Showing posts with label supply chain risk.

05 July 2025

InTP: “Insider Threat Program”...

Does your company have a culture of "Organizational Integrity?"

Boards of Directors have the responsibility to ensure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise.

One key item may have revealed itself in your experience so far.  How would you improve your organization, when it comes to "Incident Response"?

One truth is that our individuals who have a "C" in their title acronym (CEO, CSO, CIO, CTO, CISO, CMO, CRO) have been challenged in new ways. These same leaders have not trained enough, or long enough, in this past decade. Complacency is now becoming apparent again.

Our leadership skills have all been exposed to the vulnerabilities of people, processes, systems and external events. We have been caught off guard on a spectrum of challenging global incidents in just these past 24 months: a crisis spectrum that spans our physical world and reaches into our invisible virtual digital world.

Our growing "Incident Response Spectrum" is wide and vast. It still requires specialized skills and knowledge to address the kind of change that will now increasingly be required in Fortune 500 Global Companies, Mid-Market INC 500 emerging businesses and especially our Small-Medium Businesses (SMB).

How will we continuously Understand, Decide and Act from this point forward?

"The private sector organizations of the United States are vital to the protection and security of the Homeland.  The private sector owns a majority of our assets and Critical Infrastructure Protection (CIP) remains a priority as a result of the latest asymmetric threats."

The U.S. National Strategy to Secure Cyberspace, emphasizes the importance of public/private partnerships in securing these critical infrastructures and improving national cyber security.

Similarly, one focus of the Department of Homeland Security is enhancing protection for critical infrastructure and networks by promoting working relationships between the government and private industry.

The federal government has acknowledged that these relations are vital because most of America’s critical infrastructure is privately held.  Further, the networks of our global super-infrastructure are tightly “coupled”—so tightly interconnected, that is, that any change in one has a nearly instantaneous effect on the others.

Attacking one network is like knocking over the first domino in a series: it leads to cascades of failure through a variety of connected networks, faster than most human managers can respond.

Many companies have already started the establishment of an “Insider Threat Program” (InTP)…have you?

12 June 2025

Black Swan: Strategy Execution for the "Outlier"...

The Black Swan is a surprise event and the idea that a catastrophe can strike without warning. A professional colleague's recent presentation was a timely reminder of its history and origins.

What does your organization plan for within the Operational Risk Management (ORM) discipline? The Low Consequence “High Frequency Incident” or the High Consequence “Low Frequency Incident”?

The ratio can tell you what your "Resilience" factor is to Operational Risk loss events. Key Performance Indicators (KPIs) can give you some forward-looking view into the risk portfolio, yet what about the resilience to the "Black Swan"?

The “Black Swan” is a highly improbable event with three principal characteristics:

It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was.

"The astonishing success of Google was a Black Swan; so was 9/11.  For author Nassim Nicholas Taleb, black swans underlie almost everything about our world, from the rise of religions to events in our own personal lives."

"Why do we not acknowledge the phenomenon of black swans until after they occur? Part of the answer, according to Taleb, is that humans are hardwired to learn specifics when they should be focused on generalities. We concentrate on things we already know and time and time again fail to take into consideration what we don’t know. We are, therefore, unable to truly estimate opportunities, too vulnerable to the impulse to simplify, narrate, and categorize, and not open enough to rewarding those who can imagine the “impossible.”"

Your organization is no doubt spending time on the Operational Risk Management (ORM) events that are consistently in the high frequency "In Your Face" category.

In a highly regulated industry sector such as finance, health care or energy, the oversight mechanisms require a continuous analysis of risk based upon the criticality of these sectors to the overall resilience of the economy.

"Yet it is the 'Outlier' incident, that comes at the most unexpected time, that is the real threat and the incident catalyst that could be your 'Black Swan'."

You never know when it is going to be coming, so you must plan, prepare and imagine that someday, it will happen.

Enabling Global Operational Risk Management (ORM) requires thinking beyond models and an outside-the-box analysis of the "Resilience Factor" should an outlier impact the organization, the state or the country. The resources, personnel and systems focused on these areas of risk are small today. But not for long.

Just ask those people who have worked 24/7 on any major incident, whether 9/11, Fukushima or the Lehman Brothers crisis. Or, more importantly, the plaintiff lawyers preparing their briefs for the inevitable aftermath of litigation over who knew what, when?

Another lesson learned from Supply Chain Risk. Losing control of sensitive customer data is a fact of life for American companies. They’re collecting more of it, and they are often outgunned by nation state hackers, who are highly motivated to get at it. Perhaps the vector runs through your most trusted supply chain vendors and partners.

