19 March 2017

Startup Strategy: Opportunity of Digital Trust in a New Era...

The startup ecosystem of new ideas for SaaS platforms and mission-based digital solutions is becoming ever more robust in our growing economy.  As a result, Operational Risk professionals are more in demand to help new co-founders adapt to the legal, compliance and consumer transparency requirements that will soon descend upon them.

It makes sense that when you are starting a new company you are first focused on the product/mission and on who the intended market or user will be.  Yet soon after this is defined and the "Go-to-Market" strategy is in place, a tremendous amount of Operational Risk design and implementation of internal capabilities will be required.  In Social Media alone, here is just one example:
"As social networks continue to mature, they increasingly take on roles they may not have anticipated. Moderating graphic imagery and hate speech, working to address trolling and harassment, and dealing with dissemination of fake news puts companies like Facebook and Twitter in powerful societal positions. Now, Facebook has acknowledged yet another challenge: Keeping your data safe from surveillance. That’s harder than it may sound. When you post something publicly on a social network, anyone can view it—including law enforcement or federal agencies."
Since the dawn of the Internet, new startup companies have been developing algorithms and bots to scour the vast landscape of "data oceans" for relevant content.  As public Internet tools, databases and consumer-oriented web sites were developed, even for blogs (Blogger.com) such as this one, other companies were figuring out how to capture that data content in their own searchable systems.

Years later, startups found ways to turn the API itself into a new product set, so that other companies could embed and utilize a set of data or capability, integrated with their own new functionality or service mission.  What is one company in this category focused on Twitter?  Gnip.com:
"PowerTrack provides customers with the ability to filter a data source’s full firehose, and only receive the data that they or their customers are interested in. This is accomplished by applying Gnip’s PowerTrack filtering language to match Tweets based on a wide variety of attributes, including user attributes, geo-location, language, and many others. Using PowerTrack rules to filter a data source ensures that customers receive all of the data, and only the data they need for your app."
So what?

If you are a startup company that is planning to pledge to your customers that you are "Keeping your data safe from surveillance," just as the juggernaut Facebook is currently doing, you have a tremendous amount of work and new processes/systems to get in place.  You are embarking not only on the steep growth curve of adding new customers and revenue; you are simultaneously under the mandate to achieve a higher level of "Digital Trust" with those same customers.

Developing the policy alone is only the start.  Here is how Twitter is addressing it:

"To be clear: We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement — or any other entity — to use Twitter data for surveillance purposes. Period. The fact that our Public APIs and Gnip data products provide information that people choose to share publicly does not change our policies in this area. And if developers violate our policies, we will take appropriate action, which can include suspension and termination of access to Twitter’s Public APIs and data products."

How Facebook, Twitter, Snapchat, LinkedIn and all of the hundreds of Social Media companies will scale up enforcement is now the big question.  Maybe they have the deep pockets and resources to build and operate their own "Digital Trust" business unit.  What about the new startup with only 6 or 7 figures in the bank from a seed or even "A" round of funding?

The policy implications and new federal laws being drafted in the United States and the European Union may be good indicators of where the future requirements will be defined for a new startup.  In the EU this week, the G20 finance ministers are converging on the topic of "Cyber Crime" soon after a recent indictment:
"Two intelligence agents from Russia, another G20 member, with masterminding the 2014 theft of 500 million Yahoo accounts. The indictment was the first time U.S. authorities have criminally charged Russian spies for cyber offences including for computer fraud, economic espionage, theft of trade secrets, and wire fraud."
How will the new startup that is focused on addressing transparency, privacy and surveillance now "Enable Digital Trust of Global Enterprises"?  Here is a glimpse from the latest PwC CEO Survey:

"Yet, if forfeiting people’s trust is a sure-fire route to failure, earning their trust is the single biggest enabler of success. As an example, the progression from assisted to augmented to autonomous intelligence depends on how much consumers and regulators trust machines to operate on their own. That, in turn, depends on whether those who create the machines have the right risk and governance structures, the means to verify and validate their claims independently and the mechanisms to engage effectively with stakeholders."

"In short, trust is an opportunity, not just a risk. Many CEOs recognise as much: 64% think the way their firm manages data will be a differentiating factor in future. These CEOs know that prioritising the human experience in a virtual world entails treating customers with integrity."


Welcome to the new era of achieving Digital Trust...

12 March 2017

Vault 7: Adapt to Live Another Day...

When you spend enough time in any austere environment, you begin to respect its ability to change rapidly.  You begin to respect the changing natural forces and how these new potential threats could become a new Operational Risk in just minutes.  The decisions that you make in the next few seconds could mean a positive outcome or a significant catastrophe.

Will you turn right or go left?  Will you accelerate or slow down?  Will you ascend or descend?  These decisions that you make in your quest to adapt to your changing austere environment will forever be remembered.  Whether they are stored in the synapses of the brain or the log files of an autonomous system executing code, the trust decision is evident.

How long has it been since you really took a deep look at your decisions of the past minute, hour or day?  This analysis of the decisions made and of the environment that you are operating in will always determine growth or death.

Systems thinking and the continuous learning of a changing environment can happen at 12,000 feet above sea level at minus 10 degrees, or within the climate-controlled data centers or corporate offices of your global enterprise.  What are you doing today to help achieve new levels of trust, in order to survive another day?

Why is it that so many individuals are surprised when they get a call from their CxO or even corporate counsel that sounds like this?  "It looks like our Intellectual Property or Trade Secrets are now in the hands of our competition."  "Our enterprise is encountering significant new risks to our ongoing operations and we must adapt immediately."
Introduction
Just as American and European critical infrastructure executives were beginning to wrap their minds around the devastation of the Office of Personnel Management, ransomware erupted onto the scene. We then experienced concentrated DDoS attacks such as the Mirai botnet attack on Dyn, which enabled a quantum leap for cyber criminals of even the most novice of technical aptitude to wreak havoc on targeted organizations at the click of a button or for less than one bitcoin. Unfortunately, adversaries continue to evolve, and cyber defense remains a reactionary culture. Numerous, persistent and adaptive, cyber-adversaries can more easily, remotely and locally besiege critical infrastructure systems, than information security personnel can repel the incessant barrage of multi-vector attacks. Now, all techno-forensic indicators suggest that an under-discussed cyber-kinetic attack vector will ubiquitously permeate all critical infrastructure sectors due to a dearth of layered bleeding-edge military grade cyber security solutions. Unless organizations act immediately, in 2017 The Insider Threat Epidemic Begins.
Some people are surprised.  Yet it is the small team of "Operational Risk Professionals" in your enterprise that have been continuously training, operating in clandestine and unknown environments and learning each day, for this moment.  They are not surprised.  They are the people who have designed their operations and systems to be resilient, to endure austere environments and to adapt to live another day.

Seek out these people in your organization.  Find the expert individuals in each of the departments or business units that also interface with your external environment and supply chain.  Now look inside, and in the mirror.  Where are the vulnerabilities inside?  How can you adapt your operations to create trust with employees and simultaneously make your organization more resilient?
Take the “Vault 7” CIA data Wikileaks released this week. Assuming it is legitimate, it originated from a network that presumably has a very small attack surface. Wikileaks expressly claims that the data is from “an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia,” and experts agree that seems likely. And knowing that CIA networks are probably secure and defended supports the notion that the data was either leaked by someone with inside access, or stolen by a well-resourced hacking group. It’s far less likely that a random low-level spammer could have just casually happened upon a way in.
Build digital trust in your organization by better understanding the entire attack surface.  Analyze the rules that are in place now and how they might need to change according to the continuously changing environment you operate in.

Finally, adapt to live another day...

26 February 2017

Linchpin: Trust in a Continuously Changing Environment...

In the early morning nautical twilight on a cold winter morning, thoughts about how the world is changing come into clarity.  What do you believe in?

As the asymmetric threats seem to grow and our thoughts scan a vast Operational Risk landscape of people, processes, systems and external events, there is a mission worth pursuing.  It is a mission that is uncertain, full of unexpected change and potential catastrophes.

