20 July 2019

Whole Community: OPS Risk Spectrum...

Operational Risk Management is a discipline that comprises a spectrum of "All Threats and All Hazards." It calls for a "Whole Community" approach to the nexus of national security, economic security and the entirety of our citizens.

The resilience factor in your private sector organization, or in the entire nation, will consistently be tied to the weak links in your preparedness:
  • Prevention
  • Protection
  • Response
  • Mitigation
  • Recovery
One of these five aspects will be your nemesis when the next incident or catastrophic event touches your company, city, state or country. Together they form an increasingly interdependent ecosystem that determines your resilience factor. What business units, neighborhoods, counties or states are your weak links?

With every global event, whether it be an Active Shooter/Terrorist attack, Earthquake, Flood, Hurricane, Fire or Oil spill, the local community has a 72-hour window that will dictate its destiny.

Three days that will set the tone and the direction for the remaining weeks, months and years of recovery.

Time and time again we are reminded how important an effective security posture must be, before the "Whole Community" can begin to operate effectively. So what is the most effective system that focuses on people and not necessarily just a single process?

What are the correct steps soon after the event unfolds? The answer lies with the subject matter experts (SMEs) who time and time again, have been at the zero hour or day of the incident itself:
  • Security
  • Medical
  • Water
  • Shelter
  • Food
  • Counseling
Human behavior is an unpredictable factor. It can impact everything in terms of the speed and quality of post-incident response. Without security, the first responders who perform medical triage will be reluctant, and in harm's way, when treating those who have a greater likelihood of surviving.

This cascades into several discussions that we know are hot for debate. What if the first responders are your fellow tenants on the floor above you, or in the office building next door, rather than the professionals from the local fire or police department?

"Citizen First Responders" (CFR) are your organization's front-line Operational Risk Managers.

They are the individuals who will have the "Ground Truth" and will be required to make the hard and fast decisions on what needs to be secured, who needs to be saved and where to establish incident command.

How many CFRs are ready in your organization today? Your business park? Your neighborhood? Who is in charge of security? The list goes on...

Post-incident, it all begins from the ground up with people who want to be more active as a "Citizen First Responder" and who are given the programs, tools and training. Here are just three facets of the different types of CFRs that exist:

The list of Non-Government organizations (NGO), Faith-based organizations (FBO) and others that exist is extensive. Like most things, you have a pyramid where only a few rise to the top to become the most effective, because they truly understand the discipline of Operational Risk Management (ORM).

Yet security is still the concern of any civilian-based personnel and population, even today.

Where is the weak link in your Operational Risk spectrum?

13 July 2019

Red Zone: Behavioral Analysis Interviews...

Industrial Espionage and the theft of trade secrets are continuously on every Operational Risk Management (ORM) executive's mind these days. The names Chelsea Manning and Julian Assange have been headline news for years.

In addition, the 2009 conviction under the Economic Espionage Act of 1996 in the United States is a stark reminder of the accelerated requirements for an "Insider Threat Program" (InTP) run by the counterintelligence and OPSEC units of major public and private organizations. Flashback to a decade ago:

"A former Rockwell and Boeing engineer from Orange County, CA was remanded into custody this morning after a federal judge convicted him of charges of economic espionage and acting as an agent of the People’s Republic of China, for whom he stole restricted technology and Boeing trade secrets, including information related to the Space Shuttle program and Delta IV rocket."

How 250,000 pages of classified, proprietary and otherwise sensitive information came to be found under this employee's house is a good question. An even more interesting question pertains to the controls for OPSEC and INFOSEC at Boeing in Orange County, CA a decade ago.

Information Operations (IO) or Information Security controls are only as good as the creativity and the will of the individual human being who exploits the vulnerabilities in the design, configuration or implementation of your layers of defense.

This is why the counterintelligence and OPSEC capabilities within the enterprise must be ever vigilant and continuously adapting to the changing personnel within the organization.

In collaboration with the Information Technology organization, the Digital Operational Risks that the OPSEC team is focused on these days have to do with Data Loss Prevention (DLP) software platforms and proactive data exfiltration detection capabilities.

As companies such as Boeing and other Defense Industrial Base (DIB) institutions utilize the latest software, hardware and other technology to assist in detecting and preventing "insiders" from stealing, changing or deleting sensitive information, there still remains the risk of human factors and social engineering.

Sometimes the low-tech, human-designed detection systems that build on the behavioral sciences can be just as effective as the newest software running on the fastest computer box.

One example is "The Reid Technique" in the context of doing routine interviews and investigations with a set of "Red Zone" employees. Who are the red zone employees?

They are the individuals who have particular access to systems or information, those who leave the organization for involuntary reasons, and people who may be 3rd-party suppliers to the key people in the red zone. So how does the Reid Technique help?

"The Reid Technique is a method of meeting, conferring with, and evaluating, the subjects of an investigation. It involves three different components — factual analysis, interviewing, and interrogation. While each of these are separate and distinct procedures, they are interrelated in the sense that each serves to help eliminate innocent suspects during an investigation."

The "Integrity Interview" is a highly structured interview with a job applicant. The purpose for the interview is to develop factual information about the applicant's past behavioral patterns.

The philosophy behind the interview is very straightforward: the most accurate indicator of an individual's future behavior is their recent past behavior.

The same technique can be used with a departing employee, with the emphasis on adherence to all "Acceptable Use" policies regarding digital assets and cyberspace access to organizational data repositories.

Individuals who show the characteristics associated with deception could become the subject of a further investigation to determine whether any unauthorized information has been sent to an encrypted webmail account, or whether a 2 TB thumb drive happened to be plugged into a corporate laptop the night before the last day on the job.
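The follow-up checks described above, matching a departing "Red Zone" user against endpoint telemetry from the days before their last day, can be turned into a repeatable triage query that feeds the interview rather than replacing it. The following is an added example, not code from the post or from any vendor's DLP product; the HR records, endpoint event lines, the unsanctioned-webmail domain list and the removable-media size threshold are all constructed for illustration.

```python
"""Correlate 'Red Zone' departures with endpoint events in the days before
the last day on the job.  Added example with constructed data only."""
from datetime import datetime, timedelta

# Constructed HR offboarding records (hypothetical field names).
DEPARTURES = [
    {"user": "jdoe",    "last_day": "2019-07-12", "type": "involuntary",  "sensitive_access": True,  "role": "employee"},
    {"user": "asmith",  "last_day": "2019-07-12", "type": "voluntary",    "sensitive_access": False, "role": "employee"},
    {"user": "bwong",   "last_day": "2019-07-10", "type": "voluntary",    "sensitive_access": True,  "role": "employee"},
    {"user": "vendor7", "last_day": "2019-07-15", "type": "contract_end", "sensitive_access": False, "role": "third_party_supplier"},
]

# Constructed endpoint telemetry: ISO timestamp followed by key=value fields.
ENDPOINT_EVENTS = [
    "2019-07-01T10:00:00 host=LT-0412 user=jdoe event=usb_mass_storage_mount capacity_gb=2000",
    "2019-07-11T22:14:03 host=LT-0412 user=jdoe event=usb_mass_storage_mount capacity_gb=2000",
    "2019-07-11T22:31:47 host=LT-0412 user=jdoe event=web_upload dest=mail.encrypted-webmail.test bytes=734003200",
    "2019-07-08T09:02:11 host=LT-0231 user=asmith event=web_upload dest=intranet.corp.test bytes=20480",
    "2019-07-09T17:45:00 host=LT-0199 user=bwong event=usb_mass_storage_mount capacity_gb=32",
    "2019-07-14T08:00:00 host=LT-0900 user=vendor7 event=web_upload dest=mail.encrypted-webmail.test bytes=1048576",
]

# Hypothetical policy inputs: webmail domains not sanctioned for corporate data,
# and the removable-media capacity above which a mount is worth a question.
UNSANCTIONED_WEBMAIL = {"mail.encrypted-webmail.test"}
USB_CAPACITY_THRESHOLD_GB = 64


def parse_event(line):
    """Split one telemetry line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def red_zone(departures):
    """Users meeting the post's Red Zone criteria: sensitive access,
    involuntary departure, or a third-party supplier to key people."""
    return {
        d["user"] for d in departures
        if d["sensitive_access"] or d["type"] == "involuntary" or d["role"] == "third_party_supplier"
    }


def exfil_indicators(departures, events, window_days=3):
    """Return (user, timestamp, reason) for Red Zone users whose endpoint
    activity in the last `window_days` before (and including) their last
    day matches either check described in the post."""
    zone = red_zone(departures)
    last_day = {d["user"]: datetime.fromisoformat(d["last_day"]) for d in departures}
    findings = []
    for line in events:
        ev = parse_event(line)
        user = ev.get("user")
        if user not in zone:
            continue
        # Window runs from `window_days` before the last day through the end of it.
        end = last_day[user] + timedelta(days=1)
        start = end - timedelta(days=window_days + 1)
        if not (start <= ev["ts"] < end):
            continue
        reason = None
        if ev.get("event") == "usb_mass_storage_mount" and int(ev.get("capacity_gb", 0)) >= USB_CAPACITY_THRESHOLD_GB:
            reason = "large removable media mounted"
        elif ev.get("event") == "web_upload" and ev.get("dest") in UNSANCTIONED_WEBMAIL:
            reason = "upload to unsanctioned webmail"
        if reason:
            findings.append((user, ev["ts"].isoformat(), reason))
    return sorted(findings)


if __name__ == "__main__":
    for user, ts, reason in exfil_indicators(DEPARTURES, ENDPOINT_EVENTS):
        print(f"{ts} {user}: {reason}")
```

The output is a short list of who to talk to and why, with the timestamped event as a concrete topic for the exit interview; the voluntary leaver without sensitive access never enters the query, and the small-capacity mount by a Red Zone user is dropped by the threshold rather than raised as noise.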

This low-tech method may still be one of the most effective means of industrial espionage: old-school methods paired with 21st-century technologies. All of the detection hardware and software, CCTV cameras, tagged files or RFID countermeasures will not be able to thwart a diligent, patient and trusted insider.

Utilizing "Behavioral Interview Analysis" can make the difference between early detection or late reaction.

And while the OPSEC group is working on the "Lone Wolf" insider, there are swarms of non-state attackers initiating their asymmetric information operations strategy against corporations and governments worldwide.

Economic espionage and attacks on nation states' critical infrastructures require a substantial shift in policy and taxonomy if we are ever going to be effective in protecting our IP and trade secrets.

While the CEOs and the Generals are being briefed on the latest facets of "Weaponizing Malware," we can only hope that OPSEC is still conducting the behavioral analysis exit interview.

A face-to-face encounter with someone who may just be that one person who has your most valuable intellectual property or trade secrets in the purse or backpack at their feet...

06 July 2019

Business Resilience: Supply Chain Risk to National Security...

The Operational Risks associated with a major disruption are now again at the top of the Board of Directors' agenda. Economic discussions inside corporate risk management executives' conference rooms have been focused on the WEF Global Risks Report these past six months.

"The Global Risks Report 2019 is published against a backdrop of worrying geopolitical and geo-economic tensions. If unresolved, these tensions will hinder the world’s ability to deal with a growing range of collective challenges, from the mounting evidence of environmental degradation to the increasing disruptions of the Fourth Industrial Revolution."

The art of Risk Assessment and Vulnerability Management extends far beyond the guards, gates and firewalls defending your global institutions. The risk of suppliers' "Supply Chain" disruption has grown significantly in the past few years as a result of just-in-time (JIT) inventory management.

This is further inflamed by the outsourcing momentum, as some economies continue their struggle with semiconductor trade wars or escalating natural disasters.

The implications and outcomes of a lack of effective supply chain resilience planning create exposure beyond just a loss of sales. Such a myopic approach to Operational Risk Management (ORM) strategy can extend to market share erosion and a tarnished brand image.

The risk assessment of suppliers' "Supply Chains" will not be overlooked by the Board Room any longer. More prudent audits of current supply chain exposures will take place, and corporate operations management will feel the pain for some time to come.

The independent and thorough review of the institution's exposures is going to make some in procurement and accounting uncomfortable. The risk mitigation strategy going forward will invoke a third-party review of most supply chain strategy planning, encompassing the use of "Black Swan" scenarios and alternative thinking on the risk of volatility.

A survey of resilience professionals conducted by The Business Continuity Institute found that almost three quarters of supply chains had experienced significant disruption in the 12 months prior to the study.

With 28 per cent of those occurrences attributed to supplier insolvency and 20 per cent to failure of outsourced service provision, almost half of these supply chain disruptions were down to supplier or service provider failure; in other words, circumstances outside one’s own immediate control.

So how resilient is your supplier's "Supply Chain"? The security and safety of your private sector organization's supply chain is now back on the Board of Directors' agenda, so how proactive is your organization?

Now think about this. What if the security and safety of your country depended upon a specialized semiconductor for an electronic component that was destined for Broadcom, Boeing, Raytheon or Cisco?

The risk in your supplier's "Supply Chain" may have significant consequences far beyond the bottom line at the next shareholders' meeting.

It could mean the difference between having a resilient economy, or even a devastating asymmetric attack on our Homeland.