Sunday, October 30, 2016

Legal Risk: Tools for Trusted Governance...

One of the reasons that the United States has endured is because of transparency and the rule of law.  There are several key systems in place for corporations, organizations and governments to decide on the rules, publish them, enforce them and provide people with mechanisms for establishing trust in the system.  Operational Risk Management (ORM) as a discipline interfaces with many of them across the globe.

Policies that are not codified in laws are different across states and global jurisdictions.  The rules that people can rely on and have come to trust for hundreds of years, remain the foundation for our modern civil societies.  It is when the rules are ignored, under utilized or forgotten that disruption and chaos can erupt.

A key principle in modern democracies is that the rule of law is known. Statutes, regulations, court decisions, agency deliberations, and even the minutes of Federal Reserve meetings are published and made available. The operating premise is that, if the rules are accessible, civil order and social continuity will be strengthened and the conduct of those violating the rules is more easily prosecuted. The old saying that “Ignorance of the law is no excuse” rests on an important premise—the law must be published and accessible. The Internet has made much of the content of the rule of law even more accessible. Jeffrey Ritter

The country and the jurisdiction is a key component for knowing the law.  It is in the day of the Internet even more accessible.  Building and achieving trust in an organization, company enterprise or governance body has several tools at their disposal