ITC: Managing Risk for Security Governance...

 In our converging world of both Information and Physical Security, there are resilient risk elements for the effective management of Information Technology & Communications (ITC).

Think of it as “Security Governance”.

Security Governance is a discipline, that all of us need to revisit and rededicate ourselves towards. The policies and codes we stand by to protect our critical assets, should not be compromised for any reasons. More importantly, security governance frameworks, must make sure that the management of a business or government entity be held accountable for their respective performance.

The stakeholders must be able to intervene in the operations of management, when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A significant element that is now being mandated by the Board of Directors, is the role of “Continuous Risk Management” in Security Governance.

ITC Security Governance, like Corporate Governance requires the oversight of key individuals on the Board of Directors. In the public sector, the board of directors may come from a coalition of people from the Executive, Judicial or Legislative branches.

The fundamental responsibility of management, whether in government or the corporate enterprise, is to continuously protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to continuous Security Governance, not just an annual audit.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to continuously monitor and audit enterprise security risk management, then we are exposing precious assets to the threat actors that seek to undermine, damage or destroy our livelihood.

An organization’s top management must Identify, Assess, Decide, Implement, Audit and Supervise their strategic risks. There shall be a strategic policy at the board level to focus on managing risk for security governance.

The security governance policy should mirror the deeply felt emotions of the organization or nation, to its shareholders and citizens. It should be a positive and trusting culture, capable of making certain that strategic adverse risks are identified, removed, minimized, controlled or transferred.

An enterprise is subject to a category of risk that can’t be foreseen with any degree of certainty. These risks are based upon events that “Might Happen”, but haven’t been considered by the organization. Stakeholders can’t be expected to be told about these risks because there is not enough information to validate or invalidate them.

However, what the stakeholders can demand, is a management system for continuous Security Governance that is comprehensive, proactive and relevant. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and growing resources.

It is this Security Governance management system that which we all should be concerned and which we seek from our executives, board members and oversight committees to provide. There should be a top management strategic policy to focus on managing risk for continuous security governance.

This risk management system should establish the foundation for ensuring that all strategic risks are identified and effectively managed. The policy should reflect the characteristics of the organization, enterprise or entity; it’s location, assets and purpose. The policy should:

1. Include a framework for governance and objectives
2. Take into account the legal, regulatory and contractual obligations
3. Establish the context for maintenance of the management system
4. Establish the criteria against what risk will be evaluated and risk assessment will   be defined

A process should be established for risk assessment that takes into consideration:

• Impact, should the risk event be realized
• Exposure to the risk on a spectrum from rare to continuous
• Probability based upon the current state of management controls in place
  

The strategic security risks that the organization encounters will be dynamic. The management system is the mechanism by which the executives identify and assess these risks and the strategy for dealing with them. It is this system which we are concerned about and which we seek to provide in order to achieve our Security Governance.

ITC Security Governance best practices are still rapidly growing and taps the thinking of various standards organizations including OECD, BSI, NIST, ISSA, BSA, ITAA, ASIS and dozens of other bodies of influence and knowledge. However, no matter what best practices an organization attempts to standardize on, beware of the attitudes of the employees and stakeholders.

Unless these stakeholders fully acknowledge what and why, they are being asked to do things, rather than just following the rulebook, the system will fail.

The organization that embraces change and introduces a Security Governance framework that not only manages the foreseen human risks, but also the unforeseen, will have a greater chance of survival.

The role of culture in the risk for security governance, is paramount for several reasons:

1. Any changes in risk management may require changes in the culture
2. The current culture is a dramatic influence on current and future security initiatives

Internal controls can provide reasonable assurance that an organization will meet its intended goals. At the same time, it is the people (Human Factors) who will fail the company in material errors, losses, fraud and breaches of laws and regulations.

This is why the risks the organization is facing are constantly changing and therefore why a management system for continuous security governance is necessary. The management system is there to provide resiliency to the risks it encounters and to control risk accordingly rather than eliminate it forever.

The board of directors will soon realize that managing risk for ITC Security Governance, is just as important to the success and compliance of the organization as Section 404 of Sarbanes-Oxley.

In fact, without effective ITC Security Governance in place, all of the rules won’t matter and the stakeholders will again be asking themselves after a major technology failure or privacy data or intellectual property breach; how could this happen to us?

Supply Chain Resiliency: Operational Risk Priorities in 2021…

Global Senior Executives are evaluating the resilience of their organizations international supply chains and realize the growing Operational Risks.

