31 December 2016

2017: Navigating to Digital Trust...

Looking into the 2016 Operational Risk Management (ORM) rear view mirror, you may be asking yourself several questions.  How many significant losses have occurred this past year, from the failed people, processes, systems or external events in your organization?

You could be asking your team why you have yet to become the target of our adversaries also known as COZYBEAR, APT28 or APT29, CloudDuke, or even Energetic Bear.  If you don't know who these are, then you probably already are "owned" by this adversary.  It may finally be a priority, to become a participant in the "Automated Indicator Sharing" (AIS) initiative.

Where are you navigating to in 2017?

As we look across the vast landscape of our rapidly changing business and government domains, there is no turning back.  There is no ability to retreat or to acquiesce, in a world so full of continuous Operational Risk.

There is no certainty.  There is no true assurance.  There is only the ability to solve problems faster than your adversary or competition.  Some may call this resilience.

Therefore, the direction you take will forever shape your continued exposure to risks and your strategy for opportunities, that you do have control over.  It is a choice and the questions by the Board of Directors, the Plaintiff Bar or the U.S. Attorney, are not going to be the most difficult ones to answer.

In 2017, any major influential organization will be getting more transparent.  The metrics and the formulas (think mathematical algorithms) for counting and creating wealth will be further disclosed, the rules will change faster and more transparently.  Buyers and Sellers of digital content and intelligence, will increase their levels of "Digital Trust".

How will these parties, partners and participants in a vast and exponentially expanding ocean of digital rules become more trustworthy?  They will begin to better understand the DNA of their respective TrustDecisions.

The constituents of organizations, countries and ICT (Information, Communications & Technology) entities will finally realize that transparency of the rules is a vital step to trustworthiness.  Better understanding the "Rules for Composing Rules" is a place to start.  Jeffrey Ritter is the visionary on this topic:
To be part of the disruption, any business must look in two directions—toward the companies that supply digital information to them, and toward the companies with whom their own digital assets are shared. To succeed in creating wealth, and enriching the trust that exists throughout a company’s ecosystem, companies must evaluate how they can be more transparent with their information suppliers, and what levels of transparency to demand from those companies who are outbound recipients. What are the right metrics to show how data or content (like videos) are performing? How will the reporting occur? Are the economic exchanges properly balanced by the value of the data being shared?
The negotiations have been in progress for days, months and years.  The question remains; where are you navigating to in 2017 and beyond?  What resources will you require to get you to your planned destination?  How will you adapt along the way, as the environment you are operating in changes?

To survive the journey to your intended destination in 2017, will require bold new thinking.  It will be necessary to make many sacrifices along the way, to your intended destination.  On the ground, or in a virtual domain.  The solution-sets that you utilize, will require new entities (change agents) to be even more effective in solving problems that arise.

These new entities (human and digital), that will solve problems more efficiently and effectively with you, are ready now.  So what will you do next to adopt, embrace, espouse, endure, tolerate, and even endure the journey ahead?

May your exploration and travels in 2017 produce the intended outcomes.  We wish you a productive and Happy New Year!

17 December 2016

Sprint: Accelerating into the Unknown...

"If you want to go fast, go alone.  If you want to go far, go together"...
  --African Proverb
When you or your organization makes the decision to trust a market, a client, a solution and a model for business; there has already been an adaptive process.  The Operational Risks that you take as an entrepreneur, a designer, a software developer, a financier and the delivery mechanism are continuously changing.  People, Process, Systems and External Events.

You started this project to solve a large problem.  A big issue in a market or with an industry.  The "World's Most Innovative Companies" have been following a proven formula for decades.  What is their secret Intellectual Property?

In the R & D sections of the Defense Industrial Base or the Information, Communications and Technology (ICT) sector, the lights are never turned off.  The competitive world we live in requires that the proven process runs, finishes and repeats.  Then it is replicated across business units, departments and subsidiaries in other countries.

What if you are now testing new ideas to save lives or reduce potential harm to a small team or even the public at large.  What if you will be introducing your solution to a highly regulated market with a long process for government approvals?  What if the current bureaucratic overhead to accelerate your ideas prevents you from achieving the trust you require with your beneficiaries?  Answer:  You pivot to this 5 Step Process:
  • Map
  • Sketch
  • Decide
  • Prototype
  • Test
Five simple steps accomplished over the course of five days may seem easy.  It isn't.  The process for solving big problems and getting to a place where a financier is going to fund your project, is really difficult.  It requires perseverance and an insatiable desire to achieve outcomes that you and your team know can work.  That will improve the odds of survival.  Here is just one example, of a Map for a "Universal Communication Service" device problem-set:

TrustDecisions | Digital Reasoning | All Rights Reserved.
When you start the process with the Strategy, Voice of the Beneficiary, Subject Matter Experts and pieces of previous efforts by creating a "Map",  your overall risk factors start to become more apparent.  By stimulating the visual elements of the human brains capacity for creative inspiration, you begin to see all the possibilities and also the challenges ahead.

Next, you start with the target beneficiaries perspective, by starting with the end (outcomes) in mind.  A "Backwards from Perfect" process or variation that seeks to understand and answers the question, Will the beneficiaries of the solution, trust our expertise?  Will they utilize this solution?

The human imagination is endless.  Rarely does it flourish when you want it to.  So be careful to plan for the fact, that the best ideas and new breakthrough thinking will not happen in the same room with all of the stakeholders, looking at a Map or a Sketch.  It just might happen as one of the participants is in the shower on Day 3, or taking an evening walk after dinner, with a colleague on Day 4.

So what?

The questions asked and process delivered, is vital to any organization who is solving big problems.  Solving problems are only finally accomplished, when the beneficiary says so.  When the market accepts the solution or the human using the tool achieves enough trust in it, to use it again and again.  When the point in time arrives that the solution is verified and desired by enough people, then perhaps the problem has been sufficiently solved.

Until the next human decides to improve on it.  Or the next human believes there is a better way.  Or the environment that the solution was designed for, changes dramatically.  Now it may be time to get back into that room down the hall, with all the White Boards, Post-it Notes, Markers, Timers and some Healthy Snacks.

