30 June 2023

July 4th: Protecting and Sharing Information...

Information and the transparency of information will continue to be at the center of investigations on Wall Street, the Defense Industrial Base (DIB) or any other highly regulated Critical Infrastructure industry.

"Who knew what when" is the mantra being repeated in various command posts and within task forces who are now responsible not only for ensuring the safety and security of the future employees of these firms but also for the national security of the U.S.

"Insider Risk" of leaked information is at an all-time high, whether you are in the "C" suite in Manhattan or the "Situation Room" on Pennsylvania Avenue.

Information is the lifeblood of any highly functioning organization, whether in the private sector or in government agencies. Protecting that information from leaks to third parties who do not have a need to know is the crux of the "Insider Trading" cases on Wall Street, or even of the comments made within the confines of the Situation Room during the Bin Laden operation.

So why do people want to tell another person something that they know is forbidden? Why do they risk sharing information with the media or others who may not have a legitimate reason to know the information?

And what about the opposite? Withholding information from the public or others who have a need to know it, especially if sharing it would save lives or keep the country out of harm's way.

The decision to tell or to withhold information has serious consequences in either case, and it requires a mechanism for making sure that humans know when it is right and when it is wrong.

Unfortunately, we live today in a world of information warfare and information operations that spans the globe from Hollywood to Kabul or London to Hong Kong.

So what?

The "Human Factors" motivation for withholding or sharing information has been studied for decades if not hundreds of years. The gratification one receives from telling another a secret only known to one person or a few provides the stimulus.

Whether that human gratification is the result of seeing someone else in pain or suffering, surprise or elation doesn't really matter. Recognizing that the human thirst for information is relentless, whether to be first or to gain power, can provide you with the understanding to better prepare your organization for "Information Operations" (IO).

Effective Operational Risk Management (ORM) begins with understanding information and ends with protecting or sharing information.

It's your challenge to determine what is real truth and what is just another narrative to influence your perception as a human being.

As we approach 247 years of “The United States of America”, read our Declaration of Independence.

Happy 4th of July!

25 June 2023

Operational Risk: A Continuous Journey...

Back then, it was a quick and easy way for you to become your own publisher on the WWW, of whatever you wanted to write, show or discuss with others whom you may never have known before.

It was the beginning of Fall of 2003 and a new Internet product set was gaining traction on the World Wide Web.

In those days, Google named it “Blogger”, and to this day you may still create your own Blog.

It was a moment when you realized that maybe others might enjoy reading what you had to say about specific topics. Maybe not.

So this journey began with a focus on all things in the arena of “Operational Risk” and trying to manage those risks in your life that were not directly under the financial category. A vast jigsaw puzzle of continuous testing and verification.

The “Big Four” accounting firms and the largest Management Consulting firms such as McKinsey & Company were the leaders here on a global stage.

If you too are one of those people with a bunch of composition books in a box in your closet, the journals of your day, you might have a sense of what the “Blogger” trend was all about in the early 2000s.

So this transition from just journaling to blogging at operationalrisk.blogspot.com was born 20+ years ago this September to capture the thoughts, ideas and comments on:

“Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institution's activities.”

The composition books for writing down the periodic thoughts, ideas, news and other global events from this writer's perspective were now headed online, there for all of us to read.

There was no longer a need for all those composition journaling books taking up space in a closet or the garage attic, in that little brick house near Reston in Northern Virginia.

So what?

Once you exceed 1000+ entries over a span of 20 years, it gives you insightful context on your chosen subject area: Operational Risk Management.

Operational Risk in your business environment, in your own life is always going to be present. The question is, will you acknowledge it and do your best to try and manage it?

So whether you ever become a digital online “Blogger,” or you just continue to keep putting all of those hand written journals in a box under your desk does not really matter.

Who cares?

Until your particular learning, your continuous discovery, innovation, expression and your mindful thought actually become a purpose you alone enjoy.

Whether you are writing about your latest recipes in the kitchen, your side-gig business as a women’s clothing "Fashion Stylist", your family adventures on vacation, or other human interests such as space exploration, our Earth ecosystem and even future trips to Mars some day, the subject itself does not matter.

Your words and your story of passion on the topic or knowledge is the key. A persistent pursuit of being more knowledgeable and reliable. The person or subject matter expert that you want to continuously become into the future.

Perhaps most importantly, your words and facts may have helped someone else along their path. Someone learned something new. Someone you will never know reduced their own "Operational Risks", or those of their company, their employees or even their own family.

So in closing this blog article today, just remember a few key items:

  1. Update your digital device in your hand to that latest iOS X.X version. Ha Ha.
  2. And while you are at it, train some more people at your school, office or work on “Insider Threat”, “Run, Hide, Fight”, “Business Continuity Management”, “Disaster Recovery”, or the emerging pandemic of digital “Ransomware”.

Learn how to use those life-saving tools like the AED and the tourniquet in that white box hanging on the wall in the hallway…and Never Forget!


16 June 2023

Asymmetric: Deer in the Headlights...

It was June of 2021 when the iPhone buzzed and the CxO requested a briefing on this growing threat on the horizon. Ransomware had already been gaining traction for years.