Why have proactive Enterprise Risk Management teams been on high alert and how are they working the issues for over the past nine months?

These are evident clues in just one one 10-Q example:

“We rely on sole direct and indirect suppliers or a limited number of direct and indirect suppliers for some or all of these components that we do not manufacture... Many of such direct and indirect component suppliers are geographically concentrated, making our supply chain more vulnerable to regional disruptions...we have experienced and continue to experience disruptions in our supply chain due to the impact of the COVID-19 pandemic.

If our direct and indirect vendors for these components are unable to meet our cost, quality, supply and transportation requirements, continue to remain financially viable or fulfill their contractual commitments and obligations, we could experience disruption in our supply chain, including shortages in supply or increases in production costs, which would materially adversely affect our results of operations.”

Inventory Management, Supply Chain Transparency and Single Source Suppliers are just a piece of a complex mosaic for many multi-million dollar U.S. businesses.

Covid-19 catalyst “Operational Risk Management” (ORM) has been a mainstream focus for months, just as it does after every major catastrophic event.

Yet, when the implications of downstream impacts to our critical infrastructure sectors such as transportation, healthcare and the continuous ICT challenges become even more apparent, the Global Executive suites must go into action.

The concepts of “Supply Chain Resiliency” are well known, yet it is continuously surprising how many organizations in 2020 have been caught off guard or are finding themselves without substantial alternative strategies to remain operational.

This is a result of diminished due diligence and a continuous analysis with your Tier 2 and Tier 3 suppliers.  Mapping each of your key lines of business with a detailed understanding of Where, How and Who your suppliers do business with, is just the beginning.  What about your own actions on:

• Increasing Inventory Levels
• Pursuit of Diversified Suppliers
• Finding New Suppliers with “Robust Supply Chain Resiliency”
• Increasing Your Geographic Diversity of Suppliers
  

In a recent Interos Inc. report (https://www.interos.ai/resource-library/ ) of 450 executives surveyed in the U.S. on their “Biggest Risks”, the following results were found:

• 76% identified COVID-19 as the biggest ongoing risk, followed by cyber threats at 44%, restricted or sanctioned entities at 36%, natural disasters at 30%, and single supplier or country concentration risks at 28%. Other risks fell below 20%.  
• This follows roughly the same order for future risks, with 66% identifying COVID-19 as the future risk companies are preparing for, followed by cyber risks at 48%, restricted/sanctioned entities at 34%, and geopolitical events at 32% (this was the largest jump from 20% now to 32% in the future). 

If these results are even close to being a high priority, then your own “Supply Chain Resiliency” shall be a well funded and continuously measured Business Unit within your Enterprise, in 2021 and beyond…

Organizational Integrity: Leadership of Risk…

As a leader in your organization, how long have you truly demonstrated the actions you desire for those who are following you?

Countless times each day, leaders in the global race to the finish line, ignore or disavow the rules or policies they enforce for their own team.

What are you demonstrating in your organization today and this week to build “Organizational Integrity”?

How are your own behaviors in the midst of your team, showing and reinforcing the actions that will build and activate a model of “Organizational Integrity”?

integrity
noun

in· teg· ri· ty | \ in-ˈte-grə-tē

Definition of integrity

1 : firm adherence to a code of especially moral or artistic values : incorruptibility
2 : an unimpaired condition : soundness
3 : the quality or state of being complete or undivided : completeness

Why have you made the decisions that you are more privileged than the others on your team?

Is it your personal sense of ego or power as a figure of authority, that makes you feel as if the activities and rules for you, do not apply or are different than for those who are on the front lines?

They are not.  In the midst of a legal deposition or worse, the leader who is charged, explains their own behaviors.  This is now beyond the point of no return.

Even when you are behind closed doors of the “Board Room” or the “Ready Room,” are you demonstrating the same behavior and adherence to the processes, that you wish upon all those you are leading?

Leadership of your “Executive” Team or a “Squad of Specialists” in the field, requires people who truly “Walk-the-Talk” and adhere to the same standards or rules set forth for the entire organizational operations.

You already are known as a “Leader” in your area of expertise.

Yet are you known as a leader with “Integrity,” that truly demonstrates this in the middle of your operations each day?

Cultural Cognition: The Velocity of our Future…

“The true sign of intelligence is not knowledge, but imagination” - Albert Einstein

In the culture that you are part of, there are Trust Decisions being made in seconds based upon rules.  Yet your particular culture has evolved over time, also because of the affinity that your culture attracts other people, just like you.

