22 October 2017

Threat Management Team: Preemptive Risk Strategy....

The Corporate Threat Management Team (TMT) has been busy this past year and your employees are consistently seeing new and startling behavior beginning to emerge. These small and versatile task forces within corporate Operational Risk committee members include the Chief Security Officer, Human Resources (EAP), Ethics & Compliance, General Counsel and Chief Information Officer or Privacy Officer.

Assessment of threats in the workplace that include violence, sabotage, financial fraud, homicide or suicide are growing in the current economic environment and the Board of Directors are on alert. The Board has a daunting responsibility to provide the enterprise stakeholders:
  • Duty to Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
Threat assessment is a legal responsibility by corporate management and directors but this is not anything new per se. What may be trending upwards and at an alarming rate is the litigation associated with "Insider Threats."   Just ask Dr. Larry Barton about the subject of corporate threat assessment:
"Despite sound recruitment practices, any employer may encounter situations in which colleagues are worried about their safety because of the actions or statements made by a co-worker. The person at risk could be a current employee, former associate/contractor, disgruntled customer, investor or other person who makes or constitutes a threat to your most vital resource - your human capital."
This (Threat Assessment) approach employs strategies that have been successful in a variety of situations, including:
  • an associate being stalked by a spouse or former partner
  • an employee who states that he or she is experiencing significant mental deterioration or who has thoughts of self-harm or homicide
  • altercations between co-workers and/or with a supervisor that are escalating in tone and severity
  • serious changes in attitude and performance with known or suspected substance abuse factors
  • social networking, blog and other means of electronically threatening an individual or team
Having personally witnessed Dr. Barton's methods and approaches, the science and his applications are sound. The strategy for implementation is based upon several decades of experience and encompasses the legal framework necessary to sustain the scrutiny of law enforcement and the courts.

The actions that are utilized to address a growing threat by a person in the workplace takes a dedicated team, with the right tools and information at their fingertips. Making split second decisions based upon a lack of documented evidence, protocol failure to a set of written policies or just the wrong timing can open the doors for substantial and costly plaintiff suits.

Achieving a Defensible Standard of Care in the reality of today's volatile enterprises requires a sound governance strategy execution combined with new resources and tools to properly prepare for those almost certain legal challenges. Combining effective "BioPsychoSocial" subject matter expertise, along with the right people from legal, security, investigations, internal audit or corporate risk management can produce successful outcomes for "At Risk" employees and the entire enterprise.

This brings us to the next point regarding how a particular employee was allowed to get to the point of "No Return" in the workplace. Put on your thinking caps for a few minutes.

Whenever you have a Threat Management Team assembling to interdict a serious danger to the company, you immediately start to converge on the motive or reason why the person has or is acting against company policy or behaving in a threatening manner. It's natural to do so, as most people want to know what's causing the issue. Be careful. What seems to be the cause is only known as the "Proximate Cause." Do you really understand the "Root Cause" of the failure of people, processes, systems or some external events?

The analysis, investigation, documentation and presentation on what happened and why is the hard stuff. Getting to the "Truth" and getting answers to the "Root Cause" requires another team of specialty practitioners. These independent, outside risk advisory professionals should not be from any current or existing corporate supplier, auditor or management consultant. They truly need to be the independent, unbiased and diligent entity to discover the truth and to document the root cause of the incident. The goal is to eliminate the future threat and to mitigate any risks that may still be "lying in wait."

Corporate Management and Boards of Directors must continue to move to the left of the proximate cause on the risk management spectrum to be preemptive, proactive and preventive.

27 March 2017

Privacy Law: Scanning the Legal Horizon...

As our new knowledge-based organizations begin the startup phase, the thought of all of the implications of collecting and storing information may be secondary to raising capital.  However, once you have the core team in place and the business begins to scale, maybe it is time to look over the horizon.

Once you have reached the point in your companies growth curve to consider the hiring of a CFO and even an outside "General Counsel", the regulatory engine must be established within the enterprise.  Today, even the CISO in any major business across the United States has been challenged by rapidly changing digital privacy laws the past two years.

Especially in California, the CalECPA went into effect January 1, 2016 and in general is focused on law enforcement:
The landmark California Electronic Communications Privacy Act bars any state law enforcement agency or other investigative entity from compelling a business to turn over any metadata or digital communications—including emails, texts, documents stored in the cloud—without a warrant. It also requires a warrant to track the location of electronic devices like mobile phones, or to search them.
The simple fact that a company is doing business in the State of California and has employees operating there, puts a significant set of requirements and compliance issues that are top of mind.  This is why you see technology-oriented companies who have their Headquarters based here, developing robust guides for working within federal and state privacy laws.

A "Chief Information Security Officer" is not only charged with protecting the data within a confidentiality, integrity and assurance framework, but also working in tandem with the General Counsel and a Chief Privacy Officer.  The standards and the laws have significant hurdles that also require prudent Operational Risk Management strategies.

Now take all of this into consideration as your begin to plan for implementing an "Insider Threat Program" (InTP) within your organization.  The addition of a Human Resources component, Chief Information Officer and even perhaps 3rd Party Cloud supply chain vendors will all be in play.

So What?

So what is the legal profession in California focused on these days?  Just take a look at the Agenda for a March 2017 event at Berkeley Law:

Cybersecurity Regulatory Enforcement

New regulators, new laws, and new norms are causing cybersecurity responsibilities to proliferate. This discussion will feature insights on how cybersecurity lawyers navigate the growing thicket of information security rules from the perspective of both companies pursued by the FTC and multinationals operating under different legal regimes. It will consider challenges posed by insider breaches and obligations arising from the General Data Protection Regulation.


Practitioners Panel

Privacy practitioners from leading law firms and major online companies will share insights on how to stay afloat in increasingly turbulent waters.

Privacy Award

BCLT is proud to bestow its annual Privacy Award this year on

Susan Freiwald, University of San Francisco Law School
Nicole Ozer, ACLU of California

in recognition of their leadership in securing passage of CalECPA, which establishes the “gold standard” of a judicial warrant for government access to communications, location data and other information about our daily lives.


Keynote: Too Close for Comfort – AI, Cloud Computing, and Privacy 

Recent advances in artificial intelligence, robots, and machine learning are enabled by big data, digital cameras, and cloud computing. These advances open an enormous Pandora’s box in terms of security and privacy. Groundbreaking AI researcher Ken Goldberg will present potential responses, such as a concept for “Respectful Cameras,” a privacy-preserving system for industrial automation. He will explain why claims of an impending “Singularity” are greatly exaggerated and will propose an alternative, “Multiplicity,” where diverse groups of humans work together with diverse groups of machines to innovate and to solve complex problems.

Government Access

With digital evidence central to an increasing number of criminal and foreign intelligence investigations, government demands for access seem to steadily increase. From varying perspectives, this panel will explore emerging issues in government access to data stored with third parties.

Artificial Intelligence and the Right to an Explanation

The General Data Protection Regulation requires that organizations explain to individuals the logic behind decisions rendered by algorithms. This policy is aligned with growing efforts in the machine learning community to improve the interpretability of outputs. This panel will examine a broad range of efforts to address interpretability and potential biases in complex algorithmic systems.

Consent and Contract under EU Data Protection Law


EU privacy regulation continues to have worldwide relevance, especially affecting U.S.-based companies. This session will examine how consumer data can continue to be collected and used given the different approaches in the EU and U.S. to consensual mechanisms for authorizing personal data processing.


The CISO and the entire team of Operational Risk Management professionals at your organization, should be monitoring and creating new strategies to protect the organization.  Scanning the legal horizon on what the new challenges are and how to prepare, is the sign of a sound business strategy.

19 March 2017

Startup Strategy: Opportunity of Digital Trust in a New Era...