One prediction into the future could be that litigation will follow all "Black Swan" incidents. If you are in a highly vulnerable industry sector, because it's part of the Critical Infrastructure of the global grid, then you already know you are in the middle of the target zone.

What is amazing to many in the after-action reporting is still how much we continue to underestimate the magnitude of a lack of planning and resources devoted to these low frequency high consequence events…

29 March 2025

Battle-Tested Strategies: for Mission Critical Activities...

Mission Critical Activity (MCA)

Critical operational and/or business support, service or product related activity (provided internally or externally), including its dependencies and single points of failure, which enables an organization to achieve its business objective(s), taking into account seasonal trends and/or critical timing issues.

The trend to create "virtual" organizations raises a number of new issues as it pertains to interdependencies and single points of failure. The ability to provide sourcing alternatives in the event of a catastrophic failure of an MCA provider is a key priority. As the trend becomes more operationally and logistically complex, organizations must exercise more often to determine where process or system weaknesses occur.

An organizational Business Crisis & Continuity Management (BCCM) strategy ensures resilience and high reliability of MCAs. At the process level is a documented framework that identifies the organization's MCAs in the context of products or services.

Each MCA should have its own BCM strategy that provides clarity on how the organization will provide protection for the MCA.

One key outcome is the definition of the BCCM relationship, positioning and connection with other risk related functions, e.g. Operational Risk Management (ORM). A critical component of getting this BCCM relationship connected with the risk management culture is awareness and education training.

Merely documenting a strategy and plan provides a narrow and limited method of fully developing a true BCCM culture.

Ownership of BCCM by organizational lines of business, especially where Operational Risk originates and resides, is paramount. No matter how well designed a strategy may be, exercising and testing on a regular basis is necessary to identify potential issues before a real incident.

Good quality exercises rely on specific and relevant scenarios in the actual locations, facilities and with normal personnel in place.

And no BCCM is complete without measurement and audit. You must verify compliance independently to highlight key material deficiencies and issues to ensure their resolution.

Each stage of the BCCM life cycle may require a unique audit process depending on that stage's maturity.

At the end of the day, the question is this.

Has the organization introduced risk management controls to eliminate, mitigate, reduce or transfer the effects of identified threats, vulnerabilities, exposures or liabilities to MCAs?

22 March 2025

Corporate Directors: Continuous Continuity (C2) of the Enterprise...

The modern enterprise that effectively manages the myriad of potential threats to its people, processes, systems and critical infrastructures stands to be better equipped for sustained continuity.

A Business Crisis and Continuity Management (BCCM) program is a dynamic change management initiative that requires dedicated resources, funding and auditing. Corporate Directors must scrutinize organizational survivability on a global basis.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C2, or "Continuous Continuity”.

A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, is opening the door to a Board of Directors' worst nightmare.

These nightmares are "Loss Events" that could have been prevented or mitigated altogether.

The following testing techniques must be used to ensure the continuity plan can be executed in a real-life emergency:

  • Table-top testing: Discussing how business recovery arrangements would react by using example interruptions
  • Simulations: Training individuals by simulating a crisis and rehearsing their post-incident/crisis management roles
  • Technical recovery testing: Testing to ensure information systems can be restored effectively
  • Testing recovery at an alternate site: Running business processes in parallel with recovery operations at an off-site location
  • Test of supplier facilities and services: Ensuring externally provided services and products will meet the contract requirements in the case of interruptions
  • Complete rehearsals: Testing to ensure the organization, employees, equipment, facilities and processes can cope with interruptions

Many of these best practices talk about a BCCM that will be periodically updated. Periodic is not continuous. Change is the key factor here.

What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as supply chain management. The effective BCCM framework will become a core process within the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise.

As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C2, or "Continuous Continuity”.

Having survived several large quakes in Southern California in years past, we are not sure that all of the testing in the world can prepare people for human behaviors that come from within.

"People literally lose all sense of common sense when you are on the 42nd floor of the 50+ story skyscraper and without any warning it physically sways a couple feet to the left and a few more feet to the right. Believe me, the issue is not the testing itself, it’s how to create a real enough scenario that you get similar behaviors out of unsuspecting people."

Certainly the largest organizations realize that the external threats are taking on new and different forms than the standard fire, flood, earthquake and twister scenarios. These historically large catastrophic external loss events have been insured against and the premiums are substantial.

What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the internal facets of the organization having to do with people, processes and systems.

Corporate Boards of Directors are now being continuously subjected to regulatory scrutiny across the globe to ensure the continuity and survivability of the enterprise.