Human behavior has been repeating itself since the beginning and once again, this "Corporate Executive" was no different.

“We need a briefing on what we need to do at ‘Our Company’ to avoid being attacked by this ransomware hacker!”

The response was immediate. “The Executive Report is ready for you now and the Executive Team whenever you all are together in the Board Room, yet when will you have just 30 minutes for our local Information Security Team to brief you today?”

Have you ever encountered a boss who had that “Deer In The Headlights” look on their face when they were asking for your assistance?

“Did you see the ‘CBS Evening News’ last evening?” they yell.

“CLOp, the ransomware gang responsible for exploiting a critical security vulnerability in a popular corporate file transfer tool, has begun listing victims of the mass-hacks, including a number of U.S. banks and universities.”

For those of us who have been operating in this business for a few decades, the behavior of corporate citizens uninformed about the continuous threat vectors in our world is never going to cease.

As Digital First Responders we then communicate with a few key messages to executive management in the “C” Suite, yet not all at once!

As you will learn, you have to communicate a measured yet continuously deliberate set of factual messages over the course of a week or two for people to slowly comprehend the vast landscape of the business problem they are now in:

  • Critical infrastructures are those systems and assets, whether physical or virtual, that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of those matters.
  • As ransomware attacks continue to grow, organizations need to improve their security posture to protect against an attack. Better security requires implementing appropriate security controls and ensuring that effective crisis management and employee education are in place.
  • The landscape of how we work has changed. We must assess vulnerabilities in a new way and with increased due diligence.
  • The cost of a cyber attack is often significant for organizations large and small, and we must strengthen responsiveness and reduce behaviors that may open vulnerabilities in the future.
  • Public-private partnerships of Critical Infrastructure organizations with CISA.gov and FBI.gov are vital to enhancing our U.S. National Security.

Once you have effectively provided these top 5 bullets to your executives, then the real work shall begin.

The current ransomware crisis can be attributed to the following factors:

  1. History of Inaction
  2. New Tactics
  3. Rapid Technology Deployment / Innovation without Security & Resilience
  4. Safe Harbors for Criminals

Since you are a “Digital First Responder”, try to remember that your audience is still learning the vast and pervasive implications of what many of us have been fighting since the dawn of the Internet and our growing Asymmetric Warfare.

08 June 2023

OPS Risk: Global Digital Spring...

More than a decade after the Arab Spring of 2011, our planet has witnessed the growth of personal mobile communications and the explosion of the Quantum "Internet of Things".

The utilization of wireless mobile communications and its intersection with social media apps in our emerging nations' civilian environments is here to stay.

How these latest digital consumer-based applications are now being leveraged for situational awareness (GPS) and information operations is exploding across the emerging nations, where the mobile Internet is gaining even more ubiquitous use.

What this also means for our risk managers in the C-Suites of major technology companies is a heightened sensitivity and awareness of the ways your tools and capabilities could be utilized in the hands of the wrong end user.

This is no different from the early days of unleashing certain web tools like Metasploit to help understand our digital vulnerabilities within the confines of the corporate enterprise.

These same new open-source “App tools” could be utilized by nefarious cyber forces to quickly exploit the unknown weaknesses in our own U.S. government and corporate network systems.

Yet like many inventions by our mission-driven mankind, they can be used for good and simultaneously for evil in the hands of a certain person.

Operational Risk Management in the high technology sector (AI?) will be just as much of an imperative for continuous compliance as the manufacturing and international shipment of products from Barrett or the manufacturers of Detcord.

The "Export Control" compliance mechanism is here to stay, and companies that operate in the new age of emerging social media via mobile technologies will need more effective OFAC internal controls.

Operational Risks may exist within the business processes that you use with your international sales and business development organization.

When was the last time you had a compliance-based OFAC discussion within the ranks of the C-Suite at your new emerging technology company?

Are you fully funded by the VCs and ready to sell your new encrypted FinTech or social media app for Android to the world?

Innovative organizations need to make sure that part of the roll-out strategy encompasses effective conversations with the correct government departments.

This is also how to determine the right process and the online tools available to better understand where, and to whom, you can sell your products outside of the United States.

The world's last “Arab Spring” and the next organized movement utilizing social media and satellite mobile Internet technologies that include encrypted messaging, GPS and live video shall be even more closely scrutinized by internal compliance officers and the regulatory watchdogs domestically and abroad.

Yet the most effective internal management tools going forward may just lie in the same ones used by your own Mother and Father as you were growing up.

The ethical and growing moral arguments can in many cases have a dramatic impact on young people at an early stage in their lives, as you hand them their first mobile phone as a parent.

Perhaps it is still not too late to remind, reinforce and emphasize the fact that our exponential High-performance computing (HPC) cyber environments are powering nothing more than the digital mirror image of the physical world we already know about. Both Good and Bad.

Our future of effective enterprise Operational Risk Management (ORM) online, and effective compliance with potential legal sanctions, may well begin with a heart-to-heart conversation at your next company executive retreat or “All-Hands” fireside chat meeting...