26 March 2022

Human Behavior: Witnessing Salvation…

When you accelerated through the career ranks of your organization and you achieved all of the goals and challenges in front of you for a year or two, what typically happened?

You were promoted.

Now, when you were given this new title or rank, it usually included new responsibilities, new relationships to be managed and, in some cases, a feeling of additional power within the organization.

Then what happened to your self-esteem?

This confidence and satisfaction in oneself is a valuable topic for dialogue in developing great leaders, especially when together we witness a leader whose behavior is unjustified and who abuses the power they were given.

Human behavior will not ever stop surprising us, even after we think that we have seen it all:

  1. Just when we think we have witnessed all of the good in life, we see an act of kindness and good will that we never saw before. We stand there in amazement as we watch salvation in real-time.
  2. Then there is the daily news. You read a story about an act of pure evil and you ask yourself, how could another human being actually do something like that?

Whether the truth is on the front page of the Washington Post or comes from a witness who tells the story from their first-hand experience in the room or on the front lines, how will you act? More like #1 or #2?

The actions you choose to take next, and the demonstrated evidence of your own behavior, are an indicator of your true character: of who you really are as a human being operating in your organization.

Over the course of your tenure with that logo on your business card or the patch on your shoulder, never forget your true character.

You have the opportunity to perform continuously as someone your colleagues will follow, and whom your organization is proud of each day for all of your excellent actions.

“As you build your own ‘Self-Esteem’, confidence and satisfaction with yourself, remember #1.”

Your team, or your organization as a whole, will rise together to acknowledge your kindness and empathy, and also your faithful ability to accomplish so many important milestones.

Thank you for being #1. Onward!

29 January 2022

Cyber Reality: Quest for the Digital Castle...

On this Saturday morning the prayers are silent. For family, friends and also for the subject matter experts in business and the U.S. government.

They have been waking us up again to the reality of the Operational Risks we now face to our ubiquitous digital-based economic infrastructure.

The message is clear to those insiders who have been trying to defend our "Digital Castles" against tremendous odds from these seemingly invisible threats. Is it really game over?

The short answer is yes. The current mindset should be that every major business of valuable interest in the eyes of the enemy has already been compromised, or soon will be. It is already too late. Stealthy digital code is currently waiting in the shadows of your organization's hundreds or thousands of digital assets.

Whether it is the aging Dell tower desktops still running Windows XP somewhere, or the latest Android PDA or Apple iOS devices tethered to the corporate network, does not matter. Your adversary has control of when and where to begin the attack on you and your organization.

So if this is the reality of the global state of play, in both the business world and in government, what should the risk management strategy consist of going forward? How could we ever get to a point of advantage over those who seek to do us harm?

So internally, the prudent corporate business strategy should be for your General Counsel and the CIO of your organization to be already preparing themselves for the day that they will step before the press conference microphone to disclose the material breach of the company's intellectual capital or theft of assets.

They should already know that it is just a matter of time, rather than denying that it will ever happen on their watch. If you are a Board Director and you still have not had "The Talk" with management about this stark reality, then you too are complicit in the scheme to present your stockholders and stakeholders with a false sense of confidence that you are safe and secure.

The new normal for forward-thinking organizations is already being implemented for adverse events. The Crisis Management Team has already exercised the "Data Breach" scenario numerous times.

Your General Counsel and Chief Information Officer have rehearsed and practiced their testimony under opposing and adversarial questioning of your organization's information security processes.

The company subject matter experts are more than prepared to submit evidence of their best practices, industry standards compliance and previous tests of due diligence. The stage is set for the courtroom battles ahead:

The quest for the "Digital Castle" has been going on for years. Are you awake now, or still living in a dream of denial about your state of achieving a Defensible Standard of Care…

05 December 2021

Managing Operational Risks: On the Wall at 100 Ft...

After days taking in the magnificent sights at 100+ feet below the surface off Grand Cayman Island, we were reminded how Operational Risk Management is prevalent in even remote places like this.

Take for example the mandate for using dive computers as a guest of Wall to Wall Diving. For those not initiated into scuba diving, you might not realize that "sensors" are utilized in measuring potential threats to your life from something called "The Bends", or decompression sickness.

Giles Charlton-Jones and his wife Deanna from Wall to Wall Diving use a combination of proven Operational Risk Management processes and tools to reduce the risks to their clients. They do this because their small business is no different from that of a Fortune 500 company. As the owners and primary shareholders of any organization, it is the law in most cases to provide a Duty of Care.

Decompression sickness (DCS), diver's disease, the bends, or caisson disease is the name given to a variety of symptoms suffered by a person exposed to a reduction in the pressure surrounding their body. It is a type of diving hazard.

Dive computers perform a continuous calculation of the partial pressure of gases in the body based on the actual dive profile. As the dive computer automatically measures depth and time, it reduces the need for the diver to carry a separate watch and depth gauge and is able to warn of excessive ascent rates and missed decompression stops.

Many dive computers also provide additional information to the diver, for example, the water temperature, or the pressure of the remaining breathing gas in the diving cylinder.

The key point is that these sensors, attached to each diver, help Deter and Detect potential threats associated with decompression sickness. This even includes a calculation of when it is safe again to fly on an airplane.

Like other manufacturers in the high technology systems sector, SCUBA (Self-contained Underwater Breathing Apparatus) has its own champion companies who focus on the latest tools and solutions to help you manage risks, and who plan for future threat scenarios based upon intelligence collected over years of experience.

Suunto is just one example: a Finnish company that has been developing measurement instruments and sensors for various outdoor pursuits, whether on the mountain at 20,000 ft. or underwater at 125 ft.

Weather and our Earth's environment will always play a part in the daily risks mountaineers and divers face; those who are proactive in using the correct tools can operate in a safer and more secure manner.

Yet without investment in “True Professionals” who have years of relevant training, decades of experience and brilliant intuition, all the best tools will never be quite enough.

“How often do you encounter situations where the new threat intelligence collected and the automatic warning alerts have not been enough to keep you out of harm's way?”

In a global Fortune 500 company, the Board of Directors represents the interests of shareholders, as the oversight owners of the company, in optimizing value by overseeing management performance on the shareholders' behalf.

The Board of Directors' responsibilities in performing this oversight function include a Duty of Care and a Duty of Loyalty.

A Director's Duty of Care refers to the responsibility to exercise appropriate due diligence in overseeing the management of the company, while continuously making OPS Risk decisions and performing other vital mitigation actions.

It remains refreshing to witness that even on a small island in the British West Indies, the owners/operators are true professionals who are applying the practice of “Operational Risk Management” (ORM) in their own small employee-owned business.

First, they utilize it each day because they are Professionals. Second, they do it instinctively, because they know that it can mean the difference between life and death, or predictable harm, in an organization's daily operations.

As we near the end of another year of growing risks in 2021, we say congratulations to all of you who have found the science of “Operational Risk Management”.

Thank you to all of you, who have applied your own professional services “Art”, to make our world, more safe and secure in 2022! Godspeed!

20 November 2021

Metadata: Guardians on the Front Lines...

Continuous Continuity (C2) in your particular enterprise is a priority you shall not just focus upon during our U.S. Infrastructure Security Month.

Last week here, we reviewed Ten Steps your organization can practice on a regular basis to enhance your focus on Continuous Continuity and simultaneously your overall Operational Risk Management (ORM).

Let’s circle back to a few vital areas to emphasize as we increase our production and consumption of corporate or organizational “Data”.

Of Metadata. “Data that provides information about other data”.

The details of the creation date, time and application that generated these words as they were originally written are just one small example. What about the actual platform and browser that were used:

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Screen Resolution: 1680 x 1050 (pixels)
Browser Dimensions: 1005 x 853 (pixels)
Cookie Status: Enabled

You understand that the data you can’t see on your screen, and the data you may not even care about, is present, and that the metadata is being collected by some entity somewhere.
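To make the point concrete, here is an added example (not code from the original post) that shows how much a server can recover from the single User-Agent header quoted above, and how a log reviewer would separate browser traffic from tool traffic. The sample strings are constructed for this example; the first is the one shown on the page, the others are made-up entries of the kind found in any web server log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the User-Agent string quoted in the post, plus three
# made-up entries of the kind a web server access log would contain.
SAMPLE_USER_AGENTS: List[str] = [
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/95.0.4638.69 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0",
    "curl/7.79.1",
]


@dataclass
class UserAgentInfo:
    platform: Optional[str]        # first token of the parenthesised system section
    os_version: Optional[str]      # e.g. "Mac OS X 10.15" or "Windows NT 10.0"
    client: Optional[str]          # browser or tool name
    client_version: Optional[str]
    raw: str


# Product tokens are checked in this order because Chrome-family strings also
# carry "Safari/" and Edge also carries "Chrome/"; the more specific token wins.
_CLIENT_TOKENS = (("Firefox", "Firefox"), ("Edg", "Edge"),
                  ("Chrome", "Chrome"), ("Safari", "Safari"))
_OS_RE = re.compile(r"(Mac OS X|Windows NT|Android|CrOS \w+)\s+([\d._]+)")


def parse_user_agent(ua: str) -> UserAgentInfo:
    """Pull platform, OS version and client out of a raw User-Agent header."""
    platform = os_version = client = client_version = None
    system = re.search(r"\(([^)]*)\)", ua)          # first "(...)" group
    if system:
        parts = [p.strip() for p in system.group(1).split(";") if p.strip()]
        platform = parts[0] if parts else None
        for part in parts:
            m = _OS_RE.search(part)
            if m:
                os_version = f"{m.group(1)} {m.group(2)}"
                break
    for token, name in _CLIENT_TOKENS:
        m = re.search(rf"\b{token}/([\d.]+)", ua)
        if m:
            client, client_version = name, m.group(1)
            break
    if client is None:
        # Non-browser clients such as "curl/7.79.1" have no system section at all.
        m = re.match(r"([A-Za-z][\w-]*)/([\d.]+)", ua)
        if m:
            client, client_version = m.group(1), m.group(2)
    return UserAgentInfo(platform, os_version, client, client_version, ua)


def count_by_client(user_agents: List[str]) -> Dict[str, int]:
    """Summarise which clients appear in a batch of log entries."""
    counts = Counter(parse_user_agent(ua).client or "unknown" for ua in user_agents)
    return dict(counts)


def non_browser_clients(user_agents: List[str]) -> List[str]:
    """Return the raw strings that do not identify as a mainstream browser;
    a reviewer going through access logs would look at these separately."""
    browsers = {name for _, name in _CLIENT_TOKENS}
    return [ua for ua in user_agents if parse_user_agent(ua).client not in browsers]


if __name__ == "__main__":
    for ua in SAMPLE_USER_AGENTS:
        info = parse_user_agent(ua)
        print(f"{info.client}/{info.client_version} on {info.platform} ({info.os_version})")
    print(count_by_client(SAMPLE_USER_AGENTS))
    print(non_browser_clients(SAMPLE_USER_AGENTS))
```

The parser is deliberately simple: it recovers the platform, OS version and browser family from the header, which is the metadata the post is talking about, and the two summary functions show the two things a defender actually does with that field, counting the population and pulling out anything that is not a browser.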

The amount and speed of data are now overwhelming the global digital world we live in, in the year 2021 and beyond. The question remains: So what?

If you are a seasoned General Counsel (GC) today with a Fortune 1000 organization doing business on a global basis, your Blackberry :) must be "buzzing" every few minutes. The legal risk alone being encountered will always be a factor of the number of deals, the number of employees and the growing number of countries in which you operate.

As a corporate GC of a global enterprise, you have a fiduciary responsibility to protect the enterprise from all adversaries, such as the rogue employee, the government regulator, competitors, digital hackers, nation states and all of the plaintiff class actions.

The Rule of Law in your organization is in your hands. How you transfer the "Talking Points" on ethics, compliance and legal messages to your employees, partners, suppliers and adversaries is ever more critical.

The true effectiveness of your relationship with internal partners such as your CEO, CFO, CSO, CISO and Internal/External First Responder leadership could mean the survival of the company itself.

When was the last time you as a GC took the “Ethics,” “Compliance” and “Rule of Law” program directly to your employees in face-to-face sessions?

How might you provide your employees, partners or 3rd-Party suppliers with the first hand opportunity to meet, greet and engage with the General Counsel of your particular enterprise?

By doing this, you are directly engaging with the people on the front lines, to be your "Guardians" for your company and to build trusted relationships with all of them.
Get out there.

11 September 2021

11 September 2021: What is True...

When these words found their way from pen to paper seventeen years ago today, the truth of what was written was unknown:


11 September 2004

Third Anniversary of 9/11

As We Mark The Third Anniversary of 9/11 one can imagine how the world will be in the next three years. A globe pockmarked by terrorist incidents. Russia and Malaysia are in recent headlines. How soon will the terror strike the US again? Many say before the election and only then will we have what we need to reinforce what work has already been accomplished, and will never be completed.

The people of the free world know in their hearts that the struggles of real estate and religion will continue for decades to come. Only those who are proactive, preventive and aware of the continuously changing threat will survive.

God bless us all.

Posted by Ed at 9/11/2004 10:49:00 AM


Today on this morning of 11 September 2021 at 8:46 AM, as our fellow loved ones gather around our 9/11 Memorial in the World Trade Center plaza of the former Twin Towers, the Pentagon or Shanksville and they read the names of the fallen that day, tears come to our eyes. Once Again.

For those who died that day. And for those who will have died decades afterwards.

And for all of those Americans who roll out of bed each day in our United States and Overseas, to raise our American Flag and to work until the stars are out to defend everything that it stands for.

Who we really are, as Americans, each day as we pray and every day the musical notes of “Taps” play.

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing."
--Edmund Burke

On this 9/11 day, as we remember again, each of us knows where we were when we heard and saw the news unfolding before our very eyes.

The smoke rising from the WTC in New York City, the Pentagon in Arlington, Virginia and the fields near Shanksville, Pennsylvania. What we witnessed on 11 September 2001 was pure “Evil” at work.

"How much do you let what you wish to be true stand in the way of seeing what is really true?"

Today, as these words are written, we know the truth…Never Forget!

28 August 2021

Never Forget: The Prescience of our Risks…

Historical facts and real-time data will remain an empirical reminder of our mistakes in the past, of our “Lessons Learned”. Those who study the why and the how from only our past 20 years of history will be able to adapt, can proactively improve outcomes and will, over time, increase our respective levels of resiliency.

“The 19 men who hijacked and crashed the four planes were all trained by al Qaeda. Three of the suspected pilots—Mohamed Atta, Marwan Al-Shehhi, and Ziad Jarrah—were part of an al Qaeda cell based in Hamburg, Germany. All four pilots took flying lessons in the United States.

Fifteen of the hijackers came from Saudi Arabia, two from the United Arab Emirates, one from Egypt, and one from Lebanon. The oldest was 33; the rest were between 20 and 29. The group also included two sets of brothers: Wail and Waleed Al-Shehri on American Flight 11, and Nawaf and Salem Al-Hazmi on American Flight 77. The hijackers began entering the United States in January 2000 to advance the plot. All 19 were in the country by early July 2001.”

Yet are we simply repeating the same behavior, having forgotten the lessons of the true data?

A proactive set of activities is continuously required to sense the unforeseen. We shall continue to devote our time, new resources and growing intelligence towards the heartbeat of our emotions.

The hope is that we do not lose sight of the foundations and the continuous requirements for our Operational Risk Management.

The prescience of our risks is based upon the past and the history already laid down before us. The continuous ability for you to become even more reliable, more consistent and to hedge against significant loss is in your own hands.

How might you become more resilient to the change events that still lie ahead of us:

Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. These risks are further defined as follows:
* Process risk – breakdown in established processes, failure to follow processes or inadequate process mapping within business lines.
* People risk – management failure, organizational structure or other human failures, which may be exacerbated by poor training, inadequate controls, poor staffing resources, or other factors.
* Systems risk – disruption and outright system failures in both internal and outsourced operations.
* External event risk – natural disasters, terrorism, and vandalism.

The definition includes Legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution’s activities.

How might we gain the foresight required in an evolving physical and virtual environment with:

  • More Threats.
  • More Data.
  • More Speed.
  • More Decision Makers.
  • More Competition.

We shall “Never Forget”…

21 August 2021

Always Remember: Continuous Insight After Two Decades…

After 9/11, Business Continuity got plenty of attention, yet to this day many companies remain ill-prepared for disaster. This CFO article in 2003 reinforces the reality of this fact.

Even if you have tested your Business Continuity Plan (BCP), it doesn't mean that your own organization's suppliers and partners have:

Source: Scott Leibs, CFO Magazine, September 01, 2003: "In the weeks following September 11, 2001, the New York Board of Trade (NYBOT) was praised, in these pages and elsewhere, for having invested in a disaster recovery plan that proved nearly priceless. The commodities exchange had been spending $300,000 annually for a backup facility that sat idle for years, an expense that had been questioned but that paid off: the exchange not only used the site in the days after 9/11 but continues to use the site as its de facto headquarters as it transitions to a new one in lower Manhattan this month.

That was the kind of success story that was supposed to galvanize the business-continuity market, highlighting as it did the vulnerability not only of computer systems but also of phone, power, and transportation grids. What had been seen as an issue affecting primarily a company's data center was now framed as a strategic imperative affecting every aspect of infrastructure."

Here are ten steps for consideration to Practice Continuous Continuity (C2) for Enterprise Resilience:

  1. Develop and practice a contingency plan that includes a succession plan for your executive team.
  2. Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency won't always be available.
  3. Consider creating offsite crisis meeting places for top executives and operational teams.
  4. Make sure employees—as well as executives—are involved in the exercises so that they get practice in responding to an emergency and following orders in potential chaos.
  5. Make exercises realistic enough to tap into employees' emotions so that you can see how they'll react when the situation gets stressful.
  6. Practice crisis communication with employees, customers and the outside world.
  7. Invest in an alternate means of communication in case the phone networks go down, including wireless devices.
  8. Form partnerships with local emergency response groups—firefighters, police and EMTs—to establish a good working relationship. Let them become familiar with your company and site.
  9. Evaluate your company's performance during each test, and make changes to ensure constant improvement. Continuity plans should reveal weaknesses.
  10. Regularly test your continuity plan to reveal and accommodate changes in technology, personnel and facilities, as they are in a constant state of change at any organization.

As part of the audit of your Continuous Continuity (C2), include a check-up on your most vital 3rd-party suppliers. They must be as prepared and resilient as you are. You may require that they be included in all of your scenario exercises, to make sure that you know their level of readiness...

20 March 2021

Mission Leader: Independent Resilience...

What are you and your organization working on today to become more independent?

Definition of independent

1 : not dependent: such as

   a (1) : not subject to control by others

     (2) : not affiliated with a larger controlling unit

   b (1) : not requiring or relying on something else : not contingent

The Continuous Continuity of your endeavors may well be determined by how much you rely on others for your own survival.

When you or your organization become “Interdependent” with others for resources, or for vital capabilities that ensure your survival, you are increasing your exposure to becoming even more vulnerable.

“Continuous Continuity” requires a mindset that is Proactive, is full of awareness and is consistently asking “What if?”

As a leader in your small group, in your business unit or in your local County, what are you doing today to become even more resilient?

You see, it is your symbiosis and the “Interdependencies” with others that may become your ultimate and true vulnerability to Operational Risk.

“Independent Thought Leadership” requires discipline and once you commit yourself, it means that you will now be on your way to a more resilient state of being, growing within your particular ecosystem of choice.

Where are you operating today? What is your role in the “Continuous Continuity” of your Life, your Family, your Business, your Faith and your Country?

Your future depends upon your ability to become more Resilient. How will you accomplish a strategy to assist others around you, so they also will become more independent?

What will you learn today to make you stronger, smarter or more clear in your mind about how to assist others?

How might you apply this newfound skill or knowledge to your life, so that it will ensure your own longevity and your consistent personal satisfaction?

As an independent “Mission Leader” you too will become one additional resilient component in an environment of future risks. Here is what lies ahead of you:

The 16th edition of the World Economic Forum’s Global Risks Report analyses the risks from societal fractures—manifested through persistent and emerging risks to human health, rising unemployment, widening digital divides, youth disillusionment, and geopolitical fragmentation. Businesses risk a disorderly shakeout which can exclude large cohorts of workers and companies from the markets of the future.

A “Mission Leader” then takes this knowledge onward to teach others. They apply what they have learned and accomplished, to share it with people they care about...

23 January 2021

Predictive Intelligence: Imagine the Catalyst…

“The true sign of intelligence is not knowledge but imagination.”

— Albert Einstein

When was the last time you found yourself preparing for something that has not happened yet?

Why were you thinking about it? Was it fear?

What did you fear? Was it the potential for a significant loss event? Loss or change of what?

How will you prepare in such a way that it gives you some assurance that the potential loss event will not occur? Or, if it does, that the outcomes will not be a total catastrophe:

Definition of catastrophe

  • 1 : a momentous tragic event ranging from extreme misfortune to utter overthrow or ruin.
  • 2 : utter failure.
  • 3a : a violent and sudden change in a feature of the earth.
  • 3b : a violent, usually destructive natural event (such as a supernova).
  • 4 : the final event of the dramatic action, especially of a tragedy.

How might you prepare proactively with your Team, to alleviate fear and to provide greater confidence of action?

What particular environment are you thinking about right now?

Is it Land, Sea, Air, Space or Cyberspace? Will the Catalyst for the loss event you fear begin in plain sight? Will you see it or hear it coming? Or could it be silent and invisible?

How will you know when it has started? What indicators or changes might you measure, to give you some early warning?

Your imagination has not been exercised hard enough or long enough. You will be vulnerable and you shall experience loss at some point.

Can you imagine working alongside trusted people or colleagues to imagine your fears together? Will you Understand, Decide and Act? As a team…

How might you devote a few hours per week to the people, processes, systems and external events that you fear?

Your proactive strategy will make a difference. A purposeful journey of imagination each week will increase your “Proactive and Predictive Intelligence”.

Now imagine that a person on your particular team is your Catalyst. How will you make “Trust Decisions” to imagine what they might do, or how the person will make a mistake? How could the person's actions become the genesis of a real catastrophe?

Wake up. You are vulnerable today. The proactive time and the degree of effort and resources that you devote to your own Operational Risk Management (ORM) shall make all the difference.

Between a life of trusted possibilities or one full of continuous despair…it is your choice.


19 December 2020

ITC: Managing Risk for Security Governance...

In our converging world of both Information and Physical Security, there are resilient risk elements for the effective management of Information Technology & Communications (ITC).

Think of it as “Security Governance”.

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reason. More importantly, security governance frameworks must make sure that the management of a business or government entity is held accountable for its performance.

The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A significant element that is now being mandated by the Board of Directors is the role of “Continuous Risk Management” in Security Governance.

ITC Security Governance, like Corporate Governance, requires the oversight of key individuals on the Board of Directors. In the public sector, the board of directors may come from a coalition of people from the Executive, Judicial or Legislative branches.

The fundamental responsibility of management, whether in government or the corporate enterprise, is to continuously protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to continuous Security Governance, not just an annual audit.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to continuously monitor and audit enterprise security risk management, then we are exposing precious assets to the threat actors that seek to undermine, damage or destroy our livelihood.

An organization’s top management must Identify, Assess, Decide, Implement, Audit and Supervise their strategic risks. There shall be a strategic policy at the board level to focus on managing risk for security governance.

The security governance policy should mirror the deeply felt emotions of the organization or nation, to its shareholders and citizens. It should be a positive and trusting culture, capable of making certain that strategic adverse risks are identified, removed, minimized, controlled or transferred.

An enterprise is subject to a category of risk that can’t be foreseen with any degree of certainty. These risks are based upon events that “Might Happen”, but haven’t been considered by the organization. Stakeholders can’t be expected to be told about these risks because there is not enough information to validate or invalidate them.

However, what the stakeholders can demand, is a management system for continuous Security Governance that is comprehensive, proactive and relevant. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and growing resources.

It is this Security Governance management system with which we all should be concerned, and which we seek from our executives, board members and oversight committees. There should be a top management strategic policy to focus on managing risk for continuous security governance.

This risk management system should establish the foundation for ensuring that all strategic risks are identified and effectively managed. The policy should reflect the characteristics of the organization, enterprise or entity: its location, assets and purpose. The policy should:

1. Include a framework for governance and objectives
2. Take into account the legal, regulatory and contractual obligations
3. Establish the context for maintenance of the management system
4. Establish the criteria against which risk will be evaluated and how risk assessment will be defined

A process should be established for risk assessment that takes into consideration:

  • Impact, should the risk event be realized
  • Exposure to the risk on a spectrum from rare to continuous
  • Probability based upon the current state of management controls in place

The strategic security risks that the organization encounters will be dynamic. The management system is the mechanism by which the executives identify and assess these risks and the strategy for dealing with them. It is this system which we are concerned about and which we seek to provide in order to achieve our Security Governance.

ITC Security Governance best practices are still rapidly growing and tap the thinking of various standards organizations including OECD, BSI, NIST, ISSA, BSA, ITAA, ASIS and dozens of other bodies of influence and knowledge. However, no matter what best practices an organization attempts to standardize on, beware of the attitudes of the employees and stakeholders.

Unless these stakeholders fully understand what they are being asked to do and why, rather than just following the rulebook, the system will fail.

The organization that embraces change and introduces a Security Governance framework that not only manages the foreseen human risks, but also the unforeseen, will have a greater chance of survival.

The role of culture in the risk for security governance is paramount for several reasons:

1. Any changes in risk management may require changes in the culture
2. The current culture is a dramatic influence on current and future security initiatives

Internal controls can provide reasonable assurance that an organization will meet its intended goals. At the same time, it is the people (Human Factors) who will fail the company in material errors, losses, fraud and breaches of laws and regulations.

This is why the risks the organization is facing are constantly changing and therefore why a management system for continuous security governance is necessary. The management system is there to provide resiliency to the risks it encounters and to control risk accordingly rather than eliminate it forever.

The board of directors will soon realize that managing risk for ITC Security Governance is just as important to the success and compliance of the organization as Section 404 of Sarbanes-Oxley.

In fact, without effective ITC Security Governance in place, all of the rules won’t matter and the stakeholders will again be asking themselves after a major technology failure or privacy data or intellectual property breach: how could this happen to us?

08 November 2020

Supply Chain Resiliency: Operational Risk Priorities in 2021…

Global Senior Executives are evaluating the resilience of their organizations' international supply chains and realizing the growing Operational Risks.

Why have proactive Enterprise Risk Management teams been on high alert, and how have they been working the issues over the past nine months?

The evident clues are in just one 10-Q example:

“We rely on sole direct and indirect suppliers or a limited number of direct and indirect suppliers for some or all of these components that we do not manufacture... Many of such direct and indirect component suppliers are geographically concentrated, making our supply chain more vulnerable to regional disruptions...we have experienced and continue to experience disruptions in our supply chain due to the impact of the COVID-19 pandemic.

If our direct and indirect vendors for these components are unable to meet our cost, quality, supply and transportation requirements, continue to remain financially viable or fulfill their contractual commitments and obligations, we could experience disruption in our supply chain, including shortages in supply or increases in production costs, which would materially adversely affect our results of operations.”

Inventory Management, Supply Chain Transparency and Single Source Suppliers are just a piece of a complex mosaic for many multi-million dollar U.S. businesses.

Catalyzed by Covid-19, “Operational Risk Management” (ORM) has been a mainstream focus for months, just as it is after every major catastrophic event.

Yet, when the implications of downstream impacts to our critical infrastructure sectors such as transportation, healthcare and the continuous ICT challenges become even more apparent, the Global Executive suites must go into action.

The concepts of “Supply Chain Resiliency” are well known, yet it is continuously surprising how many organizations in 2020 have been caught off guard or are finding themselves without substantial alternative strategies to remain operational.

This is a result of diminished due diligence and the absence of continuous analysis of your Tier 2 and Tier 3 suppliers. Mapping each of your key lines of business with a detailed understanding of Where, How and Who your suppliers do business with is just the beginning. What about your own actions on:

  • Increasing Inventory Levels
  • Pursuit of Diversified Suppliers
  • Finding New Suppliers with “Robust Supply Chain Resiliency”
  • Increasing Your Geographic Diversity of Suppliers

In a recent Interos Inc. report (https://www.interos.ai/resource-library/) of 450 executives surveyed in the U.S. on their “Biggest Risks”, the following results were found:

  • 76% identified COVID-19 as the biggest ongoing risk, followed by cyber threats at 44%, restricted or sanctioned entities at 36%, natural disasters at 30%, and single supplier or country concentration risks at 28%. Other risks fell below 20%.  
  • This follows roughly the same order for future risks, with 66% identifying COVID-19 as the future risk companies are preparing for, followed by cyber risks at 48%, restricted/sanctioned entities at 34%, and geopolitical events at 32% (this was the largest jump from 20% now to 32% in the future). 

If these results are even close to being a high priority, then your own “Supply Chain Resiliency” shall be a well-funded and continuously measured Business Unit within your Enterprise, in 2021 and beyond…

18 October 2020

Organizational Integrity: Leadership of Risk…

As a leader in your organization, how long have you truly demonstrated the actions you desire for those who are following you?

Countless times each day, leaders in the global race to the finish line ignore or disavow the rules or policies they enforce for their own team.

What are you demonstrating in your organization today and this week to build “Organizational Integrity”?

How are your own behaviors in the midst of your team, showing and reinforcing the actions that will build and activate a model of “Organizational Integrity”?


in·teg·ri·ty | \in-ˈte-grə-tē\

Definition of integrity

1 : firm adherence to a code of especially moral or artistic values : incorruptibility
2 : an unimpaired condition : soundness
3 : the quality or state of being complete or undivided : completeness

Why have you decided that you are more privileged than the others on your team?

Is it your personal sense of ego or power as a figure of authority that makes you feel as if the activities and rules do not apply to you, or are different than for those who are on the front lines?

They are not.  In the midst of a legal deposition or worse, the leader who is charged, explains their own behaviors.  This is now beyond the point of no return.

Even when you are behind closed doors of the “Board Room” or the “Ready Room,” are you demonstrating the same behavior and adherence to the processes, that you wish upon all those you are leading?

Leadership of your “Executive” Team or a “Squad of Specialists” in the field, requires people who truly “Walk-the-Talk” and adhere to the same standards or rules set forth for the entire organizational operations.

You already are known as a “Leader” in your area of expertise.

Yet are you known as a leader with “Integrity,” that truly demonstrates this in the middle of your operations each day?

01 August 2020

Cultural Cognition: The Velocity of our Future…

“The true sign of intelligence is not knowledge, but imagination” - Albert Einstein

In the culture that you are part of, there are Trust Decisions being made in seconds based upon rules. Yet your particular culture has also evolved over time because it attracts other people just like you.

The question is, who do you really aspire to be?

“How do you make trust decisions about people, associations, tools, or their value when the information upon which you will rely is increasingly digital and intangible?
In a global culture in which digital trust is under attack and degrading, how can you build and engender old-fashioned human trust with your customers, business partners, associates, and employees?” -Jeffrey Ritter - Achieving Digital Trust - P. 21

When you enter the realm of a culture that is constantly being recorded, digitized, captured, communicated and transferred, the behaviors and thoughts of people will be studied. They will be analyzed and they will be judged.

What are you doing today to learn and improve how you operate in a digital world?  How are you making decisions between trust, and pure risk?

Our cultures are rapidly evolving towards “Artificial Intelligence” and tool sets to assist humans in making more informed decisions, faster.  Why?

Quality and Velocity.

What made you decide to learn Mathematics?  How did you decide to become a Software Engineer?

What made you decide to learn the Law?  How did you decide to become a Lawyer?

You like rules, don't you? You have a hard time living in a world where the rules are being ignored or broken.

How fast will you be able to adapt to the change in the “Digital Ecosystems” that mankind has created on our Earth?

The truth is, you and your organizational culture are already in the midst of an “S” curve and you must now “Grow or Die”.

To improve and adapt in a world that is accelerating, and whose velocity is reaching light speed, requires new tools and mechanisms to assist us in our “Trust Decisions”.

For those cultures and situations where trust is at stake, the utilization of technological inventions will evolve and grow as the standards for evaluating the truth.

We as humans are already at a point where we are trusting digital devices and machines, more than we trust ourselves.

The Safety, Security and Velocity of the evolution of our Digital Future is at stake.

Now is the time for our cultures to recognize, question, learn and improve how we engage with our machines, our software, our Mathematics and our Law.

It is now all about our TrustDecisions

12 July 2020

Incident Response: Leadership of Security Risk Professionals...

Leadership of Security Risk Professionals (LSRP) begins with a thorough understanding of the current state of the “Organizational Pulse” of the corporation.

Global Enterprise Business Resilience does not just happen overnight, after the CEO sends out the first Crisis-based e-mail alert.

It happens because the Organizational Pulse of the respective silos of responsibility has been actively learning for years about their People, Processes, Systems and External Crisis Events.

Simultaneously, as the leaders of the Security and Risk domains within the enterprise “Ask”, “Listen”, and then “Clarify” or “Verify” vital information, the organization learns.

Global 500 public organizations, small private businesses and non-governmental organizations have true stories and cases that are considered a security risk crisis.

Confronting a crisis and incident response in one organization will be completely different at another, based upon the type of organization, number of employees, geographic locations and their senior executive process for dealing with a significant disrupting event.

The following question was asked at “Company A” and the top answers were:

What are the top five incidents/events that could cause a significant crisis within your organization?

  • Fire or Flood
  • Violent weather/damage to facility
  • Workplace violence
  • Industrial accident
  • Terrorism

"When the question was asked a different way, to a different group at the same company, the results were even more telling:"

What are five incidents/events that have caused your organization significant crisis in the last three years?

  • Counterfeit products or major disruption in the supply chain
  • Alleged ethics violation of Foreign Corrupt Practices Act (FCPA)
  • Geopolitical unrest in key overseas markets
  • Extended loss of personnel at a manufacturing plant due to COVID-19
  • Data Breach/intellectual property theft by a nation state

Senior executives charged with a “Duty of Care” in today's global enterprise require new thinking, enhanced skills and relevant solutions to improve crisis leadership.

What is your current readiness factor for the potential of environmental or natural disaster, supply chain disruption, economic espionage, ethics scandal, data breach, employee kidnapping, sabotage, terrorism, workplace violence and other legal risks?

For example, the HR recruiter is more focused on the security risk of hiring a person with a criminal record of violence and substance abuse problems. The Chief Security Officer (CSO) is more focused on the physical and information security of facilities and the Chief Operating Officer (COO) may be more focused on daily operations and securing the resilience of the supply chain.

Throughout the enterprise the functions of physical security, information security, legal and financial liability have all become specialized, and these same security risk professionals have become subject to the potential for a blindside incident.

“Leadership of Security Risk Professionals” (LSRP) is for industry practitioners to “Cross the Chasm” of crisis leadership...

18 April 2020

Single Points of Failure: Interdependencies Unknown...

Organizations such as WashingtonDCFIRST exist in our Nation's Capital to address the need for a coalition of private sector companies and people working to be proactive, not reactive.

"Defend Forward."

This requires leadership to focus on the critical interdependencies you share with your large corporate neighbor down the street or around the corner.

Do you both share the same Central Office from Verizon? Do you have the same pumping station for DC Water? Do you have a shared sub-station for power from Pepco?

If you do, then you both know some of your Single-Points-of-Failure.

While you may never be able to build walls or fences high enough, or lock the virtual gates of your ICS tightly enough, to totally protect your single points of failure, you can create an architecture that deters attacks and detects changes.

And if you do have an alert or alarm go off, then you must investigate the incident no matter how insignificant it may seem. Those organizations who believe that they are not in the bull's eye of some worthy adversary should pay attention:

  • Shape behavior - The United States must work with allies and partners to promote responsible behavior in cyberspace.
  • Deny benefits - The United States must deny benefits to adversaries who have long exploited cyberspace to their advantage, to American disadvantage, and at little cost to themselves. This new approach requires securing critical networks in collaboration with the private sector to promote national resilience and increase the security of the cyber ecosystem.
  • Impose costs - The United States must maintain the capability, capacity, and credibility needed to retaliate against actors who target America in and through cyberspace.

Your competitors and even your neighbors realize that this game is not always about eliminating threats to your own corporate assets. It's about making sure that the attackers choose a much more vulnerable target than your own...
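The supplier mapping called for in the Supply Chain Resiliency post above (Where, How and Who your Tier 2 and Tier 3 suppliers do business with) and the shared Central Office and substation question here come down to the same exercise: draw the dependency graph and search for the nodes whose loss alone takes a line of business down. The Python below is an added example, not code from the original post or from any organization named above. Every plant, supplier, utility and neighbor in it is a constructed placeholder, and the graph is assumed to be acyclic (a cycle is treated as unsatisfiable).

```python
"""Find single points of failure in a supplier / infrastructure dependency graph.

Added example: not from the original post. Every name below is a constructed
placeholder. The graph is assumed to be acyclic.
"""
from typing import Dict, List, Optional, Set

# Each node lists requirement groups. Every group must be satisfied (AND), and
# a group is satisfied by any one of its alternatives (OR). A node with no
# entry is a leaf (raw material, utility, building) that is up unless removed.
Requires = Dict[str, List[List[str]]]

# Constructed dependency map for two neighboring organizations.
REQUIRES: Requires = {
    # Our own line of business: one plant, one component.
    "LOB:Widgets": [["Plant:Austin"], ["Component:Chip"]],
    "Plant:Austin": [["Power:Substation-7"], ["Telecom:CentralOffice-A"], ["Water:Pump-3"]],
    # The component is dual-sourced at tier 1 ...
    "Component:Chip": [["T1:AcmeChips", "T1:BetaChips"]],
    # ... but both tier-1 vendors buy wafers from the same tier-2 supplier.
    "T1:AcmeChips": [["T2:WaferCo"]],
    "T1:BetaChips": [["T2:WaferCo"]],
    "T2:WaferCo": [["T3:SandMine"]],
    # The neighbor down the street, whose plant hangs off the same utilities.
    "LOB:NeighborCorp": [["Plant:Downtown"]],
    "Plant:Downtown": [["Power:Substation-7"], ["Telecom:CentralOffice-A"], ["Water:Pump-9"]],
}


def reachable(root: str, requires: Requires) -> Set[str]:
    """All nodes the root transitively depends on (including the root)."""
    seen: Set[str] = set()
    stack = [root]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for group in requires.get(node, []):
            stack.extend(group)
    return seen


def is_operational(node: str, removed: Set[str], requires: Requires,
                   _visiting: Optional[Set[str]] = None) -> bool:
    """True if the node still functions with the given nodes removed."""
    if _visiting is None:
        _visiting = set()
    if node in removed or node in _visiting:   # removed, or a cycle: unsatisfiable
        return False
    _visiting.add(node)
    try:
        return all(
            any(is_operational(alt, removed, requires, _visiting) for alt in group)
            for group in requires.get(node, [])
        )
    finally:
        _visiting.discard(node)


def single_points_of_failure(root: str, requires: Requires) -> Set[str]:
    """Nodes whose removal, on its own, stops the root from operating."""
    return {
        node for node in reachable(root, requires) - {root}
        if not is_operational(root, {node}, requires)
    }


def shared_single_points(roots: List[str], requires: Requires) -> Set[str]:
    """Single points of failure common to every listed line of business."""
    per_root = [single_points_of_failure(r, requires) for r in roots]
    return set.intersection(*per_root) if per_root else set()


if __name__ == "__main__":
    for lob in ("LOB:Widgets", "LOB:NeighborCorp"):
        print(lob, "->", sorted(single_points_of_failure(lob, REQUIRES)))
    print("shared with neighbor:",
          sorted(shared_single_points(["LOB:Widgets", "LOB:NeighborCorp"], REQUIRES)))
```

Dual-sourcing at tier 1 looks like diversity on the supplier list, yet the search surfaces the one tier-2 wafer supplier both vendors depend on, along with the two utilities that you and the neighbor ride on together. Running it against a real supplier map is only as good as the map: the Tier 2 and Tier 3 edges are exactly the ones most organizations have never collected.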

07 March 2020

Scenario Vs. Resource Planning: All Hazards...

"Strive not to be a success, but rather to be of value" --Albert Einstein

This article by Saul Midler on Scenario Planning Vs. Resource Planning recently caught our eye and for a good reason. The link between Corporate Risk Management and Operational Risk Management is Business Continuity Management. Brilliant!

More importantly as he indicates:

"The danger of undertaking an operational risk assessment before the BIA / RDA activity is that a business case may be built to remediate the biggest operational risk without realising that impact or the consequence is low. This is essentially defining a solution before identifying a problem.

Think about 9/11 where 320 companies FAILED to return to business, 2800 workers DIED and 135,000 workers lost their jobs. By contrast a number of organizations did recover and continued operations. These include:

• Cantor Fitzgerald who lost 658 staff and resumed operations two days later;
• Marsh & McLennan with 3,200 staff over 8 floors;
• Morgan Stanley with 3,500 staff over 17 floors;
• NY Port Authority with 2,000 staff over 23 floors.

New school thinking saved these organizations. No one could possibly have thought of the scenario that two airplanes could cause structural integrity failure of both World Trade Centre skyscrapers resulting in the collapse and complete destruction of the precinct. The businesses that did survive did so because they adopted a resource loss philosophy that included office facilities, technology systems and, of course, staff.

While the scenario of airplanes being used as weapons of mass destruction is not a new concept for planning purposes, (in fact it was hypothesized long before 9/11) the fact is that organizations today have adopted an "All-Hazards" mind set. As a result of the new worldview, "Business Continuity Management" as previously mentioned, has provided a much needed conduit between Corporate Risk and Ops Risk."

What does this "All-Hazards" mentality mean for the cure to unplanned disruptions or untested scenarios? It means that you move to the proactive side of the line and away from the reactive mode that so many organizations are still coping with. The old "It will never happen to us" syndrome.

Global 500 public organizations, small private businesses and non-governmental organizations have true stories and cases that are considered a security risk crisis. Confronting a crisis in one organization will be completely different at another, based upon the type of organization, number of employees, geographic locations and their senior executive process for dealing with a significant disrupting event.

The following question was asked at “Company A” and the top answers were:

What are the top five incidents/events that could cause a significant crisis within your organization?

  • Fire or Flood
  • Violent weather/damage to facility
  • Workplace violence
  • Industrial accident
  • Terrorism

"When the question was asked a different way, to a different group at the same company, the results were even more telling:"

What are five incidents/events that have caused your organization significant crisis in the last three years?

  • Counterfeit products or major disruption in the supply chain
  • Alleged ethics violation of Foreign Corrupt Practices Act (FCPA)
  • Geopolitical unrest in key overseas markets
  • Extended loss of electricity at a manufacturing plant
  • Data Breach/intellectual property theft by a nation state

The company is a multinational manufacturer of communications components. Senior executives charged with a “Duty of Care” in today's global enterprise require new thinking, enhanced skills and relevant solutions to improve crisis leadership.

What is your current readiness factor for the potential of environmental or natural disaster, supply chain disruption, economic espionage, ethics scandal, data breach, employee kidnapping, sabotage, terrorism, workplace violence and other legal risks?

Throughout the enterprise the functions of physical security, information security, legal and financial liability have all become specialized, and these same security risk professionals have become subject to the potential for a blindside incident.

For example, the HR recruiter is more focused on the security risk of hiring a person with a criminal record of violence and substance abuse problems.

The Chief Security Officer (CSO) is more focused on the physical and information security of facilities and the Chief Operating Officer (COO) may be more focused on daily operations and securing the resilience of the supply chain.

How will you provide your senior executives with the knowledge, skills and strategic solutions that enable global enterprise business resilience for years to come? Leadership of Security Risk Professionals...

08 February 2020

Business Risk: Grow or Die...

In a previous issue of Corporate Board Member magazine, a PwC survey asked:

Has your board discussed what to do if the company is hit by a major Crisis?

  • No - 51%
  • Yes - 41%
  • Not Sure - 8%

What is the definition of "Crisis" in the mind's eye of the Board of Directors today?

n. pl. cri·ses (-sēz)

1. A crucial or decisive point or situation; a turning point.

2. An unstable condition, as in political, social, or economic affairs, involving an impending abrupt or decisive change.

3. A sudden change in the course of a disease or fever, toward either improvement or deterioration.

4. An emotionally stressful event or traumatic change in a person's life.

5. A point in a story or drama when a conflict reaches its highest tension and must be resolved.

How can these numbers be correct? Why don't these results make sense?

It does seem almost impossible that just over half of those surveyed said that they have not discussed what their company would do in the event of a crisis.

In light of the latest corporate governance and catastrophic events, any board member who would answer no is either not attending the meetings or is so new to the board that they haven't been part of the conversations yet.

The PwC survey of 1,103 responding directors illustrates many of the risk management issues that are taking up much of the shareholders' time.

They also indicate where they wish they were spending more time, as 59% hoped they could be doing more "Strategic Planning."

Is there a correlation between those who have not been part of discussions of crisis management and the wish to focus more on strategy?  We hope there is.

Our experience is that corporate management and the board need a 3rd party facilitating the mechanisms for change and towards the "Big Picture" of the future.

If management sees the board as an overzealous parent and not working on behalf of the shareholders the tension increases.

Once the board and corporate management have found a "strategic facilitator" to guide them towards a model of "Enterprise Architecture" everything becomes crystal clear.

The factions now see the blueprint for change and the path to implement the strategy and the tactics to achieve it.

The Importance Of Leadership In Uncertain Times

In an age of global unrest, strength and courage at the helm are more important than ever. As a director, it's your job to ensure your CEO has what it takes.

At the end of the day, the deliverable is to continually grow and whenever that significant crisis or "Breakpoint" occurs, the engineered resilience of the business enables its survival and the next phase of growth to begin...

11 January 2020

Davos 2020: Culture in a Complex, Interdependent World...

"No institution or individual alone can address the economic, environmental, social and technological challenges of a complex, interdependent world"...

In 9 days, leaders on the planet Earth will be converging on Davos, Switzerland for the World Economic Forum Annual Meeting. What will this year's pressing themes tell us about what is on the minds of Presidents, CEOs, Managing Directors, Chief Information Security Officers, Chief Risk Officers, Generals, Secretaries and Activists?

Davos 2020 will be focused on the following four themes:

1. How to address the urgent climate and environmental challenges that are harming our ecology and economy.

2. How to transform industries to achieve more sustainable and inclusive business models as new political, economic and societal priorities change trade and consumption patterns.

3. How to govern the technologies driving the Fourth Industrial Revolution so they benefit business and society while minimizing their risks to them.

4. How to adapt to the demographic, social and technological trends reshaping education, employment and entrepreneurship.

If you only could pick one of these four very important issues facing our global societies, which would you feel you have the most ability to impact, with your own organization?

Got it?  Now, think about how your organization will change, in order to make a greater difference in that particular theme you have selected.

The culture in your organization is going to be the difference between your ability to succeed, or to be soon facing failure.  As a leader, how will you continuously adapt to your human culture, just as Davos is addressing our interdependent world?

How might you change the way you are "Visible" to your stakeholders?  Why are you the one they "Trust", to achieve organizational objectives?

You see, you are not as visible as you think you are.  You are not as trusted as you think you are.

Your organization needs you to step out and really show them who you are. They need to see, hear and read about the collective mission, their respective purpose for being present today.

Culture.  As a leader, it is all on you...

15 September 2019

Never Forget: Beyond 9/11 & Adapting Inside the Enterprise...

"Being a patriot doesn't mean prioritizing service to government above all else.  Being a patriot means knowing when to protect your country, knowing when to protect your Constitution, knowing when to protect your countrymen, from the violations of and encroachments of adversaries.  And those adversaries don't have to be foreign countries."  Ed Snowden

One could wonder whether even just one of the individuals working with your organization internally or externally has the same or a similar mindset as "Ed". The question is, what are you doing as an Operational Risk Management (ORM) leader to be legally proactive in your "Insider Threat" approach with employees, partners and your extended supply chain?

The adversary working with you inside your company, agency or partner doesn't always start out to bring loss events to your enterprise. It could take years, or months, to develop a real justification in the adversary's mind, yet even when the activities and behaviors are evident, they are all too often missed, never understood or noticed just too late to interrupt:

The National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF) are today partnering with federal agencies across the government to launch “National Insider Threat Awareness Month” during September 2019. Throughout September, the Office of the Director of National Intelligence, the Department of Defense, the FBI, the Department of Homeland Security, the Department of State and other federal agencies will be holding events to emphasize the importance of safeguarding our nation from insider threats and to share best practices for mitigating those risks.

How could you and your organization improve and adapt your current practices to raise the bar of excellence? What can you do each day to make the quality and the results of your programs even better?

First, begin to understand the process by which events can trigger new behaviors through an individual's perceived stressors and lack of personal control. Second, expand your proactive organizational toolkit to include proven technologies such as the sentiment analysis already used for marketing purposes.

These same tools, with the proper legal oversight and "Acceptable Use Policy", can be effective in your early warning systems. Enterprise Risk Management also incorporates oversight and protections for privacy and civil liberties.

Here are five steps to be proactive at your organization in the U.S. this month of September 2019:

  • Create, refine and share your organization's "Insider Threat Program" (InTP) vision.
  • Educate, clarify and communicate the authorities, roles and policies of the program.
  • Validate tools, models and sources of information.
  • Plan ahead for the utilization of automated tools and human behaviors observed.
  • Seek better solutions to a continuously changing enterprise & supply chain environment.

Never Forget. We have all heard the thought "Never Forget," when it comes to our recent anniversary of 9/11. Yet we must simultaneously remember that our adversary may be hiding in plain sight...

22 June 2019

Cyber Risk: Human Factors vs. Automation...

Operational Risk Management (ORM) is a growing multi-faceted mosaic comprised of people, processes, systems and external events. The risks to the enterprise are increasing at a dynamic speed and trajectory that requires the use of automated tools.

This is where risk to the enterprise may actually expand as executives and operational management rely on software to provide information assurance. The design and architecture of software needs a human-based fail-safe. It requires a human interface that allows and simultaneously requires human intervention. Has too much automation contributed to our increased levels of vulnerability?

Fortunately, the software designs have allowed for these opportunities and for a human-factor to ask "What if" questions. Those questions that may arise after an automated alert from the system tells us that something is outside the baseline parameters set for the system, the sensor or the alarm.

Now we go back to Operational Risk and the nature of thinking from a security and safety perspective. What is the continued reliance on automated systems doing to the human capital who have been charged with the overall "Standard of Care" for the enterprise?

We believe that they may have lost the ability to ask the right questions, at the right moment and with the correct contextual understanding.

What is the truth? Is it true? What evidence do we have that this is true? How do you know that the evidence is not spoiled or compromised? If we know the truth, then what do we do next? Is the software really telling us the truth?

The security and the safety of the enterprise is counting on you. And more importantly, the enterprise is asking you to question the software. The "rule-sets" that you have chosen as a result of the programmers' and architects' decisions can no longer be trusted.

Is our system learning? In what capacity is the system learning in context with the human interaction for judgement, intuition and ethical emotions? Are you with us? The next generation of "Cyber Security" Innovators are now at the edge of significant new breakthroughs and solutions.

"Active Defense" has been and is a controversial topic du jour, yet the next few years will be a new age of understanding, cultural bifurcations and significant global collaboration.

Our entire platform of digital trust is at stake and the conversation has finally made its way to the nation state policy levels.

Operational Risk Management (ORM) will remain a key factor in decision points for the enterprise, the consumer and the operators of critical infrastructure across the globe.

Let's work on keeping the human factor in the loop as automation continues to give us a false sense of security and safety...

08 June 2019

New Vision: Security Operations Center and CIU...

Flashback to over 8 years ago, when there was a convergence of thinking in the industry about the topic of a "Defensible Standard of Care".

The key Operational Risk Management news from the 2011 RSA Conference was coming in, yet there were inside sources who still needed to be interviewed. What did they think was the most brilliant presentation or idea(s) presented?

This particular release caught some eyes as it addressed much of the thinking on the latest evolution of the Security Operations Center (SOC).  How much of this is still relevant today:

New Vision for Security Operations: Six Core Elements
The vision includes six core elements and prescriptive guidance for how to incorporate these elements into existing security operations. These elements include:
  • Risk planning: The new SOC will take a more information-centric approach to security risk planning and invest in understanding which organizational assets are highly valuable and essential to protect. With priorities based on GRC policies, security teams need to conduct risk assessments that focus on the “crown jewels” of the enterprise.
  • Attack modeling: Understanding attack modeling in a complex environment requires determining which systems, people and processes have access to valuable information. Once the threat surface is modeled, organizations can then determine potential attack vectors and examine defense steps to isolate compromised access points efficiently and quickly. RSA® Laboratories has developed theoretical models based on known APT techniques and employed game theory principles to identify the most efficient means of severing an attack path and optimize defense costs.
  • Virtualized environments: Virtualization will be a core capability of tomorrow's SOC – delivering a range of security benefits. For example, organizations can "sandbox" e-mail, attachments and URLs suspected of harboring malware. Anything suspicious can be launched in an isolated hypervisor and the virtual machine can be cut off from the rest of the system.
  • Self-learning, predictive analysis: To remain relevant in tomorrow's IT environment, a SOC will need to truly integrate compliance monitoring and risk management. The system should continually monitor the environment to identify typical states which can then be applied to identify problematic patterns early. Statistic-based predictive modeling will be able to help correlate various alerts. Developing such a system will require real-time behavior analysis innovations, although some of these elements are available today.
  • Automated, risk-based decision systems: A key differentiator of a more intelligent SOC will be its ability to assess risks instantly and vary responses accordingly. Similar to risk-based authentication, the SOC will employ predictive analytics to find high-risk events and then automatically initiate remediation activities. The prospect of dynamic topology is one of the most exciting areas of this type of systems automation for the cloud. To implement an APT, an attacker must understand network mapping and be able to model it. In response to this, organizations can remap their entire network infrastructure to disrupt an attacker's reconnaissance efforts. This is akin to physically rearranging a city at frequent intervals, and the entire process can be automated so that links between systems stay intact and dependencies are handled without human intervention.
  • Continual improvement through forensic analyses and community learning: Although forensic analysis can be resource-intensive, it is an imperative element of a SOC and key to mitigating the impact of subsequent attacks. Virtualized environments can provide snapshots of the IT environment at the time of the security event providing useful information if detection of the attack was delayed. Having a way to share information about attack patterns will be the future of the SOC. This concept should be embraced in order to exchange threat information within respective industries and better predict the path of the APT and thereby determine countermeasures.
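The following is an added example, not code from the RSA report or this blog, showing how three of the elements above fit together in practice: a crown-jewel register (risk planning), a baseline of "typical states" learned from history (self-learning analysis), and an automated, risk-tiered response. All asset names, event counts and thresholds are constructed for illustration.

```python
"""Toy risk-based alert triage: criticality x anomaly -> automated response tier."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed crown-jewel register: asset -> criticality weight (1 = low, 5 = highest)
ASSET_CRITICALITY = {"payroll-db": 5, "hr-fileshare": 3, "kiosk-01": 1}

# Constructed history: failed-login counts per host over past monitoring windows
HISTORY = {
    "payroll-db": [2, 3, 2, 3, 2, 3],
    "hr-fileshare": [5, 5, 5, 5],
    "kiosk-01": [10, 20, 10, 20],
}


@dataclass
class Event:
    host: str
    failed_logins: int  # count observed in the current window (constructed)


# Constructed events for the current window, including a host never seen before
EVENTS = [
    Event("payroll-db", 6),
    Event("hr-fileshare", 5),
    Event("hr-fileshare", 6),
    Event("kiosk-01", 20),
    Event("new-vm", 1),
]


def learn_baseline(history):
    """Learn each host's typical state as (mean, population stddev) of its history."""
    return {host: (mean(counts), pstdev(counts)) for host, counts in history.items()}


def anomaly_score(event, baseline):
    """Positive z-score of the new count against the learned baseline.
    Hosts with no baseline are treated as highly anomalous (fixed score 3.0)."""
    if event.host not in baseline:
        return 3.0
    mu, sigma = baseline[event.host]
    if sigma == 0:  # perfectly stable history: any increase is a full anomaly
        return 0.0 if event.failed_logins <= mu else 3.0
    return max(0.0, (event.failed_logins - mu) / sigma)


def risk_score(event, baseline):
    """Risk = asset criticality x anomaly; unknown assets assume criticality 2."""
    return ASSET_CRITICALITY.get(event.host, 2) * anomaly_score(event, baseline)


def decide_response(score):
    """Map the risk score to an automated response tier (thresholds constructed)."""
    if score >= 10:
        return "isolate-host-and-page-analyst"
    if score >= 4:
        return "step-up-auth-and-open-ticket"
    return "log-only"


def triage(events, history):
    """Return (host, risk score, response) for each event in the current window."""
    baseline = learn_baseline(history)
    rows = []
    for e in events:
        score = round(risk_score(e, baseline), 2)
        rows.append((e.host, score, decide_response(score)))
    return rows


if __name__ == "__main__":
    for row in triage(EVENTS, HISTORY):
        print(row)
```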
The evolution of the SOC in your enterprise may start in some unconventional places. Who is it in your organization that is responsible for the loss of corporate assets?

Who in your company is the one who determines what items are counted as losses to the bottom line?

Who does the enterprise look to when the crisis hits and people are looking for answers in minutes, not hours, or days?

Who picks up the phone to answer the call from the local FBI Field Office?

These may not be the people you think of in the CIO's office or IT department. These people however need to be part of the combined Security Operations Center solution in the company.

The Advanced Persistent Threat (APT) now requires the intersection of prudent strategy from the business leadership, the accounting or finance leadership and the risk management leadership.

If the CIO is looked upon as the key executive running a "Utility" inside the enterprise, think again.

This blog has discussed the "Corporate Intelligence Unit" in years past:

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU. It includes effective processes and procedures that provide a push/pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners, increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "DecisionAdvantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistleblower report, catch the attacker and/or have the evidence that you were a victim.
How your organization pulls together the right people to staff and operate your "CIU" is going to depend on your culture, funding and current state of the threat.
It has been a month since the City of Baltimore's networks were brought to a standstill by ransomware. On Tuesday, Mayor Bernard "Jack" Young and his cabinet briefed press on the status of the cleanup, which the city's director of finance has estimated will cost Baltimore $10 million—not including $8 million lost because of deferred or lost revenue while the city was unable to process payments. The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds.
Here is another thought. A thorough review of the current funding, staffing and strategy of a SOC or CIU in the enterprise, may even become a priority at the next "Board of Directors" meeting.

04 May 2019

Neurodiversity: Leveraging the Capital of the 4th Industrial Revolution...

"Grasping the opportunities and managing the challenges of the Fourth Industrial Revolution require a thriving civil society deeply engaged with the development, use, and governance of emerging technologies. However, how have organizations in civil society been responding to the opportunities and challenges of digital and emerging technologies in society? What is the role of civil society in using these new powerful tools or responding to Fourth Industrial Revolution challenges to accountability, transparency, and fairness?"  World Economic Forum

Is automation the current answer to all of our problems?  When will the research tell us the true impact of too much "Screen-Time" on our brains?  What will be the next terror incident in our society, that is "broadcast live" over the Internet?

These questions and more, are on the minds of community leaders in government, the R&D scientists and also the Chief Operational Risk Officer of your organization.

Our cultures, innovators and tools are on a major collision course, that will prove to be more challenging than we could ever have anticipated.  Even those working in the early days of the IBM Watson project, would probably tell you of their fears of the future.

Yet our youth across the globe, are being submerged in technology and software interfaces so early in life, that they may not learn how to think or work in manual/analog mode.  They will only have the creativity to code or to automate with software, unaware that history may have accomplished some of the same tasks without software, hundreds of years ago.

How might the older generations teach the younger generations about the way it used to be done?  Why would we even try to do this in a more manual method or process?  To provide context and generate cognitive creativity.

The truth is, that educators believe that innovation of technologies is driving their curriculum and our communities own economic development.  The impacts of automation and technology are being continuously researched in the wave of change known as the "Fourth Industrial Revolution".

These trends have significant risk implications on our workforce and the future opportunities of the vocational education and training of our future force.  This is clearly evident across our communities, business entities, military service and government policy.

The rapid adoption of digital innovation has impacted the requirements of certain knowledge workers to be more versatile.  They must be more adaptive, collaborative and have expanded skill-based capabilities for problem-solving.

Do not underestimate the importance of the soft skills and people skills for continuous development and reducing risk.  Simultaneously, we must understand the impact of advanced technologies on our workforce and the real opportunities in leveraging our neurodiversity assets.

How might we better understand the diagnostics of our own human capital, to leverage and apply the right people, with the correct technology, in the most compatible job?

What is your business, military branch or government agency doing today to cross-train and educate your employees?

When was the last time you put your STEM engineering group, through a soft-skills course on communications?  How might your business development team, become immersed in the new design for a next generation digital tool?

So what?

The Operational Risk before you is all about people and your evolving human capital.  When was the last time your Board of Directors contemplated the interaction with your Human Resources department and the workforce recruitment processes?

When was the training of new hired employees and even employees with 1, 3 and 5 years or more of tenure focused on new soft-skills?  New skills and techniques for Collaborative Dialogue, Negotiation or Management Coaching?

The human capital risks in your organization are changing rapidly and they are not always about automation and disruptive technologies.

The greatest risk to you and our society is your management's failure to recognize and apply what you have learned about your people...

23 February 2019

OPS Risk: Military Lesson for Wall Street...

 "There is no avoiding the realities of the information age.  Its effects manifest differently in different sectors, but the drivers of speed and interdependence will impact us all.  Organizations that continue to use 20th-century tools in today's complex environment do so at their own peril."  Stanley A. McChrystal
"Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it's digital cameras or satellites or just what you click on, we need to have more explicit rules - not just for governments but for private companies."  Bill Gates (https://www.brainyquote.com/quotes/bill_gates_626047?src=t_privacy)
Almost ten years ago, Air Force Brig. Gen. Mark W. Graper, the 354th Fighter Wing commander at Eielson Air Force Base, Alaska, captured the essence of Operational Risk Management.

Corporate Executives and mid-level management should have this made into a poster for their office and hanging in every hallway:
"Summer is just around the corner, and many of us are planning for our favorite warm weather activities - fishing, hunting, hiking, motorcycling, camping and more. All of our summer plans can be fun if we keep in mind the basics of operational risk management: Accept risk when benefits outweigh the cost; accept no unnecessary risk; anticipate and manage risk by planning; make risk decisions at the right level; assess and mitigate risk. Stated more simply, have a (prudent) plan, have a backup plan and have a Wingman."
Whether you are focused on the safety and security of your personnel, the integrity and confidentiality of your information or the continuity of your business operations, consider this.

Effective "Operational Risk Management" will improve your organization's resilience factor.

The brilliance of Brig. Gen. Graper's emphasis on this subject away from the flight line or "The Office" is his understanding that most of us become more complacent the minute we hit the parking lot.

You see, OPS Risk is not just something being advocated in the Wall Street workplace. It should be just as pervasive at home or in our own leisure activities. Whether you are climbing "Denali" or entertaining friends around the backyard pool, you have to be continuously in OPS Risk mode, or it could bring harm to life, limb or your own reputation.

Operational Risk includes the risk of litigation, and there is one item you can be certain is a threat to your corporate integrity: the employees, partners and suppliers of your organization.

What most organizations the size and complexity of Facebook underestimate is the speed of change and the socially "connected" market economy. The blur of business, combined with "Holistic Blindness" to which privacy risks are a threat today or this week, can bring an enterprise to its knees and then to its ultimate demise.

"Facebook Inc. (FB) and the Federal Trade Commission currently are negotiating details of a settlement related to the Cambridge Analytica scandal, the Washington Post reported, citing people familiar with the matter.

The penalty imposed by the FTC likely would be a multi-billion dollar fine, which would easily be the largest fine ever issued to a tech company by the FTC. In 2012, Alphabet Inc.'s (GOOGL) Google was fined $22.5 million by the agency for user privacy offenses.

The two sides are still negotiating the amount of the fine. If no agreement is reached, the FTC could take the issue to court, according to the Washington Post.

Facebook's privacy issues date back to 2012. Facebook settled a case with the FTC in August 2012, when the two parties reached an agreement that "Facebook must obtain consumers' consent before sharing their information beyond established privacy settings," according to a press release from the FTC published at the time the deal was made.

Facebook's privacy issues continued last March when news broke that Cambridge Analytica, a political research company, had harvested user data beyond what was acceptable. It later became evident that Facebook likely was aware of Cambridge's actions on the platform"

Whether it's collecting user data to sell to your supply chain or keeping your F-22 Raptor in the air to defeat hostiles, OPS Risk is the differentiator. Your survival depends on it...

26 January 2019

Davos 2019: A War on Trust...

As the World Economic Forum Annual Meeting comes to a close in Switzerland, "Trust Decisions" are on our mind.
"The corporate, political and cultural elite gathered in Davos are expressing worries about a disturbing trend: The erosion of public trust in institutions and companies.

World Economic Forum attendees said the lack of faith in everything from governments to social media platforms is hampering innovation and contributing to widening inequality."

Over five years ago the new rules for business and the Net were in plain sight.  They were articulated in a way that most business owners, CEOs of global enterprises and even our politicians could understand.

Yet at this year's Annual Meeting, trust is becoming a buzzword in the panel discussions and around the dinner tables in Davos.  How might the institutions attending the World Economic Forum strive to build a planet where "Achieving Digital Trust" is the basis for starting a business or at ground zero of creating a new product?

In 2015, Jeffrey Ritter published his book:

"In reading this book, you will explore and acquire an entirely new portfolio of tools and strategies to help shift the momentum of that war. As in any combat or battle, to succeed, it is essential for you to understand what is at stake. What we are facing is more than a war to control information. It is a war on our ability to trust information. Yes, a war on trust." Achieving Digital Trust by Jeffrey Ritter

To presume the trustworthiness of information is now a continuous question. GDPR and other forward leaning regulations are beginning to shape the way we design our systems.

So what?

How will those citizens and consumers that are devouring information from that electronic photography and RF device in the palm of their hand, think differently in the next few years?

How will the designers and engineers of Samsung, Apple, IBM, Amazon, Google, Facebook and others architect their new software and solutions with trust embedded in all that they produce?

When will our citizens understand that not selling your data, does not actually mean that your data has not been given away for free?

The future of our institutions, governments, products and relationships must be built on trust.  As you sit across the table from your editor, your CEO, your elected official or your senior software engineer you must ask the question, how will we achieve digital trust?

What if there was a Green, Yellow, or Red banner across the top of the display screen, as a quick identifier whether the information being delivered and displayed was in compliance with the new "World Digital Trust Standard"?

Yet we know that "Green Padlocks" in front of our URL and the "Privacy Essentials" grade in the top of our browser, just isn't enough.  Especially when we know that there are U.S. DHS Emergency Directives such as 19-01 in place:

"In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering."

Jeffrey Ritter is correct.  It is a war on our ability to trust information.  Do you understand what is at stake in your nation state?  Your organization?  Your household?  Yes, a "War on Trust"...

01 December 2018

Survival: Experiential Learning to the Rescue...

Change is in the wind.  You have heard this before and the truth is, that this is not anything new.  We have only started to understand however, how the accelerating pace of change, is impacting us.

The number of apps staring at you in the palm of your hand should be one indicator.  How many are you using on a daily basis now?  No longer are we spending a work day logged into an e-mail client, our word processor and maybe the spreadsheet or database application.

The pace of change and the number of places we access our valuable daily information are rapidly taking over our lives.  We have seen the growth of Fortnite reach exponential proportions, and little did Potomac Computer Systems, now Epic Games, know what was ahead of them upon their founding in 1992.

In the gaming industry they have genre(s) and Fortnite is a survival game:
Survival games are a subgenre of action video games set in a hostile, intense, open-world environment, where players generally begin with minimal equipment and are required to collect resources, craft tools, weapons, and shelter, and survive as long as possible. Many survival games are based on randomly or procedurally generated persistent environments; more-recently created games are often playable online, allowing multiple players to interact in a single persistent world. 
Wake up corporate management.  As you proceed to continue your growth in your particular industry over the next decade, think about the pace of change.  How fast will you be able to pivot, adapt and survive in your persistent environment?

Think about your latest strategic endeavors that you have launched in the past year.  Has the process and goals been achieved, without some level of challenge, disruption or even misdeeds?  The likelihood is, that somewhere along the way, the project, the business or the endgame was at risk.  Perhaps not a total failure, yet not the envisioned outcome.

It is this game of perceived survival and the new pace of change in our lives, that is the greatest Operational Risk before us.  How will we mitigate the risk of such rapid change?

Experiential business learning is a vital way forward.

"Experiential business learning is the process of learning and developing business skills through the medium of shared experience. The main point of difference between this and academic learning is more "real-life" experience for the recipient.

This may include for example, learning gained from a network of business leaders sharing best practice, or individuals being mentored or coached by a person who has faced similar challenges and issues, or simply listening to an expert or thought leader in current business thinking.

Providers of this type of experiential business learning often include membership organisations who offer product offerings such as peer group learning, professional business networking, expert/speaker sessions, mentoring and/or coaching."

How are you capitalizing on the people in your organization who are part of an external group or other network of like-minded professionals?  It's difficult if you don't even understand who or where your own employees are interacting on a daily basis outside your company.

So what?

Perhaps the place to start is by asking people.  Ask them over coffee in the corporate food court or that new Open Space floor plan with the "Bistro" on every other floor.  What if they told you, that they were a member of an external or virtual organization because they could not find the information or the people with the expertise inside your own organization?

Your goal is to figure out how to capitalize on all of these external groups, organizations and "Experiential Business Learning" that is going on within your own company today.

How might you capture that passion and the excitement this individual has for the network or "Virtuous Insurgency" they are learning from every day?

The Operational Risk before you spans the number of people on your team who are learning somewhere else times the number of other networks they are affiliated with.

Who on your team is gaining new insight somewhere else?  Who is building valuable relationships outside the perimeter?  Who is living in a new, unpredictable world of survival...without you even knowing about it?

What could you be learning today?