The question is, who do you really aspire to be?

“How do you make trust decisions about people, associations, tools, or their value when the information upon which you will rely is increasingly digital and intangible?

In a global culture in which digital trust is under attack and degrading, how can you build and engender old-fashioned human trust with your customers, business partners, associates, and employees?” -Jeffrey Ritter - Achieving Digital Trust - P. 21

When you enter the realm of a culture that is constantly being recorded, digitized, captured, communicated and transferred, the behaviors and thoughts of people will be studied.  They will be analyzed and they will be judged.

What are you doing today to learn and improve how you operate in a digital world?  How are you making decisions between trust, and pure risk?

Our cultures are rapidly evolving towards “Artificial Intelligence” and tool sets to assist humans in making more informed decisions, faster.  Why?

Quality and Velocity.

What made you decide to learn Mathematics?  How did you decide to become a Software Engineer?

What made you decide to learn the Law?  How did you decide to become a Lawyer?

You like rules don’t you.  You have a hard time living in a world, where the rules are being ignored or broken.

How fast will you be able to adapt to the change in the “Digital Ecosystems” that mankind has created on our Earth?

The truth is, you and your organizational culture is already in the midst of an “S” curve and you must now “Grow or Die”.

To improve and adapt in a world, that is accelerating and whose velocity is reaching light speed requires new tools and mechanisms to assist us in our “Trust Decisions”.

For those cultures and situations where trust is at stake, the utilization of technological inventions will evolve and grow as the standards for evaluating the truth.

We as humans are already at a point where we are trusting digital devices and machines, more than we trust ourselves.

The Safety, Security and Velocity of the evolution of our Digital Future is at stake.

Now is the time for our cultures to recognize, question, learn and improve how we engage with our machines, our software, our Mathematics and our Law.

It is now all about our TrustDecisions…

Incident Response: Leadership of Security Risk Professionals...

Leadership of Security Risk Professionals (LSRP) begins with a thorough understanding of the current state of the “Organizational Pulse” of the corporation.

Global Enterprise Business Resilience does not just happen overnight, after the CEO sends out the first Crisis-based e-mail alert.

It happens because the Organizational Pulse of the respective silos of responsibility, have been actively learning for years about their People, Processes, Systems and External Crisis Events.

Simultaneously, as the leaders of the Security and Risk domains within the enterprise “Ask”, “Listen”, and then “Clarify” or “Verify” vital information, the organization learns.

Global 500 public organizations, small private businesses and non-governmental organizations have true stories and cases that are considered a security risk crisis.

Confronting a crisis and incident response in one organization will be completely different at another, based upon the type of organization, number of employees, geographic locations and their senior executive process for dealing with a significant disrupting event.

The following question was asked at “Company A” and the top answers were:

What are the top five incidents/events that could cause a significant crisis within your organization?

• 
Fire or Flood
Violent weather/damage to facility
• Workplace violence
• Industrial accident
• Terrorism

"When the question was asked a different way, to a different group at the same company, the results were even more telling:"

What are five incidents/events that have caused your organization significant crisis in the last three years?

• 
Counterfeit products or major disruption in the supply chain
Alleged ethics violation of Foreign Corrupt Practices Act (FCPA)
• Geopolitical unrest in key overseas markets
• Extended loss of personnel at a manufacturing plant due to COVID-19
• Data Breach/intellectual property theft by a nation state

Senior executives charged with a “Duty of Care” in todays global enterprise, require new thinking, enhanced skills and relevant solutions to improve crisis leadership.

What is your current readiness factor for the potential of environmental or natural disaster, supply chain disruption, economic espionage, ethics scandal, data breach, employee kidnapping, sabotage, terrorism, workplace violence and other legal risks?

For example, the HR recruiter is more focused on the security risk of hiring a person with a criminal record of violence and substance abuse problems. The Chief Security Officer (CSO) is more focused on the physical and information security of facilities and the Chief Operating Officer (COO) may be more focused on daily operations and securing the resilience of the supply chain.

Throughout the enterprise the functions of physical security, information security, legal and financial liability have all become specialized and these same security risk professionals, have become subjected to the potential for a blindside incident.

“Leadership of Security Risk Professionals” (LSRP) is for industry practitioners to “Cross the Chasm” of crisis leadership...

Single Points of Failure: Interdependencies Unknown...

Organizations such as WashingtonDCFIRST exist in our Nations Capital to address the need for a coalition of private sector companies and people to work on being proactive, not reactive.

