Friday, September 29, 2006

Digital Intelligence: Pervasive Across Our Lives...

We initially wrote about the brewing Corporate Governance affair at HP to highlight that the telecom companies should be the ones getting more scrutiny. What continues to amaze us after watching all seven hours of testimony yesterday on C-SPAN Channel three is the naivete of what "information" is for sale today.

Ms. Dunn, former Chair of the HP Board has no idea what the spectrum of techniques and tools that are utilized to collect relevant information on a daily basis. In a digital world, monitoring for abnormalities and using surveillance is a standard practice to keep our institutions safe and secure. The same reason you rely on our Armed Forces and Law Enforcement is the same reason you hire them to staff the ranks of your corporate security and information assurance departments. Peace of mind.

Under questioning, Dunn was asked why she didn't recognize that investigators would have to turn to dubious means to get personal phone records. Dunn said she relied on the advice of others, including HP's outside investigator, Ron DeLia.

Dunn testifies:
"I did not know where this information could be found publicly, but I was aware that the kinds of investigations done by Mr. DeLia had previously been based solely on publicly available information," Dunn said. "I took the understanding without any question, and I understand why that might seem strange today, knowing what I know now."

Dunn was questioned by the committee, as were HP's outside lawyer Larry Sonsini and HP IT security worker Fred Adler. A number of other former HP employees and contractors refused to testify earlier Thursday, invoking their Fifth Amendment rights against self-incrimination."


Think about the information that is being collected today in your own marketing department. Hundreds of millions of dollars are spent each year with marketing consultants, advertising and branding agencies across the Global 500 on demographics, psychographics, pay per click, adwords, and the list goes on. Paying for performance means that you have to measure who, where and when people see, hear or open your marketing messages. The technologies in use today can tell you who opened the e-mail, where they are located when they open it and if they forwarded it to anyone else. You want to know how many people are listening to a certain radio station at the intersection of the 495 and the GW Parkway at 7:30AM? You want to know the phone number and identity of everyone that called your 800 number yesterday? You want to know where my vehicle is located at any time within a few meters? This is nothing new.

As our legislators try to figure out what should be unlawful when it comes to collecting information, they should first realize how many industries and companies that may be impacted by their decisions. And I know they do. Sarbanes-Oxley (SOX) was a knee jerk reaction to Enron. Let's just hope that we don't have another strait jacket put on the private sector as a result of Hewlett-Packard's public scandal.

Tuesday, September 26, 2006

Fraud: In Developed Country Operations...

Ron Connaught's "Fraud: Where The Perps are" in Corporate Board Member hit a nerve this issue.

It is not surprising that 60% of multinational companies think fraud is more likely to occur in their operations in emerging markets than in developed ones, an opinion that surfaces in Ernst & Young'’s ninth global fraud survey. But here i’s more of an eyebrow-raiser: 75% of the known cases of fraud over the past two years actually took place in those companies’ developed-country operations, according to the same survey.


We have seen other surveys from other organizations that have raised the issue of outsourcing / offshoring to emerging markets such as India and why this is such a high risk compared to other places on the globe. The misperception here highlighted by E & Y is that maybe we have lost sight of keeping our house in order even in those operations we deem to be under control.

Multinational's know that when they set up operations outside the US that they are going to be subjected to hiring a majority of that host countries people to staff the plant, call center or software development operation. The privacy laws and other legal implications of doing background investigations and verification of previous employment is difficult at best in these foreign states. This puts a tremendous burden on management to make sure that internal controls are in place to detect fraudulent behavior long before an act occurs.

A quality assurance review (QAR) is an independent look at a companies internal audit programs. Organizations who have realized that having a periodic QAR can help reduce fraud, also understand that it's good corporate governance, beyond the compliance with SOX. Supported by a QAR, an organizations IA department has a foundation to identify improvement options and provide guidance that can reduce risk and enhance the bottom line.


A Quality Assurance Review provides the audit committee, CEO and CFO with the opportunity to discover where and how fraud has found it's way into the organization even in those locations you thought were safe and sound.

Thursday, September 21, 2006

Phishing Victims: Accept Financial Responsibility?

The US President's Identity Theft Task Force has released it's interim report and the final recommendations are due in November this year. The task force is co-chaired by Alberto Gonzales, US Attorney General and Federal Trade Commission Chairman Deborah Platt Majoras.

The interim recommendations of the Identity Theft Task Force were announced following a meeting of the Task Force today at the Justice Department.

