31 December 2016

2017: Navigating to Digital Trust...

Looking into the 2016 Operational Risk Management (ORM) rear view mirror, you may be asking yourself several questions.  How many significant losses have occurred this past year, from the failed people, processes, systems or external events in your organization?

You could be asking your team why you have yet to become the target of our adversaries also known as COZYBEAR, APT28 or APT29, CloudDuke, or even Energetic Bear.  If you don't know who these are, then you probably already are "owned" by this adversary.  It may finally be a priority, to become a participant in the "Automated Indicator Sharing" (AIS) initiative.

Where are you navigating to in 2017?

As we look across the vast landscape of our rapidly changing business and government domains, there is no turning back.  There is no ability to retreat or to acquiesce, in a world so full of continuous Operational Risk.

There is no certainty.  There is no true assurance.  There is only the ability to solve problems faster than your adversary or competition.  Some may call this resilience.

Therefore, the direction you take will forever shape your continued exposure to risks and your strategy for opportunities, that you do have control over.  It is a choice and the questions by the Board of Directors, the Plaintiff Bar or the U.S. Attorney, are not going to be the most difficult ones to answer.

In 2017, any major influential organization will be getting more transparent.  The metrics and the formulas (think mathematical algorithms) for counting and creating wealth will be further disclosed, the rules will change faster and more transparently.  Buyers and Sellers of digital content and intelligence, will increase their levels of "Digital Trust".

How will these parties, partners and participants in a vast and exponentially expanding ocean of digital rules become more trustworthy?  They will begin to better understand the DNA of their respective TrustDecisions.

The constituents of organizations, countries and ICT (Information, Communications & Technology) entities will finally realize that transparency of the rules is a vital step to trustworthiness.  Better understanding the "Rules for Composing Rules" is a place to start.  Jeffrey Ritter is the visionary on this topic:
To be part of the disruption, any business must look in two directions—toward the companies that supply digital information to them, and toward the companies with whom their own digital assets are shared. To succeed in creating wealth, and enriching the trust that exists throughout a company’s ecosystem, companies must evaluate how they can be more transparent with their information suppliers, and what levels of transparency to demand from those companies who are outbound recipients. What are the right metrics to show how data or content (like videos) are performing? How will the reporting occur? Are the economic exchanges properly balanced by the value of the data being shared?
The negotiations have been in progress for days, months and years.  The question remains; where are you navigating to in 2017 and beyond?  What resources will you require to get you to your planned destination?  How will you adapt along the way, as the environment you are operating in changes?

To survive the journey to your intended destination in 2017, will require bold new thinking.  It will be necessary to make many sacrifices along the way, to your intended destination.  On the ground, or in a virtual domain.  The solution-sets that you utilize, will require new entities (change agents) to be even more effective in solving problems that arise.

These new entities (human and digital), that will solve problems more efficiently and effectively with you, are ready now.  So what will you do next to adopt, embrace, espouse, endure, tolerate, and even endure the journey ahead?

May your exploration and travels in 2017 produce the intended outcomes.  We wish you a productive and Happy New Year!

17 December 2016

Sprint: Accelerating into the Unknown...

"If you want to go fast, go alone.  If you want to go far, go together"...
  --African Proverb
When you or your organization makes the decision to trust a market, a client, a solution and a model for business; there has already been an adaptive process.  The Operational Risks that you take as an entrepreneur, a designer, a software developer, a financier and the delivery mechanism are continuously changing.  People, Process, Systems and External Events.

You started this project to solve a large problem.  A big issue in a market or with an industry.  The "World's Most Innovative Companies" have been following a proven formula for decades.  What is their secret Intellectual Property?

In the R & D sections of the Defense Industrial Base or the Information, Communications and Technology (ICT) sector, the lights are never turned off.  The competitive world we live in requires that the proven process runs, finishes and repeats.  Then it is replicated across business units, departments and subsidiaries in other countries.

What if you are now testing new ideas to save lives or reduce potential harm to a small team or even the public at large.  What if you will be introducing your solution to a highly regulated market with a long process for government approvals?  What if the current bureaucratic overhead to accelerate your ideas prevents you from achieving the trust you require with your beneficiaries?  Answer:  You pivot to this 5 Step Process:
  • Map
  • Sketch
  • Decide
  • Prototype
  • Test
Five simple steps accomplished over the course of five days may seem easy.  It isn't.  The process for solving big problems and getting to a place where a financier is going to fund your project, is really difficult.  It requires perseverance and an insatiable desire to achieve outcomes that you and your team know can work.  That will improve the odds of survival.  Here is just one example, of a Map for a "Universal Communication Service" device problem-set:

TrustDecisions | Digital Reasoning | All Rights Reserved.
When you start the process with the Strategy, Voice of the Beneficiary, Subject Matter Experts and pieces of previous efforts by creating a "Map",  your overall risk factors start to become more apparent.  By stimulating the visual elements of the human brains capacity for creative inspiration, you begin to see all the possibilities and also the challenges ahead.

Next, you start with the target beneficiaries perspective, by starting with the end (outcomes) in mind.  A "Backwards from Perfect" process or variation that seeks to understand and answers the question, Will the beneficiaries of the solution, trust our expertise?  Will they utilize this solution?

The human imagination is endless.  Rarely does it flourish when you want it to.  So be careful to plan for the fact, that the best ideas and new breakthrough thinking will not happen in the same room with all of the stakeholders, looking at a Map or a Sketch.  It just might happen as one of the participants is in the shower on Day 3, or taking an evening walk after dinner, with a colleague on Day 4.