The startup ecosystem of new ideas for SaaS platforms or mission based digital solutions are becoming evermore robust, in our growing economy.  As a result, Operational Risk professionals are more in demand to help new co-founders adapt to the legal, compliance and consumer transparency requirements, that will soon descend upon them.

It makes sense, that when you are starting a new company you first are focused on the product/mission and who the intended market or user will be.  Yet soon after this is defined and the "Go-to-Market" strategy is in place, there is a tremendous amount of Operational Risk design and implementation of internal capabilities, that will be required.  In just Social Media, here is just one example:
"As social networks continue to mature, they increasingly take on roles they may not have anticipated. Moderating graphic imagery and hate speech, working to address trolling and harassment, and dealing with dissemination of fake news puts companies like Facebook and Twitter in powerful societal positions. Now, Facebook has acknowledged yet another challenge: Keeping your data safe from surveillance. That’s harder than it may sound. When you post something publicly on a social network, anyone can view it—including law enforcement or federal agencies."
Since the dawn of the Internet, new startup companies have been developing algorithms and bots to scour the vast landscape of "data oceans" for relevant content.  As public Internet tools, databases and consumer-oriented web sites were developed for even Blogs (Blogger.com) such as this one, other companies were figuring out how to capture the data content in their searchable systems.

Years later, startups developed ways to develop the API as a new product-set, so that other companies could embed and utilize a set of data or capability and have it more integrated with a new set of functionality or service mission.  What is one company in this category focused on Twitter?  Gnip.com:
"PowerTrack provides customers with the ability to filter a data source’s full firehose, and only receive the data that they or their customers are interested in. This is accomplished by applying Gnip’s PowerTrack filtering language to match Tweets based on a wide variety of attributes, including user attributes, geo-location, language, and many others. Using PowerTrack rules to filter a data source ensures that customers receive all of the data, and only the data they need for your app."
So what?

If you are a startup company that is planning on a pledge to your customers to "Keeping your data safe from surveillance," just as the juggernaut Facebook is also currently doing, you have a tremendous amount of work and new processes/systems to get in place.  You are embarking not only on the steep growth curve of adding new customers and revenue; you are simultaneously under the mandate to help achieve a higher level of "Digital Trust" with those same customers.

Developing the policy alone is only the start.  Here is how Twitter is addressing it:

"To be clear: We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement — or any other entity — to use Twitter data for surveillance purposes. Period. The fact that our Public APIs and Gnip data products provide information that people choose to share publicly does not change our policies in this area. And if developers violate our policies, we will take appropriate action, which can include suspension and termination of access to Twitter’s Public APIs and data products."

How Facebook and Twitter and Snapchat or LinkedIn and all of the hundreds of Social Media companies will scale up enforcement, is now the big question.  Maybe they have the deep pockets and resources to build and operate their "Digital Trust" business unit.  What about the new startup with only 6 or 7 figures in the bank from a seed or even "A" round of funding?

The policy implications and new federal laws being drafted in the United States and the European Union may be good indicators of where the future requirements will be defined for a new startup.  In the EU this week, the G20 finance ministers are converging on the topic of "Cyber Crime" soon after a recent indictment:
"Two intelligence agents from Russia, another G20 member, with masterminding the 2014 theft of 500 million Yahoo accounts. The indictment was the first time U.S. authorities have criminally charged Russian spies for cyber offences including for computer fraud, economic espionage, theft of trade secrets, and wire fraud."
How will the new startup who is focused on addressing transparency, privacy, and surveillance now "Enable Digital Trust of  Global Enterprises."  Here is a glimpse from the latest PwC CEO Survey:

"Yet, if forfeiting people’s trust is a sure-fire route to failure, earning their trust is the single biggest enabler of success. As an example, the progression from assisted to augmented to autonomous intelligence depends on how much consumers and regulators trust machines to operate on their own. That, in turn, depends on whether those who create the machines have the right risk and governance structures, the means to verify and validate their claims independently and the mechanisms to engage effectively with stakeholders."

"In short, trust is an opportunity, not just a risk. Many CEOs recognise as much: 64% think the way their firm manages data will be a differentiating factor in future. These CEOs know that prioritising the human experience in a virtual world entails treating customers with integrity."


Welcome to the new era of achieving Digital Trust...

19 February 2017

Problem-Solving: Transparency of Startup Operational Risks...

The lifeblood of an organization is comprised of several key components to sustain and continuously grow the enterprise.  Founders, senior management, engineers, financial and legal subject matter expertise usually comes first.  Then once the minimum viable product or solution is ready for the intended market there is a mad dash to add the sales and business development resources.

Startup mentality that initiates the planning, demand generation and "Go-to-Market" execution for the growth engine have higher Operational Risk exposure.  Many founders and new entrepreneurs who have engineering or operational expertise, underestimate the need for substantial growth engine investment early in the startup timeline.

How many times have you attended "Demo Days" or other such events intended for the startup founders to pitch their new App or service solution, begging for a first customer?  You must recognize that the new Artificial Intelligence interface, the optimized algorithm or the faster encrypted communications is not going to create a new market overnight.

Entrepreneurs require a substantial immersion into the business environment of problem-solving.  It begins with the customer or client who detects that there is an area of risk that needs remediation.  How do you think companies like Symantec and McAfee first started?  The personal computers that were becoming so pervasive were encountering something now called malware.

Solving problems from the customers perspective requires a deep and focused process with the owners, operators and end users.  It requires substantial time being embedded at the customer level or with the people who perform their daily tasks.  You need to understand the risks that the customer is experiencing.

This "Diagnostic-to-Prescriptive" process is not new.  Yet how many times have those "Demo Day" entrepreneurs or "Accelerator" graduates ended their pitch, with a plea for a first customer?  This is a recipe for failure.

How can this be changed or addressed, in order to increase the number of successful new businesses?  What should we be doing to assist these new entrepreneurs in embracing the "Operational Risks" of a customer and inventing a new solution to solve their problems?

The engineers and inventors should embrace the idea of finding customers first, who have real and risk sensitive problems they can solve.  It is not enough to just change an interface, reduce the pricing and copy an App, to do the same general function.  How long will it now take for Snap to begin building their own data centers and infrastructure?

Entrepreneurs that utilize the "Go-to-Market" strategy early in their growth cycle, will simultaneously increase exposure to substantial Operational Risks.  Take that great idea or new "Minimum Viable Product" to an established business in the industry sector you think is going to listen.  Find the right business to adopt you as a problem-solver with this new solution and take the time to learn.

Once you have lived with the same problem across several different businesses, agencies or governments, it might be time to launch the "Go-to-Market" strategy for a single industry sector or country to start.  The learning phase and early adoption of a multitude of business development processes, will establish a more solid foundation for launching the new product / solution.

When you look at Snapchat and its growth cycle, it was not obvious up front, how privacy was going to be such a tremendous risk to the business.  How you can pivot quickly from understanding your customers appetite for transparency, to also provide a robust privacy policy program, is just one way to build a trusted set of repeat customers.
Snapchat Transparency Reports are released twice a year. These reports provide important insight into the volume and nature of governmental requests for Snapchatters' account information and other legal notifications.

04 February 2017

Higher Purpose: A Mission of Trust...

As you walk into that next meeting with another co-worker or even a colleague for a coffee catch-up, pause and reflect.  Think about how you could (1) make this encounter not only productive and (2) simultaneously enhance the relationship of trust.

All too often we are focused on getting something of value from the meeting.  We are blinded by the purpose of the meeting or have preconceived ideas on how the time together will be of value, or a waste of time.  Now think differently.

A true professional in any business, unit, agency or organization is there to "Build Trust".  The day-to-day or hour-to-hour interactions you have with others is vital.  A true professional in any domain, industry or vocation, can aspire to a higher purpose than the normal roles of a stated job description.

One thing is certain when it comes to meeting with other people and the value or outcomes obtained, trust is a major factor in the future outcomes of the relationship.  Have you ever wondered why certain people you meet, take so long to trust you?  How are you going to accomplish your intended purpose working with this superior or subordinate if they don't trust you?  What about that new client or business partner?

