15 October 2016

Scrutiny: The Noun Missing From Your Culture...

The culture of your business or organization will continue to be the root cause of many of your most substantial successes.  Simultaneously, it will be one of the most significant factors in your potential downfall as a company.  Operational Risk Management (ORM) professionals at Wells Fargo and Booz Allen Hamilton are still dissecting all of the evidence of their respective events.

"Managing Risk to Ensure Intelligence Advantage" is a theme that you may not have heard before, unless you are in the Intelligence Community.  There is one key principle that is worth emphasizing again at this point in time:
Ensure all work is subject to scrutiny.  Require conflict of interest-free peer review for all programs, projects and strategies.
This principle, which must become pervasive across the culture of the organization, is imperative for several reasons.  The first is that a culture really is a manifestation of the people and the behaviors that are normal in the organization.  The second is that the culture should strive to be a true mosaic of the best thinking and ideas from all the key stakeholders in the enterprise, not just one or two people from the top or a single department.

Putting your work before others for scrutiny and review is the beginning of new discovery and of insight into transparency.  It is the foundation for building a more trusted operating environment, with as little bias as a culture can possibly have.  When an organization spins out of control and becomes the latest case study in an Operational Risk failure event, you must learn from it.  Wells Fargo is just one recent example:

Some consumers may be shying away from Wells Fargo after learning that employees used customers’ information to open sham accounts, according to new figures reported by the bank.

The nation’s largest retail bank beat expectations when it reported more than $5.6 billion in profit for the past three months. But the bank’s earnings report also hinted that Wells Fargo may have some trouble convincing people to open new accounts in the wake of the scandal.

The number of checking accounts the bank opened in September fell by 25 percent from the same time last year, the company reported Friday. Credit card applications filed during the month dropped by 20 percent from a year ago. And the number of visits customers had with branch bankers also fell by 10 percent from last year.  Washington Post

Whether you are in the international banking and finance business, the defense industrial base or any other set of critical infrastructure institutions that public citizens are counting on, there is no room for a runaway culture.  Consider this definition:


scrutiny
noun, plural scrutinies.

1. a searching examination or investigation; minute inquiry.

2. surveillance; close and continuous watching or guarding.

3. a close and searching look.

You see, the integrity and longevity of your "Trust Decisions" begin with the sharing of relevant information.  Sharing that information with your most trusted and significant partners is the start: the beginning of a dialogue with people in your culture who continuously review the information and the new strategy.  This begins the ongoing process.  It is now time for others to look at your idea, your strategy, your policy rule, from their perspective and from their knowledge base.  To scrutinize it.  To analyze it.  To make sense of it for themselves and for those affected by it.

The truth is, you don't have all the understanding and you don't have all of the ecosystem knowledge.  You don't have the entire data set to know whether the specific work you have been doing is sound and correct; that the new work you have designed is culturally and morally acceptable; that the outcomes of your project will produce the results imagined; that the strategy and the work are the right thing to do at this point in time.

So how do you change?  It begins with your next management meeting and beyond.  If you are the leader, the manager, the director, the Vice-President or the CxO, start now.  Ask for scrutiny of your proposed strategy.  Gain new insight and understanding.  Ask for feedback and changes to make it better.  Your power in the culture and its impact is your greatest weakness.  Your people will follow you, unless you challenge them to think differently...

09 October 2016

Forest for the Trees: Inside the True Threat...

After we checked in, our elevator ascended to the 4th floor of the Washington Post on October 6th, where everyone on board was anxious to get their seat inside the "Live Center."  The 6th Annual Cybersecurity Summit began at 9:00AM, just on the heels of international news from Yahoo, Julian Assange and the NSA.

The TV cameras were lined up in the rear and the chairs were set on stage for 30 minute talks with key thought leaders from across the United States.  One could not miss the ceiling-based sensors capturing the faces of each person attending.  The moderators from the Washington Post were all prepared with their specific areas of questions to address such topics as:
  • Protecting Personal Data
  • Political Hacks and Leaks
  • Cyberspace:  A 21st Century Warzone
  • A Focus on Critical Infrastructure
  • The White House and Cybersecurity
Flashback 6 years to Harrison Ford's movie Firewall, and the viewer is entertained with a combination of Seattle bank heist, kidnapping and good old fashioned Hollywood chase and fight scenes.  There is even a degree of deception and conspiracy mixed in to spice up the story line.  The plot is full of social engineering lessons from which even those with little knowledge of high technology can learn a thing or two.

While the actual high technology bank heist turns out to be nothing more than a simple theft of account numbers and a transfer of $10,000 from 10,000 high net worth customers, the movie title is a ploy.  In only one short sequence is there any focus on the fact that the bank is being attacked on a daily basis from locations on the other side of the globe.  Those attackers, using new and increasingly sophisticated strategies, are consistently giving financial institutions new challenges in securing their real assets: binary code.
In early 2005, a criminal gang with advanced hacking skills tried to steal GBP 220 million (USD 421 million) from the London offices of the Japanese banking group Sumitomo and transfer the funds to 10 bank accounts around the world.  Intelligence on the attempted theft, via key logging software installed on banks' computers, had been circulating in security circles at that point in time.  Soon thereafter, warnings were issued to financial institutions by the police to be on the alert for criminals using Trojan Horse technology that can record every keystroke made on a computer.
In this decade old case, and even in the movie, there is a 99.9% chance of an "insider".  A person has been bribed, threatened or spoofed in order for the actual fraud or heist to occur.  The people who work inside the institution are far more likely to be the real source of your catastrophic digital incident than the skilled hacker using key logging software.  More and more, the real way to mitigate these potential risks is through behavior profiles, continuous monitoring and deep learning analysis.

The human element, which relates to situational awareness, can't be ignored any longer.  And this can only be changed through more effective education, training, and testing of employees.  An organization that procures technology worth millions of dollars is naive if it doesn't invest in educating its employees to make the investment worthwhile.  Sometimes the human element stands alone.  Just ask Mr. Robot.

Awareness, detection and determination of threat, deployment, taking action, and alertness are key ingredients for security.
"Predictive Intelligence comes into play as organizations recognize that detecting threats starts long before the firewall is compromised, falsified accounts established and bribes taken."
The Israeli airline El Al has long known the power of humans as a force in security.  An empowered, trained and aware group of people will contribute to the layered framework as a force multiplier that is unequaled by any other technology investment.

The cyber topics and IP theft news this week should be a wake-up call for those institutions that still have not given their employees more of the skills, and their Operational Risk Management (ORM) professionals the predictive tools, for detecting human threats long before any real losses occur.

The truth is that "Insider Threat" data is being collected by the minute and the hour.  The public and private sectors have the highest concern about malicious insider activities to this day.  What are some examples of the behavior?  Some are observable by other humans and others only by machines and software.  Do you currently measure the number of times per day a user on your network copies files from their system to a removable drive or a Dropbox account?

Executive Order 13587 was just the beginning of addressing the single points of failure in the Defense Industrial Base supply chains.

Think inside the true threat.  Ask questions about relationships, personality, job satisfaction, organizational structure, punctuality and who is leaving the organization.  Who has just joined the company?  The interdependencies are vast and complex and both data and metadata need to be collected for effective Activity-Based Intelligence (ABI).

Anomaly Detection at Multiple Scales (ADAM) and the research on better understanding the "Forest for the Trees" scenarios is our destiny for the true threat.  We will continue our security vs. privacy policy debates, yet at the end of the day, maybe the answers are as simple as Rubik's Cube.
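As an added illustration of the measurement question raised above (this is not code from the original post), the following Python counts each user's daily file copies to removable media or a cloud-sync folder from constructed endpoint events and flags a day that breaks from that user's own baseline; the event tuple format, the destination labels and the thresholds are assumptions, not any product's telemetry.

```python
"""Per-user, per-day counting of file copies to removable media or cloud-sync
folders, with a simple per-user baseline to flag unusual days.

Added illustration only. The event format, destination kinds and thresholds
are assumptions, not a description of any specific product's telemetry."""
from collections import defaultdict
from datetime import date
from statistics import median

# Destination kinds treated as potential exfiltration channels (assumed labels).
EXFIL_KINDS = {"removable", "cloudsync"}


def _events(user, day, kind, n):
    """Build n constructed endpoint events for one user on one day."""
    return [(user, f"{day}T{8 + i % 10:02d}:{(i * 7) % 60:02d}:00", kind,
             f"/home/{user}/doc{i}.pdf") for i in range(n)]


# Constructed sample telemetry: (user, ISO timestamp, destination kind, path).
# "removable" = USB mass-storage mount, "cloudsync" = Dropbox-style folder,
# "local" = ordinary local write (ignored by the detector).
EVENTS = (
    _events("alice", "2016-10-03", "removable", 2)
    + _events("alice", "2016-10-04", "removable", 3)
    + _events("alice", "2016-10-05", "removable", 2)
    + _events("alice", "2016-10-06", "removable", 2)
    + _events("bob", "2016-10-03", "cloudsync", 1)
    + _events("bob", "2016-10-04", "cloudsync", 1)
    + _events("bob", "2016-10-06", "removable", 14)
    + _events("carol", "2016-10-03", "local", 40)
    + _events("carol", "2016-10-06", "cloudsync", 3)
)


def daily_counts(events):
    """Return {user: {date: n}} counting copies whose destination is in EXFIL_KINDS."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, ts, kind, _path in events:
        if kind in EXFIL_KINDS:
            counts[user][date.fromisoformat(ts[:10])] += 1
    return counts


def robust_threshold(history, k=3.0, floor=5):
    """Median + k * MAD of the user's own baseline days.

    MAD is floored at 1 so a perfectly flat history still gets a margin, and the
    whole threshold is floored so a handful of copies by a low-volume user is
    not flagged on its own."""
    if not history:
        return float(floor)
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return float(max(floor, med + k * max(mad, 1)))


def flag_anomalies(events, day_iso, k=3.0, floor=5):
    """Users whose copy count on day_iso exceeds their own baseline.

    Baseline = that user's counts on every earlier day present in the data,
    with missing days counted as zero (a user with no copies still has a
    baseline). Returns sorted (user, count_today, threshold) tuples."""
    day = date.fromisoformat(day_iso)
    counts = daily_counts(events)
    all_users = {e[0] for e in events}
    baseline_days = sorted({d for per in counts.values() for d in per if d < day})
    flagged = []
    for user in sorted(all_users):
        per_day = counts.get(user, {})
        today = per_day.get(day, 0)
        history = [per_day.get(d, 0) for d in baseline_days]
        thr = robust_threshold(history, k, floor)
        if today > thr:
            flagged.append((user, today, thr))
    return flagged


if __name__ == "__main__":
    for user, n, thr in flag_anomalies(EVENTS, "2016-10-06"):
        print(f"{user}: {n} copies to removable/cloud on 2016-10-06 "
              f"(personal baseline threshold {thr:.1f})")
```

With the constructed data only bob's 14-copy day is flagged; alice's steady two or three copies a day and carol's first three copies stay under her floor, which is the per-user scale the text contrasts with population-wide rules.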
If you start thinking of the Super Bowl championship as your motivation, you are going to miss the trees for the forest or the forest for the trees. I never could understand that one. Marv Levy

02 October 2016

Homegrown Violent Extremism: Vigilance of Intelligence...

Since the Boston Marathon terrorist attack on Patriots Day, April 15th, 2013, the spectrum of Operational Risks that has descended upon the region and the country is vast.  People, processes, systems and external events are the state of play.  If you own a backpack and you are taking it on public mass transit or to a public event soon, remember this.  The new normal has finally arrived in the United States of America, again.

What does the face of terrorism look like?  London understands.  Oslo now understands.  FOB Chapman understands.  New York City.  San Bernardino.  Orlando.  Dallas.  Even as we begin the analysis of this latest U.S. based event in the context of all the similarities with past episodes of terror, we are left with one absolute known.  Operational Risk Management is essential, no matter who you trust and how much you trust them.  The public now understands this once again, and regardless of how much we may want to continue to enjoy our civil liberties and privacy, you never know when or how this will happen again.

Why is it that Israel and other nations that are far more advanced in their Operational Risk strategies still witness numerous incidents of terror?  Because it is impossible to eliminate them.  It is only possible to mitigate the risks and the likelihood of occurrence.  Public safety and security incidents of this magnitude are the visible metric by which we all judge our progress.  Our only hope is better intelligence.  Lisa Ruth explained this over four years ago:

Intelligence is the best, the only, way to defeat the terrorists. To tackle the terrorist threat, we need all the weapons in our intelligence arsenal. That starts with intelligence requirements from the entire community that are well-focused and well-targeted. It means funding and a mandate to succeed. It means strong collection. We need human intelligence, which comes from case officers recruiting sources on the ground to give us information. We need electronic information, including telephone intercepts and static listening devices. We need overhead photography. We also need open source information such as web sites, facebook pages and other publicly available information. We need analysis, putting the pieces together. And we need decision makers who trust the intelligence services and listen to what they are saying. Washington Times, 9/14/2012

So in the dark shadows and behind closed doors, the whispers continue to debate how Boston Patriots Day 2013 could have happened.  How on December 2, 2015, 14 people were killed and 22 were seriously injured in a terrorist attack at the Inland Regional Center in San Bernardino, California, which consisted of a mass shooting and an attempted bombing.  Why didn't the intelligence we already had provide the warning in time, in the midst of a glaring yellow or red flag?  As the analysis continues and the best and the brightest determine the lessons learned, we can only pray that our process changes take place and citizens' behaviors are modified.  Erroll Southers explains why we have more work ahead of us:
At the same time, the radicalization process is not brief. Extremism smolders like a hot coal, an idea that grows into a violent fire fueled by anger, conflicts of identity, feelings of humiliation and marginalization. It is important for the public to understand that removing any one of these elements cannot fully disrupt radicalization. All of these and other root causes need to be addressed in the effort to not just apprehend terrorists, but dissuade the radicalization that leads to terrorism.
There will be numerous accounts of heroism, of people who saw or reported details that could have helped stop any of these Homegrown Violent Extremist (HVE) events.  What matters most from this point forward is that "John Q. Citizen" realizes the importance of being ever vigilant.  Having a continuous sense of personal vigilance is our only hope.  Whether in the crowd at the next marathon or in a lonely office cube off Route 123 does not matter.  The goal is the same and we must not lose sight of our mutual responsibilities and unified purpose.
Godspeed America!
  1. An expression of good will when addressing someone, typically someone about to go on a journey or a daring endeavor.

25 September 2016

ORM: "All Threats & All Hazards"...

If you are new to the discipline of Operational Risk Management (ORM), your entry point into its vast spectrum is a vital realization. The business problem that you are trying to solve with an effective set of protocols, policies and a risk management framework may take years to accomplish. Do you have that much time?

Operational Risk Management 101 requires an "All Threats & All Hazards" point of view from day one. It also requires a protocol that your whole organization can understand, implement and put to work on a daily basis. Whether you are in banking, drilling for oil, flying an AV-8B out of hostile conditions or preparing for hundreds of people at a "State Dinner" on the South Lawn, Operational Risk Management is the versatile discipline that will enhance your safety and security.

Practitioners of ORM know that the next threat or the unexpected hazard is almost impossible to defend against. Once you realize that you are always in "degrees of vulnerability", your mindset changes about where to spend your activity, effort and resources to maximize your returns. Did anyone see the process of turning sub-prime mortgage portfolios into securities and selling them to investors on Wall Street as a future threat to our economic prosperity? Yes. The same people bought instruments to hedge this risk in the form of "Credit Default Swaps" (CDS):
Credit default swaps are often used to manage the credit risk (i.e., the risk of default) which arises from holding debt. Typically, the holder of, for example, a corporate bond may hedge their exposure by entering into a CDS contract as the buyer of protection. If the bond goes into default, the proceeds from the CDS contract will cancel out the losses on the underlying bond.
Prudent Operational Risk practitioners look at the threat and invent the correct tool, product, or countermeasure to hedge the risk. It happens on Wall Street and it happens on the urban battlefields of cities across America. Lester Shubin, a US Justice Department researcher, utilized a DuPont fabric intended for tires and developed the Kevlar bulletproof vest. This inventor passed away about seven years ago and is credited with helping to save the lives of over 3,000 law enforcement officers. A heart attack took the life of a man who understood the core value of "Operational Risk Management." Godspeed Lester.

Shubin and his advocates had many obstacles to overcome in order for their idea, invention and risk management habit to succeed. First there was testing, then the legal hurdles of getting companies to manufacture vests despite the liability, and then finally getting street cops to use them. This practitioner of Operational Risk did not stop there. He was also one of the first to suggest the use of canines to find explosives.

If you enter the ORM discipline from a safety orientation, your perspective may be different from that of someone who enters it from a security orientation. What they both have in common is managing risk. The most effective 21st century experts in Operational Risk Management realize that an "All Threats & All Hazards" mindset is crucial to the entire profession. So how do you know where to invest your activity, effort and resources? That depends on your industry sector, the environment you are operating in and the pace of the processes being performed.

Being an effective Operational Risk expert today requires a multi-faceted, mosaic-based, pervasive protocol in order to be adaptive. Working and operating in the trading pit at the Chicago Mercantile Exchange (CME) or the deck of CVN-77 in the middle of the Arabian Sea both require the same set of skills, knowledge and training. If done effectively, it will save lives and millions of dollars simultaneously.

18 September 2016

Digital Citizens: The Integrity of our Trust Decisions...

Operating globally in business requires travel across borders and into less than familiar places.  Operational Risk Management (ORM) is at the forefront of global commerce for good reason.  The tools we use to assist us range from the smart phone airline App that holds your boarding pass to the latest travel warnings from the U.S. State Department's "SmartTraveler" App.

Perhaps on your last trip abroad you ditched your regular personal smart phone for a pay-as-you-go model that you could throw away upon your return.  Most likely a prudent strategy, especially if you are traveling into physical places that are known to be less trusted for their wireless communications infrastructure or for other questionable reasons.

Regardless, the use of a Virtual Private Network (VPN) when connecting a device in any country is worth the extra step for privacy.  OpenVPN or Golden Frog's VyprVPN can provide your iOS or Android device with an encrypted tunnel that prevents eavesdropping on your Internet traffic between the device and the VPN endpoint.  Again, a wise step to take at all times.

However, even today that may not be enough.  Digital Trust is paramount in a mobile-centric 24x7 business world.  The integrity of communications from the CxO ranks while traveling abroad is vital when interacting with senior staff and other government collaboration partners.  Our Trusted Apps perhaps need a new and emerging set of capabilities going forward.  Marc Canel writes:

"A group of security experts led by ARM, Intercede, Solacia and Symantec collaborated to create a new security protocol for smart connected products.

The companies agreed that any system would be compromised unless a system-level root of trust between all devices and service providers was established. This led to the definition of the Open Trust Protocol (OTrP), which combines a secure architecture with trusted code management, using proven technologies from banking and data applications on mobile devices.

The protocol is now available for download from the IETF website for prototyping and testing. The key objectives of OTrP are to develop:

  • an open international protocol based on the Public Key Infrastructure (PKI)
  • an open market for competing certificate authorities
  • an ecosystem of client and server vendors around the protocol
Collaboration began in early 2015 and soon grew to 13 companies. The alliance worked with the IETF and Global Platform to get OTrP adopted as a protocol within their organizations."

The OTrP protocol adds a messaging layer on top of the PKI architecture.  It reuses the Trusted Execution Environment (TEE) concept to increase security by physically separating the regular operating system of a device from its security sensitive applications.

We have created devices we want to trust.  Our business and global commerce requires the ability to effectively communicate with integrity.  The Open Trust Protocol (OTrP) is only the beginning.

The foundations of the Internet and the future of Artificial Intelligence (AI) will soon be at a break point, a place in the growth curve where there is a bifurcation.  If we do nothing, the system will decline and die, as opposed to being re-engineered now to survive and adapt to the evolving environment ahead: a digital environment where machines are talking to machines on a more massive scale at light speed, beyond just digital switches, routers and other mobile (IoT) devices.
The continuous integrity and assurance of our networked infrastructure to enhance "Digital Trust" is already well on its way.  Important foundations have already been established and the transformation steps are underway beyond protocols, with the education of our most promising generation of new software engineering talent.  Here is just one example, from Jeffrey Ritter's University of Oxford course, "Building Information Governance":

"To govern information now requires mastery of a diverse, often international, portfolio of legal rules, technology standards, business policies, and technology, all applied across increasingly complex, distributed systems and repositories. The increased scrutiny and requirements of official agencies and business partners impose new requirements for compliance documentation and transparency. This course introduces participants to a structured design approach that will enable strong, responsive and resilient information governance to be incorporated into the design and management of digital assets. 21st century information governance must navigate and embrace records management, privacy, electronic discovery, compliance, information security, corporate governance, and transparency of operations—all of these will be considered in this course."

The future of "Privacy Engineering" is at stake in a mobile commerce digitally trusted environment.  All of the protocols being developed for moving zeros and ones from point A to point B will not mean anything if we have not effectively enhanced our "TrustDecisions" capabilities and outcomes.

The environment is virtual.  Just like the physical world, there are places that are safe and others that are dangerous and evil.  Since the beginning, the content and the people operating in the environment have been both good and bad.  This is the reason the virtual environment of the Internet has rules and the engineered governance that is necessary for the integrity and safety of the global citizens who utilize it.

You have to wonder what our digital world would be like without rules or any governance.  Without the international Rule of Law.  Without the enforcement of international safe havens for people to operate with integrity and in safety, in the physical world and on the Internet.  It would be global uncontrolled chaos.

As you ascend into the next generation of mobile and global commerce, think harder about "Digital Trust".  How will the Trust Decisions that your business or your country relies on, remain in a safe haven?  Will the confidentiality, integrity and assurance of the underlying data science continually be trusted?
"These forces are concurrently driving transformations that are now already visible in how we structure the governance of our political states, our commercial consortia, our corporate digital ecosystems, and our interactions as individual users with the digital assets of the Net.
Ultimately, the Net succeeds or fails based on the cumulative affirmative decisions of individual humans to trust the networks, systems, devices, applications, and information assets that are the blocks from which the Net is constructed.   For the Net to prosper, and to be functional as a global infrastructure, the values and consequences of building digital trust must be embraced.  That evolution is already underway"...  Jeffrey Ritter

11 September 2016

9/11 2016: Remembering the Fallen...

"We Will Never Forget".  On 9/11 2016 as the names are read, we remember and we reflect upon the significance of this anniversary for each of us.  Fifteen years on from that horrific start of a new generation of Violent Extremism and International Terrorism, we honor those who have fallen.

We honor the First Responders from the ranks of the New York City Fire and Police Departments on that morning, and the forward deployed from the CIA and our Air Force Special Operations Command (AFSOC) forces a decade and a half later.  Four years ago today, 9/11 2012, we were attacked again at our U.S. Diplomatic Compound in Benghazi.

As we talk and discuss where we were and how we felt on that day in September 2001, it is vital we analyze what has changed and how we are now different.  Even today the kinetic war persists on the ground, in places like the Hindu Kush and Shabwah province, to eliminate the threat of AQAP and ISIL or IS (Islamic State).

Meanwhile, millions gather at Mount Arafat in Saudi Arabia for the Hajj ceremonies, where Muslims believe the Prophet Muhammad gave his last sermon.  Fifteen of the 19 attackers were Saudi nationals.

Fifteen years ago the attacks were planned and coordinated by a more central and organized set of leadership in al-Qa'ida.  The erosion of Middle East states after the Arab uprising has brought us an asymmetric threat commanded online through social media and more sophisticated video enabled communications strategies.  These tangents for recruitment and online command and control have created new challenges for our counter terrorism (CT) strategies.

Watching the dual beams of light shining over New York City at Ground Zero on this anniversary, we must not forget.  We must seek to understand the behavioral components of "Homegrown Violent Extremism" (HVE) as the primary future weapon of al-Qa'ida leadership.  From Paris and Nice to San Bernardino and Dallas, the variants of how and where HVE will erupt are unknown and even harder to detect in advance of a violent attack.
Now that women, young children and even four-wheel truck vehicles have been utilized as simple tools to perpetuate the stealth, low-tech / high-assurance approach to killing innocents, there is still nowhere to hide.  There is no place that is truly safe.
The primary solution for you, your company and a nation is to continue to enhance Operational Risk Management (ORM) and to seek even more robust levels of resilience.  We learned years ago that the ability to adapt and to survive relies on this core strategic capability.

Whether you are preparing for that next hurricane, earthquake, cyber or explosive attack does not matter.  We must all seek to better understand Operational Risk and prepare even more than we ever have in the past.

On this fifteenth anniversary, we have learned so much and still have so far to go...Godspeed!

27 August 2016

Human Capital Risk: Know Your Company...

Operational Risk Management (ORM) is about continuous innovation.  It requires a steadfast momentum towards a future spectrum of dynamic resilience.  The shift in thinking is that your ability to survive the impact of any adverse incident to your people, processes, systems or other external factors is commensurate with your current state of resiliency.

You must establish and cultivate the creative and innovating environment in your organization at the core.  Then wrapped around this ecosystem of core human potential, the culture evolves into a ripe entity of new possibility.  New hope.

Simultaneously, the vision of what contributes to a healthy environment and the attributes of what creates deterioration start to become clearer to you.

You see, when most people think about risk management they are immediately drawn to threats and vulnerabilities external to the organization.  Protect against known external threats and remediate known vulnerabilities.

How much time is devoted to understanding the maturity and the resilience of your core internal ecosystem of human capital?  From the inside out.  The same human capital that will either achieve survival after any known or unknown incident could also contribute to its inevitable demise.

So what are we talking about?  How well do you know your company?  Jason Fried, CEO of 37signals.com, explains:
  • As CEO, maintaining a healthy culture isn’t someone else’s job — it’s my job. I had to take responsibility for knowing my people and knowing my company. That buck starts and stops with me.
  • Answers only come when you ask questions, so the tool had to be built around questions. People generally don’t volunteer information re: morale, mood, motivation unless they’re directly asked about it.
  • The entire system had to be optional. No one at the company should be forced to use it. Forcing people to give you feedback is ineffective and builds resentment.
  • This couldn't be a burden on my employees. Employees would never have to sign up for something or log into anything.
  • Information had to come in frequently and regularly. Huge information dumps once or twice a year are paralyzing and lead to inaction.
  • I had to follow-through. If someone (or a group of people) suggested an important change, and it made sense, I had to do everything I could to make it happen. I wasn't creating this system to gather information and do nothing about it.
  • It had to be automated, super easy (for me and my employees), non-irritating, and regular like clockwork. This had to eventually become habit for everyone involved. If it ever felt like something that was in the way or annoying, it wouldn’t work. It had to be something people looked forward to every week.
  • Feedback had to be attached to real people - it couldn’t be anonymous. You need to know your people individually, not ambiguously. If someone has a problem, you need to know who it is so you can talk to them about it. This requires trust on everyone’s part.
  • Success depended on a combination of automated, and face-to-face, back-and-forth with my team. The unique combination of automated and face-to-face communication play off each other in really positive ways.
Quantity vs. Quality.  If you have read any of Jason's books such as "Rework" you know what we are talking about.  37 Signals has been in business now about 16 years and has just surpassed xx people. Congratulations Jason.

Managing Operational Risks within an organization begins with the clairvoyance and the insight gained from knowing your human capital.  Knowing your people when they come on board and knowing how they change over time.

Do you think that the person you hired two years ago is still the same person? What about ten years ago or 20?  People change for a myriad of reasons impacted by the environment on the home front and certainly their work place environment.

The resilience of your organization begins and ends with knowing your company or government agency.  In order to know your enterprise, you need to know your people.  Your ecosystem of innovation possibility and the longevity of your organization depend on it.  As a recent agency example, consider this commentary by George Bamford:
In the summer of 1972, state-of-the-art campaign spying consisted of amateur burglars, armed with duct tape and microphones, penetrating the headquarters of the Democratic National Committee. Today, amateur burglars have been replaced by cyberspies, who penetrated the DNC armed with computers and sophisticated hacking tools.
Where the Watergate burglars came away empty-handed and in handcuffs, the modern-day cyber thieves walked away with tens of thousands of sensitive political documents and are still unidentified.
Now, in the latest twist, hacking tools themselves, likely stolen from the National Security Agency, are on the digital auction block. Once again, the usual suspects start with Russia – though there seems little evidence backing up the accusation.

20 August 2016

Strategic Foresight: Risk Leadership into the Future...

When you really start to think long and deep on the discipline of the agile startup community,  you keep coming back to a single word.  Improvise.  The more you analyze what it takes to get an idea from "Zero to One" to a Minimum Viable Product (MVP), the more you need Operational Risk Management (ORM).  At the same time, this thought might question the notion of previous planning or preparedness:
im·pro·vise [im-pruh-vahyz] verb, im·pro·vised, im·pro·vis·ing.
verb (used with object)
1.  to compose and perform or deliver without previous preparation; extemporize: to improvise an acceptance speech.
2.  to compose, play, recite, or sing (verse, music, etc.) on the spur of the moment.
3.  to make, provide, or arrange from whatever materials are readily available.

Yet what the true startup and ORM professional understands is the origin of the word:

1820–30; French improviser, or its source, Italian improvisare (later improvvisare), verbal derivative of improviso improvised; Latin imprōvīsus, equivalent to im- + prōvīsus, past participle of prōvidēre to see beforehand, prepare, provide for (a future circumstance).
And so this brings us to the importance today of utilizing the power of "Strategic Foresight."
Strategic foresight is a fairly recent attempt to differentiate "futurology" from "futures studies".  It arises from the premise that:
  • The future is not predictable;
  • The future is not predetermined; and
  • Future outcomes can be influenced by our choices in the present. [1]
Strategic foresight may be used as part of the corporate foresight in large companies.[2]  It is also used within various levels of Government and Not for Profit organizations.  Many concepts and tools are also suited to 'personal futures' thinking.
The "Asymmetric Attributes" of enterprise risk and "Big Picture Security" today are making predictability a major task going forward.  So what do improvising and strategic foresight have to do with startups and Operational Risk Management?  Everything.  Let's go back in the "Time Machine" for a minute:
The 2010 eruptions of Eyjafjallajökull were volcanic events at Eyjafjallajökull in Iceland which, although relatively small for volcanic eruptions, caused enormous disruption to air travel across western and northern Europe over an initial period of six days in April 2010. Additional localised disruption continued into May 2010. The eruption was declared officially over in October 2010, when snow on the glacier did not melt. From 14–20 April, ash covered large areas of northern Europe when the volcano erupted. About 20 countries closed their airspace (a condition known as ATC Zero) and it affected more than 100,000 travellers.
"As the crisis ran its course it went on to paralyze or seriously limit air traffic in 23 countries around the EU and its periphery bringing 300 airports to a standstill and cancelling 100,000 flights, representing three-quarters of all European traffic. Ten million individuals were affected and had to cancel their trips or find alternative travel arrangements at serious economic cost for the passengers, carriers, and insurers involved."
So what?  The future state of a High Risk X Low Frequency event is unlikely to get the attention it requires.  The 1-in-100 year probability of an event occurrence has been so integrated into insurance industry underwriting groupthink that it often falls on deaf ears.  Resources and attention are increasingly directed towards potential crisis events that are considered High Risk X High Frequency.

Could the EU have imagined the impact of volcanic ash from an erupting volcano in Iceland?  Most certainly.  Did the EU have the strategic foresight to know what to do when and if this happened?  The point is that sometimes improvising, and the success of improvisation, is the result of having devoted resources and time towards the planning and behavioral prediction of future outcomes, influenced by our choices in the present.  The impact to the organization, enterprise, nation state or individual is going to be a factor of how much is devoted to strategic foresight initiatives.

It is also imperative that we distinguish the risk of natural incidents caused by mother nature from the risk posed by human threat actors.  We must continue to evaluate the characteristics of other threat vectors related to our daily Operational Risk spectrum.  Using only the imagination of low-tech, less sophisticated and tried-and-true methods, our human adversary has a "Modus Operandi" with a continued low risk of failure.  That low-tech, lower risk of failure is still one of our greatest vulnerabilities:
The Joint Improvised Explosive Device Defeat Organization (JIEDDO, pronounced like "ji-dough") is a jointly operated organization of the U.S. Department of Defense established to reduce or eliminate the effects of all forms of improvised explosive devices used against U.S. and coalition forces.[4]
  • Formed: February 14, 2006
  • Headquarters: The Pentagon
  • Employees: 435 government civilians and military personnel; ~1,900 contract personnel
  • Annual budget: $1.6 billion for fiscal year 2013 [1]
JIEDDO is making a difference, and the metrics prove that our Operational Risk Management professionals here need to continue the course.  Not just for what has happened overseas on foreign soil, but for the surging wave on our own U.S. Homeland:  Boston, MA is one recent and relevant example.

Be Vigilant America!  Use Strategic Foresight to imagine such interdependent, unpredictable scenarios.  These growing interdependencies are becoming ever more prevalent:

  • Rapid global economic growth
  • Industrial development of non-OECD nations
  • Interlinked global supply chains
  • Increased worldwide awareness
  • Increased media reach and individual power

These five interdependencies will be the catalyst of our future High Risk X Low Frequency incidents.
The future success ratio of agile startups and the ability for new innovation to pivot effectively will be determined by an Operational Risk Management maturity factor.

13 August 2016

CityNext: Trust in a New Age Public Sector...

What if you had the opportunity to establish and design a new city in the United States?  Where would you decide to put it and how would you do it differently than it has ever been done before?

This would be a Public Sector project worth doing differently than we have ever imagined.  After all, how much have we learned by 2016 about critical infrastructure, including electrical grids, solar energy, water resources and waste management?  What about the latest inventions in 5G wireless, and how broadband information systems have evolved to satisfy our insatiable appetites for data and entertainment, and the needs of knowledge-working professionals?

How would you design the transportation systems, and how would you put the economic and governance factors of the new city into place?  The Urban Planning and CityNext initiatives today are trying to apply many new ideas and thinking to established cities, not starting from a clean slate, if you will.  There might be many discussions on which U.S. State was most suited for the city, and what size in population and square miles would encompass housing, commercial development and the social support systems, including health care, public safety and public works.

There are several global livability indexes that exist today, ranking cities by criteria for being the most livable.  Each may put cities such as Melbourne or Zurich, Boulder or Santa Barbara, Rochester or Bellevue at the top, depending on the geographic scope and the other criteria each particular index uses to rank cities.

Realizing that there are also so many subjective reasons for wanting to live in an environment near the ocean or the mountains, let us just focus for a minute on all the factors that make a city operate effectively and produce positive economic and governance outcomes for its citizens.  Now, how would you design this ideal ecosystem for the future?

If we could do it in such a way that the model and the support systems could be replicated, is it possible that you could put a new city in the middle of some U.S. state and have it flourish over the next 2 decades and beyond?  What factors would we focus on when it comes to how people make a living and sustain their families with a decent standard of living?

All of these considerations and questions are similar whenever you are talking about putting tens, hundreds or thousands of humans together to live, work and play.  The anthropologists, economists, architects, scientists and doctors would all have their thoughts on what to avoid and how to do it correctly.

So what?  What does any of this have to do with Operational Risk Management (ORM)?

The truth is that the design of the ideal city, the ideal business, the ideal product or the ideal operations plan can't evolve and survive without Operational Risk Management:
Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. These risks are further defined as follows:

* Process risk – breakdown in established processes, failure to follow processes or inadequate process mapping within business lines.

* People risk – management failure, organizational structure or other human failures, which may be exacerbated by poor training, inadequate controls, poor staffing resources, or other factors.

* Systems risk – disruption and outright system failures in both internal and outsourced operations.

* External event risk – natural disasters, terrorism, and vandalism.

The definition includes Legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution’s activities.
It really does not matter whether it is a single household, an enterprise business or the ideal city.  How much you focus on the "TrustDecisions" that are made each moment of every day will determine the outcomes of your vision.

Now consider this:
Every transaction creating wealth first requires an affirmative decision to trust.

Building trust creates new wealth. Sustaining trust creates recurring wealth.

Achieving trust superior to your competition achieves market dominance.

Leadership rises (or falls) based on trust (or the absence of trust).

Take a moment and think about each of these with respect to what you do in your business or in your job. How does the organization acquire wealth? Where does new wealth originate? How are customers retained? What provokes them to keep coming back and paying for your goods or services? Why does the leader in your market succeed? If you are not the market leader, why not? How is the loyalty of your team maintained?  Source:  "Achieving Digital Trust" - Jeffrey Ritter
"Trust is achieved by making decisions that produce favorable outcomes."  These words and more from Jeffrey Ritter should give us pause, as we advance our society and design new cities.

The truth is, the "Public Sector" needs to create more trusted environments, more trusted transportation, more trusted water supplies, more trusted communications, more trusted safety and security.  The public sector needs systems that use trusted data to fuel all of this and provide continuous Confidentiality, Integrity and Assurance for all of its citizens.

If the public sector can attain these levels of performance, the vast spectrum of knowledge workers will flourish, data-driven business models of the future will thrive, and they will have new levels of trust.  Trust in their choice of where to live, to work, to raise a family and:
We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

07 August 2016

IT Transformation: Change Agent Journey into the Unknown...

The era of cloud computing is upon us and business innovation is rapidly adopting a new Information Technology strategy.  Planning for the business to be more adaptive requires that the IT organization become more embedded with the functional leaders who are tasked with guiding the people, process and technology of the enterprise into the future.

Operational Risk Management (ORM) is about building an effective framework for business transformation executives at the CxO level to effectively coordinate and collaborate with the IT leadership.  Together, business and IT executives shall provide the organization and its customers with a seamless and almost undetectable transformation.

True "IT Transformation" has a trajectory to an unknown destination that is constantly adapting and becoming more agile.  It is a non-linear project plan that is evolving towards a "Future State" where people and culture must change with it.  As a result, true "IT Transformation" requires experts in managing Operational Risks that encompass far more than just new cloud infrastructure for compute, storage, database and networking.

A culture transformation from an "As is" to a "Future State" is a professional services initiative that senior leaders are co-designing.  It is recognized that the vision of the future is still unknown as the business adapts to its environment and marketplace.  If you were an organization that had made the decision to move the business into international locations, how would you do that effectively?

An "IT Transformation" initiative to a new international marketplace requires far more time and resources.  The change mindset and culture shift for the employees will be imperative in order for the IT mechanisms to perform effectively and successfully.  How will this shift in business strategy impact the coding, architecture, inventory and customer service processes in the enterprise?
Let us be clear.  Transformation is different.  It is not "Developmental Change".  It is not "Transitional Change".  It requires a mindset, culture and systems change that operates in the unknown, where people's emotions and behaviors are exaggerated.  It can't follow a linear project plan, and that is why some organizations never attempt true transformation.
So what?  The decision for true "IT Transformation" requires a journey into the unknown, yes, just as for any explorer.  This, however, also requires a mindset shift to that of the explorer: to prepare for the unknown and to plan for the contingencies to survive the trip.  Whether the journey is weeks or months does not matter.  There is always an opportunity to prepare before the launch.

Consider these ORM categories as you begin the preparation for your true "IT Transformation":
  • Governance of Accounting (International pricing/regulatory compliance)
  • Access and Security Controls (Data privacy or legal considerations)
  • Asset Management
  • Application Risk (Availability, Disaster Recovery and backup)
  • Incident Triage and Continuous Monitoring
  • Configuration Change Management
  • Release and Deployment Management
Now consider this:

Who will you embark on the journey with?  Who are the people in your organization that are ready, in condition and have the time to devote to your exploration journey?  What is each person currently working on and what is their particular "Powerbase" in the enterprise?

Now, who is the partner outside the organization that you will utilize as your "Change Agent"?  That change agent who is currently external to your company and enterprise is a vital choice.  How will the firm or company you choose to assist you in your transformation work with you side-by-side to endure the hardships, the emotions and the outcomes of the work ahead?

As your change agent team embarks on your "IT Transformation" journey, remember that the unknown is the reason that you were chosen.  You were chosen because your experience and skill sets add overall strength and resilience to the entire team.  The resilience of the team requires that you endure the journey until the objectives for innovation have been achieved.

Achieving the future state of your journey puts you in a place you never imagined, because you have never been there before.  Yet the experience of getting there, and the knowledge gained during the preparation, the team interaction and the accomplishments along the way, have made you a better person.  A trusted team member.

An "IT Transformation" professional...

30 July 2016

POTUS 45: The Future of Information Warfare...

The spectrum of asymmetric warfare being waged across the globe has been accelerating for over a decade.  The physical realm has now migrated to an environment of "zeros and ones" traveling at the speed of light.  Operational Risk Management (ORM) remains a significant factor for Senior Leadership in government and the private sector.

Information collection, deception, attribution and mutual response are consuming our airwaves and IP addresses like a digital tsunami.  Wikileaks vs. Edward Snowden is a battle for digital privacy branding and a communications platform for the evidence of the truth.

The average world citizen is now reading content and consuming video by the petabyte to satisfy their particular knowledge appetite.  The personal or nation state requirement of the continuous search for the truth, or of perseverating on a single target to achieve a mission, is now the state of play.

As the United States pursues the election of its 45th President, the digital trust of our electoral systems and historical decision process are currently at stake.  Data provenance is at the center of legal and national security policy discussions.  "Trust Decisions" are ever more in our minds and simultaneously at the center of our democratic way of life.
Gawker publishing opposition research.  APT29 malware?  Guccifer2 account by a lone individual? Any similar attributes between the U.S. DNC malware servers and the German Bundestag malware servers?
The speed and sophistication of nation state plots or non-state actors will continue to feed the novels of people such as John le Carré and movie screenplays yet to be written.  Yet what is now over the horizon for humanity and our future lies in the innovation and current capability of Artificial Intelligence (AI):
Rob McHenry: Public-funded research has always pushed the state-of-the-art in advanced autonomy, which then drives commercial AI. I think many people would be surprised by the advanced capabilities that autonomous systems for defense are already demonstrating – capabilities that many might guess wouldn’t be achievable for many years.

For example, DARPA and the Navy are testing at sea today an autonomous ship that is designed to go “toe-to-toe” against a human adversary in the wild during complex unconstrained military operations. The ACTUV (Anti-submarine warfare Continuous Trail Unmanned Vessel) program has delivered an unmanned ship that can not only comply with the complex Rules of the Road in the open ocean, but simultaneously track and harass a manned submarine, keeping a step ahead of a highly trained human submarine captain. This is an example of AI that can understand humans, in both competitive and supportive roles.
As the U.S. Navy and others pursue the asymmetric battlefield across the oceans, we can only hope the human factor remains the man-in-the-middle.  Artificial Intelligence may very well be good at searching, collecting and manipulating data, yet it is still the human behind the intent.

In essence, humans remain the architects of the design, coding and the implementation of the programs, weapons and capabilities.  Where is the trail of evidence leading and where is the response?

Achieving digital trust and the future integrity of our global "TrustDecisions" will remain a tremendous challenge for our governments and the private sectors that establish our critical infrastructure.

You can be certain that the response will be calculated and the attribution will be thorough, even as new classified information is involved in the analysis.

23 July 2016

ECPA: Reality of Homegrown Violent Extremism...

In the United States, Operational Risk Management Executives in the private sector are constantly balancing the legal requirements for public safety against their customers' right to privacy.  The Internet Service Provider (ISP) General Counsel's duty to facilitate the rule of law within the private sector organization has been on a collision course with protecting the homeland for over a decade since 9/11.

One of the critical tools for Homeland Security Intelligence (HSI) is the "Electronic Communications Privacy Act" (ECPA), and for good reason.  The law provides the tools for law enforcement and national security intelligence analysts while simultaneously protecting the privacy interests of all Americans.  In a 2011 statement before the Committee on the Judiciary, United States Senate, Associate Deputy Attorney General James A. Baker outlined the basis for ECPA:
"ECPA has never been more important than it is now. Because many criminals, terrorists and spies use telephones or the Internet, electronic evidence obtained pursuant to ECPA is now critical in prosecuting cases involving terrorism, espionage, violent crime, drug trafficking, kidnappings, computer hacking, sexual exploitation of children, organized crime, gangs, and white collar offenses. In addition, because of the inherent overlap between criminal and national security investigations, ECPA’s standards affect critical national security investigations and cyber security programs."
The criminal elements and their organized syndicates are leveraging modern day technologies and capabilities of the private sector. The legal first responders for our 21st century homeland threats don't always wear a badge and drive a Crown Vic on patrol around our city streets. Many spend their hours on patrol in cyberspace or analyzing terabytes of data online with sophisticated software to determine the what, who, why and how of the current threat stream.

The US government has a fiduciary and legal duty to protect the privacy and civil liberties of all US citizens.  Parallel to this task is the rapidly changing use of communications and other mobile technologies to facilitate and support the activities and operations of individuals and networks of people who exploit the design, configuration or implementation of our country's homeland defense architecture.

Whether this architecture includes the utilization of 72 Fusion Centers or the methods for collecting "Suspicious Activity Reports" (SARs) from those first responders, the fact remains that the pursuit of national security threats is a lofty task.  This is happening today, on the ground and in the digital domain.  Therefore, the speed at which these individuals can legally obtain the data they require to make informed decisions is at stake, and so we must eliminate any new impediments put before them.  In Mr. Baker's statement on "Government Perspectives on Protecting Privacy in the Digital Age" he explains further:
Addressing information associated with email is increasingly important to criminal investigations as diverse as identity theft, child pornography, and organized crime and drug organizations, as well as national security investigations. Moreover, email, instant messaging, and social networking are now more common than telephone calls, and it makes sense to examine whether there is a reasoned basis for distinguishing between the processes used to obtain addressing information associated with wire and electronic communications. In addition, it is important to recognize that addressing information is an essential building block used early in criminal and national security investigations to help establish probable cause for further investigative techniques. Congress could consider whether this is an appropriate area for clarifying legislation.
Any changes to the ECPA laws should be considered carefully, with not only the government but also the private sector.  The two shall work together to find the correct balance between national security requirements and the privacy of the customers of mobile communications, e-mail, and social networking entities.  The time that it takes our first responders to rule in or rule out a person of interest in an ongoing investigation can mean the difference between a failed or a successful attack on the homeland.  The private sector shall determine the prudent cost to the government for providing legally obtained information from non-telephone records, such as a name, address and other metadata.  By the way, has anyone noticed that the criminals, terrorists, spies and other malicious actors have decided to use Telegram or WhatsApp instead of their mobile telephone?

Homeland Security Intelligence (HSI) first responders will be the first to tell you that the crime syndicates and non-state actors have gone underground and have stopped using the tools that leave the data more easily accessible by law enforcement.  Now, they are creating and operating their own private and secure infrastructures within the confines of private sector companies.  These clandestine groups have an organized hierarchy and specialized skills, and therefore the US government must continue to step up the pace, legally.

What does this all mean?  It means that there will be a lower chance of undercover law enforcement officers becoming members of these organized crime syndicates that in many cases are the genesis for homegrown violent extremism (HVE).

Homegrown extremists can be individuals who become violently radicalized, perhaps after exposure to jihadi videos, sermons and training manuals available on the Internet, security officials say. Such plotters are harder for counterterrorism officials to spot because they have few links with known terrorist operatives and often don’t travel overseas for training.

Another implication is that there is a higher chance that private sector researchers will understand the new tradecraft of HVE actors long before law enforcement and national security intelligence analysts do.  This is because the standard approach to the "Seven Signs of Terrorism" has been focused on the physical infrastructure.  Organizations in the private sector have been researching, tracking and profiling the methods and modus operandi of the digital extremists who have plagued our banks and other financial institutions with cyber crime since the late 1990s.

The time is now for these two distinct disciplines and professionals to converge.  The public as eyes and ears, combined with the legal tools to extract the timely information from technology providers, is part one.  Part two is the integration of intelligence analytic training with the curriculum of the police and fire academies for new recruits.  Providing these first responders with the methods, tools and capabilities to be more effective collectors at the street level will provide the fusion centers with a more robust set of relevant information streams.  Here is an example from a graduate certificate class in criminal intelligence analysis from AMU:

The graduate certificate in Intelligence Analysis provides you with a fundamental understanding of the issues, problems, and threats faced by the intelligence community. This online graduate program helps you develop a comprehensive knowledge of how intelligence agencies in the U.S. assess and counter international threats in order to guard U.S. global interests and protect U.S. national security from adversaries. Knowledge from this certificate program is applicable to many career fields within the military, security companies, government contractors, or federal agencies.

We have a choice to provide our first responders with the correct training and OPS Risk education for today's Homeland Security Intelligence (HSI) mission.  Our national policy makers have a choice to assist them in getting the information they need to do their jobs quickly, efficiently and while protecting civil liberties.  The choices that we make fifteen years after 9/11 will define the landscape for homegrown extremism and the legal framework for ensuring the safety and security of all Americans for years to come.

16 July 2016

Utility of Attack: Target Selection and Execution...

The threat spectrum for Operational Risk Management (ORM) professionals is wide, and they are constantly evaluating opportunities to learn.  Recent data breaches, terrorist attacks and the strategies utilized by adversaries online and on the ground have surfaced another key lesson learned:
u·til·i·ty n. (pl. -ties) 1 the state of being useful, profitable, or beneficial; (in game theory or economics) a measure of that which is sought to be maximized in any situation involving a choice.  The New Oxford American Dictionary
Here are two data breach examples:
  1. On May 30, 2016, Omni Hotels discovered they were the victim of malware attacks on their network affecting specific point of sale systems on-site at some Omni properties. The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date. They have no indication that reservation or Select Guest membership systems were affected.  50,000 records are impacted.
  2. Prior to May 2016, identity thieves stole tax and salary data from big-three credit bureau Equifax Inc., according to a letter that grocery giant Kroger sent to all current and some former employees. The nation’s largest grocery chain by revenue appears to be one of several Equifax customers that were similarly victimized this year. Atlanta-based Equifax’s W-2 Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people.  According to a letter Kroger sent to employees dated May 5 2016, thieves were able to access W-2 data merely by entering at Equifax’s portal the employee’s default PIN code, which was nothing more than the last four digits of the employee’s Social Security number and their four-digit birth year.
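The default-PIN weakness in the second example, as an added illustration that is not from the original post nor from Equifax or Kroger: a Python check a portal operator could use to reject initial PINs that are derivable from the data on a stolen W-2 or payroll record, audit already-issued PINs against their stored hashes, and force a change at first login. The policy constants, class and function names, and sample records are assumptions.

```python
# Added example: detecting and preventing user-derivable default PINs on a
# self-service portal.  Constructed code, not Equifax's or Kroger's; the policy
# values (PIN length, KDF iterations) are assumptions.
import hashlib
import secrets
from dataclasses import dataclass

MIN_PIN_LENGTH = 8        # assumed policy (the default PIN in the text was 8 digits)
KDF_ITERATIONS = 50_000   # assumed; use your platform's standard slow KDF in production


@dataclass(frozen=True)
class Employee:
    employee_id: str
    ssn_last4: str    # last four SSN digits, as printed on a W-2
    birth_year: str   # four-digit birth year, as held in payroll records


@dataclass
class PortalAccount:
    employee: Employee
    salt: bytes
    pin_hash: bytes
    must_change_pin: bool


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted slow hash so a database leak does not expose PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)


def derivable_pins(emp: Employee) -> set[str]:
    """PINs an identity thief holding a stolen payroll record could simply type in."""
    return {
        emp.ssn_last4 + emp.birth_year,   # the default scheme described in the text
        emp.birth_year + emp.ssn_last4,   # same data, reversed order
        emp.ssn_last4 * 2,
        emp.birth_year * 2,
    }


def is_weak_pin(pin: str, emp: Employee) -> bool:
    """True if the PIN is too short, a trivial pattern, or derivable from emp's data."""
    if not pin.isdigit() or len(pin) < MIN_PIN_LENGTH:
        return True
    if len(set(pin)) == 1:                      # e.g. 11111111
        return True
    ascending = "0123456789" * 2                # e.g. 12345678, 89012345
    if pin in ascending or pin in ascending[::-1]:
        return True
    return pin in derivable_pins(emp)


def enroll(emp: Employee) -> tuple[PortalAccount, str]:
    """Issue a random one-time PIN instead of a derivable default.

    The account is flagged so the user must choose a new PIN at first login;
    the one-time PIN is returned for out-of-band delivery.
    """
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(MIN_PIN_LENGTH))
        if not is_weak_pin(pin, emp):
            break
    salt = secrets.token_bytes(16)
    return PortalAccount(emp, salt, hash_pin(pin, salt), must_change_pin=True), pin


def set_pin(acct: PortalAccount, new_pin: str) -> bool:
    """Store a user-chosen PIN, rejecting weak ones; clears the forced-change flag."""
    if is_weak_pin(new_pin, acct.employee):
        return False
    acct.salt = secrets.token_bytes(16)
    acct.pin_hash = hash_pin(new_pin, acct.salt)
    acct.must_change_pin = False
    return True


def audit_derivable_pins(accounts: list[PortalAccount]) -> list[str]:
    """IDs of accounts whose stored PIN hash matches a derivable value.

    Works from the hashes alone, so no plaintext PIN store is needed; flagged
    accounts should be forced through set_pin() at their next login.
    """
    flagged = []
    for acct in accounts:
        for candidate in derivable_pins(acct.employee):
            if secrets.compare_digest(hash_pin(candidate, acct.salt), acct.pin_hash):
                flagged.append(acct.employee.employee_id)
                break
    return flagged


if __name__ == "__main__":
    # Constructed records: one legacy account still on the "last four + birth year" default.
    legacy_emp = Employee("E1001", "1234", "1980")
    legacy_salt = secrets.token_bytes(16)
    legacy = PortalAccount(legacy_emp, legacy_salt, hash_pin("12341980", legacy_salt), False)
    new_acct, one_time_pin = enroll(Employee("E2002", "9876", "1975"))
    print("accounts needing a forced PIN reset:", audit_derivable_pins([legacy, new_acct]))
    print("new hire must change PIN at first login:", new_acct.must_change_pin)
```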
Here are two terrorist attack examples:

In two major domestic terrorism events in the United States this past year, "Utility" was a major factor and should not be discounted in analyzing the motivations and "modus operandi" of homegrown violent extremists.  In San Bernardino, CA the adversaries were planning a major attack and had already stockpiled explosives and ammunition.  In Dallas (Mesquite), TX the adversary was planning a major attack and had already stockpiled a cache of explosives as well.

In both of these cases, the adversaries had accumulated and trained to use explosives in an attack.  Then they came upon a choice.  A utility.
  1. In San Bernardino, an incident with government co-workers motivated the employee attacker to deviate from the intended plans and to capitalize on the "Utility" of a workplace holiday gathering at the county facilities.
  2. In Dallas, a peaceful protest march that would attract a significant government presence of police officers, motivated the attacker to deviate from future plans and to capitalize on the "Utility" of a public gathering.
Dr. Erroll Southers is correct:
While the impetus for attack is rooted in beliefs, a terrorist’s selection of how and where to attack is based on a consideration of utility. This is the estimate of an attack’s consequences with respect to the intended target’s value as a domestic or international interest and the political impact the attack will have on the intended audience. Utility is a primary consideration for extremists during preparation for an attack, weighing desired results against the investment in activities to plan, rehearse and execute an operation. Always mindful of the aftermath, utility weighs heavily in the decision-making process of target selection, possible attack paths, methodologies and execution.  Southers, Erroll (2014-09-25). Homegrown Violent Extremism (pp. 9-10).
In both cases, the adversaries accelerated their plans.  They abandoned their use of explosives and a future planned event, to act on their emotions and motivations of the moment.  Domestic Terrorism in the United States will continue at a rapid pace without a more serious focus on Homegrown Violent Extremism.

Whether it be online with the trust of your data systems or offline with the safety and security of your citizens, employees and facilities, beware of the changing opportunities for your adversaries to launch their attack...
Utility, leveraged by your adversaries, is a consideration that must be continuously evaluated and analyzed in your particular threat environment. 

09 July 2016

Domestic Terrorism: Tears for Those in Blue...

The sniper ambush on those officers sworn to protect us in Dallas, Texas USA on July 7, 2016, is yet another portrait of tragedy and sorrow in our Homeland.  Whether you are an American safe today in your home after another graveyard shift or at high risk on the front lines in the shadows of a foreign country, it does not matter.  This particular domestic event targeting our protectors, and so soon after Orlando, FL, should be another wake-up call to area code (202).

Operational Risk Management (ORM) professionals across the U.S. are unified once again in our vigilance and our mission.  Domestic Terrorism in our world will continue to be manifested as long as people can read, listen and be influenced by other people.  Here or abroad.  The method used for this indoctrination, whether delivered in small groups sitting in a circle over a cup of coffee or tea, or increasingly over the Internet, does not matter.  The process is the same.

The "Cues and Clues to Teach" have been detailed before in this blog.  Domestic Terrorism in the United States has been moving along a spectrum of incidents at a pace that seems to be accelerating.  Lone individuals or groups who plan, train and act in order to bring their own psychological justice to reality are one of our greatest challenges:
The statutory definition of domestic terrorism in the United States has changed many times over the years; also, it can be argued that acts of domestic terrorism have been occurring since long before any legal definition was set forth.

Under current United States law, set forth in the USA PATRIOT Act, acts of domestic terrorism are those which: "(A) involve acts dangerous to human life that are a violation of the criminal laws of the United States or of any State; (B) appear to be intended— (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and (C) occur primarily within the territorial jurisdiction of the United States."[2] 
The pace and the origins of domestic terrorism in the United States are vast and metastasizing.

In order to begin or enhance your journey into understanding the root causes of this growing threat in America, you should start with Eric Hoffer's book: The True Believer: Thoughts on the Nature of Mass Movements.  And once you are finished with it, turn to Erroll Southers' Homegrown Violent Extremism.

Developing your awareness is the beginning of any journey to solving problems and developing more effective and comprehensive preventative solutions.  Building knowledge about how people can transform from an individual working in a war zone or sequestered from society, to the front pages of the Washington Post, is a worthy goal for any Operational Risk professional.  As a human resources professional at Company or Agency USA or the retail employee in the ammunition section of Dick's Sporting Goods, you also have a role to play.

Vigilant "Employees and Citizens" must be continuously trained to be aware of the warning signals that typically occur before a threat and violent act becomes operational.  Based on the O'Toole study, these are some of the 23 "Red Flags" that employers should be monitoring and keeping their Corporate Threat Assessment Teams on high alert for:
  • Low tolerance for frustration
  • Poor coping skills
  • Failed relationships
  • Signs of depression
  • Exaggerated sense of entitlement
  • Attitude of superiority
  • Inappropriate humor
  • Seeks to manipulate others
  • Lack of trust/paranoia
  • Access to weapons
  • Abuse of drugs and alcohol
What did you know?  When did you know it?  What have you done about it?  You will be judged on your threat assessment team's use of insider threat intelligence, combined with the evidence of your overt training of employees in the workplace.  What grade would you give your organization today for these fundamentals?
Godspeed to all of those on their journey now, to better comprehend this event and to all the grieving family members across our Homeland...

03 July 2016

4th of July: Flying the Stars & Stripes of Freedom...

The United States of America celebrates 240 years tomorrow.  The Stars and Stripes of our flag will be flying high.  How far we have come and yet we still envision that we have so far to go.

Celebrating the 4th of July in the United States means different things to different people.  It all depends on your tenure here and how you have contributed to defending the freedoms we all share. And for those who have made the trip to our borders or overseas to defend our country, we give special thanks.

Nine years ago we saluted Spencer S. on Memorial Day, as he prepared to make his way to being deployed to Iraq.  An Airborne Medic and now home safe in Chicago, we are thinking about him and all those other families who have sent their sons and daughters, husbands and wives, brothers and sisters, or fathers and mothers into harm's way to defend our freedom.  We are humbled by your courage and thank you for your selfless contributions to keep us more safe and secure back home.

The Patriots of the U.S. are vast and found everywhere, serving the country in uniform by military or law enforcement, in suits and ties or dresses among the halls of government agencies found in small towns and famous suburbs like Langley.  These millions of shadow patriots and citizen soldiers are working to defend the truth of the Declaration of Independence and our Constitution each day.

At the same time, they are all Operational Risk Managers, mitigating the daily risks to life, property and our vital economic assets.  Mike Stanley of the American Legion captures the essence of the early days of our country:
The United States of America began as thirteen different English colonies established along the eastern seaboard during the 17th and early 18th centuries. Gradually many of the colonists began to think of themselves more as Americans and less as Englishmen, a feeling that was spurred on by the decision of the British Parliament in the 1760s to tax the colonies for the expenses associated with keeping them in the British Empire. Since the colonists had no elected representatives in the British Parliament, they felt that these new taxes were “taxation without representation” and therefore, illegal.
From this point, the situation escalated quickly as Patriot groups formed to discuss the possibilities, and by the early 1770s, the Patriots had their own Provincial Congresses in each of the thirteen colonies, effectively replacing the representatives of the British government. In 1775, the Second Continental Congress was established, the Continental Army was organized, and fighting broke out when the British responded by sending combat troops to the colonies.
Finally, on July 4, 1776, the Declaration of Independence was signed, establishing the United States of America. The fierce determination of the Patriots to prevail, plus the important military and political support of the French, the Spanish and the Dutch, ensured an American victory, and in 1783, the signing of the Treaty of Paris ended the American War of Independence and guaranteed the sovereignty of the United States of America.
Conflicts in the 21st century will be fought for many of the same reasons, and with a revolution of robots.  In P.W. Singer's book, "Wired for War" he prepares us for the next 100 years:
What happens when science fiction becomes battlefield reality?
An amazing revolution is taking place on the battlefield, starting to change not just how wars are fought, but also the politics, economics, laws, and ethics that surround war itself. This upheaval is already afoot -- remote-controlled drones take out terrorists in Afghanistan, while the number of unmanned systems on the ground in Iraq has gone from zero to 12,000 over the last five years. But it is only the start. Military officers quietly acknowledge that new prototypes will soon make human fighter pilots obsolete, while the Pentagon researches tiny robots the size of flies to carry out reconnaissance work now handled by elite Special Forces troops.
Wired for War takes the reader on a journey to meet all the various players in this strange new world of war: odd-ball roboticists working in latter-day “skunk works” in the midst of suburbia; military pilots flying combat missions from their office cubicles outside Las Vegas; the Iraqi insurgents who are their targets; journalists trying to figure out just how to cover robots at war; and human rights activists wrestling with what is right and wrong in a world where our wars are increasingly being handed over to machines.
Maybe someday, Spencer will be able to stay hundreds or thousands of miles out of harm's way to defend our country's freedoms, because they won't need medics on the battlefield anymore.
...and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor. 

26 June 2016

Resilience 3.0: Next Generation Operational Risks...

Operational Risks are being exacerbated by the tension and competition for people to be noticed and heard within a vast ocean of zeros and ones, all invisible to the human eye.  Trusted systems on the Internet, once thought to be impervious to the asymmetric threats of "Transnational Organized Crime" (TOC), Hacktivists, and even nation states, are now ever more in peril.  The next generation has four main fronts:
  • Sovereignty
  • Piracy and Intellectual Property
  • Privacy
  • Security
The global conflict being waged 24/7/365 on the Internet continues and in the next decade the Yottabytes of data will continue to be ingested, analyzed, digested and excreted at the speed of business and social commentary.  The United Nations has been gearing up for years with the UN Global Pulse Project concerning the future of the Internet:

"Global Pulse functions as a network of innovation labs where research on Big Data for Development is conceived and coordinated. Global Pulse partners with experts from UN agencies, governments, academia, and the private sector to research, develop, and mainstream approaches for applying real-time digital data to 21st century development challenges. "

As Michael Joseph Gross illustrates in his Vanity Fair article "World War 3.0", battle lines have been drawn between repressive regimes and Western democracies, corporations and customers, hackers and law enforcement:
"The War for the Internet was inevitable—a time bomb built into its creation. The war grows out of tensions that came to a head as the Internet grew to serve populations far beyond those for which it was designed. Originally built to supplement the analog interactions among American soldiers and scientists who knew one another off­-line, the Internet was established on a bedrock of trust: trust that people were who they said they were, and trust that information would be handled according to existing social and legal norms. That foundation of trust crumbled as the Internet expanded."
The resilience of an organization has for thousands of years relied upon sufficient resources:  food, water, energy, capital, trade, defense.  Communications was long ago recognized as a game changer for achieving a greater degree of resilience, and historically it made the difference in World Wars and other significant planetary conflicts.

Today it is no different, as the Arab Spring has seen another anniversary and people use silicon-based devices in concert with wireless mesh networks on the borders of failing nation states.

Humanitarian operations are evolving to go far beyond the establishment of the standard platforms for responding to natural disasters and other atrocities of mankind.  The ability for people to develop and run their own businesses creates a sustainability factor whose importance cannot be overstated.  Whether that occurs first has to do with knowledge and resources, but when you add communications to the mix, the advantages of survival increase exponentially.

The Internet and wireless technologies, combined with the rapid adoption of IoT devices, iPhones and iPads, have created another key resource that organizations must manage and plan for in the vast spectrum of Operational Risk Management (ORM).  As the governments of the world debate the Sovereignty of Internet assets and the rebels of the world order more wireless-enabled devices for communications, the requirements for prudent risk management endure.

Whether you are a private sector company or the leader of an organization simply trying to communicate the truth to the rest of the world, managing Operational Risks effectively will be a continuous factor of your resilience.

The ranks of those organizing themselves on the Internet continue to grow, for every instance of what people are thinking, saying and doing in the name of communications that enable their resilience:
"Aside from wealth or arcane knowledge, the only other guarantor of security will be isolation.  Some people will pioneer new ways of life that minimize their involvement online.  Still others will opt out altogether—to find or create a little corner of the planet where the Internet does not reach.  Depending on how things go, that little corner could become a very crowded place.  And you’d be surprised at how many of the best informed people about the Internet have already started preparing for the trip."