13 April 2024

Corporate Business Survival: 4D | Deter. Detect. Defend. Document.

Critical Infrastructures are those systems and assets, whether Physical or Virtual, that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of those matters.

As ransomware attacks continue to grow, organizations need to improve their security posture to protect against an attack. Better security requires implementing appropriate security controls and ensuring that effective crisis management and employee education are in place.

The landscape of how we work has changed since the onset of the global pandemic. We must assess vulnerabilities in a new way and with increased due diligence.

Our Corporate Critical Assets are "Under Attack".

4D = Deter. Detect. Defend. Document.

"Attackers use Tools to exploit Vulnerabilities. They create an Action on a target that produces an Unauthorized result."

Attackers do this, to obtain their Objective.

LESSON 1- DETER.

  • What corporate critical assets are most valuable in the eyes of your adversary?
  • Increase deterrence with these assets first.
  • MFA / Layered Access. [SMS vs. Authy or Authenticator]
  • Segmented Networks.
  • Data / Network Encryption.
  • People motivated by Financial Gain, Damage/Disruption or the Challenge.

LESSON 2 – DETECT.

  • Detect the use of tools by the Attackers.
  • Some tools are High Tech, others are "Social Engineered".
  • They will discover vulnerabilities in:
      • Design.
      • Implementation.
      • Configuration.

You must continuously detect the use of attackers' methods and tools to exploit your vulnerabilities.

LESSON 3 – DEFEND.

  • Defend the target assets from actions by the attackers.
  • Targets may include people, facilities, accounts, processes, data, devices, networks.
  • Actions against the target that are intended to produce the unauthorized result include:
      • Probe.
      • Spoof.
      • Steal.
      • Delete / Encrypt.

LESSON 4 – DOCUMENT.

  • Document the "Normal" so you know when and where there is an Unauthorized result:
      • Increased Access.
      • Disclosure or Corruption of Information.
      • Denial of Service or Theft of Resources.
  • Continuously document, using a "Collection Management Framework" (logs), and know how to access it for effective Incident Response.
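One way to put the "Document the Normal" lesson into practice, as an added example that is not part of the original post: a small Python script builds a baseline of who normally does what, to which resources and in what daily volume, from a set of constructed access-log lines, then compares new lines against that baseline and reports deviations under the three headings above (increased access, disclosure, denial of service or theft of resources). The log format, user names, paths and the multipliers used as thresholds are all assumptions chosen for illustration.

```python
"""Baseline-and-compare detector over constructed access log lines.

Added example for the "Document the Normal" lesson; not code from the
original post. The log format, principals, paths and thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines, one event per line:
# "<date> <user> <action> <resource> <bytes>"
BASELINE_LOG = [
    "2024-04-01 alice read /finance/q1.xlsx 20480",
    "2024-04-01 alice read /finance/q1.xlsx 20480",
    "2024-04-02 alice write /finance/q1.xlsx 30720",
    "2024-04-02 bob read /hr/roster.csv 4096",
    "2024-04-03 bob read /hr/roster.csv 4096",
    "2024-04-03 alice read /finance/budget.xlsx 51200",
]
REVIEW_LOG = [
    "2024-04-10 alice read /finance/q1.xlsx 20480",
    "2024-04-10 bob admin /hr/roster.csv 0",
    "2024-04-10 alice read /finance/budget.xlsx 5242880",
    "2024-04-10 carol read /finance/q1.xlsx 20480",
    "2024-04-10 bob read /hr/roster.csv 4096",
]

# Multipliers over the documented daily maximum before a day's activity counts
# as an unauthorized result; both values are assumptions for the example.
DISCLOSURE_FACTOR = 10  # bytes moved in one day vs. the baseline daily maximum
RATE_FACTOR = 5         # events in one day vs. the baseline daily maximum


@dataclass
class Baseline:
    """The documented 'normal' for each principal."""
    actions: dict = field(default_factory=lambda: defaultdict(set))
    resources: dict = field(default_factory=lambda: defaultdict(set))
    max_daily_bytes: dict = field(default_factory=lambda: defaultdict(int))
    max_daily_events: dict = field(default_factory=lambda: defaultdict(int))


def parse_line(line):
    date, user, action, resource, nbytes = line.split()
    return date, user, action, resource, int(nbytes)


def daily_totals(lines):
    """Sum bytes and count events per (user, date)."""
    totals = defaultdict(lambda: [0, 0])
    for date, user, _action, _resource, nbytes in map(parse_line, lines):
        totals[(user, date)][0] += nbytes
        totals[(user, date)][1] += 1
    return totals


def build_baseline(lines):
    """Document the normal: who does what, to which resources, and how much per day."""
    base = Baseline()
    for _date, user, action, resource, _nbytes in map(parse_line, lines):
        base.actions[user].add(action)
        base.resources[user].add(resource)
    for (user, _date), (nbytes, events) in daily_totals(lines).items():
        base.max_daily_bytes[user] = max(base.max_daily_bytes[user], nbytes)
        base.max_daily_events[user] = max(base.max_daily_events[user], events)
    return base


def detect(lines, base):
    """Compare new log lines with the baseline; return (user, category, detail) findings."""
    findings = []
    # Increased Access: an unknown principal, a new kind of action, or a new resource.
    for date, user, action, resource, _nbytes in map(parse_line, lines):
        if user not in base.actions:
            findings.append((user, "Increased Access", f"{date}: unknown principal"))
        elif action not in base.actions[user]:
            findings.append((user, "Increased Access", f"{date}: new action {action!r}"))
        elif resource not in base.resources[user]:
            findings.append((user, "Increased Access", f"{date}: new resource {resource}"))
    # Volume and rate deviations per principal per day.
    for (user, date), (nbytes, events) in sorted(daily_totals(lines).items()):
        if user not in base.actions:
            continue  # already reported as an unknown principal above
        if nbytes > DISCLOSURE_FACTOR * base.max_daily_bytes[user]:
            findings.append((user, "Disclosure or Corruption",
                             f"{date}: {nbytes} bytes vs. baseline daily max {base.max_daily_bytes[user]}"))
        if events > RATE_FACTOR * base.max_daily_events[user]:
            findings.append((user, "Denial of Service or Theft of Resources",
                             f"{date}: {events} events vs. baseline daily max {base.max_daily_events[user]}"))
    return findings


if __name__ == "__main__":
    for user, category, detail in detect(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{category:40} {user:8} {detail}")
```

On the constructed data the review log yields three findings: bob's first `admin` action and carol's first appearance are reported as Increased Access, and alice's 5 MB read day, far above her documented daily maximum, is reported as Disclosure or Corruption. The point is the order of operations: the baseline is recorded first, so the deviation is recognizable when it arrives.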

  1. In order to understand how to defend your corporate critical assets, use Red Teams, Bug Bounties or internal testing resources.
  2. Maintain offline, encrypted backups of data and regularly test your backups.
  3. Review Third Party or Managed Service Provider (MSP) policies for maintaining and securing your organization's backups.
  4. Understand that adversaries may exploit the trusted relationships your organization has with third parties and MSPs.

The cost of a cyberattack is often significant for organizations large and small, and we must strengthen responsiveness and reduce behaviors that may open vulnerabilities in the future.

Public Private Partnerships of Critical Infrastructure organizations with CISA.gov and FBI.gov are vital to enhance our National Security...

06 April 2024

Vulnerability: Launching into the Future...

Looking in the rear view mirror from the Spring of 2004, the InfoSec World Conference in Orlando FL was on the calendar.

Our flight from Washington, DC provided just enough time to plan out the sequence of sessions and events to attend in order to explore any new innovations.

At that point, we were only in the first decade of our "Information Security" evolution.

"Before “The Cloud”. Before IT standards could truly grasp the spectrum of sophisticated exploits that were soon to be developed by other Nation States."

The guidelines and metrics developed that year by the Yankee Group were derived from The Laws of Vulnerabilities research, authored by Gerhard Eschelbeck, CTO of Qualys.

The Dynamic Best Practices in Vulnerability Management are based on key findings from The Laws of Vulnerabilities:

>>Half-Life: The half-life identifies the length of time it takes users to patch half of their systems, reducing their window of exposure. The half-life of critical vulnerabilities for external systems is 21 days and for internal systems is 62 days. This number doubles with lowering degrees of severity.

>>Prevalence: 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. In other words, there is a constant flow of new critical vulnerabilities to manage.

>>Persistence: The lifespan of some vulnerabilities and worms is unlimited. In fact, the research shows significant spikes in the occurrence of Blaster and Nachi worm infections in 2004, months after they originally appeared.

>>Exploitation: The vulnerability-to-exploit cycle is shrinking faster than the remediation cycle. 80 percent of worms and automated exploits are targeting the first two half-life periods of critical vulnerabilities.

The best practices apply vulnerability management as the one solution IT can count on to measure and manage the effectiveness of a network defense program.

"Performing regular security audits is a vital step companies must take to keep up with the changing security landscape," said Eric Ogren, Senior Analyst at the Yankee Group. "With each new breed of attack, it is clear that best practices in IT security must be achieved for organizations to effectively protect critical network assets."

Based on these Laws, the Yankee Group defines four dynamic best practices for vulnerability management as:

1. Classify: Enterprises should identify and categorize all network resources. They should classify these resources into categories and tier a hierarchy of assets by value to the business. Critical assets should be audited every 5 to 10 days to identify vulnerabilities and protect against exploits. Based on hierarchical priority, lower category assets can be scanned less frequently as the work plans to patch will also be less frequent.

2. Integrate: To improve effectiveness of various security technologies such as server and desktop discovery systems, patch management systems, and upgrade services, enterprises must integrate with vulnerability management technologies. Best practice organizations should also report on operational progress against vulnerability goals to raise the level of awareness for security within the executive management team.

3. Measure: Enterprises need to measure their networks against the half-life curve and persistence curves of vulnerabilities. Graphically track the percentage of vulnerabilities mitigated within each 30-day cycle and the number of vulnerabilities that extend past 180 days. Chart the security team's performance to make sure the end result is risk reduction, especially to critical assets.

4. Audit: Security officers should utilize the results of vulnerability scans to understand a corporation's network security posture. Use the metrics to evaluate successes and failures of different policies to improve security performance. Use audit metrics to communicate security status to senior management.
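The "Measure" practice above becomes concrete once the metrics are actually computed from a vulnerability register. The following Python is an added example, not code from the Yankee Group, Qualys or the original post: it encodes the half-life figures from the Laws (21 days for external systems, 62 for internal, doubling with each lower degree of severity), then measures a constructed set of vulnerability records against them, reporting the observed half-life, the fraction remediated within a 30-day cycle, what the curve predicts for that cycle, and the items open past 180 days. The record layout, the sample vulnerabilities and the as-of date are constructed.

```python
"""Measure a vulnerability register against the half-life curve.

Added example for the Laws of Vulnerabilities / Dynamic Best Practices above.
The record layout, sample vulnerabilities and as-of date are constructed;
only the half-life figures and the 30/180-day cycles come from the text.
"""
from datetime import date

# Half-life of critical vulnerabilities in days, per the Laws quoted above.
HALF_LIFE_DAYS = {"external": 21, "internal": 62}
# Each step down in severity doubles the half-life ("this number doubles").
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed register of external critical findings:
# id, scope, severity, date opened, date closed (None = still open).
VULNS = [
    {"id": "V1", "scope": "external", "severity": "critical", "opened": date(2004, 3, 1), "closed": date(2004, 3, 10)},
    {"id": "V2", "scope": "external", "severity": "critical", "opened": date(2004, 3, 1), "closed": date(2004, 3, 20)},
    {"id": "V3", "scope": "external", "severity": "critical", "opened": date(2004, 3, 5), "closed": date(2004, 3, 26)},
    {"id": "V4", "scope": "external", "severity": "critical", "opened": date(2004, 3, 5), "closed": date(2004, 4, 30)},
    {"id": "V5", "scope": "external", "severity": "critical", "opened": date(2004, 3, 10), "closed": date(2004, 5, 9)},
    {"id": "V6", "scope": "external", "severity": "critical", "opened": date(2004, 3, 10), "closed": None},
    {"id": "V7", "scope": "external", "severity": "critical", "opened": date(2004, 4, 15), "closed": None},
    {"id": "V8", "scope": "external", "severity": "critical", "opened": date(2004, 3, 1), "closed": date(2004, 4, 15)},
]
AS_OF = date(2004, 9, 30)  # constructed reporting date


def expected_half_life(scope, severity):
    """Half-life the Laws predict for this scope and severity, in days."""
    return HALF_LIFE_DAYS[scope] * 2 ** SEVERITY_RANK[severity]


def expected_remaining(days, half_life):
    """Fraction of systems the half-life curve leaves unpatched after `days`."""
    return 0.5 ** (days / half_life)


def age_days(rec, as_of):
    """Days the vulnerability was open (closed records) or has been open (open ones)."""
    return ((rec["closed"] or as_of) - rec["opened"]).days


def observed_half_life(records, as_of):
    """Days it took to remediate half of the records; None if half is not reached yet."""
    closed_ages = sorted(age_days(r, as_of) for r in records if r["closed"])
    needed = (len(records) + 1) // 2  # half, rounded up
    if len(closed_ages) < needed:
        return None
    return closed_ages[needed - 1]


def fraction_remediated_within(records, days, as_of):
    """Share of records closed within `days` (the 30-day cycle metric)."""
    done = sum(1 for r in records if r["closed"] and age_days(r, as_of) <= days)
    return done / len(records)


def open_past(records, days, as_of):
    """Ids still open for longer than `days` (the 180-day persistence metric)."""
    return [r["id"] for r in records if not r["closed"] and age_days(r, as_of) > days]


def measure(records, as_of, scope="external", severity="critical"):
    """Chart one tier of assets against the half-life curve for its scope and severity."""
    h_expected = expected_half_life(scope, severity)
    return {
        "expected_half_life": h_expected,
        "observed_half_life": observed_half_life(records, as_of),
        "remediated_within_30d": fraction_remediated_within(records, 30, as_of),
        "curve_predicts_within_30d": 1 - expected_remaining(30, h_expected),
        "open_past_180d": open_past(records, 180, as_of),
    }


if __name__ == "__main__":
    for key, value in measure(VULNS, AS_OF).items():
        print(f"{key:28} {value}")
```

On the constructed register the observed half-life is 45 days against the 21 the Laws predict for external critical findings, only 37.5% of items were closed within the 30-day cycle where the curve predicts about 63%, and V6 has been open past 180 days. Run per asset tier, the same four numbers are the chart the "Measure" practice asks for.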

The notes written soon after the business trip to this InfoSec World event can still provide us additional vital context today, as we commercialize our travel to Space.

They give us some basis for how over two decades later, the best practices are still very much the same.

Except for this.

Today, "Vulnerability Management" now has the Cloud, Quantum and more powerful AI…

22 March 2024

Enterprise Security Risk Management (ESRM): Be Proactive…

What are the three major questions that most CxO executives and Boards of Directors need to answer when confronting information security issues?

  1. Is your security policy enforced fairly, consistently and legally across the enterprise?
  2. Would our employees, contractors and partners know if a security violation was being committed?
  3. Would they know what to do about it if they did recognize a security violation?

In today’s complex 5G wireless world, threats from global supply chains, nation states or insiders to the information infrastructure of a company or government agency are not static, one-time events.

With new exploits, vulnerabilities, and digital attack tools widely available for download or X-as-a-Service (XaaS), a “complete information security solution” in place today can easily become outdated and incomplete tomorrow.

As a result, a comprehensive security architecture solution must be flexible and dynamic, continuously monitored and updated.

Presently, the news of “Zero-Day” digital-threat events tends to spread through the computer security world in a “grapevine” manner.

Threat information is obtained from specialized websites, e-mail listservs, cyber managed services and countless other informal sources.

This haphazard system is incomplete and therefore raises enterprise security risk management concerns when evaluating the damaging, costly effects of an aggressive, systematic digital event.

A comprehensive security solution requires the careful integration of people, processes, systems and external events that allows correlation and implementation of a “layered” defense coupled with a firm application of risk-management principles.

To fully protect electronic information architectures, an organization needs current intelligence and analysis that allows constant adjustment and fine-tuning of security measures (e.g., firewalls, intrusion-detection systems, virus protection) to effectively defend against a rapidly changing landscape.

Threats and vulnerabilities relating to computer networks, websites and information assets must be addressed before an attack occurs.

Proactive Awareness and the ability to make informed decisions are critical.

So what?

In short, as our global electronic economy plays an increasing role in the private and public sectors, critical infrastructure organizations must take advantage of the resulting new opportunities for growth and gains in efficiency and productivity.

Realizing these gains depends on an organization’s ability to open its information architecture to customers, partners and, in some cases, even competitors.

This heightened exposure creates greater risk and makes an organization a more likely target for attack (e.g., information and monetary theft, business ransomware disruption).

The cost of critical infrastructure failure climbs exponentially in relation to increasing reliance on our integrated systems with partners, subsidiaries and your vital supply chain.

Be proactive…

15 March 2024

OSINT 2: When is it Time?

Wonder why some companies don't have a more proactive OSINT (Open Source Intelligence) operation inside their own institution, looking at and analyzing potential “Threat Intel” across their global domains?

While there are very expensive services that can package up exactly what you are looking for, sometimes it just takes a little more time and the right “Sources.”

You could get a service at x-iDefense or even a wider range of collection capabilities from the likes of x-Cyveillance to assist the in-house OSINT operation.

Throw in some Stratfor, OSAC and one or more variations of Symantec or Qualys or Seerist and you have it mostly covered. Except for one thing.

Plenty of “Gray Matter.” How many qualified analysts do you have on your team?

We might agree that there is more information out there than anyone could possibly imagine accessible with a few clicks and keystrokes.

Yet the easy part is the collection and the filtering or storage. Making any sense of it all with the relevance you seek is the "Holy Grail" for you, today.

Yet that might change tomorrow.

It's the consistent development of a new hypothesis and testing it that determines who will get the next new piece of information ready for OSINT.

And still the question remains. Will this be better kept a secret, or out in the “Wild”?

The argument usually isn't whether the results of the test should be published, it's more about when to publish.

Open Source Intelligence is going to be around for some time to come. The tools are getting even better to find and process massive volumes of information.

Think AI.  Think GPU.

The only real impediment will continue to be those who want to wait and hold on to it, a little longer…

09 March 2024

SPRINT: Folin Lane to Cislunar...

It was the year 1997 and there was another client meeting at the headquarters of Navy Federal Credit Union in Vienna, Virginia.

Traveling through Tysons Corner on Route 7, the Spring colors from Dogwoods were in full bloom. The Navy Federal HQ was tucked away in the woods just a short ride down Chain Bridge Road (123) past Westwood Country Club then a left onto Folin Lane.

The IBM Personal Computer was just now quickly replacing the old CR terminals sitting in the "Teller Windows" at 80+ branches in port locations across the USA and the world.

With NFCU overseas member branches today in Bahrain, Cuba, Greece, Guam, Korea, Italy, Japan, Singapore and Spain, the Internet and the use of banking protocols outside proprietary computing networks was just in its infancy.

Meeting up that early Spring day with NFCU key IT executives and our fellow Noblestar Team of outside Software Quality Assurance (SQA) experts such as David, Gia and Howard, the topic on that day's agenda was automated testing for bugs.

"No not Cicadas. You know, Vulnerabilities. Software Errors. Cracks in the Code."

Places that credit union software systems might be broken, running across the new IBM PCs networked to replace the terminals (CRT) from Annapolis to San Diego to Guantanamo to Italy.

Our innovation then in Software Quality Assurance, was about writing automated scripts that would rapidly test software.

The testing scripts developed by our Team in the SQA software, would help simulate hundreds of real people working at their new IBM PCs doing deposits, transfers and withdrawals as just one example.

Members of our Armed Forces who were NFCU customers (members), were counting on the IT personnel in Vienna, VA to help their branch managers keep their systems up-time-all-the-time, without vulnerabilities to the swarm of growing cyber exploits via the Internet.

So what?

True innovation begins with discovering a problem-set that has high value. Then figuring out if it can be solved quickly. A SPRINT.

To find a real solution to the problem-set that allows for the widget, the software, the process or the vehicle to do its job. What it was designed to do.

Whether it is software running on the IBM PC at the Teller Window at NFCU in Guam in 1977 or the sophisticated cislunar software running on a Space Force Lunar Lander on the Moon in 2024, what matters most?

Our United States' next-generation abilities to use software to more rapidly discover problems and test new versions are even more vital.

Now imagine, humans working with new AI-powered software applications to augment our abilities to discover and rapidly solve new sophisticated problem-sets, a galaxy away.

This is already our SPRINT destiny…

02 March 2024

Critical Infrastructure Protection: Resolve to be Ready...

CxO’s in corporate enterprises are ever more concerned about emergency preparedness and the continuity of their enterprises.

Now that threats to government and business operations are becoming ever more prevalent, organizations must plan for every type of business disruption from hardware and communications failures, to natural disasters, to internal or external acts of terrorism.

Being forced is never as appetizing as being induced to do anything. In order for changes to take place, the environment must reward investments in preparedness and safety.

Consistently the conversations are not about “if” something is going to happen, it is about “where” or “when” it is going to happen.

In order to introduce new changes in process or design that impacts the physical or operational aspects of critical infrastructures (to reduce terrorism risk), it is important to better understand how these change levers can provide the incentives for owners.

Therefore, it is imperative we initiate a proactive hedge against the inevitability of a loss event occurring in the future.

First however, we must understand the character of terrorism risk in critical infrastructure and some of the anti-terrorism tools currently available to help manage that risk.

The recognition by insurers that owners will continue to invest in terrorism risk reduction and building safety with the proper incentives is vital to overall risk management of critical infrastructures. Think “Ransomware” or even Colonial Pipeline.

The assessment of terrorism vulnerability in key structures identified as soft targets can be a key component of the rating of risk for a specific structure.

In order for owners to benefit from the potential of reduced premiums from direct insurers they must be able to demonstrate a combination of risk mitigation measures and programs to help improve the survivability of the infrastructure or to reduce its vulnerability to certain threat profiles.

These need to be exercised on a continuous timetable with extensive documentation, training and reporting.

In order for insurance brokers to accurately represent their buyers' mitigation programs and measures to the direct insurers, they must have a foundation of knowledge about the structure's physical vulnerabilities.

However, even more essential is the understanding of the operational and human attributes of the building that are contributing to the proactive tactics to prevent losses and further exposures to potential terrorism risk.

If this step takes place, the insurers can better evaluate these operational and human elements to determine the value and effectiveness of these tactics so that they can be considered for premium reductions.

The building itself, two miles from The White House, 10 Downing Street or the Eiffel Tower, has little chance of moving outside the high-risk zone for terrorist events.

The only methods for reducing risk exposures are to dramatically impact the operational and human elements of the building to mitigate hazards and increase the survivability of the people and systems that are resident.

As landlords and other interested real estate finance industry partners move towards new standards to mitigate terrorism risk and protect critical infrastructure, the necessity for state-of-the-art tools and systems to mitigate those risks is paramount...

23 February 2024

CERT: Make a Difference in this World...

Since the beginning of time, weather has been unpredictable. So has man.

When was the last time you witnessed the aftermath of a natural disaster?

When was the last time you saw the devastation from the Fateh-110 family of short-range ballistic weapons?

The continuous examples of risks to our world could generally be put into two major categories, 1) those we as humans can control and 2) those natural risks that we can’t control and shall have to live with.

Our spectrum of "Operational Risks" across People, Processes, Systems and External Events is vast and endless.

Where do you as a leader in your organization spend most of your time and resources to try and mitigate risks:

  • Natural Disasters and Weather (External Events)
  • People and Processes

Why?

Do you think that you are able to make a difference with those risks that you might be able to control?

Which is it - A) controlling the weather or B) influencing human behavior. Pick one.

What might happen if we devoted more time and resources to “B”?

How might this investment have a risk reduction impact and reduction in annual loss events to your family, organization, community, college or government?

Complacency or ignorance will continue to plague us and will make the world a more dangerous place to work and live.

Just listen to your own local news for a day. What will you learn?

Now, learn what you might do to make a proactive difference.

This is one great place to begin: Community Emergency Response Team CERT.

Similar to the Community concept, why not apply this just cause of continuous training and learning to a Corporation, a Church, a Synagogue, a Campus, a Club or a Cinema.

“The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.” Albert Einstein

17 February 2024

Antares: Innovation from Country Roads to Cislunar...

It was early February 1971 and three High School best friends consistently car pooled to do a little early morning “Country Roading”, in the white Pontiac LeMans on the way to school.

This was just a circuitous route down tree lined roads and around vast farm lands in the Midwest USA.

We were always set to arrive in the school parking lot, just in time to make it to our locker and then to 1st period before the bell rang.

Our dialogue on Capital Avenue SW and West on Beckley Road quickly turned to the prescience of the Apollo 14 Antares Lunar Lander and its planned descent to the Moon in a few days' time on February 4th.

Country roading this early morning gave us guys a chance to catch up, then map and sketch out where we would rendezvous to watch together the Apollo 14 coverage of Commander Alan Shepard, Command Module Pilot Stuart Roosa and Lunar Module Pilot Ed Mitchell.

Before we as young teenage students ever knew what true innovation was really all about, we were about to see and read about it in the national news.

And little did we anticipate that when you encounter the “ABORT” signal, you sometimes have to just improvise. Test. Improvise. Test.

“After separating from the command module in lunar orbit, the LM Antares had two serious problems. First, the LM computer began getting an ABORT signal from a faulty switch. NASA believed the computer might be getting erroneous readings like this if a tiny ball of solder had shaken loose and was floating between the switch and the contact, closing the circuit. The immediate solution – tapping on the panel next to the switch – did work briefly, but the circuit soon closed again.”

Software engineering and Software Quality Assurance (SQA) is a continuous cycle of development, testing, errors, changes, testing and deployment. The software teams at MIT knew this first hand.

“A second problem occurred during the powered descent, when the LM landing radar failed to lock automatically onto the Moon's surface, depriving the navigation computer of vital information on the vehicle's altitude and vertical descent speed. After the astronauts cycled the landing radar breaker, the unit successfully acquired a signal near 22,000 feet (6,700 m). Mission rules required an abort if the landing radar was out at 10,000 feet (3,000 m), though Shepard might have tried to land without it. With the landing radar, Shepard steered the LM to a landing which was the closest to the intended target of the six missions that landed on the Moon.”

As our United States continues our next generation of the commercial race to the Moon, we can only anticipate future “ABORT” signals. Prototypes. Testing. Innovation.

After so many years working in global places where Software Quality Assurance was mission critical, you finally learn as a professional that it is never finished. It is never perfect.

So what?

Our USA will always be a leader because we have already been there, with humans actually operating on the Moon.

We know what will be challenging and why a hypothesis might end up being changed and adapted.

As our next human race to the Moon continues and our cislunar challenges are encountered, we know that we must continuously improve and innovate.

The same strategy shall also work here for you today on Earth, in your own small town…around your own dinner table each night…

Godspeed!

10 February 2024

Analytic Priorities: Crossing the Digital RubiCON...

The governance of information within the government enterprise or the private sector enterprise remains very much the same. Both are subjected to a myriad of laws to help protect the civil liberties and privacy of U.S. citizens. Yet the data leaks, breaches and lost laptops keep both private sector and government organizations scrambling to cover their mistakes and to keep their adversaries from getting the upper hand. Again, the governance of information is the core capability that must be addressed if we are to have effective homeland security intelligence sharing to defeat the threats to the homeland 100% of the time.

The stakeholders in the information sharing environments will say that they have all the laws they need not only to protect information but also to protect the privacy and liberties of U.S. citizens. What they may not admit is that they do not have the assets within the context of their own organizations to deter, detect, defend and document the threats related to too much information being shared or not enough. These assets are a combination of new technologies, new education and situational awareness training, and the people to staff these respective duties within the enterprise architecture.

Operational Risk Management is a continuous process in the context of our rapidly expanding corporate environments. What is one example? People traveling to emerging markets to explore new business opportunities or new suppliers that will be connected by high speed Internet connections to the supply chain management system. These boundaries of managing operational risk have not only expanded, they have become invisible.

Ru·bi·con
1. a river in N Italy flowing E into the Adriatic

2. Rubicon, to take a decisive, irrevocable step

This "Digital Rubicon" before us, to take on a more "Active Defense" in navigating the risk across international waters of e-commerce, privacy and legal jurisdictions will forever shape our future. The decisions made on what constitutes an adversarial attack in the cyber domain, will not be as easy as the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.

The new digital "Rule Sets" are currently being defined by not only nation states but the "Non-State" actors who dominate a segment of the global digital domains. The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may also work even better in the cyber-centric environment. Corporations are increasingly underestimating the magnitude of the risk or the speed at which it is approaching their front or back door steps.

The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and Wikileaks incidents has everyone on full alert. As the government has outsourced the jobs that would take it too long to execute, or in which the private sector is already the expert, operational risks have begun to soar.

As the private sector tasks morph with the requirements of government you perpetuate the gap for effective risk mitigation and spectacular incidents of failure. Whether it is the failure of people, processes, systems or some other clandestine event doesn't matter. The public-private paradox will continue as long as the two seek some form of symbiosis. The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission critical resource within an unpredictable environment.

Once an organization has determined the vital combination of assets it requires to operate on a daily basis, then it can begin its quest for enabling enterprise resiliency. The problem is, most companies still do not understand these complex relationships within the matrix of their business and therefore remain vulnerable. The only path to gaining that resilient outcome is to finally cross that "Digital Rubicon" and realize that you no longer can control it.

The first step in any remediation program is to admit the problem and to accept the fact that it exists. Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust.

26 January 2024

Operational Risk: Volatility of Change...

What is volatility and how could this be an operational risk in your particular institution or organization?

The threat of "Volatility" depends on what is being measured. The stock price. The return on capital. The key is that you want to reduce volatility in most cases.

It scares some people. Long term investors, employees and customers.

Volatility is the standard deviation of the change in value of a financial instrument with a specific time horizon. It is often used to quantify the risk of the instrument over that time period.

Who likes volatility?

Volatility is often viewed as a negative in that it represents uncertainty and risk.

However, volatility can be good in that if one shorts on the peaks and buys on the lows, one can make money, with greater money coming with greater volatility.

The possibility for money to be made via volatile markets is how short term market players like day traders make money, and is in contrast to the long term investment view of buy and hold.

So volatility is in the "eye of the beholder". The point is that some people thrive on it and others are better off with that smooth and predictable future.

Risk in a financial institution is defined in terms of earnings volatility. Earnings volatility creates the potential for loss. Losses, in turn, need to be funded, and it is the potential for loss that imposes a need for institutions to hold capital in reserve.

This capital provides a balance sheet cushion to absorb losses, without which an institution subjected to large (negative) earnings swings could become insolvent.

How much capital is allocated to Operational Risk is a measurement issue. The decisions an institution makes in managing Operational Risks are not about risk versus return, but risk versus the cost it takes to avoid these threats.

The key determinant of an institution's risk factor against operational failures is not the amount of reserve capital, it is the performance of management.

In fact, in a few spectacular cases of operational failures, incremental capital would have made no difference to the firm's survivability. It comes back to strategy, safety, security and soundness.

How volatile are your earnings? At the end of the day the question is about management controls and measurement. What if your measurements were not earnings, but the number of workplace accidents and acts of violence?

How effective are they at mitigating operational risks in the areas of the institution that can't be insured?

Look at places where "Change" is happening in huge volumes and at a rapid pace and you will know where to begin.

13 January 2024

Trust Decisions: "Lake Anne to Davos"...

The 2024 Annual Meeting of the World Economic Forum (WEF) in Davos Switzerland kicks off January 15-19. Are you traveling this weekend on your way to attend?

The 54th event theme this year is “Rebuilding Trust”.

On Jan 18 at 11:00 CET the session titled “Technology in a Turbulent World” will include CEO panelists from OpenAI, Salesforce, Accenture and Pfizer.

Why?

Flashback to Reston, Virginia in the 2012-2015 time frame, one of the most brilliant people on the topic of trust was across the table asking for relevant feedback.

Over several meetings for coffee at home or near the plaza on “Lake Anne”, together we were reading some of the early drafts of his anticipated book, “Achieving Digital Trust: The New Rules for Business at the Speed of Light”, by Jeffrey Ritter:

“Despite decades of research on organizational trust, behavioral sociology, marketing, artificial intelligence, user interfaces, and human relationships, the vocabulary and tools needed to build digital trust simply do not exist. So, within these pages, I share with you a new portfolio of tools and resources:” (Page 24 / Achieving Digital Trust by Jeffrey Ritter).

The “War on Trust” of information was already on the way in 2012, and yet it was well over a decade since our organization's algorithms had begun exploring the digital universe.

Each night, downloading terabytes of World Wide Web content for client reporting and analysis.

“From the Board Room to our modern day asymmetric battlefield, Jeffrey Ritter’s Achieving Digital Trust will open eyes. It provides us with a reference model that management and software architects have been seeking. The survival of the Internet as we know it is currently at stake. This book provides a look into the transparency of «Trust Decisions» and how ensuring digital truth will shape our global governance for decades to come.” Peter L. Higgins, Managing Director & Chief Risk Officer, 1SecureAudit

And next week in Davos, the global key topic is “Rebuilding Trust”?

Think about who you have trusted in your life. How did it begin? Why does it last?

You just never forget sitting across the table from someone you actually trust.

Talking together face-to-face about topics of interest or working on a new innovative solution to a problem-set for all mankind.

Picture it. Looking at each other in the eyes and asking them: Why do you believe it?

  • One person is a high IQ, highly educated international lawyer and Oxford professor on the evolution of the Internet.
  • One person is from a small town and a college graduate / athlete, who started in business at the digital dawn, years before the Internet was born.

As we mutually reflect on the past, and imagine the future of our world on Earth as we continue to explore our Moon and beyond, we shall always remember.

At the 2015 World Economic Forum in Davos, Marc Benioff, the CEO of Salesforce observed:

“The digital revolution needs a trust revolution. There has been an incredible shift in the technology industry. . . . We’ve gone from systems of record to systems of engagement and now we are about to move into a world of systems of intelligence. But none of these will retain form or have referential integrity unless the customers trust them. Trust is a serious problem. The reality is that we all have to step up and get to another level of openness and transparency.” (Page 32 / Achieving Digital Trust)

Godspeed!

05 January 2024

Global Risk Economy: Follow the Money...

Operational Risk in the global economy is migrating to places that 10 years ago would not have been easily forecasted.

New countries, financial institutions and software technologies have changed the playing field for our risk management executives.

Why is this happening?

One example is the movement of employment to more emerging markets where corporate tax rates are lower and the supply of talented workers with specific skill sets is prevalent.

The simple movement of people and systems to those new countries creates newfound risks that may not have been as pervasive in the past for the institution.

Another example is the evolution of new computing platform paradigms such as the emergence of "The Cloud" or “Infrastructure-as-a-Service".

This outsourced IT model not only provides economy of scale in terms of just-in-time computing power, but also more economical licensing models.

Operational Risk within the confines of the global workplace will continue to follow whichever countries are attractive and wherever these people and systems are now operating from.

Along with this migration of responsibilities for vital corporate processes to other cultures and countries come the risks associated with a potential lack of safeguards, both legally and in the physical protection of key corporate assets.

In the United States, our “True International Economy" explains why there are tens of millions of employees now working for US-based corporations outside the country.

Once you have accepted this fact, your personal risk mindset may also change.

How many U.S. organizations have now moved their Corporate Headquarters to Dublin?

How many American companies now have personnel in foreign countries reviewing online “Social Media” content with the assistance of AI?

"You may have heard the phrase 'Follow The Money' in several contexts in the past."

Whether it was the Watergate investigations in the 1970s or now, in the 2020s, the new “Global War in Space”.

The real-time tracking of where money flows can be a core indicator of where Operational Risk managers need to keep their radar focused and on high alert.

Operational Risk Management (ORM) in the next decade will take on a whole new international meaning and significance beyond what it has today.

The risks associated with people, processes, systems and external events will become even more exponential…