25 August 2019

Red Team: The Unknown Adversary...

Anticipating risks and potential threats to critical assets takes a "Red Team" mentality. Communities and companies need to be training, planning and adapting to all hazards.

These hazards may be the structural failure of a bridge, ransomware attacks on major municipalities or the next major attack on our U.S. Homeland.

Critical infrastructure consists of the physical and cyber-based systems that are essential to the minimum operations of the economy and our government.

This means that many states are in a continuous review of their own critical infrastructure. When the analysis is done and the finger pointing is over, we will have one more example of why the public-private partnership is essential for the future of government and business.

Organizations such as WashingtonDCFIRST, ChicagoFIRST and others around the U.S. are working on putting more emphasis on critical infrastructure resiliency.

InfraGard in San Francisco, Los Angeles, New York Metro, Chicago, the Nation's Capital or any of the other 70+ major metro areas is just another example of how private business is interacting with government in the context of cooperation, coordination and connecting tens of thousands of subject matter experts.

The people who can make a difference long before an incident, or minutes after one occurs, can be found in each of these local chapters. How the local community takes advantage of these resources is up to government leadership, since over 85% of critical infrastructure is owned and operated by the private sector.
"The ability to anticipate an opponent’s intent is critical to many forms of planning, analysis, design, and operations. While this need is recognized in the military and intelligence communities, infrastructure providers and first responders find themselves on the front line facing a range of potential threats, that in many cases exceed the defenders' direct experience."
Having this "Red Team" mentality can save lives and dollars, through continuous exercises and a business resilience approach to discovering and eradicating newfound vulnerabilities...

18 August 2019

Performance Management: Risk on the Front Line...

As a leader in your particular organization, how often during your busy day do you think about culture? The organizational pace? The transparency and integrity that each key leader exemplifies, as they operate each hour with employees, partners and your most important community stakeholders?

Competent leaders who model performance management processes to make Operational Risk Management (ORM) an enabling and growth-oriented mechanism truly understand that this requires a mind-set shift.

Enabling more risk taking and catalyzing innovations to achieve superior growth requires the ability to effectively incorporate risk management into your daily work products.

When you log in to your app, create a new document, start a new e-mail or enter new data into the database in the course of your daily work, you are playing the role of an information risk manager. When you meet with, counsel, or coach a fellow employee, you have full control of how you are achieving new levels of trust.

The degree to which you follow the protocols, procedures and training involved with corporate records management, information security and workplace employment policies creates the foundation for how much risk and trust you will generate today.

Now think about how this will impact your continuous ability to be innovative, competitive and productive, while building a culture that employees, partners and community stakeholders will quickly recognize as trustworthy and extraordinary:
So, what is trust?
"Trust is the affirmative output of a disciplined, analytical decision process that measures and scores the suitability of the next actions taken by you, your team, your business, or your community. Trust is the calculation of the probability of outcomes. In every interaction with the world, you are identifying, measuring, and figuring out the likelihoods. When the results are positive, you move ahead, from here to there. When the results are negative, you rarely move ahead; you stay put or you find an alternate path." (Jeffrey Ritter, Achieving Digital Trust)
Turning risk management into performance management shall begin on the front line of the enterprise, with the ideal compensation strategy and the behaviors you are seeking from your front line customer service and field-based revenue generators.

Whether it's direct or indirect channel personnel, you have to understand how to use the right mix of compensation and incentives to drive a revenue risk appetite that is appropriate for your organization.

Performance Management could also be enabled or suppressed by the amount of power you give your 2nd Tier leadership. Do they have the ability to make a $1M decision or just $10K decisions when it comes to investing budgeted capital into their particular business unit growth?

Do they manage risk on a field or geographic level where they are the most informed and the most knowledgeable about the business, or is the "Mother Ship" back at the home office, dictating the way they spend or the way they invest?

The ability to know how to manage operational risk at the point of creating new information is the nexus of several disciplines and requires substantial situational awareness training.

Every minute that goes by with derailed leadership or a negative culture puts the enterprise at greater risk of lost performance opportunities.

Your cultural trustworthiness depends on how effectively you, as a leader, communicate with those whom you trust the most in your organization.

You need them to assist you with perpetuating a culture that understands the relationship between operational risk and performance management simultaneously on the front line...

10 August 2019

Fusion Center: A Top Line Opportunity...

Operational Risk Management (ORM) is about managing a jigsaw puzzle of vulnerabilities and threats that expose the weak points in community or organizational operations.

How can a U.S. community such as Las Vegas, NV, Dallas, TX, San Bernardino, CA, Dayton, OH or El Paso, TX, in concert with law enforcement, public safety, emergency management and private sector entities, embrace a collaborative process to improve intelligence sharing?

To work together and ultimately increase the ability to deter, detect, and prevent domestic terrorism while safeguarding our homeland, sometimes you have to tell a story and create a narrative.

Fusion centers bring all the relevant partners together, to maximize the ability to prevent and respond to workplace violence, terrorism and other major criminal acts. By embracing this concept, these entities are able to effectively and efficiently safeguard our homeland and maximize anti-crime efforts.

Who knew what, and when? Even before 9/11, the private sector had embraced the idea of "Fusion Centers" and for good reason.

