15 September 2019

Never Forget: Beyond 9/11 & Adapting Inside the Enterprise...

"Being a patriot doesn't mean prioritizing service to government above all else.  Being a patriot means knowing when to protect your country, knowing when to protect your Constitution, knowing when to protect your countrymen, from the violations of and encroachments of adversaries.  And those adversaries don't have to be foreign countries."  Ed Snowden

One could wonder whether even just one of the individuals working with your organization internally or externally has the same or similar mindset as "Ed".  The question is, what are you doing as an Operational Risk Management (ORM) leader, to be legally proactive in your "Insider Threat" approach with employees, partners and your extended supply chain?

The adversary working with you inside your company, agency or partner, doesn't always start out to bring loss events to your enterprise.  It could take years, or months to develop a real justification in the adversary's mind, yet even when the activities and behaviors are evident, they are all too often missed, never understood or noticed too late to interrupt:
The National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF) are today partnering with federal agencies across the government to launch “National Insider Threat Awareness Month” during September 2019. Throughout September, the Office of the Director of National Intelligence, the Department of Defense, the FBI, the Department of Homeland Security, the Department of State and other federal agencies will be holding events to emphasize the importance of safeguarding our nation from insider threats and to share best practices for mitigating those risks.  
How could you and your organization improve and adapt your current practices to raise the bar of excellence?  What can you do each day to make the quality and the results of your programs even better?

First, begin to understand the process by which events can trigger new behaviors in an individual's perceived stressors and lack of personal control.  Second, expand your proactive organizational toolkit to include proven technologies such as the sentiment analysis used for marketing purposes.

These same tools with the proper legal oversight and "Acceptable Use Policy" can be effective in your early warning systems.  Enterprise Risk Management also incorporates oversight and protections for privacy and civil liberties.

Here are five steps to be proactive at your organization in the U.S. this month of September 2019:
  • Create, refine and share your organization's "Insider Threat Program" (InTP) vision.
  • Educate, clarify and communicate the authorities, roles and policies of the program.
  • Validate tools, models and sources of information.
  • Plan ahead for the utilization of automated tools and human behaviors observed.
  • Seek better solutions to a continuously changing enterprise & supply chain environment.
Never Forget.  We have all heard the thought "Never Forget," when it comes to our recent anniversary of 9/11.  Yet we must simultaneously remember, that our adversary may be hiding in plain sight...

22 June 2019

Cyber Risk: Human Factors vs. Automation...

Operational Risk Management (ORM) is a growing multi-faceted mosaic comprised of people, processes, systems and external events. The risks to the enterprise are increasing at a dynamic speed and trajectory that requires the use of automated tools.

This is where risk to the enterprise may actually expand as executives and operational management rely on software to provide information assurance. The design and architecture of software needs a human-based fail-safe. It requires a human interface that allows and simultaneously requires human intervention. Has too much automation contributed to our increased levels of vulnerability?

Fortunately, the software designs have allowed for these opportunities and for a human-factor to ask "What if" questions. Those questions that may arise after an automated alert from the system tells us that something is outside the baseline parameters set for the system, the sensor or the alarm.

Now we go back to Operational Risk and the nature of thinking from a security and safety perspective. What is the continued reliance on automated systems doing to the human capital who have been charged with the overall "Standard of Care" for the enterprise?

We believe that they may have lost the ability to ask the right questions, at the right moment and with the correct contextual understanding.

What is the truth? Is it true? What evidence do we have that this is true? How do you know that the evidence is not spoiled or compromised? If we know the truth, then what do we do next? Is the software really telling us the truth?

The security and the safety of the enterprise is counting on you. And more importantly, the enterprise is asking you to question the software. The "rule-sets" that you have chosen as a result of the programmers' and architects' decisions can no longer be trusted.

Is our system learning? In what capacity is the system learning in context with the human interaction for judgement, intuition and ethical emotions? Are you with us? The next generation of "Cyber Security" Innovators are now at the edge of significant new breakthroughs and solutions.

"Active Defense" has been and is a controversial topic du jour, yet the next few years will be a new age of understanding, cultural bifurcations and significant global collaboration.

Our entire platform of digital trust is at stake and the conversation has finally made its way to the nation state policy levels.

Operational Risk Management (ORM) will remain a key factor in decision points for the enterprise, the consumer and the operators of critical infrastructure across the globe.

Let's work on keeping the human factor in the loop as automation continues to give us a false sense of security and safety...

08 June 2019

New Vision: Security Operations Center and CIU...

