stakeholders."

"In short, trust is an opportunity, not just a risk. Many CEOs recognise as much: 64% think the way their firm manages data will be a differentiating factor in future. These CEOs know that prioritising the human experience in a virtual world entails treating customers with integrity."


Welcome to the new era of achieving Digital Trust...

12 March 2017

Vault 7: Adapt to Live Another Day...

When you spend enough time in any austere environment, you begin to respect it's abilities to change rapidly.  You begin to respect the changing natural forces and how these new potential threats could become a new Operational Risk in just minutes.  The decisions that you make in the next few seconds, could mean a positive outcome or a significant catastrophe.

Will you turn right or go left?  Will you accelerate or slow down?  Will you ascend or descend?  These decisions that you make in your quest to adapt to your changing austere environment will forever be remembered.  Whether they are stored in the synapses of the brain or the log files of an autonomous system executing code, the trust decision is evident.

How long has it been since you really took a deep look at your decisions the past minute, hour or day?  This analysis of the evident decisions made and the environment that you are operating in will forever allow for growth or death.

Systems thinking and the continuous learning of a changing environment can happen at 12,000 feet above sea level at minus 10 degrees, or within the climate-controlled data centers or corporate offices of your global enterprise.  What are you doing today to help achieve new levels of trust, in order to survive another day?

Why is it that so many individuals are surprised when they get a call from their CxO or even corporate counsel that sounds like this?  "It looks like our Intellectual Property or Trade Secrets, are now in the hands of our competition".  "Our enterprise is encountering significant new risks to our ongoing operations and we must adapt immediately'.
Introduction
Just as American and European critical infrastructure executives were beginning to wrap their minds around the devastation of the Office of Personnel Management, ransomware erupted onto the scene. We then experienced concentrated DDoS attacks such as the Mirai botnet attack on Dyn, which enabled a quantum leap for cyber criminals of even the most novice of technical aptitude to wreak havoc on targeted organizations at the click of a button or for less than one bitcoin. Unfortunately, adversaries continue to evolve, and cyber defense remains a reactionary culture. Numerous, persistent and adaptive, cyber-adversaries can more easily, remotely and locally besiege critical infrastructure systems, than information security personnel can repel the incessant barrage of multi-vector attacks. Now, all techno-forensic indicators suggest that an under-discussed cyber-kinetic attack vector will ubiquitously permeate all critical infrastructure sectors due to a dearth of layered bleeding-edge military grade cyber security solutions. Unless organizations act immediately, in 2017 The Insider Threat Epidemic Begins.
Some people are surprised.  Yet it is the small team of "Operational Risk Professionals" in your enterprise, that have been continuously training, operating in clandestine and unknown environments and learning each day, for this moment.  They are not surprised.  They are the people who have designed their operations and systems to be resilient, to endure austere environments and to adapt to live another day.

Seek out these people in your organization.  Find the expert individuals in each of the departments or business units, that also interface with your external environment and supply chain.  Now look inside and in the mirror.  Where are the vulnerabilities inside?  How can you adapt your operations to create trust with employees and simultaneously make your organization more resilient?
Take the “Vault 7” CIA data Wikileaks released this week. Assuming it is legitimate, it originated from a network that presumably has a very small attack surface. Wikileaks expressly claims that the data is from “an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virgina,” and experts agree that seems likely. And knowing that CIA networks are probably secure and defended supports the notion that the the data was either leaked by someone with inside access, or stolen by a well-resourced hacking group. It’s far less likely that a random low-level spammer could have just casually happened upon a way in.
 Build digital trust in your organization by better understanding the entire surface for potential attacks.  Analyze the rules that are in place now and how they might need to be changed according to the continuously changing environment you operate in.

Finally, adapt to live another day...