“As with any crime, victims of identity theft suffer feelings of violation and stress, but in these cases, victims have the added burden of cleaning up the mess that the identity thieves leave behind,” said Attorney General Gonzales. “The President created the Identity Theft Task Force to oversee the implementation of real and practical solutions at the federal level to defeat this ongoing intrusion into the lives of law-abiding Americans. Today’s recommendations move that process forward.”

“Conquering identity theft demands that we work as a team to develop tools that strengthen law enforcement, practices that enhance data security, and programs that help consumers in prevention and recovery,” said FTC Chairman Majoras. “Through these initiatives, we are taking solid steps toward eradicating this persistent consumer problem.”


Who pays for the loss of money stolen from your bank account as a result of ID Theft by Phishers or other Cyber Criminals using key logger trojans? Today the bank does to keep you as a customer. This is why the government and most large institutions who are the largest targets have already completed or are in the process of implementing two-factor authentication. However, will it be enough?

"The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases." So, should a bank be forced to pay back a customer who has lost money to phishers? Or is it ultimately the customer's responsibility to make educated use of technology?


When bankers realize that Online Banking is an Operational Risk that requires more proactive measures you will begin to see your customer agreements modified and you will have to accept some of the risk. Examinations and investigations are going to be a standard operating procedure if you make a claim of unauthorized withdrawls or transfers from your account. The first place to look is on your own computer for the spyware that may have been utilized to steal your login and password. It won't be too much longer before the banks will be in the business of auditing your home PC to make sure that you have the correct anti-phishing, malware and virus protections. Or even to make sure you have the correct token for access to the banking site.

At some point, the consumer might have to bear more of the burden of risk management or pay the price of accepting the fact that you may have no more recourse to recover stolen funds from your account by the institution itself. But those days are still a long way off in the future. As our new generation of "Bank Robbers" already know, you don't have to wear a mask and walk through the front door any longer. All you have to do is find a few thousand unprotected machines each day and then wait for that unsuspecting consumer to hand over the keys to their bank account.

In the end, the consumer will pay for the mounting financial losses. One way or another.

Monday, September 18, 2006

A Convergent Framework of Risk Management...

Operational Risk Management has many facets in the eyes of the modern Chief Risk Officer (CRO). Last month, the High-level Principles for Business Continuity were summarized at the Basel Committee on Banking Supervision.

Recent acts of terrorism, outbreaks of Severe Acute Respiratory Syndrome and various widespread natural disasters have underlined the substantial risk of major operational disruptions to the financial system. Financial authorities and financial industry participants have a shared interest in promoting the resilience of the financial system to such disruptions.

To that end, financial authorities have been working closely with financial industry participants to establish a consensus as to what constitutes acceptable standards for business continuity. Much of this work to date has been focussed at the national level. At the international level, while there have been several regulatory and private sector initiatives on the business continuity front there has not been a concerted effort to draw together the lessons learned from major events and translate them into a set of business continuity principles that is relevant across national boundaries and financial sectors (ie banking, securities, and insurance). Furthermore, consistent with their focus on preserving the functionality of the financial system as a whole, financial authorities undertaking these initiatives have tended to give priority to critical market participants. The lessons learned from past experience, however, are applicable to a broader audience.

This paper represents an effort to address these gaps. It is intended to support international standard setting organisations and national financial authorities by providing a broad framework within which more detailed business continuity arrangements might be developed that are more closely tailored to unique sectoral and local circumstances. The principles also provide a consistent context for those arrangements and thereby promote a common base level of resilience across national boundaries.


Since 2004, The Tower Group has been shouting the need for banks to automate now in the midst of the Basel II momentum. While business performance has converged with Basel II, the key understanding needed is what do Business Performance & Basel II have to do with my survivability as a money center bank?

Basel II introduces a convergent framework of risk management and controls that will encourage banks to invest wisely in IT and improve the efficiency of their business operations. Banks that adopt effective enterprise risk management platforms will reap business benefits that go well beyond regulatory compliance.

Knowledge Management is coming to banking in a way that the bean counters never imagined. With the focus on Operational Risks, the only way to be able to correlate new threats with the current asset base is through automation.