So what?

The questions asked and process delivered, is vital to any organization who is solving big problems.  Solving problems are only finally accomplished, when the beneficiary says so.  When the market accepts the solution or the human using the tool achieves enough trust in it, to use it again and again.  When the point in time arrives that the solution is verified and desired by enough people, then perhaps the problem has been sufficiently solved.

Until the next human decides to improve on it.  Or the next human believes there is a better way.  Or the environment that the solution was designed for, changes dramatically.  Now it may be time to get back into that room down the hall, with all the White Boards, Post-it Notes, Markers, Timers and some Healthy Snacks.

What does the unknown future look like?  At dawn, just early enough to know it is time to move forward faster than your opposition...

Begin Morning Nautical Twilight


The start of that period where, in good conditions and in the absence of other illumination, enough light is available to identify the general outlines of ground objects and conduct limited military operations. Light intensification devices are still effective and may have enhanced capabilities. At this time, the sun is 12 degrees below the eastern horizon. Also called BMNT...

11 December 2016

CIU: Corporate Intelligence Unit...

Over six years later approaching 2017, Operational Risk Management (ORM) professionals are experiencing the "New Normal."   In a 2010 CSO Magazine sponsored eCrime Digital Watch Report and survey of 535 companies there are some observations on Operational Risk Management worth examination.

This CERT report the same year was focused on the "Insider Threat" and the area of concern is still on "Digital Incidents by Insiders."  Seven years later, these numbers have only increased:
  • Past 12 months the number of incidents reported increased 16%
  • The per incident monetary loss (mean) was $394,700.00
Yet these two items are just the trend these days as our global work place becomes more mobile and stratified using more partners, offshore suppliers and other 3rd parties to accomplish the daily tasks and workloads. What is even more alarming are the following stats from the survey:
  • 72% of the incidents were handled internally without any legal action or law enforcement.
  • 29% of these incidents could not identify a subject responsible for committing a crime.
  • 35% of these incidents could not proceed due to a lack of evidence.
Interpreting these numbers prompts several questions worth discovering. First, why were 28% of the incidents handled with some form of legal action or law enforcement? One of two reasons that we can surmise. The incident was exposed to the public as a result of the magnitude or harm that was caused by the incident. The organization was prepared to capture evidence, properly investigate the incident and pursue a recovery of the loss either in a civil or criminal process of law.

Second, why were 35% of the incidents unable to proceed due to a lack of evidence? The organization may be lazy or apathetic to these loss events or may have an insurance policy that covers these types of losses and was able to successfully recover the almost $400,000.00 incident average through this process.

Or, the organization is not capable of leveraging a sound "Digital Governance" and "Legal Policy" framework in order to properly investigate incidents that come from their own internal work place ecosystem of employees, partners, suppliers and other 3rd parties.

In order to gain "Strategic Insight" into these vital Operational Risk matters within the enterprise the organization must establish an intelligence-led investigation. Once the proper evidence collection and analysis is completed on the incident then members of a corporate crisis team or threat management council can make more informed decisions. That brings us to the final question. Why in 71% of the incidents was a subject not identified as being responsible?
The answer to this question has much to do with the previous one where there was a lack of evidence. However, our hunch is that many of these insider incidents were the result of an employee error, mistake or unintended consequences. The lost or stolen laptop from the unlocked car may fill some of this category.

Why would it be in the best legal interest of an organization to have a robust evidence collection capability supported by a sound "Policy Governance and "Legal Framework"?
  • Duty of Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
This blog has touched upon these four vital areas of vulnerability to adversarial litigation in the past because we know that whether you ask these questions internally or the state's Attorney General and the FBI ask these questions the answers must be discovered:
  1. What did you know?
  2. When did you know it?
  3. What are you doing about it?
While the number of loss events due to errors or omissions and many times due to a lack of proper training and awareness programs is growing, so are the incidents as a result of the insider threat from:
  • Fraud
  • Sabotage
  • Espionage
  • Trade Secrets Theft
The modern day enterprise with preemptive, robust and collaborative law enforcement mechanisms in place has accepted the reality of the threat perspectives in their workplace ecosystem:
  • Some individuals who make threats ultimately pose threats.
  • Many individuals who make threats do not pose threats.
  • Some individuals who pose threats never make threats.
Make sure you read those a few times. As a result of the reality that the workplace ecosystem is an evolving, dynamic and rapidly changing set of human elements, behaviors and motivations the justification for creating more "Strategic Insight" is a necessary mitigation strategy. There is a growing trend today for these enlightened organizations to create and effectively provide the resources for a corporate threat management team. This team is comprised of a spectrum of members that span the digital to physical domains within the company. This includes the Chief Risk Officer, General Counsel, Internal Audit, Public Relations, Human Resources, Corporate Security and Information Technology.

In another less formal survey by Dr. Larry Barton of 630 employers the question was raised on the employee communication channel that caused the company to act on a risk. 38% were through a digital messaging medium such as e-mail, text messages and blogs or social networking sites. The ability to monitor over one third of employee communication channels remains a daunting task to this day.

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU with effective processes and procedures that provides a push / pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "DecisionAdvantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistle blower report, catch the attacker and/or they have the evidence that you were a victim.

What side of the incident spectrum you are on, either proactive or reactive could mean the difference on whether the attackers continue their schemes and attacks while continuously targeting those with the greatest vulnerabilities. In some cases, those attackers include the plaintiff bar and your evidence of "Duty of Care" is the bulls eye.