29 September 2019

DEF2019: Far Beyond Innovation in U.S. National Security...

"The creativity and talent of the American warfighter is our greatest enduring strength, and one we do not take for granted."  --Summary of the 2018 National Defense Strategy

Walking away from the Defense Entrepreneurs Forum #DEF2019 Annual National Conference today in Washington, DC, produces so many simultaneous thoughts and emotions.  Spending an entire weekend with colleagues and "Quiet Professionals" in a small yet beautiful space reminds us why we exist and where we are continuously navigating.

The people.  Organizations don't innovate.  Your people do the thinking and have the "Neurodiversity" to produce outcomes from their own TrustDecisions.  Most organizations think culture is a set of values that you have spelled out as bullets on your web site, or on the wall in your lobby.

A Decision to Act.  A Decision to Pause.  A Decision to Stop.  A Decision to Deliver.  They are all decisions, based upon your ability to process information and utilize your unique talents as a human being.

Culture is a management system, with passion for the mission.  Most organizations run on norms.  It's time to "Break the expletive Filter".
What kind of rebel are you?

Do you complain or do you create?

Are you "Me Focused" or are you "Mission Focused"?

What about the rules.  Do you break them or do you change them?

Do you "Alienate" or do you "Attract"?

Do you "Doubt" or do you "Believe"?

Are you "Energy Sapping" or "Energy Generating"?

Do you exemplify Anger or Passion?
From James "Hondo" Geurts - Assistant Secretary of the Navy for Research, Development & Acquisition - DEF2019 Presentation

Priority is a singular noun and your structure is your culture.  The truth is, the culture of your particular business enterprise, government agency, startup or team is a direct manifestation of your own people's creative spirit and their ability to adapt and deliver outcomes through a dynamic set of decisions in your environment.

Signing off now.  It is time to go "Deliver"...

21 September 2019

Endgame: A Life of Operational Risk Management...

"After climbing a great hill, one only finds that there are many more hills to climb. I have taken a moment here to rest, to steal a view of the glorious vista that surrounds me, to look back on the distance I have come. But I can rest only for a moment, for with freedom comes responsibilities, and I dare not linger, for my long walk is not yet ended." Nelson Mandela

Operational Risk Management (ORM) is not a project with a deadline. It is a journey of a lifetime that requires continuous and adaptive change. There have been many great leaders who understood this during their quest for improving the quality of their environment.

Flash back six years.  Mr. Mandela endured the challenges of managing risk his entire life.  With a life purpose that burned bright, he was able to endure the journey and mitigate the threats to achieving many of his ideas: ideas for a higher quality of life for those living and working together in South Africa.

(CBS News) People across South Africa and around the world are honoring Nelson Mandela this weekend (December 8, 2013), in spontaneous and emotional outpourings that are as much a celebration of Mandela's life as an expression of grief -- bringing home the accomplishments of the remarkable man who died this past week at age 95 after a lifetime of struggling for justice.

Whether your quest is to end apartheid, to rule a nation, or to wage a continuous battle with the Operational Risks surrounding you and your organization, the fight goes on.  The process adapts to ever-changing conditions, new rules, new laws and the latest formula by which your adversary pursues their goals.

Those who never lose sight of the journey, completing the endless tasks to influence change, will endure.

Operational Risk Management (ORM) requires a focus on the endgame. What does your vision of the endgame look like? Nelson Mandela achieved his and more. How long might it take to achieve yours?

15 September 2019

Never Forget: Beyond 9/11 & Adapting Inside the Enterprise...

"Being a patriot doesn't mean prioritizing service to government above all else.  Being a patriot means knowing when to protect your country, knowing when to protect your Constitution, knowing when to protect your countrymen, from the violations of and encroachments of adversaries.  And those adversaries don't have to be foreign countries."  Ed Snowden

One could wonder whether even one of the individuals working with your organization, internally or externally, has the same or a similar mindset to "Ed".  The question is, what are you doing as an Operational Risk Management (ORM) leader to be legally proactive in your "Insider Threat" approach with employees, partners and your extended supply chain?

The adversary working with you inside your company, agency or partner doesn't always start out intending to bring loss events to your enterprise.  It can take months or years to develop a real justification in the adversary's mind, yet even when the activities and behaviors are evident, they are all too often missed, never understood, or noticed too late to interrupt:
The National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF) are today partnering with federal agencies across the government to launch “National Insider Threat Awareness Month” during September 2019. Throughout September, the Office of the Director of National Intelligence, the Department of Defense, the FBI, the Department of Homeland Security, the Department of State and other federal agencies will be holding events to emphasize the importance of safeguarding our nation from insider threats and to share best practices for mitigating those risks.  
How could you and your organization improve and adapt your current practices to raise the bar of excellence?  What can you do each day to make the quality and the results of your programs even better?

First, begin to understand the process by which events can trigger new behaviors through an individual's perceived stressors and lack of personal control.  Second, expand your proactive organizational toolkit to include technologies already proven elsewhere, such as the sentiment analysis used for marketing purposes.

These same tools, with the proper legal oversight and an "Acceptable Use Policy", can be effective in your early warning systems.  Enterprise Risk Management also incorporates oversight and protections for privacy and civil liberties.

Here are five steps to be proactive at your organization in the U.S. this month of September 2019:
  • Create, refine and share your organization's "Insider Threat Program" (InTP) vision.
  • Educate, clarify and communicate the authorities, roles and policies of the program.
  • Validate tools, models and sources of information.
  • Plan ahead for the utilization of automated tools and human behaviors observed.
  • Seek better solutions to a continuously changing enterprise & supply chain environment.
Never Forget.  We have all heard the phrase "Never Forget" when it comes to our recent anniversary of 9/11.  Yet we must simultaneously remember that our adversary may be hiding in plain sight...

01 September 2019

InTP: Insider Threat in the IT Supply Chain...

As a Board Director with your organization, a "Duty of Care" discussion could be a regular roundtable dialogue.  The question is, how often does your Board of Directors dive head first into the analysis and architecture of your "Digital Supply Chain"?

The Enterprise Architecture of your Information Technology networks rests on a vast set of Third Party Suppliers.

At the highest level they include the Critical Infrastructure sectors, Power and Water to start, which seems obvious.

Yet when you begin to really understand the true suppliers to your entire IT supply chain, it is not a simple equation.  As you analyze the Cloud Provider(s), Internet Service Providers (ISPs) and the total number of Third Party Software companies that make up your spectrum of Information Technology (IT) assets, the complexity rises.

The threat rises further as you add the "Human Factors" of behavior, and now the Operational Risks begin to soar.  The potential for simple errors, mistakes and unintentional events grows at each interface of the "Digital Supply Chain," in each major process of the enterprise:
  • Management
  • Human Resources
  • Legal Counsel
  • Physical Security
  • Information Technology
  • Information Assurance
  • Data Owners
  • Software Engineers
In every company, every day, employees are hired, promoted, terminated or resign.  Each employee transition event can create legal risks if the related systems, applications and electronic data accessible to that employee are not properly managed to protect the company's interests.
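One concrete control behind that paragraph is a periodic joiner/mover/leaver reconciliation: compare the HR and supplier rosters against every enabled account on every system and flag the gaps.  The Python below is an added example written for this page, not code from the original post or from any vendor; the roster, the accounts, the system names and the role-to-entitlement table are all constructed sample data, and the "unlock_override" role is a hypothetical entitlement used only to make the mover case visible.

```python
"""Joiner/mover/leaver reconciliation over constructed sample data.

Three findings are produced:
  orphan  - an enabled account with no owner on any roster
  leaver  - an enabled account whose owner is terminated or whose
            contract end date has passed
  mover   - an account carrying entitlements beyond its owner's
            current job role
Disabled accounts are ignored: revocation already happened.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Person:
    pid: str
    status: str               # "active" or "terminated"
    job_role: str
    employer: str             # "internal" or a supplier name
    end_date: Optional[date]  # contract or employment end; None if open-ended


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner: Optional[str]      # Person.pid, or None when nobody is recorded
    roles: FrozenSet[str]
    enabled: bool


# Hypothetical mapping of job role -> entitlements that role is allowed.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "support_agent": frozenset({"ticket_read", "ticket_write"}),
    "support_admin": frozenset({"ticket_read", "ticket_write", "unlock_override"}),
    "engineer": frozenset({"repo_read", "repo_write"}),
}


def _finding(acct: Account, category: str, detail: str) -> Dict[str, str]:
    return {"system": acct.system, "username": acct.username,
            "category": category, "detail": detail}


def reconcile(people: List[Person], accounts: List[Account],
              today: date) -> List[Dict[str, str]]:
    """Return findings sorted by (system, username) for stable reporting."""
    roster = {p.pid: p for p in people}
    findings: List[Dict[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = roster.get(acct.owner) if acct.owner else None
        if owner is None:
            findings.append(_finding(acct, "orphan",
                                     "no owner on the HR or supplier roster"))
            continue
        separated = owner.status != "active"
        expired = owner.end_date is not None and owner.end_date < today
        if separated or expired:
            findings.append(_finding(acct, "leaver",
                f"{owner.pid} ({owner.employer}) separated or contract ended, "
                f"account still enabled"))
            continue
        excess = acct.roles - ROLE_ENTITLEMENTS.get(owner.job_role, frozenset())
        if excess:
            findings.append(_finding(acct, "mover",
                f"roles beyond current job role {owner.job_role}: "
                f"{sorted(excess)}"))
    return sorted(findings, key=lambda f: (f["system"], f["username"]))


# Constructed sample rosters and accounts (not real data).
TODAY = date(2019, 9, 1)
PEOPLE = [
    Person("e100", "active", "engineer", "internal", None),
    Person("e200", "terminated", "support_agent", "internal", date(2019, 8, 15)),
    # Supplier contractor whose contract ended but whose roster entry was never closed.
    Person("c300", "active", "support_agent", "Example Call Center LLC", date(2019, 7, 31)),
    # Moved from support_admin to support_agent; old entitlements linger.
    Person("e400", "active", "support_agent", "internal", None),
]
ACCOUNTS = [
    Account("git", "e100", "e100", frozenset({"repo_read", "repo_write"}), True),
    Account("ticketing", "e200", "e200", frozenset({"ticket_read", "ticket_write"}), True),
    Account("vpn", "e200", "e200", frozenset({"remote_access"}), False),
    Account("ticketing", "c300", "c300", frozenset({"ticket_read"}), True),
    Account("ticketing", "e400", "e400",
            frozenset({"ticket_read", "ticket_write", "unlock_override"}), True),
    Account("ticketing", "svc-legacy", None, frozenset({"unlock_override"}), True),
]

if __name__ == "__main__":
    for f in reconcile(PEOPLE, ACCOUNTS, TODAY):
        print(f"{f['category']:7} {f['system']}/{f['username']}: {f['detail']}")
```

Running it reports the two leavers (one internal, one supplier), the mover still holding the admin-only entitlement, and the ownerless service account; the disabled VPN account is not reported.  In practice the rosters come from HR and supplier contract systems and the account list from each platform's IAM export, and the job is scheduled, with every finding routed to the account's business owner for revocation or an approved exception.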

So what?
"A Pakistani man bribed AT&T call-center employees to install malware and unauthorized hardware as part of a scheme to fraudulently unlock cell phones, according to the US Department of Justice. Muhammad Fahd, 34, was extradited from Hong Kong to the US and is being detained pending trial.

An indictment alleges that "Fahd recruited and paid AT&T insiders to use their computer credentials and access to disable AT&T's proprietary locking software that prevented ineligible phones from being removed from AT&T's network," a DOJ announcement yesterday said. "The scheme resulted in millions of phones being removed from AT&T service and/or payment plans, costing the company millions of dollars. Fahd allegedly paid the insiders hundreds of thousands of dollars—paying one co-conspirator $428,500 over the five-year scheme."

In all, AT&T insiders received more than $1 million in bribes from Fahd and his co-conspirators, who fraudulently unlocked more than 2 million cell phones, the government alleged. Three former AT&T customer service reps from a call center in Bothell, Washington, already pleaded guilty and agreed to pay the money back to AT&T."
The "Operational Risk Attack Surface," internally, externally and with trusted partners, has a vast set of insider ties and trusted relationships.  This is why an organization this complex must begin the implementation of an Insider Threat Program (InTP), especially one focused on the "Digital Supply Chain"...