The industry is now at the implementation phase of Basel II. Few banks have the perspective and resources to experiment and establish their own enterprise risk management models that include this new field of operational risk. Notwithstanding their attention to business continuity and reputational risk matters, most banks have still to inscribe operational risk procedures in the broader picture of business management and operational efficiency. Not only may banks improve their operational efficiency by streamlining business processes, but they also can tap important benefits in operational resilience, responsiveness and flexibility to innovate. By adopting automation models for integrated business and risk management, proactive banks may derive significant returns from a concerted enterprise approach.

Thursday, September 14, 2006

Corporate Data Policy: How good is your Inventory Management?

Stewards of corporate data have little or no understanding where their data is located. Not only this, customer and consumer information was ranked less important to protect from theft or loss of confidentiality than intellectual property and sensitive business information in this survey from the Ponemon Institute.

Vontu and Ponemon Institute conducted the first U.S. Survey: Confidential Data at Risk to better understand the nature and extent of issues that occur because companies do not have adequate control over the storage of sensitive or confidential data at rest. Our independently conducted survey queried 484 respondents who are employed in corporate IT departments within U.S.-based business or governmental organizations.

The survey focused on the following four issues:

1. How pervasive is the problem of unprotected confidential data at rest?

2. How do information security practitioners locate sensitive or confidential business information that resides (somewhere) within their organization’s IT infrastructure?

3. What technologies, practices and procedures are employed by organizations to locate and control sensitive or confidential data at rest on peripheral or temporary devices such as laptops, PDAs and memory sticks?

4. What are the issues, challenges and possible impediments to effectively locating unprotected sensitive or confidential data residing on peripheral or temporary devices?


When will customers and consumers demand that their information be put on the same level of priority as a organizations own trade secrets? In most cases, an organization will not devote resources to the confidentiality, integrity or availability of customer data unless it is demanded by regulators, laws and auditors.

Not until a state Attorney General or the SEC begins their investigations do companies realize that they are way behind in the process of identifying where their data is and where it is unsecured or exposed to the possibility of being modified, destroyed or stolen.

The four types of data considered to be most at risk in an organization are intellectual property, business confidential information, customer and consumer data, and employee data. It is interesting to note that most respondents believe the most serious kinds of data breaches involve the loss or theft of intellectual property and business confidential information.

Customer and consumer data and employee data are ranked third and fourth, respectively. The types of intellectual properties believed to be most at risk include electronic spreadsheets, competitive intelligence and source code.


And companies like Vontu are well positioned to provide some of the tools to assist organizations in protecting their valuable corporate information assets. Privacy of consumer information should not have to be legislated if an organization has an effective Governance Execution Strategy. This execution of the information inventory is in many cases left up to internal employees in the IT department. Continually under staffed and fighting fires prevents the systematic and consistent execution of day to day change controls and thereby leads to a widening exposure of vulnerable data considered valuable to the company or the consumer.

When it comes to lost or stolen laptops, servers, and backup tapes, the age old saying about an "Ounce of prevention…" applies more than ever. Implementing Data Loss Prevention has become a best practice in Fortune 1000 companies that are building strategies and processes to reduce their risk associated with lost or stolen laptops, servers, and backup tapes.

Sunday, September 10, 2006

On the Eve of 9/11: Flashback to the Future...

On the eve of 9/11/2006 we look back five years and it seems like it was yesterday. Tomorrow we might be at a church memorial services, as we will in downtown Washington, DC. Saying prayers for those who have fallen, and their families.

Yet, tomorrow will not only be full of emotions of years past. It will be prayers for the future. That our children across the globe will somehow be able to call this date in history the beginning of a new world order.

The Operational Risks we all endure on a daily basis are there in front of us. Some are more obvious and predictable. They have a history and a pattern to be analyzed and forecasted. Those risks that are low probability and have little or no historical context are the events to fear.

The new world order in front of us today is increasing complex and dynamic. Chaos seems to be a good adjective for much of what we see and hear in our daily consumption of news and media. How can any person in Moscow, Beijing, Tokyo, Sydney, LA, NYC, DC, London, Paris, Madrid, Baghdad, Kabul or Rome make sense of what the future holds for mankind?

The only certainty is that the speed of change and the age of unreason will unfold at a velocity that our children will call the "New Normal". The flashback to the future is nothing more than an accelerated version of the past. Gods Speed to all of us!

Thursday, September 07, 2006

Privacy in the Board Room: The Ethics of Surveillance...

Corporate Governance in the board room itself is blazing out of control at Hewlett Packard (HP) as a result of an internal investigation. The finger pointing, board resignations and ethics questions are all in the news. And that is just a very small story on the entire landscape of corporate digital surveillance or internal investigations. This is a business your insurance company is funding and for good reason.