It has often been labeled the Security Operations Center (SOC), where physical and information-based risk management professionals converge to address a spectrum of risks and new opportunities.
As a Board Director or Executive Committee member of your public or private organization, the economic reasons for doing this are many and the benefits of greater insight and more rapid response are a continuous mandate.
A fusion center is an effective and efficient mechanism to exchange information and intelligence, maximize resources, streamline operations, and improve the ability to mitigate internal and external risk events, by analyzing data from a variety of internal and external sources.

When you begin to coordinate the company departments or government entities, the rules of the game call for agreements, contracts and memorandums of understanding (MOUs). These are required to help facilitate coordination and cooperation. Here are some of the elements that should be considered:
  • Involved parties
  • Mission
  • Governance
  • Authority
  • Security
  • Assignment of personnel (removal/rotation)
  • Funding/costs
  • Civil liability/indemnification issues
  • Policies and procedures
  • Privacy
  • Terms
  • Integrity control
  • Dispute resolution process
  • Points of contact
  • Effective date/duration/modification/termination
  • Services
  • De-confliction procedure
  • Code of conduct for contractors
  • Special conditions
  • Protocols for communication and information exchange
Regardless of how much planning goes into the establishment of the corporate or the public domain fusion center, the challenges are similar: funding, resources and attention from the power base of leadership.

One way to keep the Fusion Center at the center of the CEO's or Mayor's daily progress review comes back to economics. The top line revenue discussions here are no different from the arguments that the head of Marketing makes for the advertising budget: the bottom line.

The Chief Marketing Officer (CMO) is consistently getting a robust piece of the budget pie because they have done an effective job of convincing everyone that advertising/branding is what generates sales leads.

Sales leads convert to top line revenue. So the question is, how many dollars produce a sales lead, and what is the ratio of the number of leads generated to the number that close as new revenue business?

What is the argument for the head of the Fusion Center? How does this become a top line revenue opportunity and not just a cost?

Just as advertising is justified by the leads it creates, the Fusion Center creates a different yet equally valuable risk management lead.

In either case, the data and information required to generate a lead in advertising and to generate a lead in mitigating risk begins with a hypothesis.

At today's speed of business and commerce, both are generated from raw data and information either collected internally or purchased externally to the organization. The answer lies in the Information Economics exercise of analyzing how each is generated and its value to the community and the continuous operations of the organization.

In the end, you may find that both are equally important and now it's a matter of fine-tuning the ratio of budget dollars devoted to the Fusion Center vs. the Marketing Department.

If you are a Chief Risk Officer (CRO), Chief Information Security Officer (CISO), or Chief Security Officer (CSO), the answer to consistently funding your Fusion Center just might be found in how timely data and information are utilized.

What is the true value to the continuous livelihood and resilience of your community or enterprise...

03 August 2019

Intelligence Factor: A Decisive Risk Element...

In this review by Thomas Powers of John Keegan's book Intelligence in War: Knowledge of the Enemy from Napoleon to Al-Qaeda, Mr. Powers captures the essence of the decisive risk element of local information:
"The real challenge in the war on terror is one we got right in the war against Nazi Germany and failed badly at in the war in Vietnam -- helping the locals do what they want to do on their own. The free French, the partisans in Yugoslavia, the Poles and the Czechs all desperately wanted the United States to win because our enemy was their enemy. In Vietnam, our locals were defeated by their locals, who just wanted us to leave.
The war on terror is something of an afterthought in Keegan's book, added because he believes intelligence is likely to be the decisive weapon. He is surely right about that. But victory won't come from big intelligence, the kind Americans are best at -- gathering so much information and acting on it in so timely a manner that the terrorists will be nailed as soon as they step out the door. Winning this contest requires an older kind of intelligence: the kind that grows out of deep knowledge of place, language, culture and people, and then getting the basic question right -- knowing what the locals want to do on their own and putting that first."
Operational Risk Management (ORM) in your particular Area of Responsibility or Enterprise is about the mitigation of attacks on your assets and eliminating potential hazards, in order to be a more resilient foe, or competitor on the corporate battlefield. Intelligence is information. Only information at the right time and from the right source can give you the edge to fend off the latest barrage of shareholder lawsuits, denial of service attacks on your corporate web site or the smoldering fire in the janitor's closet.

Whether that intelligence (information) is being gathered by sensors detecting smoke, packets on the network, or the late night cleaning crew, you will not have a chance of acting in time without the human element. The human factor is still the last fail-safe for determining whether a "False Positive" or "True Negative" is at hand.

Human Intelligence is being gathered every hour of every day that humans are talking to each other, writing to each other or walking around using other signals to communicate. The eyes and ears of your organization are what will ultimately determine whether you win or lose the risk mitigation battle you are fighting.

Managing risks to your operations requires a network of human intelligence from the front desk to the loading dock. Intelligence is being gathered on every sales call and each customer service call to the 800 number. However, it is not until you act on what you are learning, that all of this information is converted to something productive or protective.

Look around you. How many sensors and repositories of intelligence are walking around your organization today without any way, or anyone, to convert all of that raw information into a mechanism for effective Operational Risk Management?

The organizations that truly understand how to capitalize on the collection of organizational intelligence and act on it without hesitation will be the most resilient operators and the most formidable competitors on our global asymmetric business landscape...