It is their duty and responsibility to their shareholders to make sure this occurs on a continuous basis. The world can only hope that our Global 500 companies are well on their way to achieving C2 already.

Corporate Directors are ultimately responsible for Continuous Continuity (C2) of the Enterprise…

15 February 2025

Infinistructure: Who Knew What When...

Who knew what when? This is the question of the last few months as we now embark on the path towards recovery.

The Operational Risks that have plagued our aging county, state and federal institutions are growing and the convergence factor has brought us even bigger systemic organizations "Too Big To Fail."

While many will be sidetracked by the need to deal with the toxic assets still on the books or in sinking agencies, the "Zeros and Ones" don't lie.

The information, digital evidence and just pure data audit trails will remain for many to be caught, charged, indicted and then sent before a jury to decide their fate.

Managing risks in the enterprise today takes on many flavors and within several departmental or enterprise domains of expertise.

Whether it be the C-Suite, legal department, the IT department, Internal Audit, Security department or even the Operational Risk Management Committee, the "Zeros and Ones" don't lie.

Think about how much time the people behind organizational malfeasance spend on trying to cover their tracks, clean up the digital "Blood Trail" of their crimes and wrong doing all the while knowing that someday, a smart investigator or forensic examiner will connect the dots. Game over.

Whether it is two paid-off programmers who have been enforcing the boss's "Business Rules" in their software or an internal threat actor does not matter.

Whether they are copying, stealing, altering or damaging the digital information within the organization does not matter; these Operational Risks still remain constant.

The resources and the money devoted to continuous due diligence, monitoring and preemptive strategy to Deter, Detect and Defend the digital assets of the enterprise need to grow dramatically to stay ahead of the curve.

The best way to figure out “What to do” and “How to do it” will require outside assistance. Moving your digital assets to be professionally managed makes sense for economic and other financially prudent reasons.

Yet this migration away from large numbers of people managing and maintaining your information technology infrastructure internally and on your payroll is just the standard "outsourcing" strategy right?

It has its own set of third-party supply chain risks. After your next incident, who will be asking: Who knew what when?

Many private sector and government enterprises who are augmenting their COOP and the economic strategy of "Cloud Computing" have realized the smart course of implementing and migrating to managed services and infrastructure suppliers.

"How can the utilization of an "Infinistructure" with the knowledge and application of a legal compliance ecosystem in your enterprise mitigate the risks associated with bad actors, unprepared personnel and the digital loss of key evidence?"

Stay tuned for more on this later. In the meantime, remember this.

All of the newest technology, fastest AI computers and neural networks enabled with encryption and secured physical locations will not be enough to save your institution from Operational Risks.

It is just one more piece of the total risk management mosaic that will still require the smartest people and the most robust policy and processes imaginable.

Who knew what when? This will continue to be the biggest question of the next decade.

11 January 2025

Maps: Finding Your Next Destination...

Where you decide to live your life and the geography that surrounds you, will shape who you become in your future.

When you were growing up, did you ever ask your Mom or Dad, why are we living here?

Did you ever have the pure curiosity to look on a map to discover where in your country your hometown was actually located? How far was it to your Nation's Capital?

Your story as a young human being and where you started your early years going to a local school and taking a geography class was just your beginning.

What about the neighborhood you lived in and the friends and places around you that shaped many of your thoughts on life forever? That single map you were curiously examining was just a small world view of our entire globe and your opportunity.

In 2025, you now have the satellite imagery resolution and cloud-based services such as ESRI, Maxar or even just Google Maps to quickly explore your next destination.

Explore your next city, state and geography to live or work.

Your parents probably did not have those high tech tools when you were growing up across from the big lake, in just a small Mid-West community in our United States.

Now, how might you utilize a myriad of new technologies and online tools to research your next destination in life?

What questions might you ask yourself to begin to zero-in on a particular Zip Code or a proximity to the ocean, the mountains or the city with tall skyscrapers?

Would you begin with the weather site? Would you begin with ZipRecruiter dot com? Would you begin with Rent dot com? Would you begin with CrimeMapping dot com?

Yes, and unfortunately these days, people must consider all kinds of “Operational Risks” in their own particular community. Why?
We have all heard or experienced firsthand the news reports from the cities where significant “Loss Events” have occurred across our America.

The spectrum of risks is wide and so unpredictable. Here are just a few such examples:

Where will you find your next place to work and/or raise a family, so that you may truly prosper and your family will be more safe and secure?

Where are the schools you will choose to associate with, that start the day with our “Pledge of Allegiance”? Where will you find “School Protective Resource Officers” on premises, kindly greeting students as they arrive each day?