"Defend Forward."

This requires leadership to focus on the critical interdependencies you share with your large corporate neighbor down the street or around the corner.

Do you both share the same Central Office from Verizon? Do you have the same pumping station for DC Water? Do you have a shared sub-station for power from Pepco?

If you do, then you both know some of your Single-Points-of-Failure.

While you may never be able to establish walls, or fences high enough and virtual ICS locked gates to totally protect your single-points-of-failure, you can create an architecture that deters attacks and detects changes.

And if you do have an alert or alarm go off, then you must investigate the incident no matter how insignificant it may be. Those organizations who believe that they are not in the bulls eye of some worthy adversary, should pay attention:

• Shape behavior  - The United States must work with allies and partners to promote responsible behavior in cyberspace. 
• Deny benefits  - The United States must deny benefits to adversaries who have long exploited cyberspace to their advantage, to American disadvantage, and at little cost to themselves. This new approach requires securing critical networks in collaboration with the private sector to promote national resilience and increase the security of the cyber ecosystem.
• Impose costs  - The United States must maintain the capability, capacity, and credibility needed to retaliate against actors who target America in and through cyberspace.

Your competitors and even your neighbors realize that this game, is not always about eliminating threats to your own corporate assets. It's about making sure that the attackers choose a much more vulnerable target than your own...

Scenario Vs. Resource Planning: All Hazards...

"Strive not to be a success, but rather to be of value" --Albert Einstein

This article by Saul Midler on Scenario Planning Vs. Resource Planning recently caught our eye and for a good reason. The link between Corporate Risk Management and Operational Risk Management is Business Continuity Management. Brilliant!

More importantly as he indicates:

"The danger of undertaking an operational risk assessment before the BIA / RDA activity is that a business case may be built to remediate the biggest operational risk without realising that impact or the consequence is low. This is essentially defining a solution before identifying a problem.

Think about 9/11 where 320 companies FAILED to return to business, 2800 workers DIED and 135,000 workers lost their jobs. By contrast a number of organizations did recover and continued operations. These include:

• Cantor Fitzgerald who lost 658 staff and resumed operations two days later;
• Marsh & McLennan with 3,200 staff over 8 floors;
• Morgan Stanley with 3,500 staff over 17 floors;
• NY Port Authority with 2,000 staff over 23 floors.

New school thinking saved these organizations. No one could possibly have thought of the scenario that two airplanes could cause structural integrity failure of both World Trade Centre skyscrapers resulting in the collapse and complete destruction of the precinct. The businesses that did survive did so because they adopted a resource loss philosophy that included office facilities, technology systems and, of course, staff.

While the scenario of airplanes being used as weapons of mass destruction is not a new concept for planning purposes, (in fact it was hypothesized long before 9/11) the fact is that organizations today have adopted an "All-Hazards" mind set. As a result of the new worldview, "Business Continuity Management" as previously mentioned, has provided a much needed conduit between Corporate Risk and Ops Risk."

What does this "All-Hazards" mentality mean for the cure to unplanned disruptions or untested scenarios? It means that you move to the proactive side of the line and away from the reactive mode that so many organizations are still coping with. The old "It will never happen" to us syndrome.

Global 500 public organizations, small private businesses and non-governmental organizations have true stories and cases that are considered a security risk crisis. Confronting a crisis in one organization will be completely different at another, based upon the type of organization, number of employees, geographic locations and their senior executive process for dealing with a significant disrupting event.

The following question was asked at “Company A” and the top answers were:

What are the top five incidents/events that could cause a significant crisis within your organization?

• Fire or Flood
• Violent weather/damage to facility
• Workplace violence
• Industrial accident
• Terrorism 

"When the question was asked a different way, to a different group at the same company, the results were even more telling:"

What are five incidents/events that have caused your organization significant crisis in the last three years?

• Counterfeit products or major disruption in the supply chain
• Alleged ethics violation of Foreign Corrupt Pracctices Act (FCPA)
• Geopolitical unrest in key overseas markets
• Extended loss of electricity at a manufacturing plant
• Data Breach/intellectual property theft by a nation state

The company is a multinational manufacturer of communications components. Senior executives charged with a “Duty to Care” in todays global enterprise, require new thinking, enhanced skills and relevant solutions to improve crisis leadership.

What is your current readiness factor for the potential of environmental or natural disaster, supply chain disruption, economic espionage, ethics scandal, data breach, employee kidnapping, sabotage, terrorism, workplace violence and other legal risks?

