Saturday, March 24, 2012

Information Leaks: Risk Of The Data Supply Chain...

There is a well-known threat that has been discussed with Boards of Directors behind closed doors for years. It is not new to most Operational Risk Management professionals, and yet executive management is still in denial that it could happen to them. Have you, or someone in your C-Suite, ever woken up one morning and wondered how the company's new plans for a merger ended up in the published press? What about the research and development breakthrough that another company, with a similar process, patents a week or a month ahead of you?

What is the threat? Call it competitive intelligence, economic espionage, press leaks, loose lips or advanced persistent threat (APT); the label does not really matter. The threat comes from all those people, rivals, industry peers, countries, states, allies and enemies that are working 24 x 7 x 365 to copy your valuable information and use it for their own advantage. What that advantage is depends on who obtains the information and how they eventually use it or sell it.

What is even more fascinating to most subject matter experts is the amount of information that is still created, and allowed to be compromised in some way, that is false, fake and designed to confuse the adversary. So what is it that much of executive management still does not understand about all of this? The "source" of the vulnerability that is leaking, or allowing, the secret or confidential information to be compromised. To this day they remain naive about the potential source. In many cases that source is not even inside their own company or organization. It is somewhere within the organization's data supply chain, but where exactly?

The answer can only be narrowed down if you know exactly where your data and your secret or confidential information is collected, transported and stored in the hands of trusted third parties, outside the four walls of your business. That is the remedial first step: creating a definitive map of who has custody of your data under some kind of third-party agreement. The agreement could be with any number of key business partners in your data supply chain:

  • Banker
  • Venture Capitalist
  • Accountant
  • Attorney
  • Insurer
  • Internet Service Provider
  • Utility
  • Data Telecom Provider
  • Wireless Telecom Provider
  • Document Custodian or Shredder

This short list is a good place to begin your quest to better understand where the source of your information leak may be. Now think about this list and ask yourself who on it has the most robust set of staff, resources and technology-savvy people to keep your data safe. Regardless of the service level agreements or engagement letters in place, who on this list is the most vulnerable?

Even more important may be the question of which of your data supply chain business partners has the fewest resources, people and state-of-the-art detection systems for the APT, Zeus and the other mechanisms that are exfiltrating your data to another country. When was the last time you asked any of your business partners to walk you and your CIO or CTO into their IT department for a look around? Believe us when we say that if you get that "deer in the headlights" look on your business partner's face, you are in trouble. You can bet that the attackers are not attacking you as much as they are attacking your data supply chain. If you say in public, or in your public filings, that your primary outside counsel is the firm "Red, White and Blue," you can be assured that your adversaries will take notice.

You see, just because your organization has spent millions or billions on new data centers with the most sophisticated technologies available to counter your cyber adversaries, how can you be sure that your business data supply chain has done the same? There is only one way to find out, and it is in person and on site. Consider this level of due diligence before handing your business over for the merger and acquisition project, or for the development of a vital new component of your new patented product. A model "Request for Information" (RFI) on the business partner's controls and capabilities for securing your sensitive, confidential and secret information should be the first-step requirement.

The second step should be to get an inventory of what systems your data supply chain partner has in place to mitigate the risk of a data breach. At the top of that list should be the management system that governs all the other hardware and software systems. So even if your business partner says they are using RSA NetWitness on their corporate networks and Fixmo MRM for their mobile devices, that is not going to be enough.

The overarching "Management System" is not about technology. It is not about your favorite eDiscovery or computer forensics guru. It is about the way your business partner trains and educates its people. It is about how those people use relevant business controls to secure your secrets, confidential data and records. Look at their behavior around this topic of "Achieving A Defensible Standard of Care" and you will soon discover whether you have found the ideal banker, accountant or attorney to entrust with your digital supply chain.

Sunday, March 18, 2012

Product Innovation: Individual Responsibility for Risk Management...

The next generation of Operational Risk Management professionals will be focused on a whole new set of thinking. Mitigating the business risks associated with running the day-to-day functions of the enterprise will require people who have a command of their own accountability. Managing the risks in their particular area of operations will demand an acute sensitivity to the level of experimentation, testing and innovation. This responsibility for individual, proactive risk management begins with a shift in mind-set about the world of work itself, and about the management of our own personal work product.

When you analyze where the financial services industry has exposed itself to tremendous losses over the years, it will no doubt be tied to some innovative instrument or product invented by very creative and innovative people. The losses surrounding Credit Default Swaps (CDS) or Collateralized Debt Obligations (CDO), as an example, all started when an innovative person using the latest tools available created a new product to be introduced to the marketplace. Sure, there were risk management professionals in the pipeline to production, including lawyers, math quants and finance experts. Yet a failure of Operational Risk Management led to serious losses and a global crisis that may well be just the precursor to something even more sinister.