At the most fundamental level, the trust gurus and authors have been writing about a spectrum of trust for eons:
Zero Trust >>>>>Trust Exists >>>>>Implicit Trust

From ground zero of your first encounters with another person, your goal is to move towards a point on the spectrum where "Trust Exists".  Then your goal is to keep moving to the right and towards a place of "Implicit Trust".  This is when you don't even think about it anymore.  How many people do you know where this is the case, even within your own family?

So what?

As an Operational Risk professional, velocity is everything.  Yet you already know that uncontrolled velocity alone can be fatal.  The risk factors associated with business, government or the manufacturing process of a highly engineered electronic component are always present.  Always changing.  Creating new obstacles or new harm.  In our current state, 24x7x365 pervasively connected society, the trust factors are even more important and vital to moving towards "Implicit Trust".

Here are a few examples in the news this past year, where Operational Risk Management (ORM) was a factor:
Samsung Galaxy Note 7

On 2 September 2016, Samsung suspended sales of the Galaxy Note 7 and announced an informal recall, after it was found that a manufacturing defect in the phones' batteries had caused some of them to generate excessive heat, resulting in fires and explosions. A formal U.S. recall was announced on 15 September 2016.
Yahoo

When Yahoo said on Thursday that data from at least 500 million user accounts had been hacked, it wasn't just admitting to a huge failing in data security -- it was admitting to the biggest hack the world has ever seen.

Until Thursday, the previous largest known hack was the 2008 breach that hit almost 360 million MySpace accounts, according to a ranking by the "Have I been pwned" website. Like the Yahoo breach, the hack was only publicly disclosed this year after data was offered on a hacker forum.
National Healthcare Fraud

Attorney General Loretta E. Lynch and Department of Health and Human Services (HHS) Secretary Sylvia Mathews Burwell announced today an unprecedented nationwide sweep led by the Medicare Fraud Strike Force in 36 federal districts, resulting in criminal and civil charges against 301 individuals, including 61 doctors, nurses and other licensed medical professionals, for their alleged participation in health care fraud schemes involving approximately $900 million in false billings.
National Security Agency

A federal contractor suspected in the leak of powerful National Security Agency hacking tools has been arrested and charged with stealing classified information from the U.S. government, according to court records and U.S. officials familiar with the case.

In each one of these few example cases, relationships between people started with a meeting encounter.  Over time, the product, service or personal relationship outcomes involved a failure of people, processes, systems or external events.  The core components of Operational Risk Management (ORM).

Raising the level of trust across personal, business or government encounters is only possible, with effective "TrustDecisions".  The Decisions to Trust another person, product or service have several elements.  These are vital for the mission to grow towards "Implicit Trust" and simultaneously with the safety and security necessary to reduce the risk of failure.

The Mission

The mission as a co-founder of a new startup or the CEO of a Global 500 is to ensure the survival of the organization. We all know the failure rate for new companies. Just ask Dun & Bradstreet for the statistics or even your local Venture Capitalist who is celebrating failures these days. So beyond just the survival of the organization, is the imperative to establish a cultural and operating environment where people feel encouraged, creative and unencumbered to fulfill their job requirements and goals.

The Take Away

Operational Risks are inherent in any new or established business endeavor. The earlier the Operational Risk Management (ORM) design begins in the trusted relationship evolution, the more resilient you will ultimately become. The framework of the system-of-systems, the look and feel of the cultural environment and the end state visions are all at stake. Take the time and include the expertise to work on the "TrustDecisions" foundation of your enterprise.

Ensure the survivability of the new products or service solutions, that are so valuable to our economy and our nation.  Embrace Operational Risk Management early in your relationships and allow it's presence while it preserves all that you have worked for and dreamed of...

31 December 2016

2017: Navigating to Digital Trust...

Looking into the 2016 Operational Risk Management (ORM) rear view mirror, you may be asking yourself several questions.  How many significant losses have occurred this past year, from the failed people, processes, systems or external events in your organization?

You could be asking your team why you have yet to become the target of our adversaries also known as COZYBEAR, APT28 or APT29, CloudDuke, or even Energetic Bear.  If you don't know who these are, then you probably already are "owned" by this adversary.  It may finally be a priority, to become a participant in the "Automated Indicator Sharing" (AIS) initiative.

Where are you navigating to in 2017?

As we look across the vast landscape of our rapidly changing business and government domains, there is no turning back.  There is no ability to retreat or to acquiesce, in a world so full of continuous Operational Risk.

There is no certainty.  There is no true assurance.  There is only the ability to solve problems faster than your adversary or competition.  Some may call this resilience.

Therefore, the direction you take will forever shape your continued exposure to risks and your strategy for opportunities, that you do have control over.  It is a choice and the questions by the Board of Directors, the Plaintiff Bar or the U.S. Attorney, are not going to be the most difficult ones to answer.

In 2017, any major influential organization will be getting more transparent.  The metrics and the formulas (think mathematical algorithms) for counting and creating wealth will be further disclosed, the rules will change faster and more transparently.  Buyers and Sellers of digital content and intelligence, will increase their levels of "Digital Trust".

How will these parties, partners and participants in a vast and exponentially expanding ocean of digital rules become more trustworthy?  They will begin to better understand the DNA of their respective TrustDecisions.

The constituents of organizations, countries and ICT (Information, Communications & Technology) entities will finally realize that transparency of the rules is a vital step to trustworthiness.  Better understanding the "Rules for Composing Rules" is a place to start.  Jeffrey Ritter is the visionary on this topic:
To be part of the disruption, any business must look in two directions—toward the companies that supply digital information to them, and toward the companies with whom their own digital assets are shared. To succeed in creating wealth, and enriching the trust that exists throughout a company’s ecosystem, companies must evaluate how they can be more transparent with their information suppliers, and what levels of transparency to demand from those companies who are outbound recipients. What are the right metrics to show how data or content (like videos) are performing? How will the reporting occur? Are the economic exchanges properly balanced by the value of the data being shared?
The negotiations have been in progress for days, months and years.  The question remains; where are you navigating to in 2017 and beyond?  What resources will you require to get you to your planned destination?  How will you adapt along the way, as the environment you are operating in changes?

To survive the journey to your intended destination in 2017, will require bold new thinking.  It will be necessary to make many sacrifices along the way, to your intended destination.  On the ground, or in a virtual domain.  The solution-sets that you utilize, will require new entities (change agents) to be even more effective in solving problems that arise.

These new entities (human and digital), that will solve problems more efficiently and effectively with you, are ready now.  So what will you do next to adopt, embrace, espouse, endure, tolerate, and even endure the journey ahead?

May your exploration and travels in 2017 produce the intended outcomes.  We wish you a productive and Happy New Year!

17 December 2016

Sprint: Accelerating into the Unknown...

"If you want to go fast, go alone.  If you want to go far, go together"...
  --African Proverb
When you or your organization makes the decision to trust a market, a client, a solution and a model for business; there has already been an adaptive process.  The Operational Risks that you take as an entrepreneur, a designer, a software developer, a financier and the delivery mechanism are continuously changing.  People, Process, Systems and External Events.

You started this project to solve a large problem.  A big issue in a market or with an industry.  The "World's Most Innovative Companies" have been following a proven formula for decades.  What is their secret Intellectual Property?

In the R & D sections of the Defense Industrial Base or the Information, Communications and Technology (ICT) sector, the lights are never turned off.  The competitive world we live in requires that the proven process runs, finishes and repeats.  Then it is replicated across business units, departments and subsidiaries in other countries.