Why will you volunteer with your local Citizens Corps Community Emergency Response Team (CERT) and/or join your metro area InfraGard Members Alliance (IMA)?

Why will you learn CPR and how to use a tourniquet, organize a search and rescue team, learn self-defense and how to more effectively Understand, Decide and Act, with real-time digital active streams of relevant threat information?

Because of the geography where you grew up and it all began. Because of where you went to College and earned your degree(s). Because you learned and worked more than most in our International world of asymmetric warfare with continuous and invisible Operational Risks.

Because of your growing Christian faith. Because you have been married once for 38+ years. Because together you and your wife raised a daughter and a son who were only 19 months apart, while working full-time.

Because your kids both graduated with Bachelor degrees from State Universities. Because they are now reflecting upon successful careers within a Dow Jones Industrial Fortune 500 and a few US Federal Government contractors.

Because you have your first Grandson. :-)

Because your own Mother and Father made the right decisions, on where to live and raise your family, as just another young kid on the YMCA Swim Team in that little Mid-West town.

In our wonderful and only, United States of America…USA.

Godspeed!

16 November 2024

Vigilance is The Name of The Game...

President George W. Bush logged a victory in 2006 when the U.S. House of Representatives renewed the USA Patriot Act, a law that gave the FBI expanded powers to investigate terrorism after the Sept. 11 attacks.

When was the last time as a CxO in your organization that you reviewed the law? Here are a few of the renewed provisions:

>Section 201 Gives federal officials the authority to intercept wire, spoken and electronic communications relating to terrorism.

>Section 202 Gives federal officials the authority to intercept wire, spoken and electronic communications relating to computer fraud and abuse offenses.

>Subsection 203(b) Permits the sharing of grand jury information that involves foreign intelligence or counterintelligence with federal law enforcement, intelligence, protective, immigration, national defense or national security officials.

>Subsection 203(d) Gives foreign intelligence or counterintelligence officers the ability to share foreign intelligence information obtained as part of a criminal investigation with law enforcement.

>Section 204 Makes clear that nothing in the law regarding pen registers (an electronic device that records all numbers dialed from a particular phone line) stops the government's ability to obtain foreign intelligence information.

>Section 209 Permits the seizure of voicemail messages under a warrant.

>Section 212 Permits Internet service providers and other electronic communication and remote computing service providers to hand over records and e-mails to federal officials in emergency situations.

"Whether you are a government or a small business you must have a layered and defense in depth approach to the safety and security of your enterprise. You have to monitor insiders, gather intelligence and keep an eye on foreign competitors."

Key people in your organization are key targets for a spectrum of threats, both physical, economic and digital. When is the last time you saw a CEO, CFO, CRO or Board Member walk down to the INFOSEC department and ask the team if they had all the tools and resources they need to do their jobs effectively?

And if they did raise their hand and say they could use some help with solutions to combat insider threats, including intellectual property leakage, vendor collusion, financial fraud and customer data loss, you might recommend they look at the FedRAMP Marketplace.

The leaders of a medium-size community bank, Fortune 500 enterprise, Private Sector Critical Infrastructure company and local city government still have the same thing in common today as with George W. Bush 18 plus years ago…

28 September 2024

Pain or Joy: Change Management 101...

Habits are hard to change.  It takes discipline and continuous perseverance.


When was the last time you changed something that increased your revenue?  Your health.  Or your safety and security.


Change and managing change whether in the corporate ranks of your Fortune 500 Global Enterprise or back in your own personal life at home is a true challenge.


Before you even thought about what you needed to change in your business or your own life, you probably have encountered one of two experiences:

    • Pain
    • Joy

Which one of these two experiences have you recently encountered?


You see, our human behavior is quite predictable and it is usually one of these two motivators in life that will change your behavior.


Educating yourself and others you care about requires that you sometimes utilize one of these motivators in order to initiate new change.  Let’s begin with “Pain”.


This reality is exactly what the evil in our world today continues to prey on: those individuals who are unable or unwilling to change, and to manage change in their lives.


“It is really very simple. In the foreseeable future, we will not function as a global society without the Net and the immense digital resources and information assets of our society. The addiction is established—commerce, government, education, and our neighbors offer no option other than to require that we rely upon digital information in making decisions. But we will not function successfully if the war for control of those assets is lost. The battlefield, however, is the one on which trust is to be gained or lost—trust in the information we use, trust in the infrastructures that support us, and trust in the decisions we make in a digital world.” (Jeffrey Ritter, Achieving Digital Trust: The New Rules for Business at the Speed of Light, p. 19)


In your own digital life, these habits may be as simple as using the same password on the multiple accounts that each of us relies on, each day or each week of our lives. You know who you are.