The outcomes that you seek will not always materialize as you wish, yet that is to be expected.  After all, what would an organization, state, region or country be like without any substantial changes, unexpected events or new challenges?  You see, humans do not thrive in environments where behavior or events are 100% predictable.

We work best when there is a problem to solve, an environment or challenge that we can explore, conquer or adapt to, in order to survive another day.  It is this ability to explore, to test, to solve problems that sets us apart from the current state of "Artificial Intelligence", for now.

Now, pivot your thoughts to the current ecosystem of people you encounter on a daily basis.  How does that environment change each day?  What mechanisms do you have in place to mitigate the risks that could create negative consequences and outcomes?  Think about all of the behaviors, tools and ways that you operate each day to deal with risks in your life.

The truth is, humans are curious and seek out risk.  Even if you get to a place where there is a perception that no risks are present, that no risks are over the horizon, we will look for new adventure, new learning and ways to adapt to a new environment.  So what really is the top priority for a parent, big brother/sister, manager, instructor, chief executive, commander or other organizational/constituent leader?

To create an environment of trust: a place where people have the ability to create the rules, teach the rules and operate within the rules.  Think about any environment where humans can't create the rules or rely on the rules, where the rules are not effectively communicated or where people don't follow them.  Trust breaks down and uncertainty permeates our consciousness.  The decisions to trust become questionable.

Your goal is to become a "Linchpin".  As Seth Godin has described in Linchpin: Are You Indispensable?:
"Is there anyone in an organization who is absolutely irreplaceable?  Probably not.  But the most essential people are so difficult to replace, so risky to lose, and so valuable that they might as well be irreplaceable."
How many linchpins do you have on your team?  Guess what?  If everyone is so specialized, so vital, and there is little or no backup and redundancy, you may have a single point of failure.  This is why as a linchpin you need to be continuously training and teaching in order to be replaceable.  If you are not confident that you have done all you can to make yourself replaceable, then you as a linchpin have failed.  Your resilience factor is zero.

Your task is to create more redundant linchpins, and in doing so you shall create a consistent and highly trusted environment, physical or virtual.  A changing environment is inevitable.  Achieve a culture where trust is paramount and where the team, class, cohort, company and community creates the rules, communicates the rules, enforces the rules and follows the rules.

We as curious humans seek out unpredictable places full of risk, and simultaneously we wish the environment could be trusted?  Yes, we do.

Onward!

19 February 2017

Problem-Solving: Transparency of Startup Operational Risks...

The lifeblood of an organization is comprised of several key components that sustain and continuously grow the enterprise.  Founders, senior management, engineers, and financial and legal subject matter expertise usually come first.  Then, once the minimum viable product or solution is ready for the intended market, there is a mad dash to add the sales and business development resources.

A startup mentality that initiates the planning, demand generation and "Go-to-Market" execution for the growth engine has higher Operational Risk exposure.  Many founders and new entrepreneurs who have engineering or operational expertise underestimate the need for substantial growth engine investment early in the startup timeline.

How many times have you attended "Demo Days" or other such events intended for the startup founders to pitch their new App or service solution, begging for a first customer?  You must recognize that the new Artificial Intelligence interface, the optimized algorithm or the faster encrypted communications is not going to create a new market overnight.

Entrepreneurs require a substantial immersion into the business environment of problem-solving.  It begins with the customer or client who detects that there is an area of risk that needs remediation.  How do you think companies like Symantec and McAfee first started?  The personal computers that were becoming so pervasive were encountering something now called malware.

Solving problems from the customer's perspective requires a deep and focused process with the owners, operators and end users.  It requires substantial time being embedded at the customer level or with the people who perform their daily tasks.  You need to understand the risks that the customer is experiencing.

This "Diagnostic-to-Prescriptive" process is not new.  Yet how many times have those "Demo Day" entrepreneurs or "Accelerator" graduates ended their pitch, with a plea for a first customer?  This is a recipe for failure.

How can this be changed or addressed, in order to increase the number of successful new businesses?  What should we be doing to assist these new entrepreneurs in embracing the "Operational Risks" of a customer and inventing a new solution to solve their problems?

The engineers and inventors should embrace the idea of finding customers first who have real, risk-sensitive problems they can solve.  It is not enough to just change an interface, reduce the pricing and copy an App to do the same general function.  How long will it now take for Snap to begin building their own data centers and infrastructure?

Entrepreneurs that utilize the "Go-to-Market" strategy early in their growth cycle will simultaneously increase their exposure to substantial Operational Risks.  Take that great idea or new "Minimum Viable Product" to an established business in the industry sector you think is going to listen.  Find the right business to adopt you as a problem-solver with this new solution, and take the time to learn.

Once you have lived with the same problem across several different businesses, agencies or governments, it might be time to launch the "Go-to-Market" strategy for a single industry sector or country to start.  The learning phase and early adoption of a multitude of business development processes will establish a more solid foundation for launching the new product / solution.

When you look at Snapchat and its growth cycle, it was not obvious up front how privacy was going to be such a tremendous risk to the business.  Pivoting quickly from understanding your customers' appetite for transparency to also providing a robust privacy policy program is just one way to build a trusted set of repeat customers.
Snapchat Transparency Reports are released twice a year. These reports provide important insight into the volume and nature of governmental requests for Snapchatters' account information and other legal notifications.

13 February 2017

RSA 2017: In Search of the Truth...

The 2017 RSA Conference is set to launch this week in San Francisco.  What is true?  The state of asymmetric warfare across the globe is pervasive and nation states have been negotiating new rules of the game.

As you descend into the keynote sessions, absorb the content from your favorite track or walk the overcrowded Expo halls, pause for a moment.  Stop, look around and take in what you see.  The ICT (Information, Communications & Technology) ecosystem is no longer a vertical.

The horizontal intrusion of smart devices, IoT and the rapid mobility sensor markets have created a juggernaut ecosystem.  The startup communities across just the United States landscape have entrepreneurs sharing and automating parts of your daily life once thought unthinkable.

The Techstars of the next generation of commerce understand the platform better than ever.  Meanwhile, the same ambitious individuals with so much creativity are simultaneously in a battle for funding and market share.

A new generation of AI-driven, voice-recognition inventions is becoming the foundation for getting the information we need now: this second, not in a few minutes or even an hour from now.  We want it now, and we trust that it will be true.

There are some major themes that you will see and pick up on while attending RSA this year.  Some established companies with a tenured legacy in the industry are even making a pivot.  Look for how they are starting to craft the new narratives that will consume the marketing airwaves.

Expect plenty of talk about the ongoing ransomware scourge and threats against the Internet of Things (IoT) during RSA Conference 2017, which begins a week from today at the Moscone Center in San Francisco.

The conference will include 15 keynotes, including talks by RSA CTO Zulfikar Ramzan, Microsoft president Brad Smith, and Alphabet CEO Eric Schmidt. The popular cryptographers’ panel will feature Whitfield Diffie (of Diffie-Hellman-Merkle), Ronald Rivest and Adi Shamir (the R and S in RSA encryption), and Susan Landau (creator of Landau’s Algorithm). Paul Kocher, who figured out timing attacks against various RSA and DHM implementations, will moderate the panel.

With this in mind, now start to recognize the places that have been behind the innovation curve: the small and even mega markets that have been slow to invent, or that operate in such austere environments that the technology has not reached them yet.  Start your new journey into these places to see how you can contribute, how you will be able to make a difference:

The Defense Innovation Initiative (DII)
Exploring Ideas to Better Identify the “Art of the Possible” for National Security


The Defense Innovation Initiative (DII) is a Department-wide initiative to pursue innovative ways to sustain and advance the capabilities of the “force of the future.” The U.S. changed the security landscape in the 1970s and 1980s with networked precision strike, stealth and surveillance for conventional forces. Through the DII, the Department will identify a third offset strategy that puts the competitive advantage firmly in the hands of American power projection over the coming decades.