The human quest for innovation, creativity and the ability to adapt is built into our DNA. So is the ability to survive and to overcome the adversities of our environment to sustain ourselves. Whether that takes the form of food and water or of capital and manpower does not really matter. Leveraging the available resources to stay alive, to remain competitive and to gain more power, in the conference rooms of Wall Street or the Madrasahs in South Waziristan, remains a constant.

Innovation in the workplace is vital for our employees to thrive, for new products to be discovered and for old ones to be enhanced. Those new products are invented by people who will have the simultaneous task of doing a sound operational risk assessment. Managing risk and innovating at the same time are hard to separate from each other. The trade-offs, and the decisions on whether to use this material or that algorithm based upon its use, shelf-life and the environment the new product will operate in, take prudent risk analysis.

So what will be different for our next generation of Operational Risk Management professionals? What will the new thinking be all about? It will be about engineering the following four-step process into everything we do, and reinforcing compliance with each step of the team's process:

1. Assess the situation.

The three conditions of the Assess step are task loading, additive conditions, and human factors.

  • Task loading refers to the negative effect of increased tasking on the performance of the tasks.
  • Additive conditions refers to having a situational awareness of the cumulative effect of variables (conditions, etc.).
  • Human factors refers to the limitations of the ability of the human body and mind to adapt to the work environment (e.g. stress, fatigue, impairment, lapses of attention, confusion, and willful violations of regulations).

2. Balance your resources.

This refers to balancing resources in three different ways:

  • Balancing resources and options available. This means evaluating and leveraging all the informational, labor, equipment, and material resources available.
  • Balancing resources versus hazards. This means estimating how well prepared you are to safely accomplish a task and making a judgement call.
  • Balancing individual versus team effort. This means observing individual risk warning signs. It also means observing how well the team is communicating, whether each member knows the role they are supposed to play, and the stress level and participation level of each team member.

3. Communicate risks and intentions.

  • Communicate hazards and intentions.
  • Communicate to the right people.
  • Use the right communication style. Asking questions is a technique for opening the lines of communication. A direct and forceful style of communication gets a specific result in a specific situation.

4. Do and debrief. (Take action and monitor for change.)

This is accomplished in three phases, in order:

  • Execute and Gauge Risk involves managing change and risk while an exercise is in progress.
  • Mission Completion is the point where the exercise can be evaluated and reviewed in full.
  • Future Performance Improvements refers to preparing a "lessons learned" for the next team that plans or executes a task.

So what does the renewed emphasis on embedding this process into our work actually do for our work product? It gives the human a sense that the innovation is now ready for experimentation and field testing, which means it is still not ready for prime time or the marketplace. You see, this realization is important. The recent focus on rapid prototyping, and the push to get products to the marketplace before the competition, has produced the sinister and evil outcomes we have all witnessed. Why does it take so long for a new drug to make it through the pharmaceutical pipeline and end up being advertised on the CBS Evening News?

And even then, after so much testing and study, we find that a new drug (product) is not really so safe when compared with the long-term complications of using it as prescribed. The risk-reward equation is at stake in our financial services industry and in every other economic sector that is striving to be more innovative in today's global marketplace. For individuals, here are $18 million reasons:

Attorney Lynn Szymoniak had spent a career investigating insurance fraud when a bank moved to foreclose on her Florida home in 2008. Almost four years later, the fraud she said she uncovered by combing through mortgage documents earned her $18 million.

Szymoniak, 63, is among six whistle-blowers who will pocket $46.5 million as part of a $25 billion national foreclosure settlement that state and federal officials reached in February with five banks, including Bank of America Corp. and JPMorgan Chase & Co. (JPM), according to the U.S. Justice Department.

“When they did this to her, they picked the wrong person at the wrong time in the wrong place,” Richard Harpootlian, Szymoniak’s attorney in two whistle-blower cases, said in an interview. “They stuck their hand into the beehive.”

Szymoniak’s examination, in which she relied on her experience as an insurance-fraud investigator, led to her claims against banks for submitting fraudulent documents to the federal government asserting that they owned loans insured by the Federal Housing Administration, she said.

The national foreclosure settlement with the five banks, which resolves claims of abusive foreclosure practices, provides mortgage relief to borrowers, pays $1.5 billion to those who lost their homes to foreclosure, and sets standards for how the banks service mortgage loans.

Who will be your choice for effective operational risk management as your new innovative products are consumed by the marketplace?

A. Your employees or workplace stakeholders

B. Your customers or consumers

The choice is yours as your institution puts new resources and new incentives in front of your workplace stakeholders.