30 June 2007

Enterprise Resilience: Compete or Die...

Enterprise Resilience is the road to competitiveness. It is the global answer to many of the Chief Security Officers (CSO) who have faced the troublesome battle of selling more "Fear and Doubt" to the CEO. When Deborah Wince-Smith stood up on the stage at the 21st Annual Security Briefing at OSAC last November 16th, 2006, her words were music to our ears:

It is undeniable that the world has gotten more risky. Businesses now function in a global economy characterized by increasing uncertainty, complexity, connectivity and speed. Managing this rapidly changing risk landscape is an emerging competitiveness challenge—a challenge that demands resilience: the capability to survive, adapt, evolve and grow in the face of change. The Council on Competitiveness is proud to offer this report, which promotes a strategy of resilience for both the public and private sectors, a strategy with clear benefits for our companies' competitiveness and our nation's homeland security.

Globalization, technological complexity, interdependence, and speed are fundamentally changing the kind of risks and competitive challenges that companies— and countries—face. Failure, whether by attack or accident, can spread quickly and cascade across networks, borders and societies. Increasingly, disruptions can come from unforeseen directions with unanticipated effects. Global information and transportation networks create interdependencies that magnify the impact of individual incidents. These new types of risk demand new methods of risk management.

Was this a way for the Chief Security Officers of the Fortune 500 to finally shift their thinking from protection to something less macho? How could "Resilience" become a platform for a mindset shift to justify new funding? After all, we aren't trying to scare people with the low-probability, high-impact incidents anymore; we are focusing on the high-probability incidents that may have enough impact to cause a significant business disruption. What are the incidents and areas of risk that insurance won't touch these days? If the insurance companies can write a policy to give you peace of mind, is this necessarily an area you can ignore because you have transferred the risk to someone else? Maybe not.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room. Working towards control and protection while fear builds in the back of your mind makes you stiff, depletes your energy and creates doubt. And when you are operating a business or standing on the tee of your first sudden death hole on any PGA weekend, you better have resilience.

The business equivalent to homeland security and critical infrastructure protection is operational risk management—a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for operational resilience can have “bet the firm” results.

Back in 2000, the Meta Group (now owned by Gartner) did a study on the cost of an hour of computer downtime by industry group. These numbers are now seven years old:

Industry sector (cost per hour of downtime, $ millions)
  • Energy - $2.8
  • Telecommunications - $2.0
  • Manufacturing - $1.6
  • Financial Institutions - $1.4
  • Information Technology - $1.3
  • Insurance - $1.2
  • Retail - $1.1
  • Pharmaceuticals - $1.0
  • Banking - $0.996

We all know that it costs lots of money to have any systems downtime; that's why so many dollars have been invested in Disaster Recovery Planning (DRP) and other Business Continuity Planning (BCP). Yet is this the kind of resilience that is going to make you more competitive and able to seize more opportunities? The economics of resilience are about more than investing against the likely or unlikely information systems incident that will hit your organization tomorrow.

The threat of Tort Liability and the loss of reputation is top of mind these days with every major global company executive. The threat is real and increasing at a faster rate than many other real operational risks to the enterprise. Litigation from regulators, class actions and competitors has given the term Legal Risk new emphasis and meaning.

Once corporate management understands the need for a "resilience" mentality in place of a "protection" mental state, a new perspective is found. Investing in the vitality, agility and competitive capabilities of the organization sounds, and is, more positive. It alleviates the fear of doom and gloom and inspires newfound innovation. The future of your organization's longevity and adaptability can be achieved with a new perspective. Compete or die.

Enabling Global Enterprise Business Resilience is just the beginning...

26 June 2007

Insider Threat: Web 2.0 Wild West...

The Insider Threat is an Operational Risk that will never go away. It is without a doubt going to be a continuous issue for the Board of Directors, Corporate Management and shareholders for years to come. Fortunately, justice has recently sent a clear message about the implications of unleashing malicious code on a network.

The former systems administrator convicted this past summer of launching an attack on UBS PaineWebber four years ago was sentenced to 97 months in jail in U.S. District Court in Newark, N.J., on Wednesday.

Roger Duronio, 63, of Bogota, N.J., stood quietly and didn't react as Judge Joseph Greenaway Jr. handed down the sentence. "This is a sophisticated crime," said the judge. "This wasn't an instance when an individual argues that 'I had a bad day and I made a mistake.' It's undoubtedly that Mr. Duronio, having felt wronged, came up with an elaborate, sophisticated scheme to take down a company." Judge Greenaway added that he was struck by Duronio's attempt to not only disrupt the company but to derive financial benefit from it.

Duronio was found guilty of computer sabotage and securities fraud for writing, planting, and disseminating malicious code -- a so-called logic bomb -- that took down up to 2,000 servers in both UBS PaineWebber's central data center in Weehawken, N.J., and in branch offices around the country. The attack left the financial giant's traders unable to make trades, the lifeblood of the company, for a day in some offices and for several weeks in others.

Executives at UBS, which was renamed UBS Wealth Management USA in 2003, never reported the cost of lost business, but did say the attack cost the company more than $3.1 million to get the system back up and running.

"If it doesn't send a message, people aren't listening," said Assistant U.S. Attorney V. Grady O'Malley, a prosecutor on the case. "If giving the maximum for this crime doesn't send a message to people with the ability to commit a crime and to the people who employ them, they're not paying attention. The potential for the impact of an insider is incalculable."

Whether you have an unknown system admin working against you because they didn't get a raise last year, or a corporate espionage ring selling secrets or identities, the problem will continue to increase over time. This has to do with the new generation of employees who have grown up using the Internet and downloading intellectual property or open source software. It's the wild, wild West, and the policies and ethics workshops are nothing more than a compliance officer's single strategy for justifying their existence.

Web 2.0 is changing these employees' attitudes about sharing everything. Many of them come to the organization with a profile on Facebook and don't have any qualms about sharing their own private information. The leaks to the press on major M & A deals should be enough evidence that good old-fashioned ethics are in jeopardy.

The Insider Threat in a Web 2.0 world is not only here to stay. It is just getting started.

20 June 2007

White Collar Crime: Enduring Truth...

In the 19th century a famous sleuth by the name of Al Pinkerton was quoted:

"A professional should possess the qualifications of prudence, secrecy, inventiveness, persistency, personal courage, and above all, honesty."

Inside the walls of global enterprises are the ticking time bombs waiting for the next opportunity to rationalize their malicious acts upon the organization. Individuals with advanced degrees, outstanding performance and continuous community service are operating just like Al Pinkerton has described, with one exception. Honesty.

White collar criminals are taking the corporate beaches by storm. Backdating, once a common practice, now has more than 100 companies under investigation. Yet good old-fashioned theft of corporate assets is running at an all-time high, and internal fraud, with more tips and leaks, is now a much easier crime to detect, prosecute and punish. Why do so many companies look the other way and just fire an employee when company wrongdoing is uncovered? Reputation.

The phrase "white-collar crime" was coined in 1939 during a speech given by Edwin Sutherland to the American Sociological Society. Sutherland defined the term as "crime committed by a person of respectability and high social status in the course of his occupation." Although there has been some debate as to what qualifies as a white-collar crime, the term today generally encompasses a variety of nonviolent crimes usually committed in commercial situations for financial gain. Many white-collar crimes are especially difficult to prosecute because the perpetrators are sophisticated criminals who have attempted to conceal their activities through a series of complex transactions.

The most common white-collar offenses include: antitrust violations, computer and internet fraud, credit card fraud, phone and telemarketing fraud, bankruptcy fraud, healthcare fraud, environmental law violations, insurance fraud, mail fraud, government fraud, tax evasion, financial fraud, securities fraud, insider trading, bribery, kickbacks, counterfeiting, public corruption, money laundering, embezzlement, economic espionage and trade secret theft. According to the Federal Bureau of Investigation, white-collar crime is estimated to cost the United States more than $300 billion annually.

A true Operational Risk Management professional has to operate as Al Pinkerton described and with even more capabilities than in his day. They have competencies and subject matter expertise to address:

* Identification
* Assessment
* Design
* Implementation
* Audit
* Supervision

You have to identify the corporate assets to protect and the threats to those assets. You then have to determine the likelihood of occurrence. What is the impact to the organization from a loss? One must also have knowledge and expertise in accounting, auditing, interviewing, investigation, legal elements, digital forensics, reporting, testifying and communicating. The OPS Risk professional today requires not only honesty; it requires much more.

Hiring good people is the constant headache of every manager in every industry in every part of the world, and bankers have probably complained about the situation the loudest. But if a bank makes a bad hire, the pain will only be felt years later when it comes out in the newspapers that both the employee and several million dollars have gone missing.

The situation should be avoidable, but the fact is that nobody can really know who it is that they are hiring. Consider the case of one senior banker, who was ready to hire a new personal assistant. Besides being the best candidate for the job, he had once known the applicant when he had worked at her previous company. Through a chance meeting with one of his old co-workers at that bank, he found out that his applicant had been fired for embezzlement, although the information had not been made public.

Actual levels of internal fraud across the industry are a closely guarded secret, although each banker will have a good idea how much it costs his or her own bank. While it is commonly agreed that the cost of internal fraud greatly exceeds that lost on credit card and other fraud, expensive systems required by regulators to manage fraud throw a monkey wrench into the works.

Whether you are in search of the facts or are rendering an opinion, the way you operate and behave within your organization, and in front of those individuals you are in pursuit of, remains the same. You are a "Citizen Soldier". This means that you are not influenced by the politics nor the power of those who may try to persuade you to see it their way. You see it as it is, and your mission is to uncover the real truth and only the truth. Reputations are at stake. Lives will be changed forever. But the truth will endure.

19 June 2007

FACTA: The Writing is on the Wall...

Now that the financial community is wiping its brow with a sigh of relief over this latest Supreme Court ruling, what can a General Counsel or Chief Risk Officer expect? Will the adversarial train of plaintiff suits slow down and come to a halt? Not likely.

The U.S. Supreme Court's ruling that blocks investors from suing Wall Street investment banks under antitrust laws could save Wall Street firms a bundle by limiting investors to smaller recoveries.

In a case dating back to the dot-com bubble, the high court ruled Monday that antitrust suits would pose a "substantial risk" to the securities market. Damages in antitrust cases are tripled, in contrast to penalties under the securities laws.

The ruling struck down a lower court decision that would have allowed investors to go after Wall Street firms that they say engaged in anticompetitive practices by conspiring to drive up prices on about 900 newly issued stocks in the late 1990s.

Because the well-documented implosion of names like Enron Corp. swallowed any serious money that investors might hope to recover from that and other flame-outs, some investors have turned to the banks and other Wall Street regulars such as accounting firms that did work for such companies.

Wall Street institutions in the case before the Supreme Court were Credit Suisse Securities (USA) LLC, formerly Credit Suisse First Boston LLC; Bear, Stearns & Co. Inc.; Citigroup Global Markets Inc.; Comerica Inc.; Deutsche Bank Securities Inc.; Fidelity Distributors Corp.; Fidelity Brokerage Services LLC; Fidelity Investments Institutional Services Co. Inc.; Goldman, Sachs & Co.; The Goldman Sachs Group Inc.; Janus Capital Management LLC; Lehman Brothers Inc.; Merrill Lynch, Pierce, Fenner & Smith Inc.; Morgan Stanley & Co. Inc.; Robertson Stephens Inc.; Van Wagoner Capital Management Inc.; and Van Wagoner Funds, Inc.

These institutions may not have "Anti-Trust" anxiety from the Supreme Court any longer yet there are plenty of other Operational Risks on their minds. Namely International Fraud.

In an era of data warehousing, metadata management, business process management and the looming Basel II Accord, there are plenty of conversations about what to do about fraud and other regulatory compliance. Multi-factor authentication for online banking systems is not a trivial matter when it comes to Enterprise Risk Management. Is the customer service organization ready for the upgrade? Is the consumer going to be confused about what questions they are being asked in order to get access to their latest online credit card statement? What is my customer "churn" factor? In other words, how many of my customers are jumping ship as a result of the operational risks that have turned their loyalty into consumer-driven class action fraud litigation?

An International Banking Fusion Center is on the horizon and it's not too far from the same justification that addresses Know Your Customer (KYC) and the financing of terrorism.

According to one study respondent, "Organizations are secretive of fraud losses and that inhibits our ability to work together."

"The sharing of intelligence is key to being able to take advantage of the predictability of fraud," First Data's Barwell continues. "Banks are sitting on valuable data that, if analyzed innovatively, could provide fraud intelligence worth sharing. One major bank has shown that if their internal client databases across business lines and geographies are analyzed using sophisticated link analysis tools, spurious networks of accounts can be uncovered and, when fully investigated, could uncover organized networks of first-party fraud accounts."

Barwell adds that several U.S. banks have expressed interest in taking the "quantum leap" to true data sharing.
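To make the link analysis that Barwell describes concrete, here is an added illustration (not First Data's, any bank's or this blog's own code) that joins accounts sharing a normalized phone number, street address or device identifier into connected components and reports the components large enough to warrant an investigation. The account records, the attribute names and the size threshold are constructed assumptions.

```python
"""Link analysis over account records: accounts that share a linking attribute
(phone, address, device id) are joined into one component, and components above
a size threshold are reported with the attributes that tie them together.
Added illustration with constructed data; not any bank's or vendor's tooling."""
from collections import defaultdict

# Constructed sample records (hypothetical). ACC-1001..1004 are tied together by a
# reused phone number and a reused street address; ACC-1006/1007 share one device.
ACCOUNTS = {
    "ACC-1001": {"phone": "201-555-0100", "address": "12 Elm St, Newark NJ", "device_id": "dev-a1"},
    "ACC-1002": {"phone": "201-555-0100", "address": "9 Oak Ave, Jersey City NJ", "device_id": "dev-b2"},
    "ACC-1003": {"phone": "201-555-0100 ", "address": "44 Pine Rd, Hoboken NJ", "device_id": "dev-c3"},
    "ACC-1004": {"phone": "201-555-0199", "address": "44 PINE RD, Hoboken NJ", "device_id": "dev-d4"},
    "ACC-1005": {"phone": "212-555-0155", "address": "1 Main St, New York NY", "device_id": "dev-e5"},
    "ACC-1006": {"phone": "", "address": "3 Bay St, New York NY", "device_id": "dev-shared"},
    "ACC-1007": {"phone": "212-555-0177", "address": "5 Bay St, New York NY", "device_id": "dev-shared"},
}
LINK_KEYS = ("phone", "address", "device_id")


def shared_attributes(accounts):
    """Index (key, normalized value) -> accounts, keeping only values used by 2+ accounts.
    Normalization (strip + lower-case) is what lets '44 PINE RD' match '44 Pine Rd'."""
    index = defaultdict(set)
    for acct, attrs in accounts.items():
        for key in LINK_KEYS:
            value = (attrs.get(key) or "").strip().lower()
            if value:  # an empty field must not link every account together
                index[(key, value)].add(acct)
    return {k: v for k, v in index.items() if len(v) > 1}


def find_clusters(accounts, min_size=3):
    """Union-find over the shared-attribute edges; returns [(members, evidence), ...]
    sorted largest first, where evidence lists the (key, value) pairs linking members."""
    parent = {acct: acct for acct in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    shared = shared_attributes(accounts)
    for members in shared.values():
        root = find(next(iter(members)))
        for acct in members:
            parent[find(acct)] = root
    components = defaultdict(set)
    for acct in accounts:
        components[find(acct)].add(acct)
    clusters = []
    for members in components.values():
        if len(members) >= min_size:
            evidence = sorted(k for k, v in shared.items() if v <= members)
            clusters.append((tuple(sorted(members)), evidence))
    return sorted(clusters, key=lambda c: (-len(c[0]), c[0]))


if __name__ == "__main__":
    for members, evidence in find_clusters(ACCOUNTS):
        print(f"{len(members)} accounts {members} linked by {evidence}")
```

A hit here is a lead for an investigator, not a verdict: shared addresses also occur legitimately (households, mail drops), so the evidence list is what lets a reviewer decide which clusters deserve follow-up.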

The International Language of Fraud

"In the last eight to 10 years, fraud has really gone international," says Steve Baker, director of the Midwest region of the Federal Trade Commission (FTC). The FTC maintains a Consumer Sentinel database that includes more than 3.5 million consumer fraud complaints and is accessible to more than 3,000 law enforcement agencies internationally. In 2006, 22 percent of the reported fraud was cross border.

So what? What does information sharing have in common with international fraud, identity theft and the risk of litigation within the banking or credit card industry? Now the bankers want to sue the retailers and recover losses for the lack of privacy and security controls at the retailers. Since December 2006, plaintiffs' class action firms in California and elsewhere have filed over 200 nationwide class actions in federal court against a broad spectrum of retailers and restaurants alleging violations of the Fair and Accurate Credit Transactions Act ("FACTA"). In addition to California federal courts, FACTA cases have been filed recently in federal courts in Pennsylvania, Illinois, New Jersey, Nevada, Maryland and Kansas.

16 June 2007

General Counsel: Information Security Nexus...

A "Defensible Standard of Care" is a hot topic these days around the Board of Directors Audit Committee conference table. Information Security standards are consistently being discussed by the CIO and CSO in the context of compliance. So where is the nexus? Why is it so critical to enabling the enterprise business resilience of a global institution?

The answers lie in the fundamental understanding that the Board of Directors and the "C" Suite are both working towards the same focal point. Their motive is almost identical: to be able to provide the evidence and the testimony that keeps their integrity and reputation intact. The ISO 27001 control objectives address this directly:

Clause A.15.1 Compliance with legal requirements

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

15 June 2007

Making the Business Case for Enterprise Content Management...

Making the Business Case for Enterprise Content Management: A Webinar

On July 24, 2007, from 11:00 a.m. to noon EDT, KM World will be presenting a national webinar on how ECM champions can make a more successful business case for new ECM solutions. The webinar will feature Jeffrey Ritter and Walt Whalen of Waters Edge Consulting in a discussion of Waters Edge's work in this area. If you wish further information, please contact info@wec-llc.com.

Welcome...

This blog will explore trusted information and the nexus of information security and the law.