What does the unknown future look like?  At dawn, just early enough to know it is time to move forward faster than your opposition...

Begin Morning Nautical Twilight


The start of that period where, in good conditions and in the absence of other illumination, enough light is available to identify the general outlines of ground objects and conduct limited military operations. Light intensification devices are still effective and may have enhanced capabilities. At this time, the sun is 12 degrees below the eastern horizon. Also called BMNT...

11 December 2016

CIU: Corporate Intelligence Unit...

Over six years later approaching 2017, Operational Risk Management (ORM) professionals are experiencing the "New Normal."   In a 2010 CSO Magazine sponsored eCrime Digital Watch Report and survey of 535 companies there are some observations on Operational Risk Management worth examination.

This CERT report the same year was focused on the "Insider Threat" and the area of concern is still on "Digital Incidents by Insiders."  Seven years later, these numbers have only increased:
  • Past 12 months the number of incidents reported increased 16%
  • The per incident monetary loss (mean) was $394,700.00
Yet these two items are just the trend these days as our global work place becomes more mobile and stratified using more partners, offshore suppliers and other 3rd parties to accomplish the daily tasks and workloads. What is even more alarming are the following stats from the survey:
  • 72% of the incidents were handled internally without any legal action or law enforcement.
  • 29% of these incidents could not identify a subject responsible for committing a crime.
  • 35% of these incidents could not proceed due to a lack of evidence.
Interpreting these numbers prompts several questions worth discovering. First, why were 28% of the incidents handled with some form of legal action or law enforcement? One of two reasons that we can surmise. The incident was exposed to the public as a result of the magnitude or harm that was caused by the incident. The organization was prepared to capture evidence, properly investigate the incident and pursue a recovery of the loss either in a civil or criminal process of law.

Second, why were 35% of the incidents unable to proceed due to a lack of evidence? The organization may be lazy or apathetic to these loss events or may have an insurance policy that covers these types of losses and was able to successfully recover the almost $400,000.00 incident average through this process.

Or, the organization is not capable of leveraging a sound "Digital Governance" and "Legal Policy" framework in order to properly investigate incidents that come from their own internal work place ecosystem of employees, partners, suppliers and other 3rd parties.

In order to gain "Strategic Insight" into these vital Operational Risk matters within the enterprise the organization must establish an intelligence-led investigation. Once the proper evidence collection and analysis is completed on the incident then members of a corporate crisis team or threat management council can make more informed decisions. That brings us to the final question. Why in 71% of the incidents was a subject not identified as being responsible?
The answer to this question has much to do with the previous one where there was a lack of evidence. However, our hunch is that many of these insider incidents were the result of an employee error, mistake or unintended consequences. The lost or stolen laptop from the unlocked car may fill some of this category.

Why would it be in the best legal interest of an organization to have a robust evidence collection capability supported by a sound "Policy Governance and "Legal Framework"?
  • Duty of Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
This blog has touched upon these four vital areas of vulnerability to adversarial litigation in the past because we know that whether you ask these questions internally or the state's Attorney General and the FBI ask these questions the answers must be discovered:
  1. What did you know?
  2. When did you know it?
  3. What are you doing about it?
While the number of loss events due to errors or omissions and many times due to a lack of proper training and awareness programs is growing, so are the incidents as a result of the insider threat from:
  • Fraud
  • Sabotage
  • Espionage
  • Trade Secrets Theft
The modern day enterprise with preemptive, robust and collaborative law enforcement mechanisms in place has accepted the reality of the threat perspectives in their workplace ecosystem:
  • Some individuals who make threats ultimately pose threats.
  • Many individuals who make threats do not pose threats.
  • Some individuals who pose threats never make threats.
Make sure you read those a few times. As a result of the reality that the workplace ecosystem is an evolving, dynamic and rapidly changing set of human elements, behaviors and motivations the justification for creating more "Strategic Insight" is a necessary mitigation strategy. There is a growing trend today for these enlightened organizations to create and effectively provide the resources for a corporate threat management team. This team is comprised of a spectrum of members that span the digital to physical domains within the company. This includes the Chief Risk Officer, General Counsel, Internal Audit, Public Relations, Human Resources, Corporate Security and Information Technology.

In another less formal survey by Dr. Larry Barton of 630 employers the question was raised on the employee communication channel that caused the company to act on a risk. 38% were through a digital messaging medium such as e-mail, text messages and blogs or social networking sites. The ability to monitor over one third of employee communication channels remains a daunting task to this day.

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU with effective processes and procedures that provides a push / pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "DecisionAdvantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistle blower report, catch the attacker and/or they have the evidence that you were a victim.

What side of the incident spectrum you are on, either proactive or reactive could mean the difference on whether the attackers continue their schemes and attacks while continuously targeting those with the greatest vulnerabilities. In some cases, those attackers include the plaintiff bar and your evidence of "Duty of Care" is the bulls eye.

20 November 2016

Intuition: Security in a World Without Borders...

"Technology is not going to save us.  Our computers, our tools, our machines are not enough.  We have to rely on our intuition, our true being."  --Joseph Campbell

On a crisp Fall morning, one week after the U.S. National Election we were lining up outside the Harry S. Truman Building outside the United States Department of State.  The Bureau of Diplomatic Security - Overseas Security Advisory Council was hosting it's 31st Annual Briefing.

This years briefing was focused on "Security in a World Without Borders" and as we passed through our ID check and screening, the anticipation was high.  It's private sector constituents from the Fortune Global 500 to the small U.S.-based professional services firm had one key similarity.

Leaders in attendance recognize that their business is integrated forever with a exponentially expanding system of interconnected machines.  CxO's across the globe are competing for business in the era of "The Fourth Industrial Revolution" where the vulnerabilities extend beyond the Critical Assets of the enterprise.