As the continued use of “Ransomware” remains so pervasive across the globe and is utilized by so many criminal gangs and nation states, each one of us must consider our personal and business habits.


At home and at work.


It is now time to change.  It is time to change your digital habits so you may avoid the pain and continue to have even more joy in your life.


Take action.


Start a new habit now of changing the weak password on your bank accounts.  Make it 20 characters, and make it random.  Easily addressed when you "Use a Password Manager App".  Then set a reminder to change it on January 1, April 1, July 1, and October 1 of each year.


“Microsoft warns that ransomware threat actor Storm-0501 has recently switched tactics and now targets hybrid cloud environments, expanding its strategy to compromise all victim assets.


The threat actor first emerged in 2021 as a ransomware affiliate for the Sabbath ransomware operation. Later they started to deploy file-encrypting malware from Hive, BlackCat, LockBit, and Hunters International gangs. Recently, they have been observed to deploy the Embargo ransomware.


Storm-0501's recent attacks targeted hospitals, government, manufacturing, and transportation organizations, and law enforcement agencies in the United States.” BleepingComputer


After you have successfully accomplished this simple task in your business and in your own personal life, remember:


The “Pain” of doing this simple “Change Management” step in your life, will help bring you continued “Joy” for so many years to come…:)


Godspeed!

11 August 2024

Volatility: Enemy #1...

Organizations implement Operational Risk solutions to lower "volatility" in earnings growth and return on capital. The focus on volatility is because no institution likes to see peaks and valleys in their earnings or their return on capital. A steady and consistent growth curve without "Volatility" is the goal by many steadfast organizations.

Contrary to the goal of minimized "volatility" there are also those who feed off of the chaos and the large swings between these highs and lows in the marketplace and with specific companies in vital sectors of the financial economy. Will a Blueprint for Regulatory Reform be the answer?

As a hedge fund investor, can you explain what the strategy is for your investment fund? Do you know what your money is being invested in? Does your hedge fund manager provide transparency on calculating your return on funds invested? What was the reason you invested in alternative investments to begin with?

Carrying this analogy to the operational processes within your organization, the goal is to keep the processes running smoothly. When people or systems deviate from the agreed upon "Rule Sets" then change ensues along with the volatility of the performance measures.

Errors, omissions and systemic "glitches" are the catalysts to volatility that creates fear, uncertainty and doubt. Do you understand the math? When the process gets to this stage and people don't trust the rules anymore, you are on the brink of a failure and impending loss, in dollars or people's lives.

Operational Risk Management is a discipline that is emerging in corporate ranks because it has already proven that it saves lives. The regulators and inspectors general are going to demand it.

The "Rule Sets" of playing business in the financial, health care and energy sectors are not the only ones being subjected to this increased scrutiny and renewed focus on OPS Risk.

Lessons learned are being discussed in the ranks of the U.S. Treasury Department and the Department of Defense all relating to the failure of people, processes, systems and or external events.

Whether you utilize Operational Risk Management (ORM) in the Defense Industrial Base or in the Financial Services sector it's important to revisit what it is NOT:

Operational Risk is Not:

  • About avoiding risk
  • A safety only program
  • Limited to complex-high risk evolutions
  • A program -- but a process
  • Only for on-duty
  • Just for your boss
  • Just a planning tool
  • Automatic
  • Static
  • Difficult
  • Someone else’s job
  • A well kept secret
  • A fail-safe process
  • A bunch of checklists 
  • Just a bullet in a briefing guide
  • “TQL”
  • Going away

The goal of Risk Management is not to eliminate risk, but to manage risk so the mission can be accomplished with minimum impact. We manage risk to operate, not avoid risk as a means to prevent loss.

Operational Risk is all around us and now ready for prime time focus in terms of strategy execution, implementation and measurement...

26 July 2024

Enterprise Resilience: Compete or Die...

Enterprise Resilience is the road to competitiveness. It is the global answer to many of the Chief Security Officers (CSO) who have faced the troublesome battle of selling more "Fear and Doubt" to the Board of Directors.

When Deborah Wince-Smith stood up on the stage at the 21st Annual Security Briefing at OSAC November 16th, 2006, her words were music to our ears:

“It is undeniable that the world has gotten more risky. Businesses now function in a global economy characterized by increasing uncertainty, complexity, connectivity and speed. Managing this rapidly changing risk landscape is an emerging competitiveness challenge—a challenge that demands resilience: the capability to survive, adapt, evolve and grow in the face of change.”

“Globalization, technological complexity, interdependence, and speed are fundamentally changing the kind of risks and competitive challenges that companies— and countries—face.”