The future of RSA and our way of life for our interconnected nations, economies and daily consumption of the truth is at stake.  We do have the ability to better cooperate, collaborate and communicate our paths forward.  Yet it begins with a conversation in person, face-to-face to establish the emotional and behavioral ties to trustworthiness.

Have a wonderful week in San Francisco...

04 February 2017

Higher Purpose: A Mission of Trust...

As you walk into that next meeting with another co-worker or even a colleague for a coffee catch-up, pause and reflect.  Think about how you could (1) make this encounter productive and (2) simultaneously enhance the relationship of trust.

All too often we are focused on getting something of value from the meeting.  We are blinded by the purpose of the meeting or have preconceived ideas on how the time together will be of value, or a waste of time.  Now think differently.

A true professional in any business, unit, agency or organization is there to "Build Trust".  The day-to-day or hour-to-hour interactions you have with others are vital.  A true professional in any domain, industry or vocation can aspire to a higher purpose than the normal roles of a stated job description.

One thing is certain when it comes to meeting with other people and the value or outcomes obtained: trust is a major factor in the future of the relationship.  Have you ever wondered why certain people you meet take so long to trust you?  How are you going to accomplish your intended purpose working with this superior or subordinate if they don't trust you?  What about that new client or business partner?

At the most fundamental level, the trust gurus and authors have been writing about a spectrum of trust for eons:
Zero Trust >>>>> Trust Exists >>>>> Implicit Trust

From ground zero of your first encounters with another person, your goal is to move towards a point on the spectrum where "Trust Exists".  Then your goal is to keep moving to the right and towards a place of "Implicit Trust".  This is when you don't even think about it anymore.  How many people do you know where this is the case, even within your own family?

So what?

As an Operational Risk professional, velocity is everything.  Yet you already know that uncontrolled velocity alone can be fatal.  The risk factors associated with business, government or the manufacturing process of a highly engineered electronic component are always present.  Always changing.  Creating new obstacles or new harm.  In our current 24x7x365, pervasively connected society, the trust factors are even more important and vital to moving towards "Implicit Trust".

Here are a few examples in the news this past year, where Operational Risk Management (ORM) was a factor:
Samsung Galaxy Note 7

On 2 September 2016, Samsung suspended sales of the Galaxy Note 7 and announced an informal recall, after it was found that a manufacturing defect in the phones' batteries had caused some of them to generate excessive heat, resulting in fires and explosions. A formal U.S. recall was announced on 15 September 2016.
Yahoo

When Yahoo said on Thursday that data from at least 500 million user accounts had been hacked, it wasn't just admitting to a huge failing in data security -- it was admitting to the biggest hack the world has ever seen.

Until Thursday, the previous largest known hack was the 2008 breach that hit almost 360 million MySpace accounts, according to a ranking by the "Have I been pwned" website. Like the Yahoo breach, the hack was only publicly disclosed this year after data was offered on a hacker forum.
National Healthcare Fraud

Attorney General Loretta E. Lynch and Department of Health and Human Services (HHS) Secretary Sylvia Mathews Burwell announced today an unprecedented nationwide sweep led by the Medicare Fraud Strike Force in 36 federal districts, resulting in criminal and civil charges against 301 individuals, including 61 doctors, nurses and other licensed medical professionals, for their alleged participation in health care fraud schemes involving approximately $900 million in false billings.
National Security Agency

A federal contractor suspected in the leak of powerful National Security Agency hacking tools has been arrested and charged with stealing classified information from the U.S. government, according to court records and U.S. officials familiar with the case.

In each one of these example cases, relationships between people started with a meeting encounter.  Over time, the product, service or personal relationship outcomes involved a failure of people, processes, systems or external events: the core components of Operational Risk Management (ORM).

Raising the level of trust across personal, business or government encounters is only possible with effective "TrustDecisions".  The Decisions to Trust another person, product or service have several elements.  These are vital for the mission to grow towards "Implicit Trust", and simultaneously for the safety and security necessary to reduce the risk of failure.

The Mission

The mission as a co-founder of a new startup or the CEO of a Global 500 is to ensure the survival of the organization. We all know the failure rate for new companies. Just ask Dun & Bradstreet for the statistics or even your local Venture Capitalist who is celebrating failures these days. So beyond just the survival of the organization, is the imperative to establish a cultural and operating environment where people feel encouraged, creative and unencumbered to fulfill their job requirements and goals.

The Take Away

Operational Risks are inherent in any new or established business endeavor. The earlier the Operational Risk Management (ORM) design begins in the trusted relationship evolution, the more resilient you will ultimately become. The framework of the system-of-systems, the look and feel of the cultural environment and the end state visions are all at stake. Take the time and include the expertise to work on the "TrustDecisions" foundation of your enterprise.

Ensure the survivability of the new products or service solutions that are so valuable to our economy and our nation.  Embrace Operational Risk Management early in your relationships and allow its presence while it preserves all that you have worked for and dreamed of...

28 January 2017

The Network: 4th Industrial Revolution Strategy...

There is wisdom in continuously sensing and understanding the environment that people are operating in for their daily work or a specific mission.  The culture of an organization will determine why people are focused on the tasks and work they are performing each day, and that is where Operational Risk Management (ORM) begins.

If you are waking up today and know you may not return home alive, how would that change your thoughts about the tasks and environment ahead of you?  What kind of attitude would you have about your ability to improvise, adapt and navigate over the course of your mission that day, to return safe and secure?

Working alongside individuals each day who are vital to a "Network" that knows the odds of survival are low changes you.  The Operational Risks that you will likely encounter can make you deviate from the primary goal of the mission.  The outcomes that are foremost on the minds of each person on the team are the same, until you have to adjust, pivot and adapt on the fly.

This is where the mindset of "Resilience" is born.  The brain learns what is working, and when it encounters a setback, a shock, or a denial of the goal, it quickly responds to the new environment.  You change your tactics to keep moving forward in pursuit of your planned destination.  Resilience and networks have been symbiotic since Genesis.

So where is your environment located today?  Are you waking up in the Hindu Kush or Palo Alto?  Is it going to be sunny in the Sahel or downtown London?  How will you travel today, by foot or in a vehicle that travels fast enough to require a seat belt?  If it requires a seat belt, you are already applying your OP Risk skills to survive the day.

Now pivot your thoughts back to the asymmetric "Network".  You may not be tasked today to travel in a physical environment.  Your mission is to navigate across the globe to a different place, and the map you will use looks like this.  The network you will operate in today, has hundreds of thousands of adversaries.  Most will not be human, they are nodes and machines that will sense your presence and try to deter your assigned mission.

The resilience of the "Network" is not about just the other people on your team.  It is about the intelligence of your abilities to navigate, adapt and survive the minute, hour or day of your mission.  Whether the resilience is in the physical realm or inside the zeros and ones of a virtual cyberspace, there are some similarities to achieve survival.

Whether you have an OODA Loop or "Board Principles of Resilience" does not matter, as long as you understand the culture and the environment you will be operating in that day.  Then use it.  Operational Risk Management works when you apply the right tools, tactics and procedures to the time, place and circumstances.  Consider these principles from the Future of Digital Economy and Society System Initiative | World Economic Forum:
  • Responsibility for Resilience
  • Command of the Subject
  • Accountable Officer
  • Integration of Resilience
  • Risk Appetite
  • Risk Assessment & Reporting
  • Resilience Plans
  • Community
  • Review
  • Effectiveness
The "Network" is the new playing field.  The new market.  The new adversary.  The new strategic thinking necessary to make it through the day safely and securely.  To come home to your loved ones.  Use Operational Risk Management (ORM) in order to thrive and survive:
Against the background of these developments, this year’s Global Risks Report explores five gravity centres that will shape global risks. First, continued slow growth combined with high debt and demographic change creates an environment that favours financial crises and growing inequality. At the same time, pervasive corruption, short-termism and unequal distribution of the benefits of growth suggest that the capitalist economic model may not be delivering for people. The transition towards a more multipolar world order is putting global cooperation under strain. At the same time, the Fourth Industrial Revolution is fundamentally transforming societies, economies, and ways of doing business. Last but not least, as people seek to reassert identities that have been blurred by globalization, decision-making is increasingly influenced by emotions. World Economic Forum - Global Risks Report 2017

21 January 2017

Asymmetric Advantage: Dawn Across Arlington...