This years keynote address was by Richard Davis, CEO of U.S. Bancorp.  His talk was heartfelt by many as he recounted his rise from the days at the branch level securing the vault.  Now he emphasized most of his effort was focused on Operational Risk Management (ORM).  Data, Identities and Distributed Denial of Service (DDoS) were on his mind everyday now.

Beyond the threats of a Post-ISIL Levant and operating in a world of Transnational Organized Crime, the room was almost full on Day 2 for this 10:45AM panel discussion:  "Developing an Insider Threat Program" and was moderated by Elena Kim-Mitchell, ODNI.

The OSAC participants on the panel were:
  • Roccie S., Capital One | Financial
  • Stanley B., Rolls-Royce North America | Defense Industrial Base
  • Joseph L., Southern Company | Energy
Each of these experts described the high-level architecture of their respective organizations design and approach to an "Insider Threat Program" (InTP) and they had consensus on one key element.

The "Human Factor".  The point that they all wanted to insure the audience understood clearly, is that all of the analytics software, data loss prevention (DLP) tools and sophisticated technology was not going to stop a determined and motivated adversary.

So what?

Your intuitive abilities as a human shall not be ignored or discounted.  How many times have you said to yourself, "I knew something wasn't right with that person".  In fact, many times we are alerted to the anomalous behavior of a co-worker because we have the human-factors of intuition that is working 24x7 in our brains.

Gavin de Becker has said it best in his book "The Gift of Fear," yet we must not forget that behavior is something that can be applied to everyone:
  • We seek connection with others.
  • We are saddened by loss and try to avoid it.
  • We dislike rejection.
  • We like recognition and attention.
  • We will do more to avoid pain then we will do to seek pleasure.
  • We dislike ridicule and embarrassment.
  • We care what others think of us.
  • We seek a degree of control over our lives.
As our software systems learn and we begin to rely more often on the algorithms to recognize, translate and predict, we must not lose sight of our human intuition.  Do you have it?  Yes.  Are you using it more often and more effectively?  We hope you will be.

How often have we all said, the signs were there.  How many times are the clear and present indicators in the workplace being ignored?  A organizations "Duty of Care" is continuously at stake.  Human Factors alone, just as software systems alerts alone will continuously expose the enterprise to significant loss events.  Here is just one example from the Washington Post:

The Pentagon’s Defense Security Service announced this year that contractors will be required to implement programs that are designed “to detect, deter and mitigate insider threats.” Contractors will be required to designate a senior insider threat official to oversee the program and provide training on how best to implement it.

While many details of the Martin case are not yet known, it is clear that it is not good for Booz Allen to have a second employee charged with stealing secrets from one of its most important customers, officials said.

What is the solution?

Government contractors, private sector businesses and their small and medium enterprises that are within the supply chain ecosystem for products and services, are continuously challenged.  They are under the growing umbrella of a myriad of federal acquisition guidelines.

In addition, various export, civil liberties and privacy laws focused on preserving the integrity and trust of the United States in an international marketplace, are compliance mandates for your global commerce.

New solutions are required as a result of the increasing spectrum of threats from individuals in the workplace, to the cyber nexus infiltrating your trade secrets and theft of intellectual property.

The TrustDecisions “Insider Threat Program” (InTP) has been designed from the ground up with organizations operating in highly regulated “Critical Infrastructure” sectors, including Financial, Energy and the Defense Industrial Base (DIB).

Many companies have already started the establishment of an “Insider Threat Program” (InTP).  Utilizing Subject Matter Experts from TrustDecisions will provide your organization with the confidence and continuous assurance that you stay on course.

“Achieving Trust” with employees, clients and suppliers is paramount in our digital 24x7x365 economy.  Designing and adapting the InTP to your unique culture and the changing threat landscape is a vital strategy.

30 October 2016

Legal Risk: Tools for Trusted Governance...

One of the reasons that the United States has endured is because of transparency and the rule of law.  There are several key systems in place for corporations, organizations and governments to decide on the rules, publish them, enforce them and provide people with mechanisms for establishing trust in the system.  Operational Risk Management (ORM) as a discipline interfaces with many of them across the globe.

Policies that are not codified in laws are different across states and global jurisdictions.  The rules that people can rely on and have come to trust for hundreds of years, remain the foundation for our modern civil societies.  It is when the rules are ignored, under utilized or forgotten that disruption and chaos can erupt.

A key principle in modern democracies is that the rule of law is known. Statutes, regulations, court decisions, agency deliberations, and even the minutes of Federal Reserve meetings are published and made available. The operating premise is that, if the rules are accessible, civil order and social continuity will be strengthened and the conduct of those violating the rules is more easily prosecuted. The old saying that “Ignorance of the law is no excuse” rests on an important premise—the law must be published and accessible. The Internet has made much of the content of the rule of law even more accessible. Jeffrey Ritter

The country and the jurisdiction is a key component for knowing the law.  It is in the day of the Internet even more accessible.  Building and achieving trust in an organization, company enterprise or governance body has several tools at their disposal to assist them in the enforcement mechanism.  One of those is an independent panel or group of outsiders who are convened to discover evidence.

A Board of Directors is comprised of both individuals inside the company and outside to help guide the organization.  In a private company, this "Board of Directors" make decisions on the evidence of data and make informed decisions to govern the enterprise.  Some of these decisions may involve what products and services to develop or what people should be selected or released from certain duties and responsibilities.

In the public sector, there is another mechanism that can be utilized, A Grand Jury.  The Fifth Amendment to the Constitution of the United States reads, "No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury..."

A grand jury is a legal body that is empowered to conduct official proceedings to investigate potential criminal conduct and to determine whether criminal charges should be brought. A grand jury may compel the production of documents and may compel the sworn testimony of witnesses to appear before it. A grand jury is separate from the courts, which do not preside over its functioning.[1]
What is one example of a notable case where a Grand Jury was used in the process of the rule of law:
The second Watergate grand jury indicted seven lawyers in the White House, including former Attorney General John Mitchell and named President Nixon as a "secret, unindicted, co-conspirator." Despite evading impeachment, Nixon was still required to testify before a grand jury.
An environment of trust includes a vital component of transparent and accessible rules. When there is a reason to discover the truth, we look to the governance factors of those rules. Then we look at the clear evidence, the data to determine the correct course of action in our inquiry.  A Board of Directors or a Grand Jury provides guidance on whether a particular case should be referred to a legal process in a particular jurisdiction.  The rules are clear.  Trust is preserved.