“Failure, whether by attack or accident, can spread quickly and cascade across networks, borders and societies. Increasingly, disruptions can come from unforeseen directions with unanticipated effects.”

“Global information and transportation networks create interdependencies that magnify the impact of individual incidents. These types of risk demand new methods of risk management.”

Thinking back to those days, was this a way for the Chief Security Officers (CSO) of the Fortune 500 to finally shift their thinking from just security protection to something less macho?

How could "Resilience" become a platform for a mind set shift to justify new funding?

"After all, now we aren't trying to scare people into the low probability high impact incidents anymore and are focusing in on the high probability incidents, that may have enough impact to cause a significant business disruption."

What are the incidents and areas of risk that insurance won't touch these days?

If the insurance companies can write the policy to give you peace of mind, then is this necessarily an area that you can ignore because you have transferred the risk to someone else? Maybe not.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room.

Working towards control and protection while fear builds in the back of your mind makes you stiff, depletes your energy and creates doubt.

And when you are operating a business or standing on the tee of your first sudden death hole on any PGA weekend, you better have resilience.

The business equivalent to homeland security and critical infrastructure protection is Operational Risk Management (ORM)—a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for operational resilience can have “bet the firm” results.

We all know that it costs a lot of money to have any systems downtime; that's why so many dollars have been invested in Disaster Recovery Planning (DRP) and Business Continuity Planning (BCP). Delta?

Yet is this the kind of resilience that is going to make you more competitive, able to seize more opportunities? The economics of resilience are about more than investing against the likely or unlikely information systems incident that will hit your organization tomorrow.

The threat of “Tort Liability” and the loss of reputation remains top of mind these days with every major global company executive.

The threat is real and increasing at a faster rate than many other real operational risks to the enterprise.

Litigation from regulators, class actions and competitors has given the term Legal Risk new emphasis and meaning.

Once corporate management understands the need for a "resilience" mentality in place of a "protection" mental state, a new perspective is found.

Investing in the vitality, agility and competitive capabilities of the organization sounds and is more positive.

It alleviates the fear of doom and gloom and inspires new found innovation.

The future of your organization's longevity, and its adaptability, can be achieved with a new perspective. Compete or die.

Enabling Global Enterprise Business Resilience is just the beginning...

20 October 2023

Pulpit Rock: "The Right Stuff" and Beyond...

Walking up the path to Pulpit Rock soon after dawn in Colorado Springs just before the “Value of Space Summit” (VOSS) this week, was a time for thinking. It is a time for reflection and where our future human exploration shall take us.

The value of exploration and our innovative curiosity to learn more, is a human trait that will never leave us.

Before an ambitious set of people in the United States made the decision to travel to Earth's single Moon, our human exploration was across oceans and mountains.

Imagine a quiet Michigan summer evening July 20th, 1969 sitting in front of a 21” Zenith color television with family watching Neil Armstrong and Buzz Aldrin from Apollo 11 walk on the Moon. It was truly epic.

After 24 brave and talented people from our nation traveled to the Moon, our last mission was in 1972.

Why?

Astronaut Eugene Cernan and Astronaut Harrison Schmitt (88) spent 3 days and 3 hours on the Moon's surface between December 11-14, 1972. Apollo 17 will not be the last manned journey to our Moon.

After a team of dedicated people find their own “Just Cause” and purpose, there is nothing that will stand in their way to achieve it.

After 51 years, we have been taking many steps to perpetuate our journey. 

Humans have been back and forth from our Low Earth Orbit (LEO) Space Station and we have sent the James Webb and other telescopes to explore other stars and planets light years away.

The “Just Cause” of space exploration is still ahead of us and the race is on.

Our human journey to places outside (LEO) will encounter new challenges, new discoveries and even create greater learning.

Before a most favorite movie “The Right Stuff” was released in 1983, all we had were slight views into our “Just Cause”.

Once you see this movie, then you too might understand the mission ahead from a different perspective. At least you will have greater context on our “Why”…

Godspeed!

05 August 2023

Prediction: Another Year of Living Dangerously...

Will this be another year of living dangerously?

Security forces within your organization are busy at work, contemplating a combined strategy to address a continuing barrage of new potential threats. 

2023-2024 could very well be even more dangerous than this past year.

"Enterprise Security Risk Convergence is the "Operational Risk Management" wave of the future."

How these converged entities are forming and how they will arrive at a single focal point is based on what they both have in common. Information-based assets.

“Contingency Planners” should be more aware. Savvy CIOs and CxOs recognize that new threats and soaring costs are two factors driving the convergence or integration of traditional and information security functions in a growing number of global organizations.

