13 December 2015

Beware of the Cowboy: Risk Driven by Fear...

Beware of the cowboy.  Operational Risk Management (ORM) spans the hazards on the flight deck of the USS Ronald Reagan (CVN 76), behind enemy lines, and even employee behavior on the front lines of the private sector on Wall Street:
"The recent conviction of Michael Coscia in the Federal District Court in Chicago in the first prosecution for “spoofing” provides more clarity to high-frequency trading firms about how they can operate. The message is to tread carefully when a strategy depends on using orders that will be quickly canceled because the government may claim they are an effort to manipulate the market by fooling others into trading.

Spoofing was made illegal in the Dodd-Frank Act, which prohibits “bidding or offering with the intent to cancel the bid or offer before execution.”
Believe it when we say that people who try to be cowboys in your organization are operating without regard to risk. Now multiply the number of cowboys by the number of people that they surround on their team, who think that this is the way to operate. It doesn't take long to find out that these are the root causes of many of the operational risks in your organization. And it starts out with the basics even in the vast private sector beyond Wall Street:
  • Revenue is not booked according to the rules. Products sit in the warehouse, yet revenue ends up on the sales rep's commission report because (s)he had a signed order.
  • Assets are not valued correctly. Bank accounts are not validated to make sure they actually exist and accounts receivables are inflated.
These are just two of the many facets of occupational fraud that starts with a few cowboys who have little regard for managing risk and every incentive to line their pockets with newfound cash or bonuses.

From Leadership Lessons of the Navy SEALS

The Cowboy
"Neither of us knows if such a thing has ever been tolerated in modern commando teams. Yes, sometimes you need to charge forward. But, there are simply too many potential casualties and too much political currency resting on commando missions to entrust one to a cowboy. Authorization for an operation depends on the accurate calculation of operational risk. This requires an assessment of proven forces' ability to perform a task. All this is contrary to the cowboy philosophy of depending on experimentation, pluck, and luck in order to succeed."
"The problem with being a cowboy is that your bosses won't employ you if they can't trust you, and they can't trust you if they don't know what you'll do. And then you're stuck with the reputation."
        --LT. CMDR. Jon Cannon

You might think that the reason is ego or just plain greed. However, the real motive may not be so clear. More than likely, the motive is fear. And that fear is something that grows until it gets to the point of creating harm, loss and destruction. You have to find the cowboys in your organization and you have to follow the mantra of quality gurus from years past, "Drive out Fear".

06 December 2015

InTP: Quality of Design in a New Age of Terror...

Executive Management and the Board of Directors are waking up today with a key thought on their minds.  As a result of the horrific act of terrorism in San Bernardino, CA, USA this week, how effective are the "Insider Threat" Programs (InTP) that are now being tasked:
The FBI said Friday that it is investigating the San Bernardino, Calif., massacre as an act of terrorism, with officials revealing that the Pakistani woman who teamed with her husband in the slaughter went on Facebook afterward to pledge her allegiance to the leader of the Islamic State.
The husband terrorist was employed by a county government agency in California.  Just as your place of employment has a "Duty of Care" for the safety and security of its employees, any nexus with homegrown violent extremism or terrorism in a government or private sector ecosystem requires a strategic focus.
(U.S. Code Title 22 Chapter 38, Section 2656f(d) defines terrorism as: “Premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.”)
The Board of Directors or Under Secretary, in concert with Operational Risk Management (ORM) professionals within the enterprise have a fiduciary responsibility that now has a new spotlight.

The husband terrorist was a U.S. citizen working as an environmental health specialist in San Bernardino County.  He was a devout Sunni Muslim.  He had recently traveled to Saudi Arabia for two weeks, home of the 9/11 hijackers.  When he returned, he was growing a beard and married to a devout Sunni Muslim woman he met online.  Witnesses have stated that his new wife had substantial influence on his religious beliefs.  Was some or all of this a potential "Red Flag" to family members or co-workers?   Could she have been a clandestine agent?

The presence of an "Insider Threat" Program (InTP) is evident in hundreds of top-tier Fortune 500 organizations and almost 100% of government contractors who may operate "Sensitive Compartmented Information Facilities" (SCIF).  U.S. Executive Order 13587 requires that an organization have an InTP in place.

This still leaves thousands of vulnerable businesses and government agencies at the state and local levels without the resources, expertise and policy-based programs to effectively administer a lawful and effective InTP or hybrid "Insider Threat" strategy.  It is imperative to assist in the continuous protection of physical and digital organizational assets, including the precious lives of all employees:
As a result, many organizations will be asking senior management about the initial implementation of an InTP, or to review the effectiveness of a current InTP that is already in progress at a Defense Industrial Base (DIB) contractor.  So what?
What does the current InTP in your organization have to do with the adverse consequences that may occur?  Why could the potential consequences of an InTP that has been designed incorrectly, or implemented without control metrics, create substantial risk and liability for the enterprise?  How can you address the Operational Risks associated with an "Insider Threat" Program?

Here are several key design areas, to mitigate the potential likelihood of unintended consequences of a failed InTP design:
  • Staff or employees who utilize the InTP incorrectly with intent or by accident
  • Top management loss of reputation by supporting an aggressive InTP Program
  • Collision course with formal EEOC whistleblower protections and processes
  • Friction with internal Human Resources relationships
These are just a few examples of the many areas that should be addressed in the initial design of a high-performing InTP.  Problematic cases resulting from low-quality design are generating bad PR, and new employee lawsuits are gaining attention.  Aggressive actions by management may create a high rate of "False-Positives" that alienates employees, increases privacy violation claims and damages corporate culture.

The integrity and the credibility of the InTP is paramount, if we are to continue to utilize it as an effective tool in the Operational Risk Management (ORM) strategic plan.  Managing risk on vital enterprise assets requires dedicated people, tested processes and robust systems that will not erode support.

Where are the vital process, training and systems areas that need focus, or that can be designed correctly from the start?
  1. Relationships with Management & Employees
  2. Investigation of Incidents and Reports
  3. Management Behavior after an Employee Red Flag
  4. Implications of the Culture of Trust
Organizational behaviors and the "Duty of Care" are in the spotlight again as a result of the San Bernardino terrorist attack.  The quick reaction by hundreds of companies that have not already implemented an InTP will spawn thousands of new litigation examples that have a nexus with security and privacy in the workplace.

In essence, you need a specific executive management intervention that does not overreact.  You should hold an independently facilitated off-site meeting to better understand what can go wrong, why it happens and what to keep an eye on.  Finally, what you can do about it.

The opportunity now is for you to strategically implement or adjust the InTP within your organization.  Why you do this and how you proceed, is vital to the enterprise risk management of the company.  How you and your employees behave from this point forward, will forever impact the culture of trust in your organization.

Our thoughts and prayers to all of the victims and the families impacted by this act of terrorism in the U.S. Homeland...

22 November 2015

Velocity: Integrity of Enterprise Architecture...

Operational Risk Management (ORM) is a discipline that requires several elements to remain effective.  Whether you are working on the deck of the USS Gerald R. Ford (CVN-78) or analyzing data from the corporate Security Operations Center (SOC), your tasks continuously rely on achieving "Trust".

At the core of these decision-making roles is the processing of rapidly changing data on a split-second basis.  The sensors or tools we use day by day to assist our quest for greater levels of safety and security depend, minute by minute and second by second, on the trust of data.  It is imperative at the early stages of process and product development to effectively test and improve these tools and sensors.  Why?

The "Quality Assurance" phase of any process, whether in design, assembly, manufacturing or implementation, is based upon a foundation of the quality of trust.  You are reading this now on a device connected to an Internetwork that has layers of business rules and technology rules executed according to industry standards.  The process and the rules have been implemented utilizing Quality Function Deployment (QFD) and Mean-Time-Between-Failure (MTBF).

There are three vital components of building digital trust in this scenario, for the systems in play and the requirements of end users:
  • Authentication
  • Data Integrity
  • Encryption
All three must be present to provide you with the highest level of assurance that you are working with a trusted system.
  1. How can you be sure that the party you are communicating with, on the other end of the line, is who they claim to be?
  2. How can you be sure that the data has not been altered, deleted or changed in transit?
  3. How can you be sure that no one can intercept and understand the information being transferred?
All three of these vital components must be present all the time in order to build integrity and assure your level of trust.  They must be consistent and persistent from end to end.  In essence, we are protecting against adversaries listening in, tampering with the data and impersonating the destination.
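As an added example that is not part of the original post, the three questions above can be turned into a check on a TLS client configuration, which is the layer where most Internetwork traffic gets its authentication, integrity and encryption.  The code uses only Python's standard `ssl` module and makes no network connection; the audit rules (a peer certificate is required, the hostname is checked, the protocol floor is TLS 1.2, and no accepted cipher suite is unencrypted or weaker than 128 bits) are this example's own choices, as are the `hardened_context` and `weak_context` helpers:

```python
"""Audit a TLS client context for the three trust components:
authentication, data integrity and encryption.

Added example using only the standard library; no network access.
The audit rules below are this example's own, not a published standard.
"""
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means all three components hold."""
    findings = []

    # 1. Authentication: is the other end who it claims to be?
    #    The peer must present a certificate chaining to a trusted CA, and the
    #    name in that certificate must match the host we intended to reach.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("authentication: peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("authentication: certificate hostname is not checked")

    # 2./3. Integrity and encryption: TLS 1.0 and 1.1 are deprecated (RFC 8996),
    #    so the protocol floor must be TLS 1.2.  Every suite the context will
    #    accept must actually encrypt (a NULL cipher reports no symmetric
    #    algorithm) and offer at least 128 bits of strength.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("integrity/encryption: protocol floor is below TLS 1.2")
    for suite in ctx.get_ciphers():
        if not suite["symmetric"]:
            findings.append(f"encryption: suite {suite['name']} does not encrypt")
        elif suite["strength_bits"] < 128:
            findings.append(f"encryption: suite {suite['name']} is weaker than 128 bits")
    return findings


def hardened_context() -> ssl.SSLContext:
    """A client context in which all three components are enforced (example setup)."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # forward-secret AEAD suites only
    return ctx


def weak_context() -> ssl.SSLContext:
    """A client context with authentication switched off, as seen in scripts
    that only want the connection to succeed (example setup)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()), ("weak", weak_context())):
        print(label, audit_tls_context(ctx) or ["all three components present"])
```

The weak context still encrypts, which is why such configurations survive in production: traffic looks protected on the wire, but with no certificate check the first question (who is on the other end?) is unanswered, and an impersonating destination would be accepted.  Running the audit against every context an application constructs is one way to answer the "100% of the time" question below.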

Are you operating any vital component of your business operation where any of these three components is absent?  Is any of the three not persistent 100% of the time?  If so, then you are in jeopardy of an erosion of trust with your stakeholders and an increased likelihood of an adverse event, whether with your customers, your reputation, or probably both.

So what?  How does this translate to your role and the work that you are in charge of within the operations of your enterprise?  The short answer is, "Velocity and Wealth".  You see, the business rules, technology rules and the legal rules are all connected.  Your job is to make sure that you understand your organization's unique "Operational Risk Enterprise Architecture" (OREA).

The velocity at which your business process can execute transactions with integrity, versus your competition or adversary, can mean the difference between victory or defeat.  The margin or profit that you are able to gain by successfully executing millions of your transactions, can mean the difference between prosperity or disadvantage.

Is your organization advertising on Internet web sites?  Is the business model for your company based upon revenue from advertising?  The trustworthiness of the systems operating with the goal of generating ad revenue is now at stake.  Informationweek DarkReading explains:
'Xindi' Online Ad Fraud Botnet Exposed
Billions of dollars in ad revenue overall could be lost to botnet that exploits 'Amnesia' bug.

Online fraudsters have amassed a botnet of millions of infected machines that exploits a security flaw in a digital advertising technology in order to execute phony online ad impressions.

The so-called Xindi botnet was designed to exploit a known vulnerability called Amnesia (CVE-2015-7266) in implementations of the Open RTB Internet advertising protocol. Unlike most online ad fraud attacks, it doesn't use clickjacking-based click fraud, but rather, generates large numbers of phony ad impressions. According to researchers at Pixalate, which published a report today on the botnet, some 6- to 8 million machines at more than 5,000 enterprises are at risk of being used as bots in Xindi.
Jalal Nasir, CEO of Pixalate, says his firm has spotted traffic from the IP addresses of major Fortune 500 firms, government agencies, and universities, associated with Xindi. While it's unclear if the IP addresses are spoofed or legitimate, he says the IP addresses used by Xindi are owned by those organizations, which include Citigroup; General Motors; Lowe's; Marriott; Wells Fargo; California State University's Office of the Chancellor; Columbia University; the University of Maryland; and many other big-name corporations and colleges. 
The Quality Assurance of the Online Advertising enterprise is in jeopardy.  The trustworthiness of e-commerce and of the digital business models executing the rules for producing revenue is now in question.  How effective is your enterprise in understanding the true business problem and then solving it?

"Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, says the more than $6 billion of losses to advertisers is actually on the low end of estimates. He estimates the number may be closer to $10 billion."

"Achieving Digital Trust" and the "Trust Decisions" to create wealth require that we begin with a sound architecture.  It continues with widely adopted information governance processes and three factors: Authentication, Data Integrity and Encryption.  The "Advertising Industry" is not the only business segment at risk.  The next time you open that piece of mail with a new credit card that utilizes the EMV chip, you will begin to understand the true business problem.

You are in control of the velocity of the process of change with your current state. The opportunity for the future state of "Trust Decisions" is now coming into the light.  In your country, industry, company and DevOps team.

27 September 2015

Safe Harbor: Achieving a Defensible Standard of Care...

"Achieving a Defensible Standard of Care" within the enterprise requires an astute and proactive legal framework.  Operational Risk Management becomes a key component of the legal framework in multiple junctions of technology, data science and privacy law.

U.S. National Security continues to be in the center of the legal jousting between the European Union and the United States.  Underlying the debate is the data flowing through the Internet from data centers in Europe owned by U.S. companies.

What are the implications of a change in the Rule of Law and the rules associated with the collection, storage and analysis of data by companies such as Facebook?  How will the future of Operational Risk decisions impact the safety and security of nation states?  Is "Safe Harbour" ready for legal reengineering and a new, updated global data privacy architecture for the Internet of Things (IoT)?

III – Conclusion
237. In the light of the foregoing, I propose that the Court should answer the questions referred by the High Court as follows:

Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.

Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the Department of Commerce of the United States of America is invalid.
Chief Privacy Officers and General Counsel within the ranks of Amazon, Google and Facebook are on a proactive mission: how to keep advertising-fueled business models from eroding if data flows from outside the U.S. are precluded and all data from the EU must stay within the EU.

The Office of the Director of National Intelligence (ODNI) will be tracking the data privacy legal frameworks across the globe and the continuous changes that will be necessary to stay in compliance with U.S. laws.  Henry Farrell sums this up nicely in his WP analysis:
Thus, if the court rules as expected, the U.S. has to choose between two unattractive options. The first is to refuse to make any concessions on surveillance, hence endangering the business models of big and influential U.S. e-commerce firms, and making life much harder for other big corporations that e.g. have to transfer personnel files across borders. The second is to make real concessions to the EU on spying, moving away from indiscriminate surveillance to a system that would provide real protections for European citizens.
We are on the edge of many years of new business process reengineering (BPR), but this time it is not about the demise of proprietary client/server architectures and the addition of Internet Protocols.  The new data privacy BPR is now just underway, and it has everything to do with creating sound contractual negotiations for digital devices across borders.  More importantly, it concerns the trusted business assurance questions being asked by Operational Risk Officers and the building of digital trust as data and rules are executed at the speed of light.

Achieving Digital Trust delivers to business executives, IT strategists, and innovation leaders something remarkable: a complete tool-kit of new strategies and resources that will change how they make decisions that matter, and how to build digital assets that can be trusted.

As you pick up your mobile device to access Messenger, or Wickr, the rule of law is being put in motion in nanoseconds.  When you type the message to your colleague in Ireland or Germany from Detroit, your data is being processed across data centers in multiple countries.  Machines executing business rules with other machines.  Are the rules correct?  Are they all legal?

"Achieving a Defensible Standard of Care" in the next decade will be one of our most interesting challenges.  The Safe Harbor of our way of life may go beyond the simple integrity and assurance that the message simply gets delivered.

06 September 2015

Rule of Law: The Privacy vs. Security Paradox...

Chief Privacy Officers and Operational Risk Officers are watching with anticipation as Microsoft argues its case before the U.S. Court of Appeals in New York, USA on September 9, 2015.

The trustworthiness of data and the future of "Achieving Digital Trust" for companies and countries is a priority.  The wealth created from the management, storage and processing of data across global borders is at stake.  The "Rule of Law" that intersects with that data and the legal disclosure to government authorities, has been accelerating in countries such as Ireland, Belgium and Brazil.
The company hasn’t always been so eager to comply. A year earlier, it rebuffed a request from the Department of Justice for a suspected drug trafficker’s e-mails. Those were in a data center in Dublin -- and according to Microsoft, the arm of American law enforcement doesn’t extend to Ireland. That set in motion a legal challenge putting Microsoft and its general counsel, Brad Smith, in the lead of a charged battle between the U.S. technology industry and the U.S. government.
More than two dozen companies, including Apple Inc. and Cisco Systems Inc., have filed briefs on Microsoft’s behalf in the case, which is about due process and the right to privacy, and money. Internet service providers may be hard-pressed to sell Web-based products if they can’t promise that digital records stowed in foreign countries will be protected by those countries’ laws -- and from unilateral U.S. search-and-seizure missions.
The privacy vs. security business is apparent and a defensible standard of care remains vital.  Several companies in the data privacy industry have made the decision to establish their legal business entity in Switzerland.  Silent Circle, Proton Mail and Golden Frog are a few examples.  Why?

It is because the business of privacy is becoming a big business.  It is creating wealth.  Data privacy and the use of cloud-based products and services is now so pervasive across borders, that the collision of private companies and governments was inevitable.  Nation states are making it easier for global companies to locate, manage and operate in their data privacy friendly countries.

Digital Trust is at the center of the dialogue.  Operational Risk Management (ORM) surrounds the core conversations as you analyze the implications of building a data-centric business with the ability to comply with all of the regulatory and legal requirements.  The Electronic Communications Privacy Act (ECPA) of 1986 is being interpreted in Microsoft v. United States of America:

The Government’s brief confirms this much: Nowhere did Congress say that ECPA should reach private emails stored on providers’ computers in foreign countries. Small surprise for a statute written in 1986, before the creation of the global internet, when the notion of storing emails halfway across the globe was barely imaginable.

Congress can and should grapple with the question whether, and when, law enforcement should be able to compel providers like Microsoft to help it seize customer emails stored in foreign countries. Microsoft has outlined many reasons why Congress would be wary of granting that power: It would establish a norm that would allow foreign governments to reach into computers in the United States to seize U.S. citizens’ private correspondence, so long as those governments may assert personal jurisdiction over whatever company operates those computers. It would offend foreign sovereigns.

Business and Government across the globe are working diligently to create a balanced, legally sound and vital information sharing environment.  Consumers will continue to have a choice of which vendor, device or data hosting company they utilize for their communications.  The features, functions and benefits will be carefully thought out by the marketing and business executives.  Yet the question will be asked by each company's respective stakeholders:  What is the value of trustworthiness in the markets we operate in, and how will we decide to create "Digital Trust"?

The consumer must also understand how these tools are being utilized by the dark and evil components of our human society.  Citizens must better understand the motivations for government to protect consumers and those organizations who choose to use certain tools on the Internet.  Those who have a fear of government also like the idea of law enforcement protecting their neighborhoods.  There are two sides to the private enterprise:
They aspire to be neutral conduits of data and to sit outside or above politics. But increasingly their services not only host the material of violent extremism or child exploitation, but are the routes for the facilitation of crime and terrorism. However much they may dislike it, they have become the command-and-control networks of choice for terrorists and criminals, who find their services as transformational as the rest of us. If they are to meet this challenge, it means coming up with better arrangements for facilitating lawful investigation by security and law enforcement agencies than we have now.
As private companies and nation states collaborate to attract new business commerce and tax revenues, your privacy and your company will be at the center of the negotiation.  The consumer's preference for where data is stored, and for the legal jurisdictions that data is subjected to, will continue to matter.  For the good guys and the bad guys.  "Achieving Digital Trust" will be with all of us for some time to come.  As mankind evolves and the most valuable assets of our world become virtual, we can only hope "Trust Decisions" and the "Rule of Law" will stand the test of time.

23 August 2015

Legal Risk: The Insider Threat from Outside Counsel...

What will the "New Normal" be for the United States in the era of increased scrutiny on privacy law, civil liberties and the continuous quest for the security of the Homeland?  Operational Risk Management (ORM) professionals are ever more focused on "Information Operations" and counterintelligence functions while simultaneously working side-by-side, with their own General Counsel.  The laws in each state are changing and being updated as the Federal legislation stalemate continues:
Connecticut Updates its Data Security Laws, Imposing Stringent New Requirements
By Ellen Moskowitz on July 15th, 2015, posted in Legislation

On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.”[1] The new law updates Connecticut’s data security laws, including by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identity theft prevention services, imposing new and specific data security program requirements on health insurance companies and other entities subject to Insurance Department regulation, and requiring state agencies to impose certain detailed security requirements on state contractors that maintain personal information. With a near constant stream of data breaches affecting entities from health insurers to retail giants to the government, the law responds to growing fears of data security.

Under the new law, beginning October 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but now no later than 90 days after discovery of the breach, to state residents whose personal information was breached or reasonably believed to have been breached. The Connecticut Attorney General stated in a press release that 90 days is an “outside limit” that does not diminish his discretion to take action against entities who “unduly delay” notification.[2] Importantly, the law also requires the provision of at least twelve months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.
If you happen to be concerned about the "Insider Threat" within your enterprise, then you realize the importance of creating the foundations for a sound legal framework.  One that addresses the rules that must be followed and the protocols for building trust with key corporate partners.  This includes the outside counsel that your enterprise engages with on an annual basis.

So what legal duty of care do your retained outside counsel have to secure your information?  What do they have in the environments that they operate in that may cause additional legal risks for your enterprise?  Do they understand the difference between information security and confidentiality?

First tier supply chain partners such as outside counsel are no different than the cloud provider or the HVAC contractor that may have access to the corporate network.  So what is the root cause of substantial intellectual property theft and industrial espionage targeted on law firms?  Failing to understand the vast landscape of "Operational Risk."  This includes negligent conduct and intentional misconduct.  So what can you do now to improve the outcomes of managing the legal risks of "Outside Counsel"?

Start a Dialogue:  Request a commitment to review the privacy vs. security environment of the key retained firms who provide the outside legal work for the enterprise.  Provide a case example of your corporate information security structure and priorities.

Ask Questions:  The whole spectrum of information security deserves a deep dive in the dialogue on managing digital information, making effective "Trust Decisions" and addressing eDiscovery and Records Management questions.

Team Together:  What if you worked with your outside firm to create a solution that included a collaborative design, prioritized execution, insisted upon cooperative feedback and ensured continuous improvement?  Get your legal teams to train together with your CISO and CIO security teams.

Revise the Engagement Letter:  The contracting language must include the nuances of information security, privacy controls and an informative strategic plan for the inevitable point in time when there is a data breach at your outside counsel.  More here:
As Willie Sutton supposedly said, he robbed banks “because that’s where the money is.”  That also explains why law firms and lawyers are increasingly the targets of cyber-intrusion, particularly phishing scams.  Apparently, phishing in legal waters can yield a full net of stolen information.

“Most likely” to take the bait
Verizon’s 2015 Data Breach Investigations Report has found that a company’s legal department is among the ones that are “far more likely to actually open [a phishing] e-mail than all other departments.”

In case you’ve been living under a rock, “phishing” is the attempt to obtain sensitive information fraudulently by means of a deceptive electronic communication that appears to come from a trustworthy source.  (Some link the term to the indie rock group Phish, but according to Computerworld magazine, the term was coined round 1996, with the obvious analogy to the sport of angling using a lure.  Under that view, the “ph” is a nod to an old form of telephone hacking known as “phone phreaking.”)

Shockingly, Verizon found that 23 percent of recipients open phishing messages, and 11 percent click on the fatal attachments.

16 August 2015

Decision Advantage: Operational Risk Strategic Vision...

When the Board of Directors asks for a report on the Operational Risk Strategic Vision for the enterprise, will you have it ready?  The execution of strategy with the discipline of Operational Risk Management (ORM), requires a look "Over-the-Horizon" (OTH).  Why?

You have to realize the pace at which technologies are advancing.  You have to realize how your competitors are creating a decision advantage.  How will you apply the use of new data science, advanced hardware and software capabilities to augment your Human Capital, to replace Human Cognition?  So what are some of the categories that you should be researching, testing and implementing?   New strategic systems to secure, protect and improve the situational awareness or resilience of your organization?

Many of the areas you will need to address have to do with enhanced processing and management of data from disparate places:
  • Coping with Scale - Advanced Analytics
  • Very Large Dataset - 4D Visualization
  • Data Standards and Governance - Sensor Priority Processing, Optimized Data Movement
Bringing tools to the data, data trust and provenance tracking are subsets of governance.  Machine translation and wire-speed language recognition are subsets of a multilingual textual data processing platform.

So what?  Why is all of this innovation required in the modern Operational Risk domain and why is it so important?  The simple answer is international competition from your adversaries.  Dynamic, smart metadata, metadata relationships and data that finds the analyst are challenging areas today.  Natural language processing techniques and wire-speed data tagging are vital.

"Data Mining will bring us "Cyber Situational Awareness", "Human-Assisted Machine Learning" and "Pattern of Life modeling".  Decision and intelligence advantage, is the key to many of these strategic initiatives."

Again, from a business perspective, so what?  If your organization is in the Information Technology Sector, then of course you understand that the competition is tough and your new advanced VM and/or shiny systems "Box" does need to stand out, with its unique features and differentiators in the marketplace.  It must have some value proposition to the customers that few or no one else can provide at the moment.  Otherwise, why would you spend the money on educating the market, writing a check to Gartner, advertising, sales and business development?  Right?

The Board of Directors today might just understand the concept of "Decision Advantage."  What if you went to the next meeting of the outside directors and provided a narrative and presentation on "Decision Advantage"?  You want them to authorize the substantial budget for your own Operational Risk R&D.  You are asking them to invest in the future risk mitigation of the enterprise, which they have a fiduciary responsibility to safeguard for the shareholders.

You see, you are way behind the international competition.  When you view this visual of the current state-of-play going on this hour, this minute and this second, you really don't have the time to waste on authorizing more resources, to address many of the areas previously discussed here.  The future of your enterprise and the livelihood of your country is at stake.

The Research & Development (R&D) budgets for Operational Risk Strategy execution are tremendous.  Add it all up.  The question is how effective it is for the enterprise to spend risk management and mitigation funds separately in each department (IT, HR, Marketing, Sales, Finance and Facilities) without a complete understanding and vision of how the spectrum of risks, threats and mitigations are interconnected, and of which tools, processes or technologies are actually interdependent.

When something such as Enterprise Risk Management or even National Security is so mutually dependent, you have to ask the Board of Directors to pause and to require the Operational Risk Strategic Vision.  Once it is completed, you will see which new technologies to invest in with your total Research & Development budget, and where to spend it.

Perhaps the most important reason for this vision, is also to ensure your "Intelligence Advantage"...

22 March 2015

Board Directors Perspective: Data Risk Business Process Reengineering...

The ranks of established Fortune 500 companies have been studied in the latest NYSE Corporate Board Member's Annual Directors Survey.  Spencer Stuart asked several telling questions in the Operational Risk Management (ORM) domain and the results may be enlightening:
Corporate Board Member's 12th Annual Director Survey Delves into How Directors Are Managing Some of Today's Most Pressing Issues for Public Companies While Keeping Their Boards Nimble:

This year we received nearly 500 responses from directors who didn’t mind sharing their opinions and comments on these issues. More than 70% came from those who identified themselves as outside directors, and another 20% said they serve as board chair or lead director. Forty-four percent have served on a board for more than 10 years, and another 33% have served five to 10 years. Just over 30% are at companies whose annual revenues are in the $1.1 billion to $5 billion range.

In fact, 55% of the directors we surveyed don’t believe it’s reasonable to expect that a public company board can ever fully get its arms around all the different aspects of risk in the current corporate environment (Figure 1), particularly the newer forms of technology risk like cyber risk and social media risk.
If you think "Social Media Risk" is NOT on the mind of the Board of Directors these days, then you would be correct:

Figure 2

Has Your Board Put Social Media on the Agenda?

Yes - 35%
No - 65%


The Social Media Risk to the enterprise has yet to be clearly defined to the majority of the Directors these days or they need more education on what the risks really are to the company.

If you think in 2015 a majority of the Board of Directors are still unsure about "Cyber Risk" you would also be correct:

Figure 6

How Confident Are You That Your Board Is Adequately Overseeing Cyber Risk?

Very - 15%
Somewhat - 63%
Not Confident - 23%


The oversight of "Cyber Risk" to the enterprise is still in question by 85% of the Directors.  Why?

To quote Spencer Stuart's Report:
Boards must be ready to oversee a myriad of risks, especially those related to cyber security—and the social media realm—which is unfamiliar territory for some current directors (Figure 6). As a result, forward-thinking boards looking to refresh their ranks will want to add members who have technological and social media experience to guide the board in an arena where it is all too easy to make innocent but often damaging corporate blunders. Boards also value directors who have industry, financial, and regulatory experience, our results show.
Unfamiliar territory for Board Members?  Some current directors who are focused on corporate strategy or mergers and acquisitions would certainly not always have the knowledge or understanding of what the real "Operational Risks" are in the cyber and social media categories.  This makes sense.

What about adding new Board Members who have cyber and social media experience?  The enterprise must certainly pivot and adapt to this changing landscape of risks.  Will adding new Board Members make a difference?  Not likely.

There are some who are now advocating a "Presumption of Data Breach" strategy.  Simply put: what are we doing now that our enterprise has been breached?  Instead of: what will we do if we ever have a data breach?  This subtle shift in thinking around the Board Room might move the percentage higher from the 15% who are "very confident" in overseeing their enterprise Cyber Risk today.

What if the Board of Directors had a discussion with management at each meeting about what they were doing to contain the breach?  You see, the shift in mindset begins a whole new dialogue that is proactive and works on an existing business problem requiring remediation and new thinking, unlike the reactive strategy of waiting until the legal and regulatory rules mandate the admission that a breach has actually occurred.

Finally, what if the enterprise were to embark on a Data Risk Business Process Reengineering (BPR) initiative?  You remember the BPR era from the '90s, right?  Having a "Presumption of Data Breach" strategy should require the complete reengineering of our Data Enterprise Architecture itself.

Is end-to-end encryption the answer?  No.  Is segmentation of network design the answer?  No.  Are Next-Generation Firewalls the answer?  No.  Is corporate end user education on cyber risks the answer?  No.  Are new rules and legislation the answer?  No.  Is a combination of all of these the answer?  Probably yes.

Data Risk Business Process Reengineering is a topic worthy of discussion at the next Board of Directors Meeting.  Include all the stakeholders.  Allocate the funds and the resources.  Next year the goal will be for 25% of directors to be very confident in the oversight of cyber risk in the Corporate Board Member survey.

In the meantime, the use of encrypted apps will become more pervasive:
Our Privacy Practices, in Brief:

Wickr has to collect some information from you in order to provide our Services to you, but we do so in a highly limited, highly secure way.

We use military-grade encryption. Our encryption is based on 256-bit symmetric AES encryption, RSA 4096 encryption, ECDH521 encryption, transport layer security, and our proprietary algorithm.

We can't see information you give us. Your information is always disguised with multiple rounds of salted, cryptographic hashing before (if) it is transmitted to our servers. Because of this we don't know — and can't reveal — anything about you or how you use the Wickr App.

Deletion is forever. When you delete a message, or when a message expires, our “secure shredder” technology uses forensic deletion techniques to ensure that your data can never be recovered by us or anyone else.

You own your data. We do not share or sell any data about our users. Period.
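The quoted policy describes identifiers being put through "multiple rounds of salted, cryptographic hashing" on the client before anything reaches a server. The Python below is an added example written for this page to show the general pattern; it is not Wickr's code, and the salt value, the round count and the PBKDF2 construction are assumptions, not the product's actual parameters. A client derives an iterated salted hash of a contact identifier and sends only that; the directory on the server side can still match two users who know the same identifier without ever seeing the identifier itself.

```python
"""Client-side salted, iterated hashing of identifiers (added example, not Wickr's code)."""
import base64
import hashlib
import hmac

# Every client must derive the same hash for the same identifier, so the salt is an
# application-wide constant rather than a per-user secret (constructed value).
APP_SALT = b"constructed-app-salt-v1"
ROUNDS = 100_000  # assumed work factor


def hash_identifier(identifier: str, salt: bytes = APP_SALT, rounds: int = ROUNDS) -> str:
    """Derive a salted, iterated SHA-256 hash of an identifier such as a phone number.

    Normalising first (strip, lower-case) keeps '+1 555 0100' and ' +1 555 0100 ' equal.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", normalised, salt, rounds)
    return base64.b64encode(digest).decode("ascii")


class HashedDirectory:
    """Server-side contact directory that only ever receives hashed identifiers."""

    def __init__(self):
        self._entries = {}  # hashed identifier -> opaque user handle

    def register(self, hashed_id: str, handle: str) -> None:
        self._entries[hashed_id] = handle

    def match(self, hashed_id: str):
        """Return the handle registered under this hash, using a constant-time compare."""
        for stored, handle in self._entries.items():
            if hmac.compare_digest(stored, hashed_id):
                return handle
        return None


def build_demo_directory() -> HashedDirectory:
    """Register two constructed users by the hash of their (constructed) phone numbers."""
    directory = HashedDirectory()
    directory.register(hash_identifier("+1 555 0100"), "user-a")
    directory.register(hash_identifier("+1 555 0101"), "user-b")
    return directory


def lookup(directory: HashedDirectory, identifier: str):
    """What a client does when checking whether a contact is on the service."""
    return directory.match(hash_identifier(identifier))


if __name__ == "__main__":
    d = build_demo_directory()
    print(lookup(d, " +1 555 0100 "))  # user-a
    print(lookup(d, "+1 555 0199"))    # None
```

The design choice worth noticing is that the salt cannot be secret, because every client has to reproduce the same hash; the salt therefore only defeats precomputed tables, and the iteration count is what makes exhaustive matching of a small identifier space (phone numbers, short usernames) expensive. Hashing limits what the server learns; it is not a substitute for encrypting the data itself.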

25 January 2015

Insider Threat: Trusted Systems of the Future...

In the Defense Industrial Base in particular, corporate executives are on edge these days, anticipating the next game changing crisis phone call from the General Counsel.  The conversation is one that every CxO expects to have at some point in their career, yet the pace of multi-million dollar incidents is rapidly increasing.  The origin typically begins somewhere within the Operational Risk Management (ORM) landscape including People, Processes, Systems or External events.

INTRODUCTION

The Board of Directors are evaluating the current funding levels for Operational Risk Management programs.  The focus on "Insider Threat" is a renewed area of scrutiny in light of the number of intellectual property thefts and national security classified information leaks.  This means increased funding potential for programs of Defensive Counterintelligence.  Next we shall look at the strategic challenges involving Homeland Security, Domestic Intelligence and Technological Innovation.

STRATEGIC CHALLENGES

You may have heard that Corporate Security and Operational Risk Officers consistently use the acronym M.I.C.E. to describe the motivations of rogue insider employees.  Money, Ideology, Compromise and Ego are the main categories with which human behavior can be associated once it is realized that an incident has occurred.

The "Why" question is asked early on by the General Counsel and the Chief Risk Officer (CRO), to try and understand the motivation by the employee.

One challenge is the current ecosystem of Homeland Security in the United States.  Consistently oriented toward protection against catastrophic threats to the homeland in general and not to an individual company, much of the Homeland Security Intelligence (HSI) mechanism is myopic and not predictive.  The laws associated with U.S. persons and the current state of employee protections are a white paper in themselves.  However, the scrutiny of laws associated with the theft of intellectual property and corporate trade secrets is gaining momentum.

The challenges of "Domestic Intelligence" and the intersection of "Technological Innovation" are now on a collision course in the courts.  Previous legal decisions such as United States v. Jones, 132 S. Ct. 945, 565 U.S. ___ (2012), a Supreme Court case, set an example.  As interpretations of the constitutional rights of U.S. citizens are decided, and metadata collected as legal evidence from technology innovations is deemed to violate those rights, the challenges for domestic intelligence applications become more apparent.  This includes law enforcement and internal corporate security programs within private sector enterprises.

CORPORATE CULTURE ISSUES

There are three competing perspectives within the enterprise organization that present a continuous cultural tug-of-war:
  • Human Resources
  • Privacy & Legal Governance
  • Security & Risk Management
In a recent breakout session of a private industry focused "Information Sharing Initiative" workshop, the comments were heard by all of us present.  A Chief Security Officer in the room came right out and admitted that his team does everything it can to avoid interaction with personnel from the Human Resources department.  This "Elephant-in-the-Room" topic is one that most corporate officers need to get out on the table.  The cultural friction between a Human Resources department tasked with protecting the privacy and integrity of the employees' personal data and those charged with securing the assets of the organization typically ends in a clash.

Even though the U.S. does not have anything close to the EU Data Protection Directive, the legal precedents are being played out in the courts.  In the U.S., workplace privacy is a rapidly evolving spectrum of technology, metadata and big data analytics:
Employees typically must relinquish some of their privacy while at the workplace, but how much they must do so can be a contentious issue. The debate rages on as to whether it is moral, ethical and legal for employers to monitor the actions of their employees. Employers believe that monitoring is necessary both to discourage illicit activity and to limit liability. Although, with this problem of monitoring of employees, many are experiencing a negative effect on emotional and physical stress including fatigue and lack of motivation within the workplace.

RECOMMENDATIONS

The "Insider Threat" and Defensive Counterintelligence strategies are up against the employee privacy and data governance legal battles in the U.S.  However, there is a way forward to design the future architecture for this particular Operational Risk Management domain, beyond more legally detailed "Acceptable Use Agreements".

Just as any agreement on standards or rules takes a process and a dedicated architecture, so will this arena of human behavior, technology innovations and vital digital information assets.  Effective and transparent "Trust Decisions" that become embedded in the architecture to enable application of the agreed-upon rulesets are the ultimate goal.  Once humans have confidence in a mechanism for making these Trust Decisions consistently and with integrity, the presence of prudent risk management will be realized.

The private sector will lead this effort in collaboration with government, yet it will design its own protocols and rulesets to plug in to new federal standards.  The application of continuous monitoring of threats within the private sector workplace will evolve quickly by using these new frameworks and new tools.  Trust Decisions will be made in milliseconds, as systems execute the rules that have been coded into software and the latest big data analytics logic.

We recommend that the private sector continue to establish a consortium of cross-sector companies to interface with the new ISE.gov framework entitled "The Data Aggregation Reference Architecture."
The need for greater interoperability is clear. To protect national interests, intelligence and law enforcement agencies must be able to collect, accurately aggregate, and share real-time analytical information about people, places, and events in a manner that also protects privacy, civil rights, and civil liberties. The President’s National Strategy for Information Sharing and Safeguarding (NSISS) recognizes this as a priority national security issue, and speaks directly to this challenge. The Data Aggregation Reference Architecture (DARA) is in direct response to NSISS Priority Objective 10, “Develop a reference architecture to support a consistent approach to data discovery and entity resolution and data correlation across disparate datasets.” The DARA provides a reference architecture that can enable rapid information sharing, particularly for correlated data, but also for raw data, by providing a framework for interoperability between systems, applications and organizations.
These private sector companies need to standardize across sectors, just as the government is embarking on the mission to improve this across agencies.  You see, the blind spots that the government has discovered in sharing information across its own departments and agencies are no different in private industry.  The failure of Energy companies to share information with other Energy companies, or the same within the Financial Services industry ISAC model, is not new.  However, the speed and integrity of future "Trust Decisions" on Insider Threats will always depend on the timeliness and quality of the data.

The international agreements on ISO standards have a long history.  Quality and Environmental standards are the most common.  The 21st century has delivered us privacy and information security "management system" standards established and agreed upon internationally.  The standards and rulesets integrated with government shall have interoperability with the private sector.  The private sector shall collaborate with government on the architecture for information sharing.  The future state outcomes will enhance our trust in management systems that have been designed from the ground up to execute the rules.  A good example from ISO follows:
Cloud computing is quite possibly the hottest, most discussed and often misunderstood topic in IT today. This revolutionary concept has reached unexpected heights in the last decade and is recognized by governments and private-sector organizations as major game-changing technology.

In the January/February 2015 ISOfocus issue, we address some of the basic questions surrounding cloud computing (including the savings and business utility the technology can offer). We also explore security concerns of the cloud services industry and how these are addressed by ISO/IEC 27018, the first International Standard on safeguarding personal data in the cloud.

CONCLUSION

The future of "Insider Threat" solutions will not be designed by just one company or one government.  Just as Internet standards have evolved to support billions of IP-addressable devices, so too will the private sector, using data science and machine learning, discover the way forward on transparency and data governance.  What are the odds that an "Insider Actor" hired at company "A" may then move to company "B" once and if they determine the controls and processes are too difficult or will catch them in their unauthorized activities?

The safety, security and privacy of our organizations in concert with an international community is imperative.  People must believe in the integrity of the "Trust Decisions" being made each second by the Internet devices they hold in their hands and simultaneously by the organizations they devote their working lives to each day.

11 January 2015

Legal Risk: Forensic Analysis of Supply Chain...

Corporate environments where a dedicated Chief Information Security Officer (CISO) works alongside the General Counsel (GC) to tackle Operational Risk Management (ORM) continue to face a significant challenge.  The introduction of court-certified tools for forensic analysis of information on both desktop and mobile devices, including phones, tablets and anything with storage capability (USB jump drives), has created an executive-level debate.  "What" information will we perform forensic analysis on, "why", and "when" will we do it?

The "Why" question is the most obvious.  Like the analysis of DNA, the zeros and ones (0's and 1's) that make up the digital fingerprints (user names, passwords), blood type (e-mail, SMS) and other behavioral evidence are important for associating the identity of the person(s) using a certain digital device.  In addition, the ability to track the whereabouts of a particular digital device via GPS metadata or IP address can provide additional context and evidence to be considered in the forensic examination.

The "What" information is in many cases going to be preceded by the "When" and has much to do with the policy in place within the corporate environment.  Modern "Acceptable Use Policy" may spell out that any device can be examined at any time, if it is a corporate issued and owned product.  Personal devices allowed in the workplace may be subject to a completely different set of policy doctrine, that falls under state and federal statutes.

The "When" question could be answered on a continuous basis or tied to a particular event, such as an employee who has given notice to leave the organization.  The event could also be the result of an alarm or alert that the Information Security team receives from an automated system within the corporate network.  So back to the challenges faced by the CISO vs. the GC in the Operational Risk Management process and in addressing all of these issues: is it being done in a legally sound manner that also achieves a "Defensible Standard of Care"?

Now imagine all of this going on within the confines of a small-to-medium size enterprise (SME).  These organizations are typically defined as under 1000 employees, yet can be defined further by the type of business and industry.  Now imagine that this particular SME is operating within the Defense Industrial Base and is in the professional services supply chain of the top three U.S. government contractors, who are bidding on the next generation bomber for the U.S. Air Force.  What do we mean by supply chain?  This particular SME is one of the outside counsel for Lockheed Martin, Boeing or Northrop.  Yes, this law firm is in the information supply chain, working on legal matters associated with a top tier defense contractor.

If you are the GC and CISO at LM, Boeing or Northrop, what controls and policies do you have in place, or service level agreements (SLA), that spell out the process to forensically examine the mobile devices of the lawyers and associates of your outside counsel?  When?  Why?  The public disclosure of law firms and their associates being the target of nation-state espionage is several years old.  When was the last time as a GC or CISO you had a closed door summit with the information supply chain of law firms working for your Defense Industrial Base (DIB) corporation in the U.S.?  If you are an SME law firm working in the supply chain of the DIB, What, Why and When are you using Forensic Analysis with all of your Partners, Associates, Paralegals and other people in your legal ecosystem?
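The Insider Threat post above says Trust Decisions will be "made in milliseconds, as systems execute the rules that have been coded into software," and this post frames the rules themselves as the What, Why and When of forensic examination: corporate-owned devices examinable at any time under the acceptable use policy, personal devices under a different statutory regime, and examination triggered by events such as a resignation notice or a security alert. The Python below is an added example written for this page that turns that framing into policy-as-code; it is not any company's real policy, and the device attributes, trigger names, approval roles and scope categories are constructed for the illustration. Each decision carries its rationale so the "why" survives into the audit record.

```python
"""Policy-as-code for what / why / when a device may be forensically examined.

Added example: the rules below are illustrative, not a real company's policy.
"""
from dataclasses import dataclass
from enum import Enum


class Ownership(Enum):
    CORPORATE = "corporate"
    PERSONAL = "personal"


class Trigger(Enum):
    ROUTINE = "routine"                 # continuous review, no specific event
    RESIGNATION_NOTICE = "resignation"  # the user has given notice to leave
    SECURITY_ALERT = "alert"            # automated alert from the security stack
    LEGAL_HOLD = "legal_hold"           # counsel has issued a preservation order


@dataclass(frozen=True)
class Device:
    device_id: str
    owner_user: str
    ownership: Ownership
    managed: bool  # enrolled in corporate device management (assumed attribute)


@dataclass(frozen=True)
class Decision:
    action: str        # "examine", "preserve", "escalate" or "decline"
    scope: tuple       # data categories the examination may cover
    approvals: tuple   # roles whose sign-off is required before acting
    rationale: tuple   # plain-language 'why', kept for the audit record


# Constructed scope categories, mirroring the evidence types the post lists.
FULL_SCOPE = ("credentials", "email", "messaging", "location-metadata", "removable-media")
CORPORATE_ONLY = ("email", "messaging")  # corporate containers on a personal device


def trust_decision(device: Device, trigger: Trigger) -> Decision:
    """Evaluate the (constructed) examination policy for one device and one triggering event."""
    why = [f"trigger={trigger.value}", f"ownership={device.ownership.value}"]

    if trigger is Trigger.LEGAL_HOLD:
        # Preservation comes first; examination waits for counsel regardless of ownership.
        why.append("legal hold: preserve now, examine only on GC instruction")
        scope = FULL_SCOPE if device.ownership is Ownership.CORPORATE else CORPORATE_ONLY
        return Decision("preserve", scope, ("general-counsel",), tuple(why))

    if device.ownership is Ownership.CORPORATE:
        # The acceptable use policy permits examination of corporate-owned devices at any time.
        why.append("corporate-owned: AUP authorises examination")
        approvals = ()
        if trigger is Trigger.RESIGNATION_NOTICE:
            approvals = ("hr", "ciso")
            why.append("departure event: HR and CISO co-sign")
        elif trigger is Trigger.SECURITY_ALERT:
            approvals = ("ciso",)
            why.append("security alert: CISO sign-off")
        return Decision("examine", FULL_SCOPE, approvals, tuple(why))

    # Personal device: statutory employee-privacy limits apply.
    if trigger is Trigger.ROUTINE or not device.managed:
        why.append("personal device, unmanaged or no triggering event: no policy basis")
        return Decision("decline", (), (), tuple(why))

    why.append("personal but managed: corporate containers only, counsel decides")
    return Decision("escalate", CORPORATE_ONLY, ("general-counsel", "ciso"), tuple(why))


if __name__ == "__main__":
    laptop = Device("LT-0042", "jdoe", Ownership.CORPORATE, managed=True)
    phone = Device("PH-0007", "jdoe", Ownership.PERSONAL, managed=True)
    for trig in Trigger:
        for dev in (laptop, phone):
            d = trust_decision(dev, trig)
            print(f"{dev.device_id} {trig.value:12s} -> {d.action:8s} {d.approvals} {d.rationale[-1]}")
```

Because the function is pure (same device, same trigger, same answer), it can run inline in the alerting pipeline and its output can be logged next to the alert that triggered it, which is what makes the decision defensible after the fact: the record shows which rule fired, what scope it allowed and whose approval it waited for.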

Operational Risk Management (ORM) spans every department and every employee.  It requires prudent application of the use of forensic analysis, as a vital component of a comprehensive counterintelligence program.  And remember the why.  Spear Phishing of law firms has been a major warning since 2009 and over six years later, it is still growing because it remains so effective.