What are the outcomes and benefits of effective Operational Risk Management (ORM):
  1. Reduction of operational loss.
  2. Lower compliance/auditing costs.
  3. Early detection of unlawful activities.
  4. Reduced exposure to future risks.
ORM is a continual process that when utilized effectively will provide the four benefits described.  Why any governance organization or body that it interested in transparency and building trust would ignore the process is questionable.

ORM includes legal risk.  This is why the General Counsel of private sector companies include the GC in the team that helps to effectively govern the organization.  They understand the rule of law and the requirement for transparency and factors needed to achieve integrity and trust.

Now think about your organization, your jurisdiction and the process you are utilizing to ensure more effective TrustDecisions.  What can you do different?  What will you do to make it better?  How will you provide the best use of the rules to effectively ensure the integrity and governance of the system?

Here is just one example:

Over 60 people in the U.S. and India face conspiracy and wire fraud charges in the largest crackdown against a telephone scam ever, officials said.

Callers from centers in India posed as federal agents to threaten victims with arrest, imprisonment, fines or deportation if they didn’t pay up, according to an 81-page indictment unsealed Thursday.

At least 15,000 Americans lost more than $300 million collectively during the four-year scam, according to the feds. A Texas grand jury indicted 24 people from nine U.S. states, 32 people from India and five call centers in Ahmedabad, India, earlier this month.

15 October 2016

Scrutiny: The Noun Missing From Your Culture...

The culture of your business or organization will continue to be the root cause of many of your most substantial successes.  Simultaneously, it will be one of the most significant factors in your potential downfall as a company.  Operational Risk Management (ORM) professionals at Wells Fargo and Booz Allen Hamilton, are still dissecting all of the evidence of their respective events.

"Managing Risk to Ensure Intelligence Advantage" is a theme that you may not have heard before, unless you are in the Intelligence Community.  There is one key principle that is worth emphasizing again at this point in time:
Ensure all work is subject to scrutiny.  Require conflict of interest-free peer review for all programs, projects and strategies.
This principle, that shall become pervasive across the culture of the organization, is imperative for several reasons.  The first is, that a culture really is a manifestation of the people and the behaviors that are normal in the organization.  The second is, that the culture shall strive to be a true mosaic of the best thinking and ideas from all the key stakeholders in the enterprise.  Not just one or two people from the top or a singular department.

Putting scrutiny to your work by others to review, is the beginning of new found discovery and transparency insight.  It is the foundation for building a more trusted operating environment, with as little bias as you can possibly have in a culture.  When an organization spins of out of control and becomes the latest case study on an Operational Risk failure event, you must learn from it.  Wells Fargo is just one recent example:

Some consumers may be shying away from Wells Fargo after learning that employees used customers’ information to open sham accounts, according to new figures reported by the bank.

The nation’s largest retail bank beat expectations when it reported more than $5.6 billion in profit for the past three months. But the bank’s earnings report also hinted that the Wells Fargo may have some trouble convincing people to open new accounts in the wake of the scandal.

The number of checking accounts the bank opened in September fell by 25 percent from the same time last year, the company reported Friday. Credit card applications filed during the month dropped by 20 percent from a year ago. And the number of visits customers had with branch bankers also fell by 10 percent from last year.  Washington Post

Whether you are in the international banking and finance business, the defense industrial base or any other set of critical infrastructure institutions that public citizens are counting on, there is no room for a runaway culture.  Consider this definition:

scrutiny

noun, plural scrutinies.

1. a searching examination or investigation; minute inquiry.

2. surveillance; close and continuous watching or guarding.

3. a close and searching look.

You see, the integrity and longevity of your "Trust Decisions" begins with the sharing of relevant information.  Sharing that information with your most trusted and significant partners is the start. The beginning of a dialogue with people in your culture who continuously review the information, the new strategy. This begins the ongoing process. It is now time for others to look at your idea, your strategy, your policy rule, from their perspective. From their knowledge-base. To scrutinize it. To analyze it. To make sense of it for them and those affected by it.

The truth is, you don't have all the understanding and you don't have all of the ecosystem knowledge. You don't have the entire data set, to know if the specific work you have been doing is sound and correct. That the new work you have designed, is culturally and morally acceptable. That the outcomes of your project will produce the results imagined. That the strategy and the work, is the right thing to do at this point in time.

So how do you change? It begins with your next management meeting and beyond. If you are the leader, the manager, the director, the Vice-President or the CxO start now. Ask for scrutiny on your proposed strategy. Gain new insight and understanding. Ask for feedback and changes to make it better. Your power in the culture and its impact is your greatest weakness. Your people will follow you, unless you challenge them to think differently...

09 April 2016

Trade Secrets: Gearing up for DTSA...

The Fortune Global 500 and the smallest research and development organizations in the U.S. have another ruleset to keep their eye on this week.  It is named DTSA or S.1890 - Defend Trade Secrets Act of 2016 has passed the Senate.  Operational Risk Management (ORM) is preparing for the next addition to national laws.

The attribution of cyberespionage adversaries has been gearing up since the Sony Pictures hack.  The private sector has been hunting and identifying those shadow individuals and nation state special units for years.  Now the lawyers can get more aggressive with civil actions.

The question remains, will another law deter the actions by global organized crime and the intelligence community of some significant nations?  How will attribution and more aggressive civil actions in foreign jurisdictions make a difference?

As a global organization, can you access your database of confidential trade secrets?  No different than the task of the identification of information assets that you are going to protect, you need an inventory.  What are they and where are they?  Everyone knows the formula for "Coca-cola" is written on a single piece of paper that is locked up in a vault in Atlanta, GA right?  Or is it?