What if you are now testing new ideas to save lives or reduce potential harm to a small team or even the public at large.  What if you will be introducing your solution to a highly regulated market with a long process for government approvals?  What if the current bureaucratic overhead to accelerate your ideas prevents you from achieving the trust you require with your beneficiaries?  Answer:  You pivot to this 5 Step Process:
  • Map
  • Sketch
  • Decide
  • Prototype
  • Test
Five simple steps accomplished over the course of five days may seem easy.  It isn't.  The process for solving big problems and getting to a place where a financier is going to fund your project, is really difficult.  It requires perseverance and an insatiable desire to achieve outcomes that you and your team know can work.  That will improve the odds of survival.  Here is just one example, of a Map for a "Universal Communication Service" device problem-set:

TrustDecisions | Digital Reasoning | All Rights Reserved.
When you start the process with the Strategy, Voice of the Beneficiary, Subject Matter Experts and pieces of previous efforts by creating a "Map",  your overall risk factors start to become more apparent.  By stimulating the visual elements of the human brains capacity for creative inspiration, you begin to see all the possibilities and also the challenges ahead.

Next, you start with the target beneficiaries perspective, by starting with the end (outcomes) in mind.  A "Backwards from Perfect" process or variation that seeks to understand and answers the question, Will the beneficiaries of the solution, trust our expertise?  Will they utilize this solution?

The human imagination is endless.  Rarely does it flourish when you want it to.  So be careful to plan for the fact, that the best ideas and new breakthrough thinking will not happen in the same room with all of the stakeholders, looking at a Map or a Sketch.  It just might happen as one of the participants is in the shower on Day 3, or taking an evening walk after dinner, with a colleague on Day 4.

So what?

The questions asked and process delivered, is vital to any organization who is solving big problems.  Solving problems are only finally accomplished, when the beneficiary says so.  When the market accepts the solution or the human using the tool achieves enough trust in it, to use it again and again.  When the point in time arrives that the solution is verified and desired by enough people, then perhaps the problem has been sufficiently solved.

Until the next human decides to improve on it.  Or the next human believes there is a better way.  Or the environment that the solution was designed for, changes dramatically.  Now it may be time to get back into that room down the hall, with all the White Boards, Post-it Notes, Markers, Timers and some Healthy Snacks.

What does the unknown future look like?  At dawn, just early enough to know it is time to move forward faster than your opposition...

Begin Morning Nautical Twilight


The start of that period where, in good conditions and in the absence of other illumination, enough light is available to identify the general outlines of ground objects and conduct limited military operations. Light intensification devices are still effective and may have enhanced capabilities. At this time, the sun is 12 degrees below the eastern horizon. Also called BMNT...

11 December 2016

CIU: Corporate Intelligence Unit...

Over six years later approaching 2017, Operational Risk Management (ORM) professionals are experiencing the "New Normal."   In a 2010 CSO Magazine sponsored eCrime Digital Watch Report and survey of 535 companies there are some observations on Operational Risk Management worth examination.

This CERT report the same year was focused on the "Insider Threat" and the area of concern is still on "Digital Incidents by Insiders."  Seven years later, these numbers have only increased:
  • Past 12 months the number of incidents reported increased 16%
  • The per incident monetary loss (mean) was $394,700.00
Yet these two items are just the trend these days as our global work place becomes more mobile and stratified using more partners, offshore suppliers and other 3rd parties to accomplish the daily tasks and workloads. What is even more alarming are the following stats from the survey:
  • 72% of the incidents were handled internally without any legal action or law enforcement.
  • 29% of these incidents could not identify a subject responsible for committing a crime.
  • 35% of these incidents could not proceed due to a lack of evidence.
Interpreting these numbers prompts several questions worth discovering. First, why were 28% of the incidents handled with some form of legal action or law enforcement? One of two reasons that we can surmise. The incident was exposed to the public as a result of the magnitude or harm that was caused by the incident. The organization was prepared to capture evidence, properly investigate the incident and pursue a recovery of the loss either in a civil or criminal process of law.

Second, why were 35% of the incidents unable to proceed due to a lack of evidence? The organization may be lazy or apathetic to these loss events or may have an insurance policy that covers these types of losses and was able to successfully recover the almost $400,000.00 incident average through this process.

Or, the organization is not capable of leveraging a sound "Digital Governance" and "Legal Policy" framework in order to properly investigate incidents that come from their own internal work place ecosystem of employees, partners, suppliers and other 3rd parties.

In order to gain "Strategic Insight" into these vital Operational Risk matters within the enterprise the organization must establish an intelligence-led investigation. Once the proper evidence collection and analysis is completed on the incident then members of a corporate crisis team or threat management council can make more informed decisions. That brings us to the final question. Why in 71% of the incidents was a subject not identified as being responsible?
The answer to this question has much to do with the previous one where there was a lack of evidence. However, our hunch is that many of these insider incidents were the result of an employee error, mistake or unintended consequences. The lost or stolen laptop from the unlocked car may fill some of this category.

Why would it be in the best legal interest of an organization to have a robust evidence collection capability supported by a sound "Policy Governance and "Legal Framework"?
  • Duty of Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
This blog has touched upon these four vital areas of vulnerability to adversarial litigation in the past because we know that whether you ask these questions internally or the state's Attorney General and the FBI ask these questions the answers must be discovered:
  1. What did you know?
  2. When did you know it?
  3. What are you doing about it?
While the number of loss events due to errors or omissions and many times due to a lack of proper training and awareness programs is growing, so are the incidents as a result of the insider threat from:
  • Fraud
  • Sabotage
  • Espionage
  • Trade Secrets Theft
The modern day enterprise with preemptive, robust and collaborative law enforcement mechanisms in place has accepted the reality of the threat perspectives in their workplace ecosystem:
  • Some individuals who make threats ultimately pose threats.
  • Many individuals who make threats do not pose threats.
  • Some individuals who pose threats never make threats.
Make sure you read those a few times. As a result of the reality that the workplace ecosystem is an evolving, dynamic and rapidly changing set of human elements, behaviors and motivations the justification for creating more "Strategic Insight" is a necessary mitigation strategy. There is a growing trend today for these enlightened organizations to create and effectively provide the resources for a corporate threat management team. This team is comprised of a spectrum of members that span the digital to physical domains within the company. This includes the Chief Risk Officer, General Counsel, Internal Audit, Public Relations, Human Resources, Corporate Security and Information Technology.

In another less formal survey by Dr. Larry Barton of 630 employers the question was raised on the employee communication channel that caused the company to act on a risk. 38% were through a digital messaging medium such as e-mail, text messages and blogs or social networking sites. The ability to monitor over one third of employee communication channels remains a daunting task to this day.

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU with effective processes and procedures that provides a push / pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "DecisionAdvantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistle blower report, catch the attacker and/or they have the evidence that you were a victim.

What side of the incident spectrum you are on, either proactive or reactive could mean the difference on whether the attackers continue their schemes and attacks while continuously targeting those with the greatest vulnerabilities. In some cases, those attackers include the plaintiff bar and your evidence of "Duty of Care" is the bulls eye.

20 November 2016

Intuition: Security in a World Without Borders...

"Technology is not going to save us.  Our computers, our tools, our machines are not enough.  We have to rely on our intuition, our true being."  --Joseph Campbell

On a crisp Fall morning, one week after the U.S. National Election we were lining up outside the Harry S. Truman Building outside the United States Department of State.  The Bureau of Diplomatic Security - Overseas Security Advisory Council was hosting it's 31st Annual Briefing.

This years briefing was focused on "Security in a World Without Borders" and as we passed through our ID check and screening, the anticipation was high.  It's private sector constituents from the Fortune Global 500 to the small U.S.-based professional services firm had one key similarity.

Leaders in attendance recognize that their business is integrated forever with a exponentially expanding system of interconnected machines.  CxO's across the globe are competing for business in the era of "The Fourth Industrial Revolution" where the vulnerabilities extend beyond the Critical Assets of the enterprise.