Operational Risks span the continuum from the physical to the digital environment in our enterprise ecosystems.

Prepare your organization for the day when the efficiencies and the effectiveness of having redundant safety and security responsibilities becomes a new agenda topic at the next executive retreat.

Business desire for contingency professionals who can examine and assess the risks that organizations face as a whole, is one of the tipping points behind the convergence phenomenon.

In the end, the winners will be those contingency planners that realized that all the guards, gates, firewalls and intrusion prevention systems are nothing more than tools.

What they support is the successful implementation of a Risk Management System focused on intelligence information.

The single asset that security organizations have in common is the dynamically changing information in our contingency plans.

As the Operational Risks continue to surround our supply chains to corporate enterprises, it's imperative strategic planners look at where we are spending our money and deploying our resources.

What would happen to our preparedness, readiness and recovery capabilities if we just reallocated 5% of the corporate marketing budget to our protective intelligence and risk management budget?

If we did, then we might find ourselves with fewer calls to the Courthouse, State house or even to the (202) area code...

16 June 2023

Asymmetric: Deer in the Headlights...

It was June of 2021 when the iPhone buzzed and the CxO requested a briefing on this growing threat on the horizon. Ransomware had already been gaining traction for years.

Human behavior has been repeating itself since the beginning and once again, this "Corporate Executive" was no different.

“We need a briefing on what we need to do at “Our Company” to avoid being attacked by this ransomware hacker!”

The response was immediate. “The Executive Report is ready for you now and the Executive Team whenever you all are together in the Board Room, yet when will you have just 30 minutes for our local Information Security Team to brief you today?”

Have you ever encountered a boss who had that “Deer In The Headlights” look on their face when they were asking for your assistance?

"Did you see the CBS Evening News last evening?" they yell.

“CLOp, the ransomware gang responsible for exploiting a critical security vulnerability in a popular corporate file transfer tool, has begun listing victims of the mass-hacks, including a number of U.S. banks and universities.”

For those of us who have been operating in this business for a few decades, the behavior of uninformed corporate citizens to the continuous threat vectors in our world is never going to cease.

As Digital First Responders we then communicate with a few key messages to executive management in the “C” Suite, yet not all at once!

As you will learn, you have to communicate a measured yet continuously deliberate set of message facts over the course of a week or two, for people to slowly comprehend the vast landscape of the business problem they are now in:

  • Critical infrastructures are those systems and assets, whether physical or virtual, that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of those matters. 
  • As Ransomware Attacks continue to grow, organizations need to improve their security posture to protect against an attack. Better security requires implementing appropriate security controls and ensuring that effective crisis management and employee education are in place. 
  • The landscape of how we work has changed. We must assess vulnerabilities in a new way and with increased due diligence
  • The cost of a cyber attack is often significant for organizations large and small, and we must strengthen responsiveness and reduce behaviors that may open vulnerabilities in the future. 
  • Public Private Partnerships of Critical Infrastructure organizations with CISA.gov and FBI.gov are vital to enhance our U.S. National Security.

Once you have effectively provided these top 5 bullets to your executives, then the real work shall begin:

THE RANSOMWARE CRISIS

The current ransomware crisis can be attributed to the following factors: 

  1. History of Inaction
  2. New Tactics
  3. Rapid Technology Deployment / Innovation without Security & Resilience
  4. Safe Harbors for Criminals

Since you are a “Digital First Responder”, try to remember that your audience is still learning the vast and pervasive implications of what many of us have been fighting since the dawn of the Internet: our growing “Asymmetric Warfare”.

16 April 2023

Prescience: Coffee on Glebe Road...

One glorious Spring morning in the National Capital Region (NCR), the coffee meetup was scheduled just about 30 minutes away as the Jeep GC headed down the tree-lined woods of Old Dominion Dr. through McLean, VA.

We were meeting at the First Floor Starbucks of the Westin Arlington on North Glebe Road.

The meeting this early Thursday was with a Chief Security Officer (CSO) of a large Defense-Industrial-Base contractor (_ _ _ _) and we had planned to catch-up and talk shop for 45 min.

As we recognized each other in the lobby and made small talk ordering our favorite Starbucks blend, the dialogue shifted to one of the key reasons for our meeting.

Our real focus on Operational Risk Management (ORM) that particular day was the “Insider Threat” best practices that we all were rapidly implementing.

Whether you are talking about an employee or a contract supplier who visits your facility or organization on a single or periodic basis, the threat exists.

It was April 2013 and little did we realize this morning, we both would be hearing the name of Edward Joseph Snowden in July.