One only has to stand behind the "Tomb of the Unknowns" and gaze across the national mall past the Washington Monument to begin to feel the magnitude of the challenges ahead.  As the wind swirls around the grave markers and the sound of sirens and jets are distantly present, you can feel an emotional wave of inspiration.

Today in Washington, D.C., the dawn of a new government administration is waking up and the rest of the world is waiting.  How will the asymmetric problems we face be solved faster?  Why does the decision to use "Solution X" make sense over "Solution Y" to address our nation's adaptive Operational Risks?

Why would a U.S. citizen feel inspired this day and from this vantage point in Arlington?  It is because the future will bring new conflicts that are different than years past.  It will bring new opportunities for us to excel.  Every decade that wars occur, there are far fewer warfighters actually put into harm's way.  The number of casualties slows.  Why?

The reason is that the kinetic types of wars are using new inventions and technologies to save lives.  Whether it is MRAPs or tourniquets built into uniforms, or sophisticated "Geospatial Intelligence", the goal is to keep our warfighters safe and alive.

Now also in parallel, the conflicts are being waged 24 x 7 x 365 in another growing operational domain, where the IO Analyst is navigating electronic networks and complex lines of software code.  Information Operations are full of new challenges and substantial learning curves in order to gain the advantage.

Welcome to the #Virtual Caliphate:
Decades of border disputes, violent conflict, and shifting refugee populations have left millions of Muslims without a clear national identity. ISIL’s virtual caliphate offers them citizenship free from terrestrial constraints, which can be accessed from anywhere in the world.
How the United States responds to this threat of a growing set of virtually-inspired terrorists, who carry out their physical acts in the homeland, remains a substantial problem-set.  What else is in store for our Homeland?

"The U.S. is considered a high-priority intelligence target by many foreign intelligence entities. While traditionally the threat has been to our political, military, and diplomatic interests at home and abroad, the loss of sensitive economic information and technology is a growing threat to our national security. In recent years, economic espionage conducted by foreign intelligence entities, corrupt insiders, and corporate competitors has exploited vulnerabilities in cyberspace that may weaken our economic advantage. Cyber espionage has not replaced traditional espionage as a way to steal secrets, but the ability to focus technology on lesser protected information is a significant and growing threat." DNI.gov Domestic Approach to National Intelligence

The rules will be changing soon.  The tools will be too powerful and the threats too great, for the military to have their hands tied or their legal authorities limited.  The next generation of domestic cyber warfighters will now go into action, side-by-side from CyberCom, Homeland Security, FBI, CIA and a new coalition of advanced private sector contractors.  They will work across the Homeland from SCIFs in every state, with a new enhanced mission and a new unified command.

How will this save lives and give all of our warfighters what they need?

As the billion dollar budgets within the Pentagon shift their focus to platforms such as DIUx or IARPA, innovative answers will be more apparent.  The growing solutions pipeline will become the basis for rapid deployment to our Operators.  The new Corps of men and women raising their hands from classrooms across the Homeland will become exponential...they will serve in new roles and in new ways.

The future is bright and the changing of the guard at the "Tomb of the Unknowns" will soon see fewer ceremonies to bury our heroes or even hang another star on a wall in Langley...

15 January 2017

Inspired Outcomes: A Culture of Why...

Why does your organization exist?  Most people answer this question with the kinds of products or services provided.  This is "What you do".  Some people talk about how they provide the service or how the product works.  This is "How you do it".  This does not answer the question.

Most organizations have it backwards.  What >> How >> Why.  Now think, Why >> How >> What.

Why your organization exists is paramount to understanding the real purpose and DNA of your culture.  It is vital to the people who show up every day, the core reason they perform their role or contribute to the measurable outcomes of the team.  True Operational Risk Management (ORM) professionals discover the "Why" at the beginning.  Without the truth behind "The Why", nothing after it has enough context.

When you begin the journey to build a better product or invent a new process, you had better know the answer to "Why".  Discovering this first will provide the inspiration, the creativity and the fortitude to get you and your team out of bed the next day, to do it all over again.  Without the "Why", we as humans lose sight of our destined purpose.

Over seven years ago, Simon Sinek was advocating for "Why" in his book and on TED Talks.  A few years later, he was helping the Air Force hone new leadership skills in its pilots:
"I told the guys, it's not enough any more to be ace of the base," said Col. Richard "Tex" Coe, commandant of the United States Air Force Weapons School. "We have to bring others with us."

Coe believes the school's new leadership curriculum will translate to success in the global war on terrorism, particularly in the fight in Afghanistan.

"What we're going to be doing is purposely developing these innovative and creative leaders that will go out there and face problems," Coe said.

"We don't even know our problems yet, and we'll be able to put our pieces together and use resources and other people around us to get the mission accomplished."

Coe, a master navigator with more than 3,000 flight hours including 460 combat hours, left Afghanistan in 2002. Today, the country "is a new and different place" he said.

"It's a completely different problem than it was back then. It's ever changing, and we're preparing them for that ever-changing problem."
"What we believe" is not the same as "Why We Exist".  It is different and it could mean the difference to owners, employees, partners and external customers or clients.  Here is just one example from Palantir:
Why We’re Here

"We believe in augmenting human intelligence, not replacing it.

With good data and the right technology, people and institutions today can still solve hard problems and change the world for the better."
How could you make this even more compelling?  More inspiring and motivating, so that you want to jump out of bed each day at the sound of the morning alarm.

Behind every process, product and service there are humans who must see, feel and smell the "Why".  If and when they do, now they are ready to endure the journey, the quest and the challenges ahead.  They are there for a purpose they can internalize and outcomes that they can pursue vigorously, each day.

Discover the "Why" from your clients and customers, if you have not already done so.  Understand deeply the reason why they are doing business with you.  You may be surprised to know that your clients are paying you more than your competitors for the same product or service.  You may soon find out the real value of "Trust."

Making the "Decision to Trust" one product or service over another cannot be underestimated.  Yet so many organizations and companies fail to find the truth about "Why" in their ecosystems of followers.  Is it the location, the price, the ease of use, the color, the feel, the endurance, the speed, the intelligence?

Once you have discovered the truth on "Why", you must know "How".  Then the "What" will follow, with the name of your product or brand.  Isn't it interesting that when you are attending a networking or convention event and you meet someone new, they may ask:  "What do you do?"

What if you answered the question like this:  "I work with 'X' and we exist to 'Y'."  The cause and reason for your organization's existence transcends everything.  It provides the foundation for why this person is going to trust you and your organization.  Now if they would only start the conversation with:  "Why does your organization exist?"

Once you have a solid foundation for "Why", then you must know "The How" and then "The What".  Here is another example:
SpaceX designs, manufactures and launches advanced rockets and spacecraft. The company was founded in 2002 to revolutionize space technology, with the ultimate goal of enabling people to live on other planets.
Or how about:

"SpaceX exists to enable people to live on other planets.  We manufacture rockets and launch them so that our customers can supply other spacecraft or travel to other destinations beyond Earth."

Now think about your organization.  Take a deep look at your culture.  What is the fuel that will propel it into the future to achieve extraordinary outcomes?  Exponential results...

08 January 2017

Symbiosis: Information Advantage in a Virtual Battlespace...

Symbiosis with machines to gain information advantage is a challenging problem-set.  The magnitude of Operational Risks will now soar, as we pivot towards machines that are performing more as autonomous colleagues.  Pre-programmed instructions have been the standard for our software-based systems, until now.