There are trade secrets across America that have been stolen by operatives working inside organizations.  They may be preparing to leave the U.S. for another country outside the reach of law enforcement and the legal process for seizing the stolen property.  That is going to change soon.
The EX-Parte Seizure Order is part of the Trade Secrets bill that allows a trade secret owner to obtain an order from a judge for U.S. marshals to seize back the trade secret from the alleged bad actor without prior warning. This is to protect the trade secret owner from having the alleged bad actor skip the country or destroy the evidence before it is recaptured.
Now that Trade Secrets are in the same legal and enforcement category with patents and trademarks, you can predict that your legal budgets will need to be adjusted, upwards.  In general, what is a Trade Secret?
The subject matter of trade secrets is usually defined in broad terms and includes sales methods, distribution methods, consumer profiles, advertising strategies, lists of suppliers and clients, and manufacturing processes. While a final determination of what information constitutes a trade secret will depend on the circumstances of each individual case, clearly unfair practices in respect of secret information include industrial or commercial espionage, breach of contract and breach of confidence.
The effort to make intellectual property a "Trade Secret" is another strategy in itself. The determinations to designate something a trade secret is going to depend on the invention or the data itself. We understand. So what?
A Chinese businessman pleaded guilty Wednesday (March 23) in federal court in Los Angeles to helping two Chinese military hackers carry out a damaging series of thefts of sensitive military secrets from U.S. contractors.

The plea by Su Bin, a Chinese citizen who ran a company in Canada, marks the first time the U.S. government has won a guilty plea from someone involved with a Chinese government campaign of economic cyberespionage.

The resolution of the case comes as the Justice Department seeks the extradition from Germany of a Syrian hacker — a member of the group calling itself the Syrian Electronic Army — on charges of conspiracy to hack U.S. government agencies and U.S. media outlets.
Our adversaries are determined. They are already here. It has been documented for years. Let the next wave of legal indictments and seizures begin. One thing is certain. The "Insider Threat" is still present and your organization can do better. The ability to effectively utilize the correct combination of controls, monitoring, technology and internal corporate culture shifts will make all the difference. What are you waiting for?

20 March 2016

Vigilance: The Casualty of the Truth...

On the other end of a planned cyber threat are the motives and plans by a person.  Sometimes that person puts into play the use of a "Bot" to carry out many of their planned steps in their scheme.  Operational Risk Management (ORM) professionals have been classifying these cybercriminals for a decade or more yet even now in 2016 they are getting more formal profiles:

BAE Systems, the London-based, multinational security company, recently released profiles of “six prominent types of cybercriminals” and detailed how they could hurt companies around the globe, officials say.

Threat intelligence experts at BAE Systems have compiled a list, “The Unusual Suspects,” that has been created from “research that uncovers the motivations and methods of the most common types of cybercriminals,” according to BAE. “The intention of the campaign is to help enterprises understand the various enemies they face so they can better defend against cyberattacks.” BAE Systems officials have profiled six cybercriminal types:
  • The Mule – naive opportunists that may not even realize they work for criminal gangs to launder money;
  • The Professional – career criminals who work 9-to-5 in the digital shadows;
  • The Nation State Actor – individuals who work directly or indirectly for their government to steal sensitive information and disrupt enemies’ capabilities;
  • The Activist – motivated to change the world via questionable means;
  • The Getaway – the youthful teenager who can escape a custodial sentence due to their age;
  • And The Insider – disillusioned, blackmailed or even over-helpful employees operating from within the walls of their own company.
These individuals and groups have caused billions of dollars in losses and caused significant harm to millions of people and organizations.  Now what?

It will be many more years to come, before the laws catch-up to the technology and those who use the vector of the Internet to carry out their crimes against humanity.  Law enforcement has their hands continually tied by the laws and the geographic challenges of a global epidemic.  Governments and politicians are in constant battle over the privacy vs. security philosophy and all the legal issues.

While the wheels of Parliament, or the U.S. Congress slowly turn and the mechanisms for law enforcement become more robust for evidence collection, investigations and prosecutions, there are significant strategies of resilience that we must focus our respective vigilance.  It is not anything new per se, just a renewed emphasis and a new commitment to redesigning our digital environments.  We can do better.

For now, what if we just pick one cybercriminal type to focus on.  The "Insider".

The "Insider" is most likely in almost every formal organization today, working diligently to mask and perpetuate their goals until they are revealed.  It is your "Duty of Care" to continuously deter, detect, defend and document within your enterprise.  The "Insider" could be anyone and so how can the organization work ever more so vigilantly?

It begins at the core of the business and the culture that surrounds those principles within your company, your team or your relationship with suppliers.  The environment you build and sustain shall have the transparency and the elements necessary to sustain a culture where the "Insider" is incapable of operating.  Where the culture itself, makes the environment impossible for the "Insider" to operate without disclosure.

We would encourage Operational Risk Management (ORM) professionals to incorporate new found strategies, new management tools and a renewed effort to extinguish the "Insider" threat across the globe.  The best way we can do this today, is to work on the culture and to establish the foundations for future "Trust Decisions" within the enterprise.  The root of changing the culture and achieving the desired future environment, begins with every single decision to trust.

The journey ahead will be long and full of new found challenges.  The vision of the future and the outcomes received will soon be more apparent.  Now the real work begins to start the journey with your own organization, with each person and understanding the environment and culture you seek.  And remember:
"In war, truth is the first casualty."
Aeschylus
Greek tragic dramatist (525 BC - 456 BC)

12 March 2016

Rugged DevOps: Reengineering for our Next Generation...

The reengineering of the Internet is now underway for our next generation beyond the millennials.  The unification of corporate software development and information security teams are experiencing a deja vu and reminiscent of scenes from the 1993 movie "Groundhog Day."  Operational Risk Management (ORM) is hopeful that we are having a new resurgence of software vulnerability management thinking.  Why?