This years keynote address was by Richard Davis, CEO of U.S. Bancorp.  His talk was heartfelt by many as he recounted his rise from the days at the branch level securing the vault.  Now he emphasized most of his effort was focused on Operational Risk Management (ORM).  Data, Identities and Distributed Denial of Service (DDoS) were on his mind everyday now.

Beyond the threats of a Post-ISIL Levant and operating in a world of Transnational Organized Crime, the room was almost full on Day 2 for this 10:45AM panel discussion:  "Developing an Insider Threat Program" and was moderated by Elena Kim-Mitchell, ODNI.

The OSAC participants on the panel were:
  • Roccie S., Capital One | Financial
  • Stanley B., Rolls-Royce North America | Defense Industrial Base
  • Joseph L., Southern Company | Energy
Each of these experts described the high-level architecture of their respective organizations design and approach to an "Insider Threat Program" (InTP) and they had consensus on one key element.

The "Human Factor".  The point that they all wanted to insure the audience understood clearly, is that all of the analytics software, data loss prevention (DLP) tools and sophisticated technology was not going to stop a determined and motivated adversary.

So what?

Your intuitive abilities as a human shall not be ignored or discounted.  How many times have you said to yourself, "I knew something wasn't right with that person".  In fact, many times we are alerted to the anomalous behavior of a co-worker because we have the human-factors of intuition that is working 24x7 in our brains.

Gavin de Becker has said it best in his book "The Gift of Fear," yet we must not forget that behavior is something that can be applied to everyone:
  • We seek connection with others.
  • We are saddened by loss and try to avoid it.
  • We dislike rejection.
  • We like recognition and attention.
  • We will do more to avoid pain then we will do to seek pleasure.
  • We dislike ridicule and embarrassment.
  • We care what others think of us.
  • We seek a degree of control over our lives.
As our software systems learn and we begin to rely more often on the algorithms to recognize, translate and predict, we must not lose sight of our human intuition.  Do you have it?  Yes.  Are you using it more often and more effectively?  We hope you will be.

How often have we all said, the signs were there.  How many times are the clear and present indicators in the workplace being ignored?  A organizations "Duty of Care" is continuously at stake.  Human Factors alone, just as software systems alerts alone will continuously expose the enterprise to significant loss events.  Here is just one example from the Washington Post:

The Pentagon’s Defense Security Service announced this year that contractors will be required to implement programs that are designed “to detect, deter and mitigate insider threats.” Contractors will be required to designate a senior insider threat official to oversee the program and provide training on how best to implement it.

While many details of the Martin case are not yet known, it is clear that it is not good for Booz Allen to have a second employee charged with stealing secrets from one of its most important customers, officials said.

What is the solution?

Government contractors, private sector businesses and their small and medium enterprises that are within the supply chain ecosystem for products and services, are continuously challenged.  They are under the growing umbrella of a myriad of federal acquisition guidelines.

In addition, various export, civil liberties and privacy laws focused on preserving the integrity and trust of the United States in an international marketplace, are compliance mandates for your global commerce.

New solutions are required as a result of the increasing spectrum of threats from individuals in the workplace, to the cyber nexus infiltrating your trade secrets and theft of intellectual property.

The TrustDecisions “Insider Threat Program” (InTP) has been designed from the ground up with organizations operating in highly regulated “Critical Infrastructure” sectors, including Financial, Energy and the Defense Industrial Base (DIB).

Many companies have already started the establishment of an “Insider Threat Program” (InTP).  Utilizing Subject Matter Experts from TrustDecisions will provide your organization with the confidence and continuous assurance that you stay on course.

“Achieving Trust” with employees, clients and suppliers is paramount in our digital 24x7x365 economy.  Designing and adapting the InTP to your unique culture and the changing threat landscape is a vital strategy.

30 October 2016

Legal Risk: Tools for Trusted Governance...

One of the reasons that the United States has endured is because of transparency and the rule of law.  There are several key systems in place for corporations, organizations and governments to decide on the rules, publish them, enforce them and provide people with mechanisms for establishing trust in the system.  Operational Risk Management (ORM) as a discipline interfaces with many of them across the globe.

Policies that are not codified in laws are different across states and global jurisdictions.  The rules that people can rely on and have come to trust for hundreds of years, remain the foundation for our modern civil societies.  It is when the rules are ignored, under utilized or forgotten that disruption and chaos can erupt.

A key principle in modern democracies is that the rule of law is known. Statutes, regulations, court decisions, agency deliberations, and even the minutes of Federal Reserve meetings are published and made available. The operating premise is that, if the rules are accessible, civil order and social continuity will be strengthened and the conduct of those violating the rules is more easily prosecuted. The old saying that “Ignorance of the law is no excuse” rests on an important premise—the law must be published and accessible. The Internet has made much of the content of the rule of law even more accessible. Jeffrey Ritter

The country and the jurisdiction is a key component for knowing the law.  It is in the day of the Internet even more accessible.  Building and achieving trust in an organization, company enterprise or governance body has several tools at their disposal to assist them in the enforcement mechanism.  One of those is an independent panel or group of outsiders who are convened to discover evidence.

A Board of Directors is comprised of both individuals inside the company and outside to help guide the organization.  In a private company, this "Board of Directors" make decisions on the evidence of data and make informed decisions to govern the enterprise.  Some of these decisions may involve what products and services to develop or what people should be selected or released from certain duties and responsibilities.

In the public sector, there is another mechanism that can be utilized, A Grand Jury.  The Fifth Amendment to the Constitution of the United States reads, "No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury..."

A grand jury is a legal body that is empowered to conduct official proceedings to investigate potential criminal conduct and to determine whether criminal charges should be brought. A grand jury may compel the production of documents and may compel the sworn testimony of witnesses to appear before it. A grand jury is separate from the courts, which do not preside over its functioning.[1]
What is one example of a notable case where a Grand Jury was used in the process of the rule of law:
The second Watergate grand jury indicted seven lawyers in the White House, including former Attorney General John Mitchell and named President Nixon as a "secret, unindicted, co-conspirator." Despite evading impeachment, Nixon was still required to testify before a grand jury.
An environment of trust includes a vital component of transparent and accessible rules. When there is a reason to discover the truth, we look to the governance factors of those rules. Then we look at the clear evidence, the data to determine the correct course of action in our inquiry.  A Board of Directors or a Grand Jury provides guidance on whether a particular case should be referred to a legal process in a particular jurisdiction.  The rules are clear.  Trust is preserved.

What are the outcomes and benefits of effective Operational Risk Management (ORM):
  1. Reduction of operational loss.
  2. Lower compliance/auditing costs.
  3. Early detection of unlawful activities.
  4. Reduced exposure to future risks.
ORM is a continual process that when utilized effectively will provide the four benefits described.  Why any governance organization or body that it interested in transparency and building trust would ignore the process is questionable.

ORM includes legal risk.  This is why the General Counsel of private sector companies include the GC in the team that helps to effectively govern the organization.  They understand the rule of law and the requirement for transparency and factors needed to achieve integrity and trust.

Now think about your organization, your jurisdiction and the process you are utilizing to ensure more effective TrustDecisions.  What can you do different?  What will you do to make it better?  How will you provide the best use of the rules to effectively ensure the integrity and governance of the system?

Here is just one example:

Over 60 people in the U.S. and India face conspiracy and wire fraud charges in the largest crackdown against a telephone scam ever, officials said.

Callers from centers in India posed as federal agents to threaten victims with arrest, imprisonment, fines or deportation if they didn’t pay up, according to an 81-page indictment unsealed Thursday.

At least 15,000 Americans lost more than $300 million collectively during the four-year scam, according to the feds. A Texas grand jury indicted 24 people from nine U.S. states, 32 people from India and five call centers in Ahmedabad, India, earlier this month.

15 October 2016

Scrutiny: The Noun Missing From Your Culture...