Flashback over 8 years ago when there was a convergence of thinking about the topic of a "Defensible Standard of Care" going on in the industry.

The key Operational Risk Management news from the 2011 RSA Conference was coming in, yet there were inside sources who still needed to be interviewed. What did they think was the most brilliant presentation or idea(s) presented?

This particular release caught some eyes as it addressed much of the thinking on the latest evolution of the Security Operations Center (SOC).  How much of this is still relevant today:

New Vision for Security Operations: Six Core Elements
The vision includes six core elements and prescriptive guidance for how to incorporate these elements into existing security operations. These elements include:
  • Risk planning: The new SOC will take a more information-centric approach to security risk planning and invest in understanding which organizational assets are highly valuable and essential to protect. With priorities based on GRC policies, security teams need to conduct risk assessments that focus on the “crown jewels” of the enterprise.
  • Attack modeling: Understanding attack modeling in a complex environment requires determining which systems, people and processes have access to valuable information. Once the threat surface is modeled, organizations can then determine potential attack vectors and examine defense steps to isolate compromised access points efficiently and quickly. RSA® Laboratories has developed theoretical models based on known APT techniques and employed game theory principles to identify the most efficient means of severing an attack path and optimize defense costs.
  • Virtualized environments: Virtualization will be a core capability of tomorrow's SOC – delivering a range of security benefits. For example, organizations can "sandbox" e-mail, attachments and URLs suspected of harboring malware. Anything suspicious can be launched in an isolated hypervisor and the virtual machine can be cut off from the rest of the system.
  • Self-learning, predictive analysis: To remain relevant in tomorrow's IT environment, a SOC will need to truly integrate compliance monitoring and risk management. The system should continually monitor the environment to identify typical states which can then be applied to identify problematic patterns early. Statistic-based predictive modeling will be able to help correlate various alerts. Developing such a system will require real-time behavior analysis innovations, although some of these elements are available today.
  • Automated, risk-based decision systems: A key differentiator of a more intelligent SOC will be its ability to assess risks instantly and vary responses accordingly. Similar to risk-based authentication, the SOC will employ predictive analytics to find high-risk events and then automatically initiate remediation activities. The prospect of dynamic typography is one of the most exciting areas of this type of systems automation for the cloud. To implement an APT, an attacker must understand network mapping and be able to model it. In response to this, organizations can remap their entire network infrastructure to disrupt an attacker’s reconnaissance efforts. This is akin to physically rearranging a city at frequent intervals – and the entire process can be automated so that links between systems stay intact and dependencies are handled without human intervention.
  • Continual improvement through forensic analyses and community learning: Although forensic analysis can be resource-intensive, it is an imperative element of a SOC and key to mitigating the impact of subsequent attacks. Virtualized environments can provide snapshots of the IT environment at the time of the security event providing useful information if detection of the attack was delayed. Having a way to share information about attack patterns will be the future of the SOC. This concept should be embraced in order to exchange threat information within respective industries and better predict the path of the APT and thereby determine countermeasures.
The evolution of the SOC in your enterprise may start in some unconventional places. Who is it in your organization that is responsible for the loss of corporate assets?

Who in your company is the one who determines what items are counted as losses to the bottom line?

Who does the enterprise look to when the crisis hits and people are looking for answers in minutes, not hours, or days?

Who picks up the phone to answer the call from the local FBI Field Office?

These may not be the people you think of in the CIO's office or IT department. These people however need to be part of the combined Security Operations Center solution in the company.

The Advanced Persistent Threat (APT) now requires the intersection of prudent strategy from the business leadership, the accounting or finance leadership and the risk management leadership.

If the CIO is looked upon as the key executive running a "Utility" inside the enterprise, think again.

This blog has discussed the "Corporate Intelligence Unit" in years past:

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU. It includes effective processes and procedures that provide a push / pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners, increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "DecisionAdvantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistle blower report, catch the attacker and/or they have the evidence that you were a victim.
How your organization pulls together the right people to staff and operate your "CIU" is going to depend on your culture, funding and current state of the threat.
BALTIMORE -
It has been a month since the City of Baltimore's networks were brought to a standstill by ransomware. On Tuesday, Mayor Bernard "Jack" Young and his cabinet briefed press on the status of the cleanup, which the city's director of finance has estimated will cost Baltimore $10 million—not including $8 million lost because of deferred or lost revenue while the city was unable to process payments. The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds.
Here is another thought. A thorough review of the current funding, staffing and strategy of a SOC or CIU in the enterprise, may even become a priority at the next "Board of Directors" meeting.