"A weather man is reluctantly sent to cover a story about a weather forecasting "rat" (as he calls it). This is his fourth year on the story, and he makes no effort to hide his frustration. On awaking the 'following' day he discovers that it's Groundhog Day again, and again, and again. First he uses this to his advantage, then comes the realization that he is doomed to spend the rest of eternity in the same place, seeing the same people do the same thing EVERY day."  --Groundhog Day

We are seeing the reunification of 1990's Software Quality Assurance (SQA) thinking, combined with the rigor of new 21st century rapid software development disciplines.  It is called "Rugged DevOps."  Application development life cycles are getting shorter these days.  That is because modern day software development life cycles are taking a more component-based approach, with the reuse of standardized software capabilities.  This makes sense, as long as the use of software quality assurance tools and services are not abandoned and new tools and processes are embraced.

Welcome to "Rugged DevOps."  This Forrester report, "The Seven Habits of Rugged DevOps" will give you more context:

Habit 1: Increase Trust And Transparency Between Dev, Sec, And Ops


Habit 2: Understand The Probability And Impact Of Specific Risks


Habit 3: Discard Detailed Security Road Maps In Favor Of Incremental Improvements


Habit 4: Use The Continuous Delivery Pipeline To Incrementally Improve Security Practices


Habit 5: Standardize Third-Party Software And Then Keep Current


Habit 6: Govern With Automated Audit Trails


Habit 7: Test Preparedness With Security Games


"Enabling Digital Trust of Global Enterprises" in the next decade will require software development organizations to embrace security and risk professionals simultaneously, on a more consistent and non-adversarial basis:
DevOps practices can only increase speed and quality up to a point without security and risk (S&R) pros' expertise. Old application security practices hinder speedy releases, and security vulnerabilities represent defects that can leave a company open to cyberattacks. But DevOps practitioners can leap forward with both increased speed and quality by including S&R pros in DevOps feedback loops and including security practices in the automated life cycle. These new practices are called rugged DevOps. This report presents the seven main principles of rugged DevOps so I&O pros and developers can break down barriers with S&R pros and achieve faster releases with stronger application security.
Chief Information Officers (CIO), Chief Privacy Officers (CPO), Chief Legal Officers (CLO), Chief Operating Officers (COO), Chief Security Officers (CSO) and maybe the Chief Executive Officers (CEO) are now paying more attention to these issues.

Here are 9.5 million more reasons why:

In 2007, a class action lawsuit was filed in the United States District Court of the Northern District of California against Facebook on behalf of 3.6 million users of Facebook concerning its “Beacon” program. KamberLaw represented the plaintiffs in this action and Cooley LLP represented Facebook. This suit was settled in 2009 and was granted final approval by the Hon. Richard Seeborg in March 2010. As part of the settlement, the parties created the Foundation (the Digital Trust Foundation) “the purpose of which shall be to fund projects and initiatives that promote the cause of online privacy, safety, and security.” The case settled for $9.5 million, with the Foundation receiving approximately $6.7 million after attorney’s fees, payments to plaintiffs, and administrative costs. There were four objectors to the settlement, two of whom appealed the approval to the Ninth Circuit Court of Appeals and subsequently the Supreme Court. But ultimately, in November 2013, the appeals were rejected and the Foundation was funded. The Foundation will distribute more than $6 million and will close its doors once all of the grants have been distributed and completed.

The corporate Board of Directors conversations about the topic of "Digital Trust" is now ongoing and the subject of new business units.  Security vs. Privacy has been a recent media frenzy between some of our technology companies and the U.S. government.  Your elected officials in the U.S. House of Representatives are also on the hot seat now, to produce new relevant legislation.  The courts are adding more privacy and data breach cases to the docket each week.  The "Digital Equilibrium Project" is being established and will hopefully include an international set of stakeholders.

Authoring the rules that everyone understands and everyone can agree on, sets the stage or playing field for the environment of competition to engage with some sense of civility.  Rules will be broken in plain sight and the referee (law enforcement, judges, courts, juries) will impose a penalty, while potentially millions of people watch live.  Is it a penalty kick or just a loss of down?

Think global.  Think at the speed of light.  Think about the trust of e-commerce transactions where millions of people rely on our computing machines every waking minute of the day.  Where Zettabytes of data are in use.  The rules on the "Digital Playing Field" are vital to our future social and economic well being.

"Rugged DevOps" is another and necessary component of a safe, private and secure Internet ecosystem.  Operational Risk Management (ORM) professionals are evermore concerned, with the root cause of our current Privacy vs. (soon to be "And") Security headlines.  Digital Trust is hard to achieve and yet easy to forfeit.  It is time for us to begin "Reengineering for our Next Generation".

07 February 2016

Trusted Enterprise: Digital Science in Business...

Digital Trust has been a cornerstone for any serious organization in our 21st century era.  The foundation for an Operational Risk Management (ORM) design, begins with the engineering science of a sound and endurable platform for "Enabling Digital Trust of Global Enterprises."
The Accenture Technology Vision 2016 verifies "Digital Trust" as one of five major trends:
As every digital advancement creates a new vector for risk, trust becomes the cornerstone of the digital economy. Without trust, digital businesses cannot use and share the data that underpins their operations. To gain the trust of individuals, ecosystems, and regulators in the digital economy, businesses must possess strong security and ethics at each stage of the customer journey. And new products and services must be ethical- and secure-by-design. Businesses that get this right will enjoy such high levels of trust that their customers will look to them as guides for the digital future.  Source:  Accenture Technology Vision 2016
The concept of data ethics as a significant component of establishing "Digital Trust" is vital.  When you introduce the concept of ethics to the dialogue on software engineering in the global enterprise, there are several key considerations.  Adding the moral governance of actions taken as a result of insights derived from the analysis of information, is also a valid vector in the design of trustworthiness for modern digital applications.  Yet this means nothing, without first understanding how humans make their decisions to trust.  How effective the entire ecosystem of "Digital Trust" becomes will always come back to the root.  Digital Ground zero.

Ground zero for "Digital Trust" is the actual "Trust Decision" itself.  The science of the "Trust Decision" elements and process has been the focus of researchers and academic study for years.  In order for us to truly understand how to achieve digital trust in business, we must first grasp the science and evidence of the core elements and root of our "TrustDecisions."  Does "Achieving Digital Trust" in the enterprise ensure that, as a business you are "Achieving a Defensible Standard of Care"?   Not necessarily.

