19 December 2020

ITC: Managing Risk for Security Governance...

In our converging world of both Information and Physical Security, there are resilient risk elements for the effective management of Information Technology & Communications (ITC).

Think of it as “Security Governance”.


Security Governance is a discipline, that all of us need to revisit and rededicate ourselves towards. The policies and codes we stand by to protect our critical assets, should not be compromised for any reasons. More importantly, security governance frameworks, must make sure that the management of a business or government entity be held accountable for their respective performance.

The stakeholders must be able to intervene in the operations of management, when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A significant element that is now being mandated by the Board of Directors, is the role of “Continuous Risk Management” in Security Governance.

ITC Security Governance, like Corporate Governance requires the oversight of key individuals on the Board of Directors. In the public sector, the board of directors may come from a coalition of people from the Executive, Judicial or Legislative branches.

The fundamental responsibility of management, whether in government or the corporate enterprise, is to continuously protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to continuous Security Governance, not just an annual audit.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to continuously monitor and audit enterprise security risk management, then we are exposing precious assets to the threat actors that seek to undermine, damage or destroy our livelihood.

An organization’s top management must Identify, Assess, Decide, Implement, Audit and Supervise their strategic risks. There shall be a strategic policy at the board level to focus on managing risk for security governance.

The security governance policy should mirror the deeply felt emotions of the organization or nation, to its shareholders and citizens. It should be a positive and trusting culture, capable of making certain that strategic adverse risks are identified, removed, minimized, controlled or transferred.

An enterprise is subject to a category of risk that can’t be foreseen with any degree of certainty. These risks are based upon events that “Might Happen”, but haven’t been considered by the organization. Stakeholders can’t be expected to be told about these risks because there is not enough information to validate or invalidate them.

However, what the stakeholders can demand, is a management system for continuous Security Governance that is comprehensive, proactive and relevant. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and growing resources.

It is this Security Governance management system that which we all should be concerned and which we seek from our executives, board members and oversight committees to provide. There should be a top management strategic policy to focus on managing risk for continuous security governance.

This risk management system should establish the foundation for ensuring that all strategic risks are identified and effectively managed. The policy should reflect the characteristics of the organization, enterprise or entity; it’s location, assets and purpose. The policy should:

1. Include a framework for governance and objectives
2. Take into account the legal, regulatory and contractual obligations
3. Establish the context for maintenance of the management system
4. Establish the criteria against what risk will be evaluated and risk assessment will   be defined

A process should be established for risk assessment that takes into consideration:

  • Impact, should the risk event be realized
  • Exposure to the risk on a spectrum from rare to continuous
  • Probability based upon the current state of management controls in place
The strategic security risks that the organization encounters will be dynamic. The management system is the mechanism by which the executives identify and assess these risks and the strategy for dealing with them. It is this system which we are concerned about and which we seek to provide in order to achieve our Security Governance.

ITC Security Governance best practices are still rapidly growing and taps the thinking of various standards organizations including OECD, BSI, NIST, ISSA, BSA, ITAA, ASIS and dozens of other bodies of influence and knowledge. However, no matter what best practices an organization attempts to standardize on, beware of the attitudes of the employees and stakeholders.

Unless these stakeholders fully acknowledge what and why, they are being asked to do things, rather than just following the rulebook, the system will fail.

The organization that embraces change and introduces a Security Governance framework that not only manages the foreseen human risks, but also the unforeseen, will have a greater chance of survival.

The role of culture in the risk for security governance, is paramount for several reasons:

1. Any changes in risk management may require changes in the culture
2. The current culture is a dramatic influence on current and future security initiatives

Internal controls can provide reasonable assurance that an organization will meet its intended goals. At the same time, it is the people (Human Factors) who will fail the company in material errors, losses, fraud and breaches of laws and regulations.

This is why the risks the organization is facing are constantly changing and therefore why a management system for continuous security governance is necessary. The management system is there to provide resiliency to the risks it encounters and to control risk accordingly rather than eliminate it forever.

The board of directors will soon realize that managing risk for ITC Security Governance, is just as important to the success and compliance of the organization as Section 404 of Sarbanes-Oxley.

In fact, without effective ITC Security Governance in place, all of the rules won’t matter and the stakeholders will again be asking themselves after a major technology failure or privacy data or intellectual property breach; how could this happen to us?

13 December 2020

NOEL: Our Future Life of Action…

 It is now Twelve Days to Christmas 2020.  A celebration of the birth of a boy named Jesus, who would change our world forever.

On December 25, how will you be thinking about the true meaning of Christmas?

How will you reflect on what it means to be a person of Faith?  Or not.

As you grow older, you will truly better understand history of our civilizations and how they have evolved over centuries.

You will learn the names, places and the events that occurred here on Earth.  Facilitated by Nature, by Animals or by Humans and Intelligent Machines.

Yet whether these historical events were perpetuated by humans or not, they all have one commonality.  The instinct to survive.

Operational Risks surround each of us on a daily basis.  How well you make Trust Decisions today, will make a difference tomorrow.

  • Will you think about how you may assist someone else today, beside yourself?
  • Will you do a task or deed or donate your time or resources, to a mission to benefit others?
  • Will you act to enhance your own abilities to continuously serve your own family and loved ones?
  • Will you ask for forgiveness for all that you have done that deviates from Ten written Commandments?

This is the path to an everlasting life that will provide you complete and perpetual peace of mind.

No matter when it ends.  Then it will begin.

How might you make a change in your life, these next Twelve days?

What will you DO to demonstrate to others, that you are making a positive difference of the future of our life on this Earth?

NOEL!

05 December 2020

Asymmetric Warfare: Computer Jihad...

A person does not have to spend years analyzing and witnessing the phenomenon of the Internet to understand why the pornography industry has flourished.
 
Like other social and religious facets of our global culture, connected by hyper links, web sites and chat rooms, human beings are able to quickly and efficiently discover what they are looking for. Good and bad.
 
If the Internet is just a mirror of society itself, then of course it will have both the positive and humanitarian aspects along with the negative, criminal and evil elements.

Learning new skills and spreading new ideas via the Internet is nothing new. However, one could predict that the acceleration of threats to our youth, families and nations states has been influenced by the proliferation of Apples, Dells, and Androids across the globe.
 
Whether it's in the kitchen, the library, university dorm room or the corner cyber cafe the ubiquitous ICT 5G access now available has increased our operational risks at home, at work and to our economic well being.

When subjects such as this are discussed at length in the Board Room, NOC or War Room the arguments always come back to the same thing. How many people have been killed as a result of cyber-warfare?
 
Justification of spending dollars and allocating resources is in many cases a factor of the risk management exercise, likelihood vs. impact.
 
After all, the Internet seems to be self-healing and resilient to any long term outage. But those who are well versed in 4th Generation Warfare (4GW) sitting around the table know, that computerized jihad is a tactic of a far more encompassing strategy:

"Reflecting Sun Tzu’s philosophy, many recent Chinese writings have focused on asymmetric warfare as a means of defeating a militarily superior enemy. Asymmetric warfare uses political, economic, informational and military power. Military power is the least emphasized."

The silent war being waged each second of each minute of every hour every day, over every week and month of the year is taking place on a vast digital battlefield. Who will be the victor?