The culture of your business or organization will continue to be the root cause of many of your most substantial successes.  Simultaneously, it will be one of the most significant factors in your potential downfall as a company.  Operational Risk Management (ORM) professionals at Wells Fargo and Booz Allen Hamilton, are still dissecting all of the evidence of their respective events.

"Managing Risk to Ensure Intelligence Advantage" is a theme that you may not have heard before, unless you are in the Intelligence Community.  There is one key principle that is worth emphasizing again at this point in time:
Ensure all work is subject to scrutiny.  Require conflict of interest-free peer review for all programs, projects and strategies.
This principle, that shall become pervasive across the culture of the organization, is imperative for several reasons.  The first is, that a culture really is a manifestation of the people and the behaviors that are normal in the organization.  The second is, that the culture shall strive to be a true mosaic of the best thinking and ideas from all the key stakeholders in the enterprise.  Not just one or two people from the top or a singular department.

Putting scrutiny to your work by others to review, is the beginning of new found discovery and transparency insight.  It is the foundation for building a more trusted operating environment, with as little bias as you can possibly have in a culture.  When an organization spins of out of control and becomes the latest case study on an Operational Risk failure event, you must learn from it.  Wells Fargo is just one recent example:

Some consumers may be shying away from Wells Fargo after learning that employees used customers’ information to open sham accounts, according to new figures reported by the bank.

The nation’s largest retail bank beat expectations when it reported more than $5.6 billion in profit for the past three months. But the bank’s earnings report also hinted that the Wells Fargo may have some trouble convincing people to open new accounts in the wake of the scandal.

The number of checking accounts the bank opened in September fell by 25 percent from the same time last year, the company reported Friday. Credit card applications filed during the month dropped by 20 percent from a year ago. And the number of visits customers had with branch bankers also fell by 10 percent from last year.  Washington Post

Whether you are in the international banking and finance business, the defense industrial base or any other set of critical infrastructure institutions that public citizens are counting on, there is no room for a runaway culture.  Consider this definition:

scrutiny

noun, plural scrutinies.

1. a searching examination or investigation; minute inquiry.

2. surveillance; close and continuous watching or guarding.

3. a close and searching look.

You see, the integrity and longevity of your "Trust Decisions" begins with the sharing of relevant information.  Sharing that information with your most trusted and significant partners is the start. The beginning of a dialogue with people in your culture who continuously review the information, the new strategy. This begins the ongoing process. It is now time for others to look at your idea, your strategy, your policy rule, from their perspective. From their knowledge-base. To scrutinize it. To analyze it. To make sense of it for them and those affected by it.

The truth is, you don't have all the understanding and you don't have all of the ecosystem knowledge. You don't have the entire data set, to know if the specific work you have been doing is sound and correct. That the new work you have designed, is culturally and morally acceptable. That the outcomes of your project will produce the results imagined. That the strategy and the work, is the right thing to do at this point in time.

So how do you change? It begins with your next management meeting and beyond. If you are the leader, the manager, the director, the Vice-President or the CxO start now. Ask for scrutiny on your proposed strategy. Gain new insight and understanding. Ask for feedback and changes to make it better. Your power in the culture and its impact is your greatest weakness. Your people will follow you, unless you challenge them to think differently...

09 April 2016

Trade Secrets: Gearing up for DTSA...

The Fortune Global 500 and the smallest research and development organizations in the U.S. have another ruleset to keep their eye on this week.  It is named DTSA or S.1890 - Defend Trade Secrets Act of 2016 has passed the Senate.  Operational Risk Management (ORM) is preparing for the next addition to national laws.

The attribution of cyberespionage adversaries has been gearing up since the Sony Pictures hack.  The private sector has been hunting and identifying those shadow individuals and nation state special units for years.  Now the lawyers can get more aggressive with civil actions.

The question remains, will another law deter the actions by global organized crime and the intelligence community of some significant nations?  How will attribution and more aggressive civil actions in foreign jurisdictions make a difference?

As a global organization, can you access your database of confidential trade secrets?  No different than the task of the identification of information assets that you are going to protect, you need an inventory.  What are they and where are they?  Everyone knows the formula for "Coca-cola" is written on a single piece of paper that is locked up in a vault in Atlanta, GA right?  Or is it?

There are trade secrets across America that have been stolen by operatives working inside organizations.  They may be preparing to leave the U.S. for another country outside the reach of law enforcement and the legal process for seizing the stolen property.  That is going to change soon.
The EX-Parte Seizure Order is part of the Trade Secrets bill that allows a trade secret owner to obtain an order from a judge for U.S. marshals to seize back the trade secret from the alleged bad actor without prior warning. This is to protect the trade secret owner from having the alleged bad actor skip the country or destroy the evidence before it is recaptured.
Now that Trade Secrets are in the same legal and enforcement category with patents and trademarks, you can predict that your legal budgets will need to be adjusted, upwards.  In general, what is a Trade Secret?
The subject matter of trade secrets is usually defined in broad terms and includes sales methods, distribution methods, consumer profiles, advertising strategies, lists of suppliers and clients, and manufacturing processes. While a final determination of what information constitutes a trade secret will depend on the circumstances of each individual case, clearly unfair practices in respect of secret information include industrial or commercial espionage, breach of contract and breach of confidence.
The effort to make intellectual property a "Trade Secret" is another strategy in itself. The determinations to designate something a trade secret is going to depend on the invention or the data itself. We understand. So what?
A Chinese businessman pleaded guilty Wednesday (March 23) in federal court in Los Angeles to helping two Chinese military hackers carry out a damaging series of thefts of sensitive military secrets from U.S. contractors.

The plea by Su Bin, a Chinese citizen who ran a company in Canada, marks the first time the U.S. government has won a guilty plea from someone involved with a Chinese government campaign of economic cyberespionage.

The resolution of the case comes as the Justice Department seeks the extradition from Germany of a Syrian hacker — a member of the group calling itself the Syrian Electronic Army — on charges of conspiracy to hack U.S. government agencies and U.S. media outlets.
Our adversaries are determined. They are already here. It has been documented for years. Let the next wave of legal indictments and seizures begin. One thing is certain. The "Insider Threat" is still present and your organization can do better. The ability to effectively utilize the correct combination of controls, monitoring, technology and internal corporate culture shifts will make all the difference. What are you waiting for?

20 March 2016

Vigilance: The Casualty of the Truth...

On the other end of a planned cyber threat are the motives and plans by a person.  Sometimes that person puts into play the use of a "Bot" to carry out many of their planned steps in their scheme.  Operational Risk Management (ORM) professionals have been classifying these cybercriminals for a decade or more yet even now in 2016 they are getting more formal profiles:

BAE Systems, the London-based, multinational security company, recently released profiles of “six prominent types of cybercriminals” and detailed how they could hurt companies around the globe, officials say.

Threat intelligence experts at BAE Systems have compiled a list, “The Unusual Suspects,” that has been created from “research that uncovers the motivations and methods of the most common types of cybercriminals,” according to BAE. “The intention of the campaign is to help enterprises understand the various enemies they face so they can better defend against cyberattacks.” BAE Systems officials have profiled six cybercriminal types:
  • The Mule – naive opportunists that may not even realize they work for criminal gangs to launder money;
  • The Professional – career criminals who work 9-to-5 in the digital shadows;
  • The Nation State Actor – individuals who work directly or indirectly for their government to steal sensitive information and disrupt enemies’ capabilities;
  • The Activist – motivated to change the world via questionable means;
  • The Getaway – the youthful teenager who can escape a custodial sentence due to their age;
  • And The Insider – disillusioned, blackmailed or even over-helpful employees operating from within the walls of their own company.
These individuals and groups have caused billions of dollars in losses and caused significant harm to millions of people and organizations.  Now what?

It will be many more years to come, before the laws catch-up to the technology and those who use the vector of the Internet to carry out their crimes against humanity.  Law enforcement has their hands continually tied by the laws and the geographic challenges of a global epidemic.  Governments and politicians are in constant battle over the privacy vs. security philosophy and all the legal issues.