The two concepts are mutually exclusive, yet they still have affinity for each other.  Accenture's Technology Vision, provides the enterprise with sound reasoning about how to create a path towards improving digital trust, especially as it pertains to the reputation benefits associated with the "Brand."  Adding the element of ethics, drives the consumer thinking that the business has addressed privacy requirements in terms of the legal rules and usability factors.

Incorporating the conversation in the Board Room about data ethics (collection and use) or how as an enterprise you must design-in legal controls in order to alleviate liability, requires something new.  It requires all interested parties to go back to the root.  How does the human make a decision to trust?  How does a computer make a decision to trust another computer?

The people sitting around the Board Room table are thinking about creating more wealth.  They are not asking themselves, how do computers trust other computers?  In our digital age where decisions are being made as a result of the execution of zeros and ones at light speed, someone has to be designing the trust architecture with the right people in the enterprise.  The question is now at hand, who is that person or business unit?

The answer is going to be different in each business or organization.  What is the maturity of the particular digital ecosystem and how vast is the landscape for the computing assets?  One fact that must be acknowledged early on, is that it probably does not entirely exist today.  The ideal unit of people and systems that are necessary to achieve digital trust, are currently spread out across the typical silos of a business architecture.  IT, Marketing, Legal, Info Security, Privacy perhaps.  However, the dedicated and funded "Digital Trust" team, task force or department, has yet to be established.  So what?

Continue to operate as you are.  Without the advantage of truly understanding the elements of "Trust Decisions" and how this is relevant to "Achieving a Defensible Standard of Care."  A trustworthy computing division, may have existed in the past at your organization, yet initially with another focused mission,  "Cyber Crime" intervention.  You see, the idea of trust and why it is so vital to the success of the information technology industry is not new.  Smart malware researchers and software engineers understood this at the dawn of the Internet.  So why is this any different?

Trustworthy computing in the 90's is not the same as the application of "Trust Decisions" in the year 2016 and beyond.   Especially today, with the speed of cloud computing adoption and the outsourcing of core data transactions across borders.  The international implications of privacy laws and the routing and storing of data outside of your native country, is now in play.  Negotiations by a Nation State to bypass traditional use of mutual legal assistance treaty (MLAT) is the new normal:
If U.S. and British negotiators have their way, MI5, the British domestic security service, could one day go directly to American companies such as Facebook or Google with a wiretap order for the online chats of British suspects in a counter­terrorism investigation.

The transatlantic allies have quietly begun negotiations this month on an agreement that would enable the British government to serve wiretap orders directly on U.S. communication firms for live intercepts in criminal and national security investigations involving its own citizens. Britain would also be able to serve orders to obtain stored data, such as emails.  Source:  Washington Post
The requirements have changed.  The next era of "Achieving Digital Trust" requires so much more.  It now requires standing up and providing substantial resources to the "TrustDecisions" Unit within the enterprise.  What does this mean to the future of the Trusted Enterprise?

It means that the Chief Information Officer (CIO), Chief Privacy Officer (CPO), General Counsel and Chief Information Security Officer (CISO) will be using data and Digital Science to design a new architecture for the Trusted Enterprise.  They will deliver it to the desk of the Chief Executive Officer (CEO) very soon.

17 January 2016

Duty of Care: Board of Directors OPS Risk...

The Board Rooms across America are in full tilt mode working hard on risk oversight. The Chairman of the Board (COB), is wrestling with divergent personalities and competing agendas as the organization races towards its next phase of growth.

Operational Risks are being presented from all facets of the business and the Board of Directors has a fiduciary responsibility to address them, without creating new risk in the process. Leadership is in short supply and collaboration among the entire board is dwindling. In terms of Operational Risk Management (ORM), what risk is the most dangerous to the enterprise at this point in time?

The risk that the Chairman of Board has lost their ability to forge trust and a favorable relationship with the Directors themselves becomes a significant threat. The trust and the relationship that a Chairman has with the Board of Directors is paramount. When this is no longer present, and the "Independent Directors" realize they can no longer trust the performance of the Chairman, significant risk factors begin to quickly evolve that puts the entire organization into a vulnerable state.

Once the Independent Directors see and hear or feel that the Chairman has lost credibility and respect from the Board, then it is time to act. The jeopardy of the organization is at stake and each day or week that goes by without action to change leadership, will increase the long term risk to the brand, confidence in the entire leadership and finally the people charged with making the organization compliant with all legal and ethical policies. A failure in people is an Operational Risk that far too often becomes overlooked or just plain ignored, due to the power base that may exist by the Chairman's role.

The Board of Directors are charged with the duties that involve the governance, regulatory, compliance, legal and ethical components of the organization. When any one of these starts to fail, then the faith in the entire leadership of the organization becomes a question mark. How many times do we hear the story that brought down the leaders with the words "Failure to Act"? Today and in the future, “serving on a Board of Directors means living in a fishbowl” according to Chief Justice Myron Steele of the Supreme Court of Delaware:
Once a difficult situation arises with the potential for litigation and its accompanying damage to the company’s reputation, the media will descend on the company, and directors must show 1) that they had a plan in place to deal with such situations in accordance with their oversight or compliance duties, 2) that the plan was reasonable and adequate, and 3) that the plan was followed. It is worth noting here some of the recent trends in corporation litigation. Two major categories of corporate litigation that a director might face include the traditional class actions based on breach of fiduciary duty, and derivative actions which are filed on behalf of the corporation due to wrong doing on the part of the board, either for its actions that resulted in a loss or its failure to act which also resulted in a loss through missed opportunity.
One of the major trends going on these days is to keep the Chairman separate from the CEO or President of the organization. The benefits are great especially if you have a CEO who will allow their ego to accept the other person as an ally and not competition:
In the public company arena, more and more companies are separating the Chairman of the Board position from the CEO. It turns out that this trend has benefits for earlier stage companies too. We believe that all CEOs – regardless of their experience – benefit from having a lead director on the board. In general, it has been our experience that boards (and the board meetings) work better when there is a Chairman in charge other then the CEO.
This strategy in overall Board Governance is a sound one. As a result of the "The Duty of Care" by the Board of Directors, at some stage it may require that the Chairman recommend to the Board that a CEO resign or be fired from running the day to day operations of the organization.