Throughout the enterprise the functions of physical security, information security, legal and financial liability have all become specialized and these same security risk professionals, have become subjected to the potential for a blindside incident.

For example, the HR recruiter is more focused on the security risk of hiring a person with a criminal record of violence and substance abuse problems.

The Chief Security Officer (CSO) is more focused on the physical and information security of facilities and the Chief Operating Officer (COO) may be more focused on daily operations and securing the resilience of the supply chain.

How will you provide your senior executives with the knowledge, skills and strategic solutions that enables global enterprise business resilience for years to come?  Leadership of Security Risk Professionals...

Business Risk: Grow or Die...

In a previous issue of Corporate Board Member magazine in a PwC survey, the question is asked:

Has your board discussed what to do if the company is hit by a major Crisis?

• No - 51%
• Yes - 41%
• Not Sure - 8%

What is the definition of "Crisis" in the minds eye of the Board of Directors today?

n. pl. cri·ses (-sz)

1. A crucial or decisive point or situation; a turning point.

2. An unstable condition, as in political, social, or economic affairs, involving an impending abrupt or decisive change.

3. A sudden change in the course of a disease or fever, toward either improvement or deterioration.

4. An emotionally stressful event or traumatic change in a person's life.

5. A point in a story or drama when a conflict reaches its highest tension and must be resolved.

How can these numbers be correct? Why don't these results make sense?

It does seem almost impossible that just over half of those surveyed said, that they have not discussed what their company would do in the event of a crisis.

In light of the latest corporate governance and catastrophic events any board member who would answer no, is either not attending the meetings or is so new to the board, that they haven't been part of the conversations yet.

The Pwc survey of 1,103 directors who responded have illustrated many of the risk management issues that are taking up much of the shareholders time.

They also indicate where they wish they were spending more time, as 59% hoped they could be doing more "Strategic Planning."

Is there a correlation between those who have not been part of discussions of crisis management and the wish to focus more on strategy?  We hope there is.

Our experience is that corporate management and the board need a 3rd party facilitating the mechanisms for change and towards the "Big Picture" of the future.

If management sees the board as an overzealous parent and not working on behalf of the shareholders the tension increases.

Once the board and corporate management have found a "strategic facilitator" to guide them towards a model of "Enterprise Architecture" everything becomes crystal clear.

The factions now see the blueprint for change and the path to implement the strategy and the tactics to achieve it.

The Importance Of Leadership In Uncertain Times

In an age of global unrest, strength and courage at the helm are more important than ever. As a director, it's your job to ensure your CEO has what it takes.

At the end of the day, the deliverable is to continually grow and whenever that significant crisis or "Breakpoint" occurs, the engineered resilience of the business enables its survival and the next phase of growth to begin...

Davos 2020: Culture in a Complex, Interdependent World...

"No institution or individual alone can address the economic, environmental, social and technological challenges of a complex, interdependent world"...

In 9 days, leaders on the planet Earth will be converging on Davos, Switzerland for the World Economic Forum Annual Meeting. What will this years pressing themes tell us, about what is on the minds of Presidents, CEOs, Managing Directors, Chief Information Security Officers, Chief Risk Officers, Generals, Secretarys and Activists?

Davos 2020 will be focused on the following four themes:

__1. How to address the urgent climate and environmental challenges that are harming our ecology and economy.

__2. How to transform industries to achieve more sustainable and inclusive business models as new political, economic and societal priorities change trade and consumption patterns.

__3. How to govern the technologies driving the Fourth Industrial Revolution so they benefit business and society while minimizing their risks to them.

__4. How to adapt to the demographic, social and technological trends reshaping education, employment and entrepreneurship.

If you only could pick one of these four very important issues facing our global societies, which would you feel you have the most ability to impact, with your own organization?

Got it?  Now, think about how your organization will change, in order to make a greater difference in that particular theme you have selected.

The culture in your organization is going to be the difference between your ability to succeed, or to be soon facing failure.  As a leader, how will you continuously adapt to your human culture, just as Davos is addressing our interdependent world?

How might you change the way you are "Visible" to your stakeholders?  Why are you the one they "Trust", to achieve organizational objectives?

You see, you are not as visible as you think you are.  You are not as trusted as you think you are.

Your organization needs you, to step out and really show them who you really are.  They need to see, hear and read about the collective mission.  Their respective purpose, for being present today.

Culture.  As a leader, it is all on you...