12 March 2016

Rugged DevOps: Reengineering for our Next Generation...

The reengineering of the Internet is now underway for our next generation beyond the millennials.  The unification of corporate software development and information security teams is a déjà vu, reminiscent of scenes from the 1993 movie "Groundhog Day."  Operational Risk Management (ORM) professionals are hopeful that we are seeing a new resurgence of software vulnerability management thinking.  Why?

"A weather man is reluctantly sent to cover a story about a weather forecasting "rat" (as he calls it). This is his fourth year on the story, and he makes no effort to hide his frustration. On awaking the 'following' day he discovers that it's Groundhog Day again, and again, and again. First he uses this to his advantage, then comes the realization that he is doomed to spend the rest of eternity in the same place, seeing the same people do the same thing EVERY day."  --Groundhog Day

We are seeing the reunification of 1990's Software Quality Assurance (SQA) thinking with the rigor of new 21st century rapid software development disciplines.  It is called "Rugged DevOps."  Application development life cycles are getting shorter these days, because modern software development takes a more component-based approach, reusing standardized software capabilities.  This makes sense, as long as the use of software quality assurance tools and services is not abandoned and new tools and processes are embraced.

Welcome to "Rugged DevOps."  This Forrester report, "The Seven Habits of Rugged DevOps" will give you more context:

Habit 1: Increase Trust And Transparency Between Dev, Sec, And Ops
Habit 2: Understand The Probability And Impact Of Specific Risks
Habit 3: Discard Detailed Security Road Maps In Favor Of Incremental Improvements
Habit 4: Use The Continuous Delivery Pipeline To Incrementally Improve Security Practices
Habit 5: Standardize Third-Party Software And Then Keep Current
Habit 6: Govern With Automated Audit Trails
Habit 7: Test Preparedness With Security Games
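
To make Habits 4, 5 and 6 concrete, here is an added example that is not part of the original post or of the Forrester report: a small Python pipeline gate that fails a build when a pinned third-party component is not on an approved list, is below the approved minimum version, or has been withdrawn, and that appends every decision to a hash-chained audit log a later reviewer can verify.  The component names, versions, approved list, withdrawn list and sample manifest are all constructed for illustration; they describe no real package.

```python
"""Added example (not from the original post or the Forrester report):
a continuous-delivery security gate in the spirit of Habits 4, 5 and 6.

Habit 4: the gate runs as a pipeline step and fails the build on findings.
Habit 5: every third-party component must be on the approved list and at
         or above its approved minimum version; withdrawn versions fail.
Habit 6: each decision is appended to a hash-chained, append-only audit
         log so later tampering or deletion is detectable.

All names, versions and manifests below are constructed for the example.
"""
import hashlib
import json
from dataclasses import asdict, dataclass

# Constructed approved-components baseline: name -> minimum approved version.
APPROVED_MIN_VERSION = {
    "webframework": "2.3.1",
    "tlslib": "1.9.0",
    "jsonparser": "4.0.0",
}

# Constructed set of (name, version) pairs withdrawn after a fix shipped.
WITHDRAWN = {("jsonparser", "4.0.1")}


@dataclass
class Finding:
    component: str
    version: str
    reason: str


def parse_version(v: str) -> tuple:
    """'2.3.1' -> (2, 3, 1) so tuples compare numerically; a non-numeric
    segment (e.g. '1.0rc1') sorts below any numeric segment."""
    return tuple(int(seg) if seg.isdigit() else -1 for seg in v.split("."))


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines; comments and blanks are ignored and an
    unpinned line is rejected, because an unpinned build is not reproducible."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency not allowed: {line!r}")
        name, version = (s.strip() for s in line.split("==", 1))
        pins[name.lower()] = version
    return pins


def check_components(pins: dict) -> list:
    """Habit 5: compare each pinned component against the baseline."""
    findings = []
    for name, version in sorted(pins.items()):
        if name not in APPROVED_MIN_VERSION:
            findings.append(Finding(name, version, "not on approved list"))
        elif (name, version) in WITHDRAWN:
            findings.append(Finding(name, version, "version withdrawn"))
        elif parse_version(version) < parse_version(APPROVED_MIN_VERSION[name]):
            findings.append(Finding(name, version,
                                    f"below approved minimum {APPROVED_MIN_VERSION[name]}"))
    return findings


class AuditLog:
    """Habit 6: append-only records, each hashed together with the previous
    record's hash, so editing or dropping any record breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(prev: str, entry: dict) -> str:
        body = json.dumps(entry, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, entry: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        rec = {"prev": prev, "entry": entry, "hash": self._digest(prev, entry)}
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        prev = self.GENESIS
        for rec in self.records:
            if rec["prev"] != prev or rec["hash"] != self._digest(prev, rec["entry"]):
                return False
            prev = rec["hash"]
        return True


def gate(manifest_text: str, build_id: str, log: AuditLog) -> bool:
    """Habit 4: the pipeline step. Returns True when the build may proceed;
    the decision and its evidence are recorded either way."""
    pins = parse_manifest(manifest_text)
    findings = check_components(pins)
    log.append({
        "build": build_id,
        "components": pins,
        "findings": [asdict(f) for f in findings],
        "decision": "fail" if findings else "pass",
    })
    return not findings


# Constructed manifest for a sample build (one clean pin, three failures).
SAMPLE_MANIFEST = """
webframework==2.3.1
tlslib==1.8.7        # below approved minimum
jsonparser==4.0.1    # withdrawn version
leftpadlib==0.0.1    # not on the approved list
"""

if __name__ == "__main__":
    log = AuditLog()
    ok = gate(SAMPLE_MANIFEST, "build-1", log)
    print("gate:", "pass" if ok else "fail")
    for f in check_components(parse_manifest(SAMPLE_MANIFEST)):
        print(f"  {f.component}=={f.version}: {f.reason}")
    print("audit chain intact:", log.verify())
```

Run as a pipeline step, a non-zero exit on a failed gate is what stops the release; the audit records would be shipped to storage the build agent cannot rewrite, which is what makes the chain useful to an auditor rather than only to the script that wrote it.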


"Enabling Digital Trust of Global Enterprises" in the next decade will require software development organizations to embrace security and risk professionals simultaneously, on a more consistent and non-adversarial basis:
DevOps practices can only increase speed and quality up to a point without security and risk (S&R) pros' expertise. Old application security practices hinder speedy releases, and security vulnerabilities represent defects that can leave a company open to cyberattacks. But DevOps practitioners can leap forward with both increased speed and quality by including S&R pros in DevOps feedback loops and including security practices in the automated life cycle. These new practices are called rugged DevOps. This report presents the seven main principles of rugged DevOps so I&O pros and developers can break down barriers with S&R pros and achieve faster releases with stronger application security.
Chief Information Officers (CIO), Chief Privacy Officers (CPO), Chief Legal Officers (CLO), Chief Operating Officers (COO), Chief Security Officers (CSO) and maybe the Chief Executive Officers (CEO) are now paying more attention to these issues.

Here are 9.5 million more reasons why:

In 2007, a class action lawsuit was filed in the United States District Court of the Northern District of California against Facebook on behalf of 3.6 million users of Facebook concerning its “Beacon” program. KamberLaw represented the plaintiffs in this action and Cooley LLP represented Facebook. This suit was settled in 2009 and was granted final approval by the Hon. Richard Seeborg in March 2010. As part of the settlement, the parties created the Foundation (the Digital Trust Foundation) “the purpose of which shall be to fund projects and initiatives that promote the cause of online privacy, safety, and security.” The case settled for $9.5 million, with the Foundation receiving approximately $6.7 million after attorney’s fees, payments to plaintiffs, and administrative costs. There were four objectors to the settlement, two of whom appealed the approval to the Ninth Circuit Court of Appeals and subsequently the Supreme Court. But ultimately, in November 2013, the appeals were rejected and the Foundation was funded. The Foundation will distribute more than $6 million and will close its doors once all of the grants have been distributed and completed.

Corporate Board of Directors conversations about "Digital Trust" are now ongoing, and the topic is becoming the subject of new business units.  Security vs. Privacy has been a recent media frenzy between some of our technology companies and the U.S. government.  Your elected officials in the U.S. House of Representatives are also on the hot seat now, to produce new relevant legislation.  The courts are adding more privacy and data breach cases to the docket each week.  The "Digital Equilibrium Project" is being established and will hopefully include an international set of stakeholders.

Authoring rules that everyone understands and everyone can agree on sets the stage or playing field for the environment of competition to engage with some sense of civility.  Rules will be broken in plain sight and the referee (law enforcement, judges, courts, juries) will impose a penalty, while potentially millions of people watch live.  Is it a penalty kick or just a loss of down?

Think global.  Think at the speed of light.  Think about the trust of e-commerce transactions where millions of people rely on our computing machines every waking minute of the day.  Where Zettabytes of data are in use.  The rules on the "Digital Playing Field" are vital to our future social and economic well being.

"Rugged DevOps" is another and necessary component of a safe, private and secure Internet ecosystem.  Operational Risk Management (ORM) professionals are ever more concerned with the root cause of our current Privacy vs. (soon to be "And") Security headlines.  Digital Trust is hard to achieve and yet easy to forfeit.  It is time for us to begin "Reengineering for our Next Generation".

05 March 2016

Zeros and Ones: Context & Proportionality Don't Translate...

"Context and Proportionality do not translate to Zeros and Ones."  This was a key take away from the 2016 RSA Conference last week in San Francisco.  Thousands of Operational Risk Management (ORM) professionals attended to listen to speakers with titles such as Attorney General, Secretary of Defense and Chief Technology Officer.

Perhaps more important however, were the actual practitioners in the legal system and those "Quiet Professionals" responsible for our national security, who were clearly outlining the digital landscape and our significant challenges ahead.  For our nation and the future of our social and economic destiny.

The software engineers and companies who are writing millions of lines of software code are at risk.  Here is why.  Context and Proportionality do not translate to Zeros and Ones because lawyers are writing words with "Semantically Intentionally Ambiguous Meaning" (SIAM) in the pursuit of achieving digital trust.  Privacy and security intent has been lost in the translation from lawyers to software engineers for a long time.

How can we summarize the entirety of what just took place this past week at RSA:
  • Visibility
  • Threat Protection
  • Compliance
  • Data Security
These four pillars are where the majority of the industry is still categorized, yet we came across some very interesting companies and products that are creating a new buzz.  Walking the halls and observing the presentations, the mobile computing generation was in full force.  As everyone shuffled between sessions like the overcrowded high school hallways, the only safe location was on an escalator where you could stare at your iPhone for 20 seconds with a little peace.  Can you imagine the amount of intellectual property intelligence being collected by competitors and adversaries using digital sensors and good old fashioned trade craft during the week?

So what?  In the spirit of all the talk and debate, the sales and marketing, the presentations and powerpoint slides, what have we learned?

"Context and Proportionality do not translate to Zeros and Ones."

Why is this so important to grasp?

At a certain point in the accelerating evolution of technology innovation there are disruptive bifurcations.  It means that the rise of a particular system achieves a point in time when instead of rising and growing on the "S" curve, the system begins its descent and erosion, until it is outdated or no longer trusted as a standard.

We are soon to reach a new bifurcation in the digital systems that run our businesses, markets and governments.  The organizations who rely on the Internet in their daily operations need to adapt.  Quickly.  Those that are able to accomplish rapid reengineering will survive.  And those who wait or miss the signals to adapt, will perish or become absorbed by the digital environment surrounding them.

27 February 2016

RSA 2016: Ascending into a Trust Mindset...

Building awareness of a vulnerability potentially heightens one's sensitivity to defend, or to build resilience to minimize damage or loss.  This is one of the foundations of Operational Risk Management (ORM): understanding what your assets are and what vulnerabilities exist.  Good old fashioned Risk Management 101 tells us to mitigate risks in the enterprise and even in our personal lives.

Is traditional Risk Management dead?  We think it is, and through the eyes and inspiration of others we can now see why.  Our ability to make "Trust Decisions" is far more complex than just an emotion.  As we have evolved away from small villages where food, water and other life-essential resources were shared, trust factors have become more distant.  More shallow and less personal.  Our digital lives, spanning continents and countries at light speed, have now given us a new perspective.  We must find our Trust Mindset.

As the RSA Conference opens on February 29, 2016 in San Francisco, thousands of eager professionals will converge on an event that has its foundation and its future built on "Achieving Digital Trust".  As we walk the Moscone Exhibition Halls observing, learning, engaged in dialogue or debate, we must remind ourselves of the wisdom that comes from Jeffrey Ritter:

I have always viewed the emergence of the Internet and global computing as powerful tools to increase the velocity of the next solutions that enabled greater inter-dependence, greater accessibility to commerce, and more small steps toward peace. Through my work, however, I learned those tools were vulnerable unless, as a global society, we determine how to also build across the digital dimensions of cyberspace the capacity for humans to achieve what each transaction first requires—an affirmative decision to trust.

Jeffrey's latest book has been an inspiration for so many who have researched and lived in the Venn Diagram of the Law, Digital Technology and eCommerce.  Yet what about those people who have studied and modeled the human skills and behaviors to build trust with others, but have yet to read Jeffrey's book?  What is the fusion between the factors associated with building trust human-to-human and in a world of machines-to-machines?

"Trust Decisions" are being made by humans and computers each second of each day.  And one thing is certain about the decisions to trust by people and by the machine in your pocket, brief case or purse.  It is continuously learning and sharing.

The halls of the RSA Conference will be buzzing about trust.  In all of its manifestations, the ecosystem of the event is about "Trust Decisions" and in many cases, man and machine.  The iPhone vs. the FBI.  Security vs. Privacy.  Cloud vs. Hybrid Cloud.  Secret Clearance or Top Secret Clearance.  Pre-hire background check.  FICO.  LinkedIn profile.  You name it and the fundamental question set comes back to a "decision to trust."

Living an ethical life of integrity and willingness to share begins at an early age.  Sharing information responsibly with your peers, director or commander, requires a process for building trust over time and with each transaction of information exchange, either building or eroding the future decision to trust.

Here is one recent example.  Sitting in a room with a dozen strangers the other day was a mini case study.  The purpose of this particular meeting was for this group of people to establish a forum for future trusted information exchange.  We were all part of the same ISAO (Information Sharing and Analysis Organization), if you will, not the same company.

The agenda called for each person to introduce themselves, all for the first time.  The specific rules for the introductions were not spelled out by the host and agreed by all of the meeting participants.  What happened next is a classic example of trust erosion when the rules are absent.  As we proceeded around the room, each person took it upon themselves to determine how much or how little information they would share with the rest of the group.

Some people introduced themselves with their name, company affiliation and a "one liner" on the business they were in.  Others in addition, took the opportunity to tell us all about their entire product/service line and why the solution was something that we should be interested in.  The first impressions were already building or eroding our perceptions of trust.  Our own reality.

It should be our ambition to continuously heighten our sensitivity to behavior in an environment absent of rules and how this builds or erodes our future trust decisions.  When you share, do you always have an expectation of reciprocity?  When you boast about yourself or your organization, is it for your own ego or self-satisfaction?  Do you ever even ask the question, "How are you" or "How can I help" you?  What are the rules?

Extraordinary trust is rare these days.  True Leadership is scarce.  Courage is almost extinct.  Think about how you can stand out and at the same moment, project a feeling of care, of concern and generosity.  Giving without any expectation of return, is what is going to help you build trust in your life.  And when you achieve that with your wife, husband, children, church, business partners, employees, clients and suppliers, then you know you are well on your way to substantial well being.

If you are alone and without many true and deep relationships in your life outside cyberspace, there is a good reason why.  Achieving and building trust inside your organization (company or family) has been written about for years.  Happy employees make happy customers.  You have heard this before no doubt.   Building awareness of a vulnerability potentially heightens one's sensitivity to defend, or to build resilience to minimize damage or loss.  This is where we started this blog post.

As we descend on the RSA Conference with the focus on "Trust Decisions", it will be with an ascent towards a continuous mindset of sharing, of caring and of learning.

20 February 2016

Predictive Intelligence: Data or Precogs...

The use of the term "Predictive Intelligence" has been around for a few years in the Operational Risk Management (ORM) community.  Born from the marketing collateral of the Business Intelligence (BI) vendors, it essentially requires hundreds of gigabytes or even terabytes of historical data, which is then analyzed or data mined for so-called insight.  The question is, why is this "Predictive Intelligence" and not just more "Information" in a different context?

Now introduce the nexus of our own "Trust Decisions" and the "Human Factors" associated with the science of cognitive decision making.  How do we as humans make our decisions to trust vs. how computers make their decisions to trust?  Are they not executing rules written by humans?  When is it information in a different format as opposed to true intelligence?

Christian Bonilla may be on to something here:
"Professionals in the foreign intelligence community take pains to distinguish between information and bona fide intelligence. Any piece of knowledge, no matter how trivial or irrelevant, is information. Intelligence, by contrast, is the subset of information valued for its relevance rather than simply its level of detail. That distinction is often lost in the sector of the enterprise technology industry that is somewhat loosely referred to as Business Intelligence, or BI. This has become a bit of a catchall term for many different software applications and platforms that have widely different intended uses. I would argue that many BI tools that aggregate and organize a company’s information, such as transaction history or customer lists, more often provide information than intelligence. The lexicon is what it is, but calling something “intelligence” does not give it any more value. In order to sustainably outperform the competition, a company needs more than a meticulously organized and well-structured view of its history. Decision makers at all levels need a boost when making decisions amidst uncertainty and where many variables are exerting influence. They need what I would call predictive intelligence, or PI – the ability to narrow down the relevant variables for analysis and accurately measure their impact on the probability of a range of outcomes."
What does the fusion of human factors have to do with predictive intelligence?  That depends on how much you value the kind of innuendo and messages in the Tom Cruise movie, Minority Report.  Many aspects of the original Philip K. Dick story were adapted in its transition to film, which was shot in Washington, DC and Northern Virginia.  Is it possible to predict someone's future behavior even before they commit a crime or even become violent?
Set in the year 2054, where "Precrime", a specialized police department, apprehends criminals based on foreknowledge provided by three psychics called "precogs".
Cruise plays the role of John Anderton, who is part of the experimental police force known as "Precrime."  These notions of clairvoyance and precognition have many skeptics.  A related term, presentiment, refers to information about future events which is said to be perceived as emotion.
Regardless of terms, beliefs or whether the software analytics are using historical data, the science of "Predictive Intelligence" is about forecasting the future.  Given that forecasts based upon historical data missed the recent global economic implosion, maybe it's time to start introducing more human factors to the equation.

People who have gone on record to predict a future event will probably be right at some point in time.  How long will you be around to wait?  The demise of the banking sector and the extinction of Lehman Brothers, Bear Stearns and maybe even AIG were most likely predicted by someone, somewhere, in the 2007/2008 time frame.  The point is that you have to have context and relevance to the problem being solved or the question being asked.
The real story of the crash began in bizarre feeder markets where the sun doesn't shine and the SEC doesn't dare, or bother, to tread: the bond and real estate derivative markets where geeks invent impenetrable securities to profit from the misery of lower--and middle--class Americans who can't pay their debts. The smart people who understood what was or might be happening were paralyzed by hope and fear; in any case, they weren't talking.
Predictive analytics extracts relevant information from data and attempts to forecast the future. It relies on capturing relationships between explanatory variables and the predicted variables from past occurrences, and exploiting them to predict future outcomes.  Is it possible that there was and is too much reliance on the numbers and not enough on people's cognitive intuition?

This blog has documented the "11 Elements of Prediction" in the past.  Now it's time to utilize the combination of these human factors in close collaboration with the data analytics and raw numbers. Effective execution of both will provide corporate management the situational awareness they seek within the time line they wish.

The future state of Predictive Intelligence will combine the science of "Trust Decisions" with the art of "Data Analytics" to achieve our desired outcomes.

14 February 2016

Workplace Violence: Cues and Clues to Teach...

Operational Risk Management (ORM) is your foundation for crisis leadership. It will also prepare the enterprise for the potential for Homegrown Violent Extremism (HVE).  Is there a nexus with the cues and clues of traditional workplace violence and domestic terrorism? A domestic terrorist differs from a homegrown violent extremist in that the former is not inspired by, and does not take direction from, a foreign terrorist group or other foreign power.

All work locations have distinct categories of threats that are relevant to the site, people and type of business.  Senior FBI profiler (retired) Mary Ellen O'Toole identified four categories of threat in a study entitled "The School Shooter: A Threat Assessment Perspective":
  1. A Direct Threat
  2. An Indirect Threat
  3. A Veiled Threat
  4. A Conditional Threat
Employees must be trained to be aware of the warning signals that typically occur before a threat and violent act becomes operational.  Based on the O'Toole study, these are some of the 23 "Red Flags" that employers should be monitoring, and keeping their Corporate Threat Assessment Teams on high alert for:
  • Low tolerance for frustration
  • Poor coping skills
  • Failed relationships
  • Signs of depression
  • Exaggerated sense of entitlement
  • Attitude of superiority
  • Inappropriate humor
  • Seeks to manipulate others
  • Lack of trust/paranoia
  • Access to weapons
  • Abuse of drugs and alcohol
Source: O'Toole, Mary Ellen, "The School Shooter: A Threat Assessment Perspective," by the Critical Incident Response Group (CIRG), the National Center for the Analysis of Violent Crime (NCAVC) and the FBI Academy.
The court and the jury will look upon your employer's ability to apply the basics of workplace violence and threat assessment.  What did you know?  When did you know it?  What have you done about it?  They will judge you on your threat assessment team's utilization of insider threat intelligence, combined with the evidence of your overt training of employees in the workplace.  What grade would you give your company today for these fundamentals?

Let's take it to the next step in terms of your ability to even meet the requirements of the Occupational Safety and Health Administration (OSHA) in the United States.  Awareness programs are expected on the four primary types of workplace crime:
  1. Those crimes committed by people not connected to the workplace.
  2. Aggression by third parties including customers, clients, patients, students, or any others for whom you provide a service or product.
  3. Employee-to-Employee violence or a former employee who returns to the workplace with the intention to injure a former supervisor.
  4. Aggression related to a personal relationship inside or outside the workplace.
The organization who understands the foundation for creating a proactive and preventive team for incidents in the workplace should not stop there. Once you have developed the framework for Incident Command, Emergency Operations Center, Shelter in Place, Medical Triage and Evacuation you have a good baseline to extend to a complete "Continuity of Intelligence Operations" strategy. This requires a deeper analysis into the threats inside your organization that may put you out of business entirely:
The ISIS assault on Paris and the ISIS-inspired massacre in San Bernardino, California, share a disturbing fact, no one saw them coming. Today, the biggest terrorist threat to the United States is not like al Qaeda. ISIS is wealthy, agile, sophisticated online, and operates freely in a vast territory of its own. It prefers to be called the Islamic State. The U.S. government calls it ISIL. Reporters tend to call it ISIS for the Islamic State in Iraq and Syria. But whatever the name, it has the manpower, means and ruthlessness to attack the U.S. The man who is supposed to stop that attack is John Brennan, the director of the CIA. And tonight, in a rare interview, we talk to Brennan about a world of trouble and we start with the most pressing danger.
Once the organization has adopted the "All Threats - All Hazards" intelligence mentality, it is well on its way to becoming a survivable business.  Operational Risk Management (ORM) is a discipline that incorporates this approach and provides owners, operators and business suppliers with the tools, methods and strategy to handle workplace violence incidents or a catastrophic act of mother nature.

07 February 2016

Trusted Enterprise: Digital Science in Business...

Digital Trust has been a cornerstone for any serious organization in our 21st century era.  The foundation for an Operational Risk Management (ORM) design begins with the engineering science of a sound and enduring platform for "Enabling Digital Trust of Global Enterprises."
The Accenture Technology Vision 2016 verifies "Digital Trust" as one of five major trends:
As every digital advancement creates a new vector for risk, trust becomes the cornerstone of the digital economy. Without trust, digital businesses cannot use and share the data that underpins their operations. To gain the trust of individuals, ecosystems, and regulators in the digital economy, businesses must possess strong security and ethics at each stage of the customer journey. And new products and services must be ethical- and secure-by-design. Businesses that get this right will enjoy such high levels of trust that their customers will look to them as guides for the digital future.  Source:  Accenture Technology Vision 2016
The concept of data ethics as a significant component of establishing "Digital Trust" is vital.  When you introduce the concept of ethics to the dialogue on software engineering in the global enterprise, there are several key considerations.  Adding the moral governance of actions taken as a result of insights derived from the analysis of information is also a valid vector in the design of trustworthiness for modern digital applications.  Yet this means nothing without first understanding how humans make their decisions to trust.  How effective the entire ecosystem of "Digital Trust" becomes will always come back to the root.  Digital Ground zero.

Ground zero for "Digital Trust" is the actual "Trust Decision" itself.  The science of the "Trust Decision" elements and process has been the focus of researchers and academic study for years.  In order for us to truly understand how to achieve digital trust in business, we must first grasp the science and evidence of the core elements and root of our "TrustDecisions."  Does "Achieving Digital Trust" in the enterprise ensure that, as a business you are "Achieving a Defensible Standard of Care"?   Not necessarily.

The two concepts are distinct, yet they still have affinity for each other.  Accenture's Technology Vision provides the enterprise with sound reasoning about how to create a path towards improving digital trust, especially as it pertains to the reputation benefits associated with the "Brand."  Adding the element of ethics drives the consumer thinking that the business has addressed privacy requirements in terms of the legal rules and usability factors.

Incorporating the conversation in the Board Room about data ethics (collection and use) or how as an enterprise you must design-in legal controls in order to alleviate liability, requires something new.  It requires all interested parties to go back to the root.  How does the human make a decision to trust?  How does a computer make a decision to trust another computer?

The people sitting around the Board Room table are thinking about creating more wealth.  They are not asking themselves, how do computers trust other computers?  In our digital age where decisions are being made as a result of the execution of zeros and ones at light speed, someone has to be designing the trust architecture with the right people in the enterprise.  The question is now at hand, who is that person or business unit?

The answer is going to be different in each business or organization.  What is the maturity of the particular digital ecosystem and how vast is the landscape for the computing assets?  One fact that must be acknowledged early on, is that it probably does not entirely exist today.  The ideal unit of people and systems that are necessary to achieve digital trust, are currently spread out across the typical silos of a business architecture.  IT, Marketing, Legal, Info Security, Privacy perhaps.  However, the dedicated and funded "Digital Trust" team, task force or department, has yet to be established.  So what?

Continue to operate as you are.  Without the advantage of truly understanding the elements of "Trust Decisions" and how this is relevant to "Achieving a Defensible Standard of Care."  A trustworthy computing division, may have existed in the past at your organization, yet initially with another focused mission,  "Cyber Crime" intervention.  You see, the idea of trust and why it is so vital to the success of the information technology industry is not new.  Smart malware researchers and software engineers understood this at the dawn of the Internet.  So why is this any different?

Trustworthy computing in the 90's is not the same as the application of "Trust Decisions" in the year 2016 and beyond, especially today, with the speed of cloud computing adoption and the outsourcing of core data transactions across borders.  The international implications of privacy laws and the routing and storing of data outside of your native country are now in play.  Negotiations by nation states to bypass the traditional mutual legal assistance treaty (MLAT) process are the new normal:
If U.S. and British negotiators have their way, MI5, the British domestic security service, could one day go directly to American companies such as Facebook or Google with a wiretap order for the online chats of British suspects in a counterterrorism investigation.

The transatlantic allies have quietly begun negotiations this month on an agreement that would enable the British government to serve wiretap orders directly on U.S. communication firms for live intercepts in criminal and national security investigations involving its own citizens. Britain would also be able to serve orders to obtain stored data, such as emails.  Source:  Washington Post
The requirements have changed.  The next era of "Achieving Digital Trust" requires so much more.  It now requires standing up and providing substantial resources to the "TrustDecisions" Unit within the enterprise.  What does this mean to the future of the Trusted Enterprise?

It means that the Chief Information Officer (CIO), Chief Privacy Officer (CPO), General Counsel and Chief Information Security Officer (CISO) will be using data and Digital Science to design a new architecture for the Trusted Enterprise.  They will deliver it to the desk of the Chief Executive Officer (CEO) very soon.

31 January 2016

Risk Culture: The Root Cause of Business Assurance...

There is a scarcity of enlightened organizations who truly understand the root cause of risk in their enterprise. The business assurance they seek and the Operational Risk Management (ORM) outcomes they receive, are in direct proportion to the "Risk Culture Maturity" within the company.  This risk culture maturity, is at the root cause of why certain kinds of risks exist and what ability the organization has to accept, mitigate or transfer that risk.

A risk culture begins and ends with the human ability to communicate effectively with other humans. The human behaviors associated with communicating risk have everything to do with the ability of one person to know the truth and to tell the other accurately and effectively what the risk is and how it could impact the business. The trouble is, most organizations fail to spend enough time doing exactly that, and doing it without fear.
"What kind of fear? The fear that by telling your supervisor you might offend them. The fear that by questioning the co-worker about their decision, that you will alienate them. The fear that by uncovering a fellow worker's risky behaviors to the rest of the team, that you will jeopardize the overall mission."
The ability, or lack of ability, of humans to communicate risk factors to each other truthfully and without fear of judgement or retribution is why you either live or die. This is the reason why your organization continues to flourish or rots from the inside out. You see, the risk management environment in your team, unit, office location or FOB has everything to do with communicating the truth in an effective way.

The risk culture problem is one that continues to rear its ugly head time and time again, and it shows itself in the published press or in the digital eDiscovery process of modern day litigation. Look back on almost any loss event like this and you will see that it could have been addressed or contained, if only humans had communicated effectively about the risk(s) to them personally or to the unit, whether that unit is a family, a branch office, a partner or an entire agency of government.
Companies need to put in place oversight of strategic partners, vendors and service providers to ensure that those support organizations are meeting their own risk standards. A company should share its risk management guiding principles with third-party suppliers or partners to influence their decision-making process. Risks and controls should be a consideration when choosing new partners, and they should be re-evaluated on a regular basis to help avoid potential vicarious liability for the poor decisions of an alliance partner.
The organizations that survive and are able to outperform their competition are those that understand this reality. Leaders who insist that people strip away the fear of judgement, retribution or long term bias, and communicate the reality of what they truly sense as humans, will be superior. A risk culture that is truly understood, and that simultaneously monitors people's ability to learn from their mistakes, will continue to outperform and survive in whatever environment it lives in.

Leadership is charged with the state of their organizational culture. The fundamental risk to any organization is that leadership does not recognize this and pays little or no attention to the maturity of its culture in dealing with risk and the human factors ecosystem. This begins with the person across the table, by your side in bed, or next to you in control of a vehicle, on land, in the air or on the ocean.

It doesn't matter who the leader is. The Founder, CEO or Chief Risk Officer. The Branch Manager, Area Supervisor or Vice-President. The Element Leader, Master Chief or C.O. Mother or Father. Managing a culture that communicates the truth and reality without judgement begins the process of building a risk management entity that will not only survive; it will outperform the perceived opposition.

Enlightened individuals are multi-dimensional, and together they comprise a brain trust of diverse people who have different life experiences. These courageous people must then be engaged in the correct setting and risk culture, with the right combination of business objectives, resources and highly detailed mission outcomes. Only then will the environment they operate in determine who survives the continuous performance evolution.

The root cause of Business Assurance and Resilience is the Risk Culture.

24 January 2016

Adverse Consequences: Enabling Digital Trust of Global Enterprises...

In the World Economic Forum 2016 - Global Risks Report, there are several insights and alarms that Operational Risk Management (ORM) professionals and the Board of Directors are quickly analyzing.  This year's Davos, Switzerland Annual Meeting and report has the underlying theme of the "Fourth Industrial Revolution".

Our first insight is the rise in "Cyber Dependency" that is called out in the "Risk-Trends" Interconnections Map.  It is tied directly to the following technological "Global Risks", ranked by highest impact:
  1. Cyberattacks
  2. Critical Information Infrastructure Breakdown
  3. Adverse Consequences of Technological Advances
  4. Data Fraud or Theft
#1 makes sense in the Upper Right Quadrant of High Impact and High Likelihood.  The alarms, however, are going off with #2 and #3 for several reasons.  First, they are in the Upper Left Quadrant of "High Impact" and "Low Likelihood".  Why does this create concern?

The Upper Left Quadrant holds the risks that the most experienced OPS Risk professionals pay the most attention to.  This is the area that organizations usually starve of people and resources, and where enterprises are caught off guard or blindsided by asymmetric threats.  These are the risks that no one has really exercised for, and for which no one is actively developing proactive hypotheses to address in a real-time crisis.

There are two other risks shared in this same Upper Left Quadrant in 2016:
  • Weapons of Mass Destruction
  • Spread of Infectious Diseases
These are risks that nation states spend hundreds of millions of dollars each year collecting intelligence on and devoting substantial resources to, in order to keep the likelihood of their occurring as low as humanly possible.  The impact on humanity is far too great not to devote attention to these, yet the private sector is rarely involved.

Now, let's consider the other two in the same quadrant, slightly less in impact and just a little higher in likelihood.  What does each really mean as a global risk?

"Critical Information Infrastructure Breakdown": "Cyber dependency increases vulnerability to outage of critical information infrastructure (e.g. internet, satellites, etc.) and networks causing widespread disruption."

"Adverse Consequences of Technological Advances": "Intended or unintended adverse consequences of technological advances such as artificial intelligence, geo-engineering and synthetic biology causing human, environmental and economic damage."
  • A global risk is an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years.
  • A global trend is a long-term pattern that is currently taking place and that could contribute to amplifying global risks and/or altering the relationship between them.
Although organizations may recognize the benefit of cyber technologies for their bottom lines, they may not be fully internalizing cyber security risks and making the appropriate level of investment to enhance operational risk management and strengthen organizational resilience. Particular attention is needed in two areas that are so far under-protected: mobile internet and machine-to-machine connections. It is vital to integrate physical and cyber management, strengthen resilience leadership and organizational and business processes, and leverage supporting technologies. (Page 23 of WEF_GRR16)
The combination of the two aforementioned technological global risks is almost invisible to the major stakeholders of our vital organizations and governments.  This is because the focus on "Cyberattacks" and "Data Fraud or Theft" has dominated the news cycles.  It makes sense.  However, we must consider this:
As is often the case, however, public-private partnership can be held back by lack of trust and misaligned incentives. Businesses may fear exposing their data and practices to competitors or to law enforcement agencies. And the private sector’s primary interest in rapid recovery and continuity of business operations may not align with the public sector’s primary interest in apprehending and prosecuting perpetrators. In addition, governments need to balance their investments in cyber offensive weapons and efforts to enhance capabilities for cybersecurity and defence. (Page 83 of WEF GRR16)
Cyber Dependency is a long-term pattern that is currently taking place and that could contribute to amplifying global risks and/or altering the relationship between them.  The underlying root cause of the disruption and the perceived risks is the integrity of "Digital Trust" and the continuity of "Trust Decisions":

  • Machine-to-Machine
  • Person-to-Person
  • Business-to-Business
  • Government-to-Government
  • Country-to-Country

Business Executives and Leaders of Nation States have one thing in common.  Their employees and their citizens are ever more connected by mobile digital devices.  Their economic engines of banking, finance and trading are dependent upon the confidentiality, integrity and assurance of data.  The ability and the opportunity of the mass of humanity to continuously leverage their personal digital devices is simultaneously a global risk.  So what?

You see, the 2016 Global Risks Report is flawed.  It relies on an outdated and soon to be irrelevant set of four Quadrants.  The axes of Impact and Likelihood are no longer capable of capturing risk management and the human perceptions of both.  On the planet Earth, in the Internet ecosystem of 500 Billion computing machines, lies the answer to our future quest:

Enabling Digital Trust of Global Enterprises...

17 January 2016

Duty of Care: Board of Directors OPS Risk...

The Board Rooms across America are in full tilt mode, working hard on risk oversight. The Chairman of the Board (COB) is wrestling with divergent personalities and competing agendas as the organization races towards its next phase of growth.

Operational Risks are being presented from all facets of the business and the Board of Directors has a fiduciary responsibility to address them, without creating new risk in the process. Leadership is in short supply and collaboration among the entire board is dwindling. In terms of Operational Risk Management (ORM), what risk is the most dangerous to the enterprise at this point in time?

The risk that the Chairman of the Board has lost the ability to forge trust and a favorable relationship with the Directors themselves becomes a significant threat. The trust and the relationship that a Chairman has with the Board of Directors is paramount. When this is no longer present, and the "Independent Directors" realize they can no longer trust the performance of the Chairman, significant risk factors begin to quickly evolve that put the entire organization into a vulnerable state.

Once the Independent Directors see, hear or feel that the Chairman has lost credibility and respect from the Board, then it is time to act. The organization is in jeopardy, and each day or week that goes by without action to change leadership will increase the long term risk to the brand, to confidence in the entire leadership and, finally, to the people charged with making the organization compliant with all legal and ethical policies. A failure in people is an Operational Risk that far too often becomes overlooked or just plain ignored, due to the power base that may come with the Chairman's role.

The Board of Directors is charged with the duties that involve the governance, regulatory, compliance, legal and ethical components of the organization. When any one of these starts to fail, then faith in the entire leadership of the organization becomes a question mark. How many times do we hear the story of leaders brought down by the words "Failure to Act"? Today and in the future, “serving on a Board of Directors means living in a fishbowl” according to Chief Justice Myron Steele of the Supreme Court of Delaware:
Once a difficult situation arises with the potential for litigation and its accompanying damage to the company’s reputation, the media will descend on the company, and directors must show 1) that they had a plan in place to deal with such situations in accordance with their oversight or compliance duties, 2) that the plan was reasonable and adequate, and 3) that the plan was followed. It is worth noting here some of the recent trends in corporation litigation. Two major categories of corporate litigation that a director might face include the traditional class actions based on breach of fiduciary duty, and derivative actions which are filed on behalf of the corporation due to wrongdoing on the part of the board, either for its actions that resulted in a loss or its failure to act which also resulted in a loss through missed opportunity.
One of the major trends going on these days is to keep the Chairman separate from the CEO or President of the organization. The benefits are great, especially if you have a CEO who will allow their ego to accept the other person as an ally and not competition:
In the public company arena, more and more companies are separating the Chairman of the Board position from the CEO. It turns out that this trend has benefits for earlier stage companies too. We believe that all CEOs – regardless of their experience – benefit from having a lead director on the board. In general, it has been our experience that boards (and the board meetings) work better when there is a Chairman in charge other than the CEO.
This strategy in overall Board Governance is a sound one. As a result of the "Duty of Care" of the Board of Directors, at some stage it may require that the Chairman recommend to the Board that a CEO resign or be fired from running the day to day operations of the organization.

The Board of Directors and their behavior within the Board Room and in the functions outside in public are at stake. The governance of the Board of Directors begins with the Chairman but ends with each individual on the Board itself. If the Independent Board Director remains silent on any legal duty of the Board, they are putting all in jeopardy of a failure of the Duty of Care:
In tort law, a duty of care is a legal obligation imposed on an individual requiring that they adhere to a standard of reasonable care while performing any acts that could foreseeably harm others. It is the first element that must be established to proceed with an action in negligence. The claimant must be able to show a duty of care imposed by law which the defendant has breached. In turn, breaching a duty may subject an individual to liability. The duty of care may be imposed by operation of law between individuals with no current direct relationship (familial or contractual or otherwise), but eventually become related in some manner, as defined by common law (meaning case law).
It is the Chairman of the Board who has the responsibility to keep the Independent Directors informed and aware of any person's behavior or actions that could put the entire board at risk. And even more importantly, it is the duty of each Independent Director to ensure that they are constantly monitoring for any possible failure of the Duty of Care to their organization and their fellow Board Directors.

10 January 2016

Privacy Engineering: Mobile Standards for Digital Trust...

The landscape for software engineering standards within corporate organizations is now on the radar of Operational Risk Management (ORM) experts.  What are the privacy and security related engineering design standards that are being utilized at JP Morgan Chase, Citibank or PayPal for mobile App development?

Effective and standardized "Privacy Engineering" of mobile applications at organizations in Critical Infrastructure sectors such as Finance and Banking is just one example.  It is soon to be a greater focus of the Federal Trade Commission (FTC) and other U.S. regulators.  Why?

"Trust Decisions" are being made by consumers each day, as millions of mobile banking customers download an application to their Android or iOS smart phones.  The consumer then has immediate exposure to the quality of the software engineering, by way of the UX/design and the developer of the software App.  The standards each organization uses for designing and engineering those Apps with privacy and security may vary by who developed the application and for which particular operating system.

So what?  The software engineering departments of U.S. financial institutions and other highly regulated industries will remain a concentrated focus of the Federal Trade Commission (FTC).  Standards for privacy software engineering, and disclosure of the rules, will become an even more critical factor.  Why?
As a result, to act within the time constraints of deadlines, the presence of fiercer competition, and the looming threat of higher lost-opportunity costs, you have no choice—you must presume the trustworthiness of the information you acquire to make decisions. Deciding now requires you to acquire the information you need from the most accessible source, with zero time to ask the important questions: “Where did this information come from? Who put this report together? Has the data been confirmed to be accurate? Who actually authored the analysis? Does this bank statement reflect all of our deposits?”

Answering these types of questions is inherent to how we make good decisions. You seek information that serves as fuel for your decision. You work hard to validate that the information can be trusted. You calculate toward your decision, constantly evaluating whether the information holds up its reliability. But in today’s 24/7/365, wired decision-making landscape, there is no time to ask those questions. Those controlling the information you need understand that pressure and require you to presume their digital information is trustworthy and reliable for making your decisions. Thus, to gain control of digital information is to succeed in imposing an enormous handicap—removing your ability to challenge its trustworthiness by asking the right questions.  Source:  Achieving Digital Trust by Jeffrey Ritter.
Is it possible to redesign mobile banking Apps so that all Android or iOS software engineers must adhere to privacy and security engineering standards of practice?  The human-based "Trust Decisions" about whether to trust an application with personally identifiable information (PII) are currently buried in legal disclosures.  The privacy disclosures are written by lawyers, are all different and, in most cases, are never read by the consumer prior to downloading the App.  Opt-in or Opt-out?

The future of mobile App Privacy and Security Trust engineering for consumers will be in the hands of government regulators soon and in concert with other laws associated with information security, such as the GLBA Safeguards Rule.  "Cyber Trust" indicators or other vital warning systems may be in the works.  Buyer Beware is the theme.

For years consumers have been looking at FDA Nutrition Labels and other Federal-oriented tools to provide more visible and rapidly effective disclosure.  Since the human being is making "Trust Decisions" on whether to download a software application to their computing device, they also may desire a method to quickly ascertain if the App is "Trustworthy."

Can they trust the application according to their particular appetite for risk?  What information will be shared with 3rd parties?  How will your information be used and collected while you are using or not using the application?  Here is one example of how a future warning "Privacy Label" may look before a consumer is permitted to download an application to their computing device.

What does the consumer experience today?  As one example, currently when you visit the App Store on an iOS mobile device such as the iPad, and then search for "Chase", the top choice is an App named Chase Mobile.  When you click on the "Get" button, it changes to "Install".  When you click on "Install" it prompts you to Sign In to iTunes Store.  Once you sign-in, the Chase Mobile App downloads to your device, the button then changes to "Open."

When you open the Chase Mobile App, it opens the first screen to "Log On".  There is a small "Privacy" button in the top left corner of the screen; however, there is not an easy to understand Privacy Label visible before you actually "Log On" to Chase.  Selecting the Privacy button in the upper left corner reveals dozens of pages of legal documents explaining the online privacy policy and U.S. consumer privacy notices.  There is, however, one easier-to-view grid under the privacy notice that is helpful in understanding whether Chase shares personal information and whether, as a consumer, you can limit this sharing.

The Critical Infrastructure sectors of the U.S. economy that have a daily interface with consumers through mobile software Apps are now on notice.  Chief Legal Counsels, Chief Information Officers, Chief Privacy Officers and Software Engineering personnel must address the reality of human behavior and how "Trust Decisions" impact legal risk and the ultimate perception of the corporate brand.

03 January 2016

2016: A New Era of Operational Risk...

As we launch into 2016, Operational Risk Management (ORM) professionals are ready for another challenging year.  The current state of global events, which includes uncertain political or economic behavior by nation states and the continuous barrage of certainty that is "Internet Asymmetric Warfare," is the new normal.

Reflecting back on 2015, here are the top 5 blog posts by number of page views:

Insider Threat: Trusted Systems of the Future...

Trust Decisions: Beyond RSA and Our Digital Future...

Data Rupture: The Risk of Over-Classification...

Trust Decisions: The Extinction of Risk Management...

InTP: Quality of Design in a New Age of Terror...
There is now anticipation that the world economies are going to continue a meager growth rate, as we enter our 8th year since "The Big Short" in 2008:
When the crash of the U. S. stock market became public knowledge in the fall of 2008, it was already old news. The real crash, the silent crash, had taken place over the previous year, in bizarre feeder markets where the sun doesn’t shine, and the SEC doesn’t dare, or bother, to tread: the bond and real estate derivative markets where geeks invent impenetrable securities to profit from the misery of lower- and middle-class Americans who can’t pay their debts. The smart people who understood what was or might be happening were paralyzed by hope and fear; in any case, they weren’t talking.
From the analysts' desktops at "Liberty Crossing" to the Cyber Security Operations Centers (SOC) of dozens of Global 500 private sector companies, one thing remains certain.  The adversaries are too nimble, unpredictable and ever more capable of operating on the front lines for months and years in plain sight, or for weeks and months totally undetected.

However, relying on certainty alone, and not being simultaneously adaptive or innovative in an accelerating pace of business or Decision Advantage, can get your Board of Directors in real trouble.

In 2016, the dawn of a new Operational Risk Management era shall begin, in a future state where people and machines will operate making "Trust Decisions" with greater ease and increasing velocity.  Stay tuned...

27 December 2015

Executive Security: Personal Protection Specialist...

Operational Risk Management (ORM) extends beyond the perimeter with some of your most valuable assets.  The Fortune 500 Chief Executive Officer and their staff team of subject matter experts are continually at risk.  Even if you are the co-founder of a new start-up with that new "Killer App" ready for testing with SOCOM, you may now require several full-time security risk professionals at your side.

In the corporate Protective Security environment, the "Advance Work" being executed by your ORM team will ensure your success or contribute to the embarrassment or injury of your client/principal. Professionals in Protective Security Details (PSD) realize that your site or lead advance agent can make or break the entire operational risk strategy for your proactive and preventive security measures.

Thinking like the DEVGRU attacker and possessing a "Red Cell" mentality is a valid approach for several aspects of the advance work necessary to ensure an effective "protective envelope". What ends up being the greatest threat to your operation may be technology itself. Too much reliance on pervasive high tech tools such as "Google Maps" or even the standard-issue Garmin GPS will create a vulnerability just at the point in time when your principal says, "Let's change the itinerary or the location of the next meeting".  A "15 Minute Map" compiled from a good old fashioned road atlas can be the low tech tool that saves lives and prevents chaos.

21st Century Executive Security and modern day Personal Protection Specialists (PPS), who understand the value of the "Advance" and apply it effectively, will continue to keep their principals safe and secure with a high degree of professional client service. Corporations operating in countries where executives are required to visit critical infrastructure plants, manufacturing facilities or meet with government officials have been incorporating more protective intelligence and advance work for good reason. The global business environment is increasingly volatile and subject to rapidly changing political risks and subjective "Rule of Law" in many emerging democracies.

Whether it is weapons at close range or at a distance, explosive IEDs or kidnapping plots, today's global and mobile executive is ever more at risk.  Effective "Advance Work" is the most critical aspect of the security operation.  Site and route surveys, and "eyes on" residences, airports and hotels, hospitals, police stations, restaurants and convention centers, are a mandatory component of the advance operations.

Surveillance Detection (SD) remains a vital facet of the advance work, including the ongoing SD as the Protective Security Detail agents run the operation. The Principal is potentially aware of such activity, yet is shielded from any lethal imminent threats as the day's agenda unfolds.

What may be more obvious is the PSD's use of "Cooper's Colors":

"By using a well-practiced, concrete, formulaic train of thought, it prevents the hesitation normally experienced when one is under threat of attack or actual attack, and this is the purpose of the code, to prevent unnecessary hesitation, and to apply only that force which is necessary to defend yourself." The way Jeff Cooper explains it is:
  • White - relaxed and fairly oblivious of your surroundings, you should only be in this condition if you are at home or another secure setting behind locked doors.
  • Yellow - the state of not only constant awareness, but the constant recognition of possible threats. In this state, you are observant of your surroundings, allowing you to recognize threats if they present themselves.
  • Orange - in this state, you have recognized a potential threat, and are ready to defend yourself against this threat if necessary.
  • Red - you are actively defending yourself or others against a threat that has presented itself to you.
It's not just about general awareness; it's about positively identifying potential and actual threats as you go about your daily life. It is this threat identification and acquisition process that is so valuable, because it reduces your response time to those threats if they present themselves.

Executive Security and the Personal Protection Specialist (PPS) become an even more vital asset in the OPS Risk portfolio where the Board of Directors has authorized significant premiums for an executive's kidnap and ransom (K&R) insurance. Why?

Like many aspects of our society today regarding information privacy, one only wonders how information gets leaked from the confines of the corporate enterprise. Operational Risks involving people in your organization exist every day.  Insuring against losses and protecting against personnel loss events is imperative. Utilizing the correct strategy, tools and professional human assets to comprise the entire security envelope, including the effective use of Protective Security Details, can make all the difference in your organization's resilience factor.

19 December 2015

Cyber Domain: International Law of Asymmetric Warfare...

The international laws and human understanding of what crosses a "Red Line" are being defined in cyberspace in real-time.  The operations of the Chief Security Officer (CSO) and Chief Information Security Officer (CISO) are now becoming more adaptive.  The Operational Risk Management (ORM) enterprise architecture will soon call for three standard mission functions:
  • Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.
  • Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect, and respond to network attacks, intrusions, disruptions, or other unauthorized actions that would compromise or cripple defense information systems and networks.
  • Computer Network Exploitation (CNE): Includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.
Computer Network Defense (CND) has been the norm for many organizations, and now that is no longer enough.  Yet before we can determine why we must add CNA and CNE, we had better understand the breadth and depth of the cyber realm.  The "Over-the-Horizon" view of the reality of that domain is rapidly developing into a proactive risk management imperative for Global 500 organizations.  Why?

The non-state actors are organizing and evolving into what could be coined, for the layman, a modern day "Cyber al-Qaida."  A "Cyber Taliban."  Or even a "Cyber 1st Amendment or 4th Amendment" cadre of affiliated entities.  These digital non-state actors following a set of ideologies, as opposed to a set of true investigative journalists or independent non-partisan watchdogs, are metastasizing at an exponential rate.

This ideology, fueled by cyber activism and directed at a particular organization or country, plays out on a digital battlefield that spans the globe.  It has long been said that the Internet is nothing more than a mirror of the good and evil in our physical world.  The existence of cyber warriors who are interested in going beyond the goal of financial crimes to the kinetic destruction of critical infrastructure is a well-known fact.

Who are these cyber warriors that identify with a movement or cause, that attack the well-being of other humans or destroy the property or economic assets of another organization?  They are the same ideologues that have existed long before the Internet.  The difference is that the reach, speed and ubiquitous nature of the digital medium accelerate the threat and the requirement for an effective counterbalance.  Putting actual skill sets aside for a moment, the real differentiator has been a "White Hat" or ethical warrior focus:
Regarding whether there were different rules of armed conflict for cyberwarfare in dealing with states like Iran, versus terror entities like Hamas or al-Qaida, he first noted that while there is “no consensus,” the “US, Israel, England and others” argue that “self-defense” principles justify attacks against terror groups, even if they are not states.  --IDF Col. Sharon Afek-- Article by Yonah Jeremy Bob
The CNA, CND and CNE operations in the digital Global 500 will now employ those individuals whose ideology is directly opposed to the worldview of a "Cyber al-Qaida."  In the long war, the cyber "White Hats" will endure.  The asymmetric warfare of the next decade will encompass operational risk professionals behind the network who bring a different context.  Why?  Because they believe in an ideology far more patriotic than their predecessors.  They are the "Quiet Professionals" who have retired from SOCOM active duty and now span the ranks of the corporate private sector.

The international laws of the cyber domain are in play for our prosperity or our peril.

13 December 2015

Beware of the Cowboy: Risk Driven by Fear...

Beware of the cowboy.  Operational Risk Management (ORM) spans hazards from the flight deck of the USS Ronald Reagan (CVN 76), to behind enemy lines, to employee behavior on the front lines of the private sector on Wall Street:
"The recent conviction of Michael Coscia in the Federal District Court in Chicago in the first prosecution for “spoofing” provides more clarity to high-frequency trading firms about how they can operate. The message is to tread carefully when a strategy depends on using orders that will be quickly canceled because the government may claim they are an effort to manipulate the market by fooling others into trading.

Spoofing was made illegal in the Dodd-Frank Act, which prohibits “bidding or offering with the intent to cancel the bid or offer before execution.”"
Believe it when we say that people who try to be cowboys in your organization are operating without regard to risk.  Now multiply the number of cowboys by the number of people around them on their team who come to believe that this is the way to operate.  It doesn't take long to find that these are the root causes of many of the operational risks in your organization.  And it starts with the basics, even in the vast private sector beyond Wall Street:
  • Revenue is not booked according to the rules.  Products sit in the warehouse, yet revenue ends up on the sales rep's commission report because (s)he had a signed order.
  • Assets are not valued correctly.  Bank accounts are not validated to make sure they actually exist, and accounts receivable are inflated.
These are just two of the many facets of occupational fraud that start with a few cowboys who have little regard for managing risk and every incentive to line their pockets with newfound cash or bonuses.

From Leadership Lessons of the Navy SEALS

The Cowboy
"Neither of us knows if such a thing has ever been tolerated in modern commando teams. Yes, sometimes you need to charge forward. But, there are simply too many potential casualties and too much political currency resting on commando missions to entrust one to a cowboy. Authorization for an operation depends on the accurate calculation of operational risk. This requires an assessment of proven forces' ability to perform a task. All this is contrary to the cowboy philosophy of depending on experimentation, pluck, and luck in order to succeed."
"The problem with being a cowboy is that your bosses won't employ you if they can't trust you, and they can't trust you if they don't know what you'll do. And then you're stuck with the reputation."
        --LT. CMDR. Jon Cannon

You might think that the reason is ego or just plain greed.  However, the real motive may not be so clear.  More than likely, the motive is fear, and that fear grows until it reaches the point of creating harm, loss and destruction.  You have to find the cowboys in your organization, and you have to follow the mantra of the quality gurus of years past (point 8 of W. Edwards Deming's 14 points): "Drive out Fear."

06 December 2015

InTP: Quality of Design in a New Age of Terror...

Executive Management and the Board of Directors are waking up today with a key thought on their minds.  In the wake of the horrific act of terrorism in San Bernardino, CA this week, how effective are the "Insider Threat" Programs (InTP) they are now being tasked with?
The FBI said Friday that it is investigating the San Bernardino, Calif., massacre as an act of terrorism, with officials revealing that the Pakistani woman who teamed with her husband in the slaughter went on Facebook afterward to pledge her allegiance to the leader of the Islamic State.
The husband terrorist was employed by a county government agency in California.  Just as your place of employment has a "Duty of Care" for the safety and security of its employees, any nexus between homegrown violent extremism or terrorism and a government or private sector ecosystem requires a strategic focus.
(U.S. Code Title 22, Chapter 38, Section 2656f(d) defines terrorism as: “Premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.”)
The Board of Directors or Under Secretary, in concert with the Operational Risk Management (ORM) professionals within the enterprise, has a fiduciary responsibility that is now under a new spotlight.

The husband terrorist was a U.S. citizen working as an environmental health specialist in San Bernardino County.  He was a devout Sunni Muslim.  He had recently traveled to Saudi Arabia for two weeks, the home country of 15 of the 19 9/11 hijackers.  When he returned, he was growing a beard and was married to a devout Sunni Muslim woman he had met online.  Witnesses have stated that his new wife had substantial influence on his religious beliefs.  Was some or all of this a potential "Red Flag" to family members or co-workers?  Could she have been a clandestine agent?

An "Insider Threat" Program (InTP) is present in hundreds of top-tier Fortune 500 organizations and in almost all government contractors that operate "Sensitive Compartmented Information Facilities" (SCIF).  U.S. Executive Order 13587 requires federal departments and agencies that operate or access classified computer networks to have an InTP in place.

This still leaves thousands of vulnerable businesses and government agencies at the state and local levels without the resources, expertise and policy-based programs to administer a lawful and effective InTP or a hybrid "Insider Threat" strategy.  Such a program is imperative for the continuous protection of physical and digital organizational assets, including the precious lives of all employees.
As a result, many organizations will be asking senior management about the initial implementation of an InTP, or about reviewing the effectiveness of an InTP already in progress at a Defense Industrial Base (DIB) contractor.  So what?
What does the current InTP in your organization have to do with the adverse consequences that may occur?  Why could an InTP that has been designed incorrectly, or implemented without control metrics, create substantial risk and liability to the enterprise?  How can you address the Operational Risks associated with an "Insider Threat" Program?

Here are several key design areas where a failed InTP design produces unintended consequences, and where attention reduces their likelihood:
  • Staff or employees who use the InTP incorrectly, whether with intent or by accident
  • Loss of reputation for top management by supporting an overly aggressive InTP
  • Collision course with formal EEOC and whistleblower protections and processes
  • Friction with internal Human Resources relationships
These are just a few of the many areas that should be addressed in the initial design of a high-performing InTP.  The problematic cases that result from low-quality design are generating bad PR, and new employee lawsuits are gaining attention.  Aggressive action by management may create a high rate of "False Positives" that alienates employees, increases privacy violation claims and damages corporate culture.

The integrity and the credibility of the InTP is paramount, if we are to continue to utilize it as an effective tool in the Operational Risk Management (ORM) strategic plan.  Managing risk on vital enterprise assets requires dedicated people, tested processes and robust systems that will not erode support.

Which vital process, training and systems areas need focus, or can be designed correctly from the start?
  1. Relationships with Management & Employees
  2. Investigation of Incidents and Reports
  3. Management Behavior after an Employee Red Flag
  4. Implications of the Culture of Trust
Organizational behaviors and the "Duty of Care" are in the spotlight again as a result of the San Bernardino terrorist attack.  The quick reaction by hundreds of companies to implement an InTP where none existed before will spawn thousands of new litigation examples that have a nexus with security and privacy in the workplace.

In essence, you need a specific executive management intervention that does not overreact.  You should hold an independently facilitated off-site meeting to better understand what can go wrong, why it happens and what to keep an eye on.  Finally, what you can do about it.

The opportunity now is for you to strategically implement or adjust the InTP within your organization.  Why you do this and how you proceed is vital to the enterprise risk management of the company.  How you and your employees behave from this point forward will forever impact the culture of trust in your organization.

Our thoughts and prayers to all of the victims and the families impacted by this act of terrorism in the U.S. Homeland...