04 May 2019

Neurodiversity: Leveraging the Capital of the 4th Industrial Revolution...

"Grasping the opportunities and managing the challenges of the Fourth Industrial Revolution require a thriving civil society deeply engaged with the development, use, and governance of emerging technologies. However, how have organizations in civil society been responding to the opportunities and challenges of digital and emerging technologies in society? What is the role of civil society in using these new powerful tools or responding to Fourth Industrial Revolution challenges to accountability, transparency, and fairness?"  World Economic Forum

Is automation the current answer to all of our problems?  When will the research tell us the true impact of too much "Screen-Time" on our brains?  What will be the next terror incident in our society, that is "broadcast live" over the Internet?

These questions and more, are on the minds of community leaders in government, the R&D scientists and also the Chief Operational Risk Officer of your organization.

Our cultures, innovators and tools are on a major collision course, that will prove to be more challenging than we could ever have anticipated.  Even those working in the early days of the IBM Watson project, would probably tell you of their fears of the future.

Yet our youth across the globe, are being submerged in technology and software interfaces so early in life, that they may not learn how to think or work in manual/analog mode.  They will only have the creativity to code or to automate with software, unaware that history may have accomplished some of the same tasks without software, hundreds of years ago.

How might the older generations teach the younger generations about the way it used to be done?  Why would we even try to do this in a more manual method or process?  To provide context and generate cognitive creativity.

The truth is that educators believe that innovation of technologies is driving their curriculum and our communities' own economic development.  The impacts of automation and technology are being continuously researched in the wave of change known as the "Fourth Industrial Revolution".

These trends have significant risk implications on our workforce and the future opportunities of the vocational education and training of our future force.  This is clearly evident across our communities, business entities, military service and government policy.

The rapid adoption of digital innovation has impacted the requirements of certain knowledge workers to be more versatile.  They must be more adaptive, collaborative and have expanded skill-based capabilities for problem-solving.

Do not underestimate the importance of the soft skills and people skills for continuous development and reducing risk.  Simultaneously, we must understand the impact of advanced technologies on our workforce and the real opportunities in leveraging our neurodiversity assets.

How might we better understand the diagnostics of our own human capital, to leverage and apply the right people, with the correct technology, in the most compatible job?

What is your business, military branch or government agency doing today to cross-train and educate your employees?

When was the last time you put your STEM engineering group, through a soft-skills course on communications?  How might your business development team, become immersed in the new design for a next generation digital tool?

So what?

The Operational Risk before you is all about people and your evolving human capital.  When was the last time your Board of Directors contemplated the interaction with your Human Resources department and the workforce recruitment processes?

When was the training of newly hired employees and even employees with 1, 3 and 5 years or more of tenure focused on new soft-skills?  New skills and techniques for Collaborative Dialogue, Negotiation or Management Coaching?

The human capital risks in your organization are changing rapidly and they are not always about automation and disruptive technologies.

The greatest risk to you and our society is your management's failure to recognize and apply what you have learned about your people...

23 February 2019

OPS Risk: Military Lesson for Wall Street...

 "There is no avoiding the realities of the information age.  Its effects manifest differently in different sectors, but the drivers of speed and interdependence will impact us all.  Organizations that continue to use 20th-century tools in today's complex environment do so at their own peril."  Stanley A. McChrystal
"Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it's digital cameras or satellites or just what you click on, we need to have more explicit rules - not just for governments but for private companies."  Bill Gates
Almost ten years ago, Air Force Brig. Gen. Mark W. Graper, the 354th Fighter Wing commander at Eielson Air Force Base, Alaska, quoted the essence of Operational Risk Management.

Corporate Executives and mid-level management should have this made into a poster for their office and hanging in every hallway:
"Summer is just around the corner, and many of us are planning for our favorite warm weather activities - fishing, hunting, hiking, motorcycling, camping and more. All of our summer plans can be fun if we keep in mind the basics of operational risk management: Accept risk when benefits outweigh the cost; accept no unnecessary risk; anticipate and manage risk by planning; make risk decisions at the right level; assess and mitigate risk. Stated more simply, have a (prudent) plan, have a backup plan and have a Wingman."
Whether you are focused on the safety and security of your personnel, the integrity and confidentiality of your information or the continuity of your business operations, consider this.

Effective "Operational Risk Management" will improve your organization's resilience factor.