The integration challenges ahead on the leading edge of "Information Advantage" produce a spectrum of new-born problems to solve.  User interfaces driven by speech or by a new Virtual Reality (VR) capability are just the dawn of a new era.  DARPA (BAA-16-51) is already headed in this direction:
The symbiosis portfolio develops technologies to enable machines to understand speech and extract information contained in diverse media, to learn, to reason and apply knowledge gained through experience, and to respond intelligently to new and unforeseen events. Application areas in which machines will prove invaluable as partners include: cyberspace operations, where highly-scripted, distributed cyber attacks have a speed, complexity, and scale that overwhelms human cyber defenders; intelligence analysis, to which machines can bring super-human objectivity; and command and control, where workloads, timelines and stress can exhaust human operators.
"Technological surprise" is a complex area of research.  The problems to be solved are tremendous.  Information advantage in virtual environments has been developing for years.  Fifteen-plus years before the U.S. Department of Defense utilized the concept of a public "Bug Bounty" style program for vulnerability discovery on public-facing systems, Bug Bounties were used by the private sector.

Automated Testing tools and the ability to run software scripts that can simulate a human behind the keyboard were invented more than a decade ago.  It is time for the next generation of information advantage to be addressed, combined with a strategic and policy focused initiative.

Why?

Principal Investigators understand the stakes within the cyber domains.  The myriad of adversaries have advanced far beyond current capabilities and are even utilizing our own infrastructure against us.  Their abilities to adapt and change direction, cloak their presence and attack from new locations are finally being understood in the Board Room.

Yet what is the business problem that is being addressed?  Who are going to be the primary beneficiaries of any new invention or solution?  More importantly, why will they continue to use it?

In between commercial-off-the-shelf (COTS) and military unique systems is the zone we shall be navigating to in the next few years.  Military adapted commercial technology is the place for tremendous opportunity and new innovation.

How will we get there?

Since there is no viable rapid acquisition structure in place, new leadership and resources will be required to deploy these solutions.  The entrants to this area will prosper if they are able to mobilize strategically and with speed.

Information advantage is a lofty goal and worth the ambition to achieve it soon.  The speed to attain even a slight edge over the adversary is a whole different strategy when you are talking about information operations.  Unlike the traditional air or sea domains, the speed and ability to scale, deploy and execute with COTS is exponential.

How long did it take, start to finish, for physical solutions such as "PackBot", "TALON", "Sand Flea", "BigDog", "Cheetah", "Perdix", "RiSE", "BEAR" and "WASP" to make it into the operational arena?  The ARGUS-IS camera on a "Global Hawk" UAS generates 1 million terabytes of data daily with a "persistent stare", to track all ground movements in a medium size city from 60,000 ft.  How long did the procurement take to get this capability into the physical domain?

The speed in the current information warfare domain is exponential using COTS and IoT.  Using existing Virtual Machines on AWS-like infrastructure, combined with IP-addressable CCTV cameras to launch a DDoS on a DNS provider in minutes or hours is just one example. The "Mirai botnet" is just another tool (weapon) in the information advantage virtual battlespace.

So what?

Symbiosis with machines to gain information advantage is a challenging problem-set.  Think about the time it takes to design, procure and deploy a robot solution on the physical field of play.  Now think about the same in the almost limitless virtual domains across the globe.  The challenges ahead are formidable and the really hard problems to be solved remain endless...

31 December 2016

2017: Navigating to Digital Trust...

Looking into the 2016 Operational Risk Management (ORM) rear view mirror, you may be asking yourself several questions.  How many significant losses have occurred this past year, from the failed people, processes, systems or external events in your organization?

You could be asking your team why you have yet to become the target of our adversaries also known as COZYBEAR, APT28 or APT29, CloudDuke, or even Energetic Bear.  If you don't know who these are, then you probably already are "owned" by this adversary.  It may finally be a priority to become a participant in the "Automated Indicator Sharing" (AIS) initiative.

Where are you navigating to in 2017?

As we look across the vast landscape of our rapidly changing business and government domains, there is no turning back.  There is no ability to retreat or to acquiesce, in a world so full of continuous Operational Risk.

There is no certainty.  There is no true assurance.  There is only the ability to solve problems faster than your adversary or competition.  Some may call this resilience.

Therefore, the direction you take will forever shape your continued exposure to risks and your strategy for opportunities that you do have control over.  It is a choice, and the questions by the Board of Directors, the Plaintiff Bar or the U.S. Attorney are not going to be the most difficult ones to answer.

In 2017, any major influential organization will be getting more transparent.  The metrics and the formulas (think mathematical algorithms) for counting and creating wealth will be further disclosed, the rules will change faster and more transparently.  Buyers and Sellers of digital content and intelligence, will increase their levels of "Digital Trust".

How will these parties, partners and participants in a vast and exponentially expanding ocean of digital rules become more trustworthy?  They will begin to better understand the DNA of their respective TrustDecisions.

The constituents of organizations, countries and ICT (Information, Communications & Technology) entities will finally realize that transparency of the rules is a vital step to trustworthiness.  Better understanding the "Rules for Composing Rules" is a place to start.  Jeffrey Ritter is the visionary on this topic:
To be part of the disruption, any business must look in two directions—toward the companies that supply digital information to them, and toward the companies with whom their own digital assets are shared. To succeed in creating wealth, and enriching the trust that exists throughout a company’s ecosystem, companies must evaluate how they can be more transparent with their information suppliers, and what levels of transparency to demand from those companies who are outbound recipients. What are the right metrics to show how data or content (like videos) are performing? How will the reporting occur? Are the economic exchanges properly balanced by the value of the data being shared?
The negotiations have been in progress for days, months and years.  The question remains:  where are you navigating to in 2017 and beyond?  What resources will you require to get you to your planned destination?  How will you adapt along the way, as the environment you are operating in changes?

Surviving the journey to your intended destination in 2017 will require bold new thinking.  It will be necessary to make many sacrifices along the way, on the ground or in a virtual domain.  The solution-sets that you utilize will require new entities (change agents) to be even more effective in solving problems that arise.

These new entities (human and digital), that will solve problems more efficiently and effectively with you, are ready now.  So what will you do next to adopt, embrace, espouse, tolerate and even endure the journey ahead?

May your exploration and travels in 2017 produce the intended outcomes.  We wish you a productive and Happy New Year!

17 December 2016

Sprint: Accelerating into the Unknown...

"If you want to go fast, go alone.  If you want to go far, go together"...
  --African Proverb
When you or your organization makes the decision to trust a market, a client, a solution and a model for business, there has already been an adaptive process.  The Operational Risks that you take as an entrepreneur, a designer, a software developer, a financier and the delivery mechanism are continuously changing.  People, Process, Systems and External Events.

You started this project to solve a large problem.  A big issue in a market or with an industry.  The "World's Most Innovative Companies" have been following a proven formula for decades.  What is their secret Intellectual Property?

In the R & D sections of the Defense Industrial Base or the Information, Communications and Technology (ICT) sector, the lights are never turned off.  The competitive world we live in requires that the proven process runs, finishes and repeats.  Then it is replicated across business units, departments and subsidiaries in other countries.

What if you are now testing new ideas to save lives or reduce potential harm to a small team or even the public at large?  What if you will be introducing your solution to a highly regulated market with a long process for government approvals?  What if the current bureaucratic overhead to accelerate your ideas prevents you from achieving the trust you require with your beneficiaries?  Answer:  You pivot to this five-step process:
  • Map
  • Sketch
  • Decide
  • Prototype
  • Test
Five simple steps accomplished over the course of five days may seem easy.  It isn't.  The process for solving big problems and getting to a place where a financier is going to fund your project is really difficult.  It requires perseverance and an insatiable desire to achieve outcomes that you and your team know can work.  That will improve the odds of survival.  Here is just one example of a Map for a "Universal Communication Service" device problem-set:

TrustDecisions | Digital Reasoning | All Rights Reserved.
When you start the process with the Strategy, Voice of the Beneficiary, Subject Matter Experts and pieces of previous efforts by creating a "Map", your overall risk factors start to become more apparent.  By stimulating the visual elements of the human brain's capacity for creative inspiration, you begin to see all the possibilities and also the challenges ahead.