While the wheels of Parliament, or the U.S. Congress slowly turn and the mechanisms for law enforcement become more robust for evidence collection, investigations and prosecutions, there are significant strategies of resilience that we must focus our respective vigilance.  It is not anything new per se, just a renewed emphasis and a new commitment to redesigning our digital environments.  We can do better.

For now, what if we just pick one cybercriminal type to focus on.  The "Insider".

The "Insider" is most likely in almost every formal organization today, working diligently to mask and perpetuate their goals until they are revealed.  It is your "Duty of Care" to continuously deter, detect, defend and document within your enterprise.  The "Insider" could be anyone and so how can the organization work ever more so vigilantly?

It begins at the core of the business and the culture that surrounds those principles within your company, your team or your relationship with suppliers.  The environment you build and sustain shall have the transparency and the elements necessary to sustain a culture where the "Insider" is incapable of operating.  Where the culture itself, makes the environment impossible for the "Insider" to operate without disclosure.

We would encourage Operational Risk Management (ORM) professionals to incorporate new found strategies, new management tools and a renewed effort to extinguish the "Insider" threat across the globe.  The best way we can do this today, is to work on the culture and to establish the foundations for future "Trust Decisions" within the enterprise.  The root of changing the culture and achieving the desired future environment, begins with every single decision to trust.

The journey ahead will be long and full of new found challenges.  The vision of the future and the outcomes received will soon be more apparent.  Now the real work begins to start the journey with your own organization, with each person and understanding the environment and culture you seek.  And remember:
"In war, truth is the first casualty."
Aeschylus
Greek tragic dramatist (525 BC - 456 BC)

12 March 2016

Rugged DevOps: Reengineering for our Next Generation...

The reengineering of the Internet is now underway for our next generation beyond the millennials.  The unification of corporate software development and information security teams are experiencing a deja vu and reminiscent of scenes from the 1993 movie "Groundhog Day."  Operational Risk Management (ORM) is hopeful that we are having a new resurgence of software vulnerability management thinking.  Why?

"A weather man is reluctantly sent to cover a story about a weather forecasting "rat" (as he calls it). This is his fourth year on the story, and he makes no effort to hide his frustration. On awaking the 'following' day he discovers that it's Groundhog Day again, and again, and again. First he uses this to his advantage, then comes the realization that he is doomed to spend the rest of eternity in the same place, seeing the same people do the same thing EVERY day."  --Groundhog Day

We are seeing the reunification of 1990's Software Quality Assurance (SQA) thinking, combined with the rigor of new 21st century rapid software development disciplines.  It is called "Rugged DevOps."  Application development life cycles are getting shorter these days.  That is because modern day software development life cycles are taking a more component-based approach, with the reuse of standardized software capabilities.  This makes sense, as long as the use of software quality assurance tools and services are not abandoned and new tools and processes are embraced.

Welcome to "Rugged DevOps."  This Forrester report, "The Seven Habits of Rugged DevOps" will give you more context:

Habit 1: Increase Trust And Transparency Between Dev, Sec, And Ops


Habit 2: Understand The Probability And Impact Of Specific Risks


Habit 3: Discard Detailed Security Road Maps In Favor Of Incremental Improvements


Habit 4: Use The Continuous Delivery Pipeline To Incrementally Improve Security Practices


Habit 5: Standardize Third-Party Software And Then Keep Current


Habit 6: Govern With Automated Audit Trails


Habit 7: Test Preparedness With Security Games


"Enabling Digital Trust of Global Enterprises" in the next decade will require software development organizations to embrace security and risk professionals simultaneously, on a more consistent and non-adversarial basis:
DevOps practices can only increase speed and quality up to a point without security and risk (S&R) pros' expertise. Old application security practices hinder speedy releases, and security vulnerabilities represent defects that can leave a company open to cyberattacks. But DevOps practitioners can leap forward with both increased speed and quality by including S&R pros in DevOps feedback loops and including security practices in the automated life cycle. These new practices are called rugged DevOps. This report presents the seven main principles of rugged DevOps so I&O pros and developers can break down barriers with S&R pros and achieve faster releases with stronger application security.
Chief Information Officers (CIO), Chief Privacy Officers (CPO), Chief Legal Officers (CLO), Chief Operating Officers (COO), Chief Security Officers (CSO) and maybe the Chief Executive Officers (CEO) are now paying more attention to these issues.

Here are 9.5 million more reasons why:

In 2007, a class action lawsuit was filed in the United States District Court of the Northern District of California against Facebook on behalf of 3.6 million users of Facebook concerning its “Beacon” program. KamberLaw represented the plaintiffs in this action and Cooley LLP represented Facebook. This suit was settled in 2009 and was granted final approval by the Hon. Richard Seeborg in March 2010. As part of the settlement, the parties created the Foundation (the Digital Trust Foundation) “the purpose of which shall be to fund projects and initiatives that promote the cause of online privacy, safety, and security.” The case settled for $9.5 million, with the Foundation receiving approximately $6.7 million after attorney’s fees, payments to plaintiffs, and administrative costs. There were four objectors to the settlement, two of whom appealed the approval to the Ninth Circuit Court of Appeals and subsequently the Supreme Court. But ultimately, in November 2013, the appeals were rejected and the Foundation was funded. The Foundation will distribute more than $6 million and will close its doors once all of the grants have been distributed and completed.

The corporate Board of Directors conversations about the topic of "Digital Trust" is now ongoing and the subject of new business units.  Security vs. Privacy has been a recent media frenzy between some of our technology companies and the U.S. government.  Your elected officials in the U.S. House of Representatives are also on the hot seat now, to produce new relevant legislation.  The courts are adding more privacy and data breach cases to the docket each week.  The "Digital Equilibrium Project" is being established and will hopefully include an international set of stakeholders.

Authoring the rules that everyone understands and everyone can agree on, sets the stage or playing field for the environment of competition to engage with some sense of civility.  Rules will be broken in plain sight and the referee (law enforcement, judges, courts, juries) will impose a penalty, while potentially millions of people watch live.  Is it a penalty kick or just a loss of down?

Think global.  Think at the speed of light.  Think about the trust of e-commerce transactions where millions of people rely on our computing machines every waking minute of the day.  Where Zettabytes of data are in use.  The rules on the "Digital Playing Field" are vital to our future social and economic well being.

"Rugged DevOps" is another and necessary component of a safe, private and secure Internet ecosystem.  Operational Risk Management (ORM) professionals are evermore concerned, with the root cause of our current Privacy vs. (soon to be "And") Security headlines.  Digital Trust is hard to achieve and yet easy to forfeit.  It is time for us to begin "Reengineering for our Next Generation".

07 February 2016

Trusted Enterprise: Digital Science in Business...

Digital Trust has been a cornerstone for any serious organization in our 21st century era.  The foundation for an Operational Risk Management (ORM) design, begins with the engineering science of a sound and endurable platform for "Enabling Digital Trust of Global Enterprises."
The Accenture Technology Vision 2016 verifies "Digital Trust" as one of five major trends:
As every digital advancement creates a new vector for risk, trust becomes the cornerstone of the digital economy. Without trust, digital businesses cannot use and share the data that underpins their operations. To gain the trust of individuals, ecosystems, and regulators in the digital economy, businesses must possess strong security and ethics at each stage of the customer journey. And new products and services must be ethical- and secure-by-design. Businesses that get this right will enjoy such high levels of trust that their customers will look to them as guides for the digital future.  Source:  Accenture Technology Vision 2016
The concept of data ethics as a significant component of establishing "Digital Trust" is vital.  When you introduce the concept of ethics to the dialogue on software engineering in the global enterprise, there are several key considerations.  Adding the moral governance of actions taken as a result of insights derived from the analysis of information, is also a valid vector in the design of trustworthiness for modern digital applications.  Yet this means nothing, without first understanding how humans make their decisions to trust.  How effective the entire ecosystem of "Digital Trust" becomes will always come back to the root.  Digital Ground zero.