The brilliance of Brig. Gen. Graper's emphasis on this subject away from the flight line or "The Office" is his understanding, that most of us will become more complacent the minute we hit the parking lot.

You see, OPS Risk is not just something being advocated in the Wall Street workplace. It should be just as pervasive at home or in our own leisure activities. Whether you are climbing "Denali" or entertaining friends around the backyard pool, you have to be continuously in OPS Risk mode, or it could bring harm to life, limb or your own reputation.

Operational Risk includes the risk of litigation and there is one item you can be certain is a threat to your corporate integrity. Employees, partners and suppliers to your organization:

What most organizations the size and complexity of Facebook underestimate are the speed of change and the socially "connected" market economy. The blur of business combined with the "Holistic Blindness" of what privacy risks are a threat today or this week, can bring an enterprise to its knees and then to its ultimate demise.

"Facebook Inc. (FB) and the Federal Trade Commission currently are negotiating details of a settlement related to the Cambridge Analytica scandal, the Washington Post reported, citing people familiar with the matter.

The penalty imposed by the FTC likely would be a multi-billion dollar fine, which would easily be the largest fine ever issued to a tech company by the FTC. In 2012, Alphabet Inc.'s (GOOGL) Google was fined $22.5 million by the agency for user privacy offenses.

The two sides are still negotiating the amount of the fine. If no agreement is reached, the FTC could take the issue to court, according to the Washington Post.

Facebook's privacy issues date back to 2012. Facebook settled a case with the FTC in August 2012, when the two parties reached an agreement that "Facebook must obtain consumers' consent before sharing their information beyond established privacy settings," according to a press release from the FTC published at the time the deal was made.

Facebook's privacy issues continued last March when news broke that Cambridge Analytica, a political research company, had harvested user data beyond what was acceptable. It later became evident that Facebook likely was aware of Cambridge's actions on the platform"

Whether it's collecting user data to sell to your supply chain or keeping your F-22 Raptor in the air to defeat hostiles, OPS Risk is the differentiator. Your survival depends on it...

26 January 2019

Davos 2019: A War on Trust...

As the World Economic Forum Annual Meeting comes to a close in Switzerland, "Trust Decisions" are on our mind.
"The corporate, political and cultural elite gathered in Davos are expressing worries about a disturbing trend: The erosion of public trust in institutions and companies.

World Economic Forum attendees said the lack of faith in everything from governments to social media platforms is hampering innovation and contributing to widening inequality."
Why?

Over five years ago the new rules for business and the Net were in plain sight.  Articulated in a way that most business owners, CEOs of global enterprises and even our politicians could understand.

Yet at this year's Annual Meeting, trust is becoming a buzzword in the panel discussions and around the dinner tables in Davos.  How might the institutions attending the World Economic Forum strive to build a planet where "Achieving Digital Trust" is the basis for starting a business or at ground zero of creating a new product?

In 2015, Jeffrey Ritter published his book:

"In reading this book, you will explore and acquire an entirely new portfolio of tools and strategies to help shift the momentum of that war. As in any combat or battle, to succeed, it is essential for you to understand what is at stake. What we are facing is more than a war to control information. It is a war on our ability to trust information. Yes, a war on trust." Achieving Digital Trust by Jeffrey Ritter

To presume the trustworthiness of information is now a continuous question. GDPR and other forward leaning regulations are beginning to shape the way we design our systems.

So what?

How will those citizens and consumers that are devouring information from that electronic photography and RF device in the palm of their hand, think differently in the next few years?

How will the designers and engineers of Samsung, Apple, IBM, Amazon, Google, Facebook and others architect their new software and solutions with trust embedded in all that they produce?

When will our citizens understand that not selling your data, does not actually mean that your data has not been given away for free?

The future of our institutions, governments, products and relationships must be built on trust.  As you sit across the table from your editor, your CEO, your elected official or your senior software engineer you must ask the question, how will we achieve digital trust?

What if there was a Green, Yellow, or Red banner across the top of the display screen, as a quick identifier whether the information being delivered and displayed was in compliance with the new "World Digital Trust Standard"?

Yet we know that "Green Padlocks" in front of our URL and the "Privacy Essentials" grade in the top of our browser just aren't enough.  Especially when we know that there are U.S. DHS Emergency Directives such as 19-01 in place:

"In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering."


Jeffrey Ritter is correct.  It is a war on our ability to trust information.  Do you understand what is at stake in your nation state?  Your organization?  Your household?  Yes, a "War on Trust"...