Next, you take the target beneficiaries' perspective, by starting with the end (outcomes) in mind.  A "Backwards from Perfect" process, or a variation of it, seeks to understand and answer the questions:  Will the beneficiaries of the solution trust our expertise?  Will they utilize this solution?

The human imagination is endless.  Rarely does it flourish when you want it to.  So be careful to plan for the fact that the best ideas and new breakthrough thinking will not happen in the same room with all of the stakeholders, looking at a Map or a Sketch.  It just might happen as one of the participants is in the shower on Day 3, or taking an evening walk after dinner with a colleague on Day 4.

So what?

The questions asked and the process delivered are vital to any organization that is solving big problems.  A problem is only finally solved when the beneficiary says so.  When the market accepts the solution, or the human using the tool achieves enough trust in it to use it again and again.  When the point in time arrives that the solution is verified and desired by enough people, then perhaps the problem has been sufficiently solved.

Until the next human decides to improve on it.  Or the next human believes there is a better way.  Or the environment that the solution was designed for, changes dramatically.  Now it may be time to get back into that room down the hall, with all the White Boards, Post-it Notes, Markers, Timers and some Healthy Snacks.

What does the unknown future look like?  At dawn, just early enough to know it is time to move forward faster than your opposition...

Begin Morning Nautical Twilight

The start of that period where, in good conditions and in the absence of other illumination, enough light is available to identify the general outlines of ground objects and conduct limited military operations. Light intensification devices are still effective and may have enhanced capabilities. At this time, the sun is 12 degrees below the eastern horizon. Also called BMNT...

11 December 2016

CIU: Corporate Intelligence Unit...

Over six years later, approaching 2017, Operational Risk Management (ORM) professionals are experiencing the "New Normal."  In a 2010 CSO Magazine-sponsored eCrime Digital Watch Report and survey of 535 companies, there are some observations on Operational Risk Management worth examination.

This CERT report the same year was focused on the "Insider Threat" and the area of concern is still on "Digital Incidents by Insiders."  Seven years later, these numbers have only increased:
  • In the past 12 months, the number of incidents reported increased 16%
  • The per incident monetary loss (mean) was $394,700.00
Yet these two items are just the trend these days, as our global workplace becomes more mobile and stratified, using more partners, offshore suppliers and other 3rd parties to accomplish the daily tasks and workloads. What is even more alarming are the following stats from the survey:
  • 72% of the incidents were handled internally without any legal action or law enforcement.
  • 29% of these incidents could not identify a subject responsible for committing a crime.
  • 35% of these incidents could not proceed due to a lack of evidence.
Interpreting these numbers prompts several questions worth discovering. First, why were 28% of the incidents handled with some form of legal action or law enforcement? We can surmise one of two reasons. Either the incident was exposed to the public as a result of the magnitude or harm that was caused by the incident, or the organization was prepared to capture evidence, properly investigate the incident and pursue a recovery of the loss either in a civil or criminal process of law.

Second, why were 35% of the incidents unable to proceed due to a lack of evidence? The organization may be lazy or apathetic to these loss events or may have an insurance policy that covers these types of losses and was able to successfully recover the almost $400,000.00 incident average through this process.

Or, the organization is not capable of leveraging a sound "Digital Governance" and "Legal Policy" framework in order to properly investigate incidents that come from their own internal work place ecosystem of employees, partners, suppliers and other 3rd parties.

In order to gain "Strategic Insight" into these vital Operational Risk matters within the enterprise, the organization must establish an intelligence-led investigation. Once the proper evidence collection and analysis is completed on the incident, then members of a corporate crisis team or threat management council can make more informed decisions. That brings us to the final question. Why in 71% of the incidents was a subject not identified as being responsible?

The answer to this question has much to do with the previous one, where there was a lack of evidence. However, our hunch is that many of these insider incidents were the result of an employee error, mistake or unintended consequences. The lost or stolen laptop from the unlocked car may fill some of this category.

Why would it be in the best legal interest of an organization to have a robust evidence collection capability supported by a sound "Policy Governance" and "Legal Framework"?
  • Duty of Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
This blog has touched upon these four vital areas of vulnerability to adversarial litigation in the past, because we know that whether you ask these questions internally, or the state's Attorney General and the FBI ask them, the answers must be discovered:
  1. What did you know?
  2. When did you know it?
  3. What are you doing about it?
While the number of loss events due to errors or omissions, many times the result of a lack of proper training and awareness programs, is growing, so are the incidents resulting from the insider threat of:
  • Fraud
  • Sabotage
  • Espionage
  • Trade Secrets Theft
The modern day enterprise with preemptive, robust and collaborative law enforcement mechanisms in place has accepted the reality of the threat perspectives in their workplace ecosystem:
  • Some individuals who make threats ultimately pose threats.
  • Many individuals who make threats do not pose threats.
  • Some individuals who pose threats never make threats.
Make sure you read those a few times. Because the workplace ecosystem is an evolving, dynamic and rapidly changing set of human elements, behaviors and motivations, the justification for creating more "Strategic Insight" is a necessary mitigation strategy. There is a growing trend today for these enlightened organizations to create and effectively provide the resources for a corporate threat management team. This team is comprised of a spectrum of members that span the digital to physical domains within the company. This includes the Chief Risk Officer, General Counsel, Internal Audit, Public Relations, Human Resources, Corporate Security and Information Technology.

In another less formal survey by Dr. Larry Barton of 630 employers the question was raised on the employee communication channel that caused the company to act on a risk. 38% were through a digital messaging medium such as e-mail, text messages and blogs or social networking sites. The ability to monitor over one third of employee communication channels remains a daunting task to this day.

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU with effective processes and procedures that provide a push / pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "DecisionAdvantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistleblower report, catch the attacker and/or have the evidence that you were a victim.

What side of the incident spectrum you are on, either proactive or reactive, could mean the difference on whether the attackers continue their schemes and attacks while continuously targeting those with the greatest vulnerabilities. In some cases, those attackers include the plaintiff bar, and your evidence of "Duty of Care" is the bull's-eye.

03 December 2016

Digital Innovation: Architecture for the Future...

You are the Senior Operational Risk Management (ORM) Officer in your organization.  One early morning on a crisp Fall day, your "Black Phone" rings.  It is your boss calling.
"We need your leadership and assistance in the reorganization of our enterprise.  Your job will be to head up the new "Digital Innovation" mission group.  We need you to integrate and collaborate effectively with the other 9 mission centers in our organization."
You hang up the phone and your mind begins to wander.  How will you address the digital challenges ahead?  Where will you start?  Will you combine the current silos of the security and privacy domains?  What will the new Enterprise Architecture reveal about the new focus on the potential "Insider Threat"?  Is your enterprise ready to migrate to AWS?

The time has finally arrived, at this point in the organization's maturity, to address and accept the new reality.  In 2016, digital has become pervasive and the undisputed core of the lifeblood of our economy and business.  Not only has this reality started to finally gain traction with Boards of Directors and Senior leadership, it is now a mandate for our total reorganization.

What is the key reason why?  Exponential change and development of the operational ecosystems of the world.  Our global ICT (Information, Communications & Technology) infrastructure has created an international trust issue.  Achieving digital TrustDecisions across directorates, business units and international partners is now clearly mission critical.  Encryption is at the center point of the dialogue.

As you glance at your e-mail, after signing in using the "Digital Authenticator" also on your "Black Phone," it hits you square in the face.  The silos of security and privacy across the enterprise will have to be integrated and a new play book will have to be implemented early.  How will you architect this vital component of the mission group?

Digital Innovation going forward requires that you effectively integrate with a decades-old organizational structure. No longer will the owner of the digital innovation mission reside with the person or department that runs the "Compute Utility". Whether this has been called the CTO, CIO or VP of xyz does not really matter. They have been overseeing the group who is responsible for the hardware, software and the functions that keep the compute utility running.