The entire episode—beyond its impact on the boardroom of a $100 billion company, Dunn’s ability to continue as chairwoman and the possibility of civil lawsuits claiming privacy invasions and fraudulent misrepresentations—raises questions about corporate surveillance in a digital age. Audio and visual surveillance capabilities keep advancing, both in their ability to collect and analyze data. The Web helps distribute that data efficiently and effortlessly. But what happens when these advances outstrip the ability of companies (and, for that matter, governments) to reach consensus on ethical limits? How far will companies go to obtain information they seek for competitive gain or better management?


It will be interesting to see if the California Attorney General is going to get into the middle of the battle. Yet, there seems to be less discussion about the ability of a skilled investigator using "Social Engineering" techniques to obtain the information in question.

Hackers like Kevin Mitnick call it "social engineering." Other folks call it plain old lying. But today's private investigators have a new word for obtaining information under false pretenses; they call it "pretexting," and it's apparently big business.


We wonder about the new legislation brewing in state capitals to extend the data privacy laws and the national Gramm-Leech-Bliley Act (GLBA)to telcos, ISP's and other repositories of personal information. Bankers have been working for a decade to stop the same criminal activity of stealing information to use in a fraudulent manner. It won't be long before your phone company will be sending you those privacy disclaimers in the mail and two-factor authentication will be the norm when you log in to Verizon Wireless.

Friday, September 01, 2006

Strategy Acceleration: Surviving the Basel 7...

So what are the seven loss event categories of Operational Risk Management according to Basel:

Internal Fraud

Loss due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity, discrimination events, which involves at least one internal party.

External Fraud

Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party. These activities include theft, robbery, hacking or phishing attacks.

Employment Practices and Workplace Safety

Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination.

Clients, Products & Business Practice

Losses arising from unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature of design of a product.

Damage to Physical Assets

Losses arising from loss or damage to physical assets from natural disaster or other events. See disaster recovery or business continuity planning.

Business Disruption & Systems Failures

Losses arising from disruption of business or system failures. This includes loss of due to failure of computer hardware, computer software, telecommunications failure or utility outage and disruptions.

Execution, Delivery & Process Management

Losses from failed transaction processing or process management, from relations with trade suppliers and vendors. This includes Transaction Capture, Execution & Maintenance Miscommunication, Data entry, maintenance or loading error Missed deadline or responsibility, Model / system misoperation Accounting error, entity attribution error, Delivery failure, Collateral management failure Reference data maintenance, Monitoring & Reporting Failed mandatory reporting obligation, Inaccurate external report (loss incurred), Customer Intake & Documentation Client permissions / disclaimers missed Legal documents missing / incomplete, Customer / Client Account Management Unapproved access given to accounts, Incorrect client records (loss incurred), Negligent loss or damage of client assets, Trade partners, non-client vendor misperformance and vendor disputes.


Operational Risk Management in your enterprise may be centralized or decentralized based upon your organizational structure. However, one item should not be overlooked when it comes to effectively executing across these categories. Strategy Acceleration is paramount if you are going to survive.

THERE ARE 6 WAYS to ACCELERATE STRATEGY EXECUTION.

Creating strategic foxholes with your executive team. This ensures that your senior team is clear on strategic intent, aligned with what it will take to make any endeavor "executable," and committed to achieve expected results.

Identifying and implementing key levers for strategic performance improvement. This ensures that result measures are tied to the business and behavioral changes needed to produce them and establishes accountability for results.

Rapidly cascading strategic clarity, buy in, rollout plans and commitment from the executive suite to the front line. Getting everyone who is essential to strategic results executing from the same playbook.

Operationalizing a Strategy Realization Office. Putting the execution infrastructure and resources in place to manage acceleration and ongoing execution of your critical business strategies. Defining, designing and staffing the function of Strategy Execution Officer.

Applying a strategy portfolio management approach to maximize return on investment and minimize shareholder risk. Providing the mechanism for your executive team to manage priorities, timing, investment, risk, return, resources, capacity and results from your strategies.

Increasing the nimbleness of your leaders and people at all levels so they are prepared to absorb any strategic initiative needed to ensure your organization's success. Leaders from top to bottom will learn the key steps to building a nimble company - one that is capable of executing major strategic initiatives more effectively and efficiently than any of your competitors.