Ground zero for "Digital Trust" is the actual "Trust Decision" itself.  The science of the "Trust Decision" elements and process has been the focus of researchers and academic study for years.  In order for us to truly understand how to achieve digital trust in business, we must first grasp the science and evidence of the core elements and root of our "TrustDecisions."  Does "Achieving Digital Trust" in the enterprise ensure that, as a business you are "Achieving a Defensible Standard of Care"?   Not necessarily.

The two concepts are mutually exclusive, yet they still have affinity for each other.  Accenture's Technology Vision, provides the enterprise with sound reasoning about how to create a path towards improving digital trust, especially as it pertains to the reputation benefits associated with the "Brand."  Adding the element of ethics, drives the consumer thinking that the business has addressed privacy requirements in terms of the legal rules and usability factors.

Incorporating the conversation in the Board Room about data ethics (collection and use) or how as an enterprise you must design-in legal controls in order to alleviate liability, requires something new.  It requires all interested parties to go back to the root.  How does the human make a decision to trust?  How does a computer make a decision to trust another computer?

The people sitting around the Board Room table are thinking about creating more wealth.  They are not asking themselves, how do computers trust other computers?  In our digital age where decisions are being made as a result of the execution of zeros and ones at light speed, someone has to be designing the trust architecture with the right people in the enterprise.  The question is now at hand, who is that person or business unit?

The answer is going to be different in each business or organization.  What is the maturity of the particular digital ecosystem and how vast is the landscape for the computing assets?  One fact that must be acknowledged early on, is that it probably does not entirely exist today.  The ideal unit of people and systems that are necessary to achieve digital trust, are currently spread out across the typical silos of a business architecture.  IT, Marketing, Legal, Info Security, Privacy perhaps.  However, the dedicated and funded "Digital Trust" team, task force or department, has yet to be established.  So what?

Continue to operate as you are.  Without the advantage of truly understanding the elements of "Trust Decisions" and how this is relevant to "Achieving a Defensible Standard of Care."  A trustworthy computing division, may have existed in the past at your organization, yet initially with another focused mission,  "Cyber Crime" intervention.  You see, the idea of trust and why it is so vital to the success of the information technology industry is not new.  Smart malware researchers and software engineers understood this at the dawn of the Internet.  So why is this any different?

Trustworthy computing in the 90's is not the same as the application of "Trust Decisions" in the year 2016 and beyond.   Especially today, with the speed of cloud computing adoption and the outsourcing of core data transactions across borders.  The international implications of privacy laws and the routing and storing of data outside of your native country, is now in play.  Negotiations by a Nation State to bypass traditional use of mutual legal assistance treaty (MLAT) is the new normal:
If U.S. and British negotiators have their way, MI5, the British domestic security service, could one day go directly to American companies such as Facebook or Google with a wiretap order for the online chats of British suspects in a counter­terrorism investigation.

The transatlantic allies have quietly begun negotiations this month on an agreement that would enable the British government to serve wiretap orders directly on U.S. communication firms for live intercepts in criminal and national security investigations involving its own citizens. Britain would also be able to serve orders to obtain stored data, such as emails.  Source:  Washington Post
The requirements have changed.  The next era of "Achieving Digital Trust" requires so much more.  It now requires standing up and providing substantial resources to the "TrustDecisions" Unit within the enterprise.  What does this mean to the future of the Trusted Enterprise?

It means that the Chief Information Officer (CIO), Chief Privacy Officer (CPO), General Counsel and Chief Information Security Officer (CISO) will be using data and Digital Science to design a new architecture for the Trusted Enterprise.  They will deliver it to the desk of the Chief Executive Officer (CEO) very soon.

17 January 2016

Duty of Care: Board of Directors OPS Risk...

The Board Rooms across America are in full tilt mode working hard on risk oversight. The Chairman of the Board (COB), is wrestling with divergent personalities and competing agendas as the organization races towards its next phase of growth.

Operational Risks are being presented from all facets of the business and the Board of Directors has a fiduciary responsibility to address them, without creating new risk in the process. Leadership is in short supply and collaboration among the entire board is dwindling. In terms of Operational Risk Management (ORM), what risk is the most dangerous to the enterprise at this point in time?

The risk that the Chairman of Board has lost their ability to forge trust and a favorable relationship with the Directors themselves becomes a significant threat. The trust and the relationship that a Chairman has with the Board of Directors is paramount. When this is no longer present, and the "Independent Directors" realize they can no longer trust the performance of the Chairman, significant risk factors begin to quickly evolve that puts the entire organization into a vulnerable state.

Once the Independent Directors see and hear or feel that the Chairman has lost credibility and respect from the Board, then it is time to act. The jeopardy of the organization is at stake and each day or week that goes by without action to change leadership, will increase the long term risk to the brand, confidence in the entire leadership and finally the people charged with making the organization compliant with all legal and ethical policies. A failure in people is an Operational Risk that far too often becomes overlooked or just plain ignored, due to the power base that may exist by the Chairman's role.

The Board of Directors are charged with the duties that involve the governance, regulatory, compliance, legal and ethical components of the organization. When any one of these starts to fail, then the faith in the entire leadership of the organization becomes a question mark. How many times do we hear the story that brought down the leaders with the words "Failure to Act"? Today and in the future, “serving on a Board of Directors means living in a fishbowl” according to Chief Justice Myron Steele of the Supreme Court of Delaware:
Once a difficult situation arises with the potential for litigation and its accompanying damage to the company’s reputation, the media will descend on the company, and directors must show 1) that they had a plan in place to deal with such situations in accordance with their oversight or compliance duties, 2) that the plan was reasonable and adequate, and 3) that the plan was followed. It is worth noting here some of the recent trends in corporation litigation. Two major categories of corporate litigation that a director might face include the traditional class actions based on breach of fiduciary duty, and derivative actions which are filed on behalf of the corporation due to wrong doing on the part of the board, either for its actions that resulted in a loss or its failure to act which also resulted in a loss through missed opportunity.
One of the major trends going on these days is to keep the Chairman separate from the CEO or President of the organization. The benefits are great especially if you have a CEO who will allow their ego to accept the other person as an ally and not competition:
In the public company arena, more and more companies are separating the Chairman of the Board position from the CEO. It turns out that this trend has benefits for earlier stage companies too. We believe that all CEOs – regardless of their experience – benefit from having a lead director on the board. In general, it has been our experience that boards (and the board meetings) work better when there is a Chairman in charge other then the CEO.
This strategy in overall Board Governance is a sound one. As a result of the "The Duty of Care" by the Board of Directors, at some stage it may require that the Chairman recommend to the Board that a CEO resign or be fired from running the day to day operations of the organization.

The Board of Directors and their behavior within the Board Room and in the functions outside in public are at stake. The governance of the Board of Directors begins with the Chairman but ends with each individual on the Board itself. If the Independent Board Director remains silent on any legal duty of the Board, they are putting all in jeopardy of a failure of the Duty of Care:
In tort law, a duty of care is a legal obligation imposed on an individual requiring that they adhere to a standard of reasonable care while performing any acts that could foreseeably harm others. It is the first element that must be established to proceed with an action in negligence. The claimant must be able to show a duty of care imposed by law which the defendant has breached. In turn, breaching a duty may subject an individual to liability. The duty of care may be imposed by operation of law between individuals with no current direct relationship (familial or contractual or otherwise), but eventually become related in some manner, as defined by common law (meaning case law).
It is the Chairman of Board who has the responsibility to keep the Independent Directors informed and aware of any persons behavior or actions that could put the entire board at risk. And even more importantly, it is the duty of each Independent Director to insure that they are constantly monitoring for any possible failure of the Duty of Care to their organization and their fellow Board Directors.