The lifeblood of your organization is "Data." This can be found in more than just one place within the organization. This data can be found far beyond just the "Zeros and Ones" being stored as a bulk repository, or "data lake," for analytics; backup & recovery; disaster recovery; and serverless computing.  How will you address the data across the landscape of your field operations with partners, suppliers, 3rd parties and each of their own intellectual capital?  Think about it this way:
  • Compute
  • Storage
  • Database
  • Migration
  • Networking & Content Delivery
Your current architecture is simply a utility.  Nothing more.  You want to turn it on, pay for only what you use when you use it, turn it off when you don't need it and have it available 24x7x365.  Right?  Just like your electric utility.

The new "Digital Innovation" mission center will now have a new mind-set.  A new architecture for the future:
Why?

The truth is, it starts with a model that is decades old.  It has sometimes been called "Backwards from Perfect".  Imagine yourself as one of dozens of "End-Users" in your enterprise.  What data do you need to do your job and fulfill your mission at that particular moment?  What type of device will connect to the utility to allow you to explore and create your model?

How will you build your understanding and the insight you require to fulfill the current question?  The hypothesis?  How will you deploy the new digital innovation with your stakeholders, collaborators and the trusted insiders to your latest mission?

Using a simple model like "Backwards from Perfect" with your Field Rep, Service Agent, Partner Consultant, War Fighter, Station Chief or Mission Program Manager is just the beginning.  Your future success and survival is now directly tied to where we started.  Operational Risk Management.

There isn't one person, one department or one mission that doesn't need you and your mission to succeed.  The safety and security of your people, your business unit and your purpose on the planet is at stake.  They are all depending on you...

Godspeed...

26 November 2016

Proactive Defense: ICT Supercomputers in the Fifth Domain...

The days are numbered for the major and large scale ICT (Information, Communications & Technology) incidents.  Corporations and global 500 organizations are scaling up for the long game, in a new era of Operational Risk Management (ORM).  We are rapidly moving from Fear, Uncertainty and Doubt, to "Proactive Defense."

No longer is the topic of digital strategy being pushed down the list of priorities by the Board of Directors; it is now at the top.  E-commerce and digital branding are an integrated dialogue along with EBITA in the corporate board room.  The "Trust Decisions" being made each minute of each hour by the enterprise are now being calculated by machines, sophisticated algorithms and data analytics.

"In an increasingly virtual world, it’s easy to lose sight of the fact that human networks, relationships and trust are more important than ever. Those bonds can be sparked in face-to-face discussions. Meanwhile, we can’t allow ourselves to be passive when our opponents are actively engaged and financially motivated. Since we have such a determined foe, we need to challenge each other on the stage. We need to change from thinking defensively to proactively on ICT."  --William H. Saito, Special Advisor, Cabinet Office (Government of Japan)

Japan and other nations are racing each other to create the world's fastest-known supercomputer.  Why?

The deep learning and artificial-intelligence (AI) trend tells us that soon more corporations will be leveraging these government-owned assets for assistance.  Whether it is for medical diagnostics, cyberspace threat intelligence or improving the speed of other humanitarian-focused equations, Japan is also joining the supercomputer race for the fastest computer on earth:

"In a move that is expected to vault Japan to the top of the supercomputing heap, its engineers will be tasked with building a machine that can make 130 quadrillion calculations per second - or 130 petaflops in scientific parlance - as early as next year, sources involved in the project told Reuters.

At that speed, Japan's computer would be ahead of China's Sunway Taihulight that is capable of 93 petaflops."

Why is the global race for supercomputer superiority a nation-state issue?  What is the reason for diverting national funds to this project, over others of key importance to the welfare of the majority of the population?  Operational Risk Management of the nation itself.

The "Fifth Domain" after Air, Land, Sea and Space is that infrastructure comprised of our planetary ICT landscape.  Digital infrastructures are now so integrated that cyberspace incidents such as war in Estonia, Stuxnet in Iran, Sony Pictures in the U.S. and the more pervasive "Ransomware" worldwide, are just the initial indicators of what still lies ahead of us.

We must now turn our attention to the positive innovation and continuous "Proactive Defense" of our critical infrastructure.  Nation states such as Japan and others, who are the key gateways for undersea cables, truly understand the vital nature of their ICT assets.

A nation state's "Cyberspace Strategy" has now evolved beyond the current state, to the "Fifth Domain".  Global 500 companies are fighting DDoS botnets on a daily basis trying to keep e-commerce running.  This largely invisible war will continue to evolve as new technologies and supercomputers become the new normal.

"On Tuesday, the chancellor, Philip Hammond, announced that the government was “investing” £1.9bn in boosting the nation’s cybersecurity. “If we want Britain to be the best place in the world to be a tech business,” he said, “then it is also crucial that Britain is a safe place to do digital business… Just as technology presents huge opportunities for our economy – so too it poses a risk. Trust in the internet and the infrastructure on which it relies is fundamental to our economic future. Because without that trust, faith in the whole digital edifice will fall away.”"

20 November 2016

Intuition: Security in a World Without Borders...

"Technology is not going to save us.  Our computers, our tools, our machines are not enough.  We have to rely on our intuition, our true being."  --Joseph Campbell

On a crisp Fall morning, one week after the U.S. National Election, we were lining up outside the Harry S. Truman Building, headquarters of the United States Department of State.  The Bureau of Diplomatic Security - Overseas Security Advisory Council was hosting its 31st Annual Briefing.

This year's briefing was focused on "Security in a World Without Borders" and as we passed through our ID check and screening, the anticipation was high.  Its private sector constituents, from the Fortune Global 500 to the small U.S.-based professional services firm, had one key similarity.

Leaders in attendance recognize that their business is integrated forever with an exponentially expanding system of interconnected machines.  CxOs across the globe are competing for business in the era of "The Fourth Industrial Revolution", where the vulnerabilities extend beyond the Critical Assets of the enterprise.

This year's keynote address was by Richard Davis, CEO of U.S. Bancorp.  His talk resonated with many as he recounted his rise from the days at the branch level securing the vault.  Now, he emphasized, most of his effort was focused on Operational Risk Management (ORM).  Data, Identities and Distributed Denial of Service (DDoS) were on his mind every day now.

Beyond the threats of a Post-ISIL Levant and operating in a world of Transnational Organized Crime, the room was almost full on Day 2 for the 10:45AM panel discussion "Developing an Insider Threat Program", which was moderated by Elena Kim-Mitchell, ODNI.

The OSAC participants on the panel were:
  • Roccie S., Capital One | Financial
  • Stanley B., Rolls-Royce North America | Defense Industrial Base
  • Joseph L., Southern Company | Energy
Each of these experts described the high-level architecture of their respective organization's design and approach to an "Insider Threat Program" (InTP), and they had consensus on one key element.

The "Human Factor".  The point that they all wanted to ensure the audience understood clearly is that all of the analytics software, data loss prevention (DLP) tools and sophisticated technology were not going to stop a determined and motivated adversary.

So what?

Your intuitive abilities as a human shall not be ignored or discounted.  How many times have you said to yourself, "I knew something wasn't right with that person"?  In fact, many times we are alerted to the anomalous behavior of a co-worker because we have the human factor of intuition working 24x7 in our brains.

Gavin de Becker has said it best in his book "The Gift of Fear," yet we must not forget that these behaviors apply to everyone:
  • We seek connection with others.
  • We are saddened by loss and try to avoid it.
  • We dislike rejection.
  • We like recognition and attention.
  • We will do more to avoid pain than we will do to seek pleasure.
  • We dislike ridicule and embarrassment.
  • We care what others think of us.
  • We seek a degree of control over our lives.
As our software systems learn and we begin to rely more often on the algorithms to recognize, translate and predict, we must not lose sight of our human intuition.  Do you have it?  Yes.  Are you using it more often and more effectively?  We hope you will be.

How often have we all said, the signs were there?  How many times are the clear and present indicators in the workplace being ignored?  An organization's "Duty of Care" is continuously at stake.  Human factors alone, just like software system alerts alone, will continuously expose the enterprise to significant loss events.  Here is just one example from the Washington Post:

The Pentagon’s Defense Security Service announced this year that contractors will be required to implement programs that are designed “to detect, deter and mitigate insider threats.” Contractors will be required to designate a senior insider threat official to oversee the program and provide training on how best to implement it.

While many details of the Martin case are not yet known, it is clear that it is not good for Booz Allen to have a second employee charged with stealing secrets from one of its most important customers, officials said.

What is the solution?

Government contractors, private sector businesses and their small and medium enterprises that are within the supply chain ecosystem for products and services, are continuously challenged.  They are under the growing umbrella of a myriad of federal acquisition guidelines.

In addition, various export, civil liberties and privacy laws focused on preserving the integrity and trust of the United States in an international marketplace, are compliance mandates for your global commerce.

New solutions are required as a result of the increasing spectrum of threats from individuals in the workplace, to the cyber nexus infiltrating your trade secrets and theft of intellectual property.

The TrustDecisions “Insider Threat Program” (InTP) has been designed from the ground up for organizations operating in highly regulated “Critical Infrastructure” sectors, including Financial, Energy and the Defense Industrial Base (DIB).

Many companies have already started the establishment of an “Insider Threat Program” (InTP).  Utilizing Subject Matter Experts from TrustDecisions will provide your organization with the confidence and continuous assurance that you stay on course.

“Achieving Trust” with employees, clients and suppliers is paramount in our digital 24x7x365 economy.  Designing and adapting the InTP to your unique culture and the changing threat landscape is a vital strategy.

12 November 2016

Exponential Innovation: Systems Risk with Beneficiaries...

When you have the opportunity to watch or attend TED, how does it make you feel?  Do you get the sense that the person behind the story, the idea, the innovation, is more genuine and sincere?

What about those advocating for "Exponential" change?  Individuals and organizations that have made the leap beyond incremental change and invention and are on to the concept of "Exponential Innovation".  The xPrize Foundation is a perfect example.

How can big ideas, bold inventions and people with exponential thinking accelerate their cause, advocate their blueprint or design a creative new alternative?  They need a system.  A model and community platform for ingesting ideas, testing prototypes, adapting designs and fostering continuous experimentation.

Why do you need a new system in your organization?  Let us start with some simple mathematics.  Multiply the number of people in your organization x 2.  Now think about the number of products, initiatives or major changes that you successfully implemented over the course of the last 12 months.  How many?

It is a safe estimate that each of your employees has at least two new ideas or bold ways to improve or change a product or process in your organization each working day.  500 employees x 2 ideas per day x 250 working days = 250,000 potential ideas, changes or exponential innovations.  How did you capture these and utilize a system to capitalize on them, for your organization and those you serve?

What does this new innovation system have to do with Operational Risk Management (ORM)?

The Operational Risks associated with an organizational system for capturing, nurturing and producing newfound Intellectual Capital are vast.  The goal, however, is to simultaneously accelerate, share and produce collective thought leadership within the greater public-private community.  This in itself creates new challenges in minimizing the potential for significant losses and external risk events.

Across all the domains for "Exponential Innovation" from Healthcare, Space Travel, Artificial Intelligence and Ocean studies to name a few, lies one of the greatest barriers to our ultimate progress.  Adapting to the ecosystem of people utilizing the product or service.

Total immersion in the marketplace or with the customer, the beneficiary of the new product, service or invention, is a significant factor for future success.  The single factor of time, being embedded with the actual end user, recipient or beneficiaries of the newfound innovation, is directly proportional to the Operational Risk exposures.

Think about it.  When was the last time your CEO or chosen leader was embedded with the customer for more than a few hours or a day?  How often is the scientist, designer or engineer using the product or system side-by-side the beneficiary?  Not often enough or long enough.

Sure, we have all heard the mantra about "Managing by Walking Around" for decades, yet why do we continue to see the outcomes of this failure at well-managed companies such as Wells Fargo and Samsung?  Operational Risk Management (ORM) shall be a component of any major initiative and a necessary competency in any dangerous or high-risk environment.

From the decks of aircraft carriers to the trading floors of Wall Street, and from the test trials of new pharmaceuticals to the Yottabytes of data across the Internet, Operational Risk Management (ORM) is more relevant than ever on an exponential scale.  Just ask Elon Musk, Warren Buffett, Bill Gates or Ash Carter what they think...

06 November 2016

Internet Hurricanes: Resilient Trust Decisions into the Future...

"Trust Decisions" are made in nanoseconds as a human being.  Your past experiences, data stored in your brain from sensory collection and a clear understanding of the rules and the consequences, assists you in your decision to trust.  To trust someone or some thing.

The science and the research on the process and systemic nature of how TrustDecisions occur, are ongoing.  Humans have for decades designed machines and software to mimic and replace our own decision making process.  It has been replaced with a foundation now found in semiconductors, artificial memory, databases, fiber optics, neural nets and 5G wireless networks.

Even deeper, trust decisions are now embedded in software code: the machine languages that have created our ability to use the entire Information and Communications Technology (ICT) infrastructure to our advantage, while simultaneously creating a tremendous vulnerability and opportunity for systemic risk.  Our Critical Infrastructure Sectors are forever integrated with the increasing complexity and intelligence of our man-made machines.

The Fourth Industrial Revolution is upon us:

With significant growth in IoT and the cloud, machine learning and big data are becoming ever more important as a significant amount of previously untapped data are collected, assessed and digitized. These newly available data provide billions of dollars to potential businesses that can quickly and effectively evaluate the data.  Additionally, the International Data Corporation (IDC) forecasts global spending on cognitive systems will reach nearly $31.3 billion in 2019.   IDC further sees cognitively-enabled solutions that “offer the tools and capabilities to extract and build knowledge bases and knowledge graphs from unstructured and semi-structured information as well as provide predictions, recommendations, and intelligent assistance through the use of machine learning, artificial intelligence, and deep learning”.

So now what?  Only 50% of the population of our Earth is connected at this point in time.  What will happen over the course of the next two decades as the growth curve accelerates?  How, as a corporate enterprise or global organization, will we be able to weather the "Internet Hurricanes" that are ahead of us?

Whether it is a systemic cyber risk event or something worse, the opportunity exists now. We begin the journey by revisiting our Trust Decisions. The rules that have defined us and the rules that our machines are executing on our behalf.

The decisions to trust, that are occurring when our iPhone App utilizes wireless networks and GPS to guide us using Google Maps to our next destination.  The decisions to trust, as the bank debits your checking account and routes the funds to your mortgage company.  The decisions to trust, as the doctor reads the vital signs on the monitors attached to your loved one in the ER.

As Operational Risk Management (ORM) professionals, we must adopt a continuous resilience mindset.  We look at the automation and the benefit of the machine and yet we ask ourselves what if?  What if the battery fails?  What if the connection is lost?  What if the data is corrupted?

There is one idea that has been utilized to address this in an organization.  It begins as an exercise in resilience planning and beyond.  Start with a small team or project group.  Announce in advance that on a certain date and time, an "Internet Hurricane" will hit and a systemic cyber event will last 24 hours.  Could you survive?

This is not a new idea.  Clearly, the exercise for Disaster Recovery Planning (DRP) has other nuances, yet it makes the point.  When was the last time your team was able to operate without access to data from a networked system?  The time has come to prepare for that next digital storm ahead of us.  Will you be ready to operate in an austere environment of your corporate domain without the Internet?

"It is really very simple. In the foreseeable future, we will not function as a global society without the Net and the immense digital resources and information assets of our society. The addiction is established—commerce, government, education, and our neighbors offer no option other than to require that we rely upon digital information in making decisions. But we will not function successfully if the war for control of those assets is lost. The battlefield, however, is the one on which trust is to be gained or lost—trust in the information we use, trust in the infrastructures that support us, and trust in the decisions we make in a digital world."  --Achieving Digital Trust, Jeffrey Ritter