The Board of Directors and their behavior within the Board Room and in the functions outside in public are at stake. The governance of the Board of Directors begins with the Chairman but ends with each individual on the Board itself. If the Independent Board Director remains silent on any legal duty of the Board, they are putting all in jeopardy of a failure of the Duty of Care:
In tort law, a duty of care is a legal obligation imposed on an individual requiring that they adhere to a standard of reasonable care while performing any acts that could foreseeably harm others. It is the first element that must be established to proceed with an action in negligence. The claimant must be able to show a duty of care imposed by law which the defendant has breached. In turn, breaching a duty may subject an individual to liability. The duty of care may be imposed by operation of law between individuals with no current direct relationship (familial or contractual or otherwise), but eventually become related in some manner, as defined by common law (meaning case law).
It is the Chairman of Board who has the responsibility to keep the Independent Directors informed and aware of any persons behavior or actions that could put the entire board at risk. And even more importantly, it is the duty of each Independent Director to insure that they are constantly monitoring for any possible failure of the Duty of Care to their organization and their fellow Board Directors.

10 January 2016

Privacy Engineering: Mobile Standards for Digital Trust...

The landscape for software engineering standards within corporate organizations, is now on the radar of Operational Risk Management (ORM) experts.  What are the privacy and security related engineering design standards, that are being utilized at JP Morgan Chase, Citibank or Paypal for mobile App development?

Effective and standardized "Privacy Engineering" of mobile applications at organizations in Critical Infrastructure sectors such as Finance and Banking is just one example.  It is soon to be a greater focus of the Federal Trade Commission (FTC) and other U.S. regulators.  Why?

"Trust Decisions" are being made by consumers each day, as millions of of mobile banking customers download an application to their Android or iOS smart phones.  The consumer then has immediate exposure to the quality of the software engineering, by the UX/design and developer of the software App.  The standards being utilized by each organization for designing and engineering those Apps with privacy and security, may vary by who developed the application and for what particular operating system.

So what?  U.S. financial institutions software engineering departments and other highly regulated industries will be a continued and concentrated focus by the Federal Trade Commission (FTC).  Standards for privacy software engineering and disclosure of the rules will become even more of a critical factor.  Why?
As a result, to act within the time constraints of deadlines, the presence of fiercer competition, and the looming threat of higher lost-opportunity costs, you have no choice—you must presume the trustworthiness of the information you acquire to make decisions. Deciding now requires you to acquire the information you need from the most accessible source, with zero time to ask the important questions: “Where did this information come from? Who put this report together? Has the data been confirmed to be accurate? Who actually authored the analysis? Does this bank statement reflect all of our deposits?”

Answering these types of questions is inherent to how we make good decisions. You seek information that serves as fuel for your decision. You work hard to validate that the information can be trusted. You calculate toward your decision, constantly evaluating whether the information holds up its reliability. But in today’s 24/7/365, wired decision-making landscape, there is no time to ask those questions. Those controlling the information you need understand that pressure and require you to presume their digital information is trustworthy and reliable for making your decisions. Thus, to gain control of digital information is to succeed in imposing an enormous handicap—removing your ability to challenge its trustworthiness by asking the right questions.  Source:  Achieving Digital Trust by Jeffrey Ritter.
Is it possible to redesign mobile banking Apps, so that all Android or iOS software engineers must adhere to privacy and security engineering standards of practice?  The human-based "Trust Decisions" about whether to trust an application with personal identifiable information (PII) is currently buried in legal disclosures.  The privacy disclosures are written by lawyers, all different and in most cases never read, by the consumer prior to downloading the App.  Opt-in or Opt-out?

The future of mobile App Privacy and Security Trust engineering for consumers will be in the hands of government regulators soon and in concert with other laws associated with information security, such as the GLBA Safeguards Rule.  "Cyber Trust" indicators or other vital warning systems may be in the works.  Buyer Beware is the theme.

For years consumers have been looking at FDA Nutrition Labels and other Federal oriented tools, to provide more visible and rapidly effective disclosure.  Since the human being is making "Trust Decisions" on whether to download a software application to their computing device, they also may desire a method to quickly ascertain if the App is "Trustworthy."

Can they trust the application according to their particular appetite for risk?  What information will be shared with 3rd parties?  How will your information be used and collected while you are using or not using the application?  Here is one example of how a future warning "Privacy Label" may look before a consumer is permitted to download an application to their computing device.

What does the consumer experience today?  As one example, currently when you visit the App Store on an iOS mobile device such as the iPad, and then search for "Chase", the top choice is an App named Chase Mobile.  When you click on the "Get" button, it changes to "Install".  When you click on "Install" it prompts you to Sign In to iTunes Store.  Once you sign-in, the Chase Mobile App downloads to your device, the button then changes to "Open."

When you open the Chase Mobile App, it opens the first screen to "Log On".  There is a small "Privacy" button in the top left corner of the screen, however there is not an easy to understand Privacy Label that is visible before you actually "Log On" to Chase.  In the case of selecting the Privacy button in the upper left corner, it then reveals dozens of pages of legal documents explaining online privacy policy and U.S. consumer privacy notices.  There is however one easier to view grid, under the privacy notice that is helpful in understanding whether Chase shares personal information and whether as a consumer, you can limit this sharing.

The Critical Infrastructure sectors of the U.S. economy, that has a daily interface with consumers through mobile software Apps are now on notice.  Chief Legal Counsels, Chief Information Officers, Chief Privacy Officers and Software Engineering personnel, must address the reality of human behavior and how "Trust Decisions" impact legal risk and the ultimate perception of the corporate brand.