“An ex-government (_ _ _) employee now working for another large DIB contractor based in Tysons Corner (_ _ _) as a system administrator, “Ed” might have been thinking about his eventual escape from a government regional operations center in Hawaii as we talked.”

In Northern Virginia just two months earlier, our conversation turned to the actual prescience of the DIB companies “Insider Threat Program” and how many employees working for his company were also current members of a specific large non-profit organization.

One example we discussed was a local non-profit that is excellent on educating and training members on the tools and strategies to enhance protection of intellectual property.

Gaining additional foresight, clairvoyance or the special ability to see or know about events before they actually occur is ground zero for any CSO.

Concern or preparation for the potential future threat event or incident, is on the mind of every Chief Security Officer in the corporate world. Yet, what are you doing this month to improve your own sixth sense?

How many people in your organization are members of non-profit XYZ or ABCDEF that are now focused on training their members on topics of relevant interest to you?

The lesson here, is that whether you are a local Bank Manager, a School Principal, a CxO or just a parent; people in your responsibility are counting on you.

They want you to ask them questions, they want you to test them on their readiness to use CPR or a tourniquet. They want you to make them even feel more safe every day by educating them about ransomware and cyber "phishing".

When our Starbucks coffee meeting was over by 8:00AM, my hunch is that Jeff went back to his Defense Industrial Base company a mile away to do some homework and some rapid internal recruiting of key employees.

As a CxO in your particular organization, how well do you really know your employees, contractors and suppliers?

31 December 2022

Twenty 23: For All Mankind…

Remember where you were 365 days ago.

2023 is now at our global doorstep. What journey will you embark on this next year to grow your skills and your knowledge?

How might you as an experiential learning enthusiast, leverage what you know to help others on your team, and in your community?

Your mission has always been to improve, to perfect and to deliver results. In 2023, what if you began looking through a different innovation lens?

Look around. What does your personal environment of your own dwelling say about you? Is there any room for change or improvement?

How would you rate your realm of relationships with family, friends and relatives this New Years Eve? Think about it…

Now transition to your community and assess whether you are in the right neighborhood, the correct city and even in the best state in the USA for your profession, and the work you are now inspired to perform.

"2023 will become a pivotal year for you in so many ways."

Our global future is bright and your next focus will be all about your contributions to a greater good in this world.

  • With over 9 billion web-enabled personal digital devices in global circulation, how we learn from the Internet and new quantum Information Technology will continue to amaze all of us.
  • Our Earth is sending us signals on regular intervals that our natural disasters are truly accelerating.
  • Will mass global population growth continuously change our supply chains for food, mining of rare earth elements and sharing our scarce fresh water?

"Look up in the early evening clear blue sky as the sun sets. See all those shining stars beyond our Moon."
“For All Mankind”
have a more meaningful 2023.

26 June 2022

Innovation: Prescient Challenge...

As our sun sets on a glorious Sunday near the Pacific Ocean, the air is cool and still. How will you spend your valuable minutes tomorrow, to devote your talents and intellectual gifts to others?

The innovation journey you are on this next dawn of summer 2022 is about “Doing”. It will encompass your greatest gifts and certainly challenge your mental and physical weaknesses as a human.

If you have been thinking lately, how you will receive something, or get handed a gift or wondering who will tell you what to do next, this message is not for you.

How might you discover a single “Prescient Challenge” or hurdle, that your direct leadership is anticipating in your community or organization? How will you research all of the facets of this problem-set they perceive to be worth solving?

It begins with you “Doing” what so many others in your neighborhood, your community or your organization are not accomplishing on a regular schedule.

Asking the curious questions, with the correct people, who have direct knowledge or experience with your particular problem-set.

This journey is for people who are courageous, proactive and willing to donate the time and individual effort to make a real difference with others.

There have been many best-selling books about “Givers” and “Takers”, and even the quiz to determine which kind of person you are in life. Yet this is all about who you are in your own heart.

"Doing the right activities with the correct people to solve the problem without some tangible reward, is a true first step in your long journey ahead."

Before you learned the insight and the skills to become a “Doer” in your life, you were constantly worried about survival, about what others were going to provide you.

Now that you have learned the new skills and knowledge to Map & Target, Sketch a Solution, Decide & Prototype, you are well on your way to new foresights of real innovation.

You see, your future as a leader in life begins with being a Volunteer. Donating your valuable time and the intellectual or physical initiative to make a difference on worthwhile solutions.

These are the "Solutions" that solve the real risk problem, essential at the moment, in order to flourish and in many cases to actually survive.

Your own “Resilience” as a person, a neighborhood, an organization in your community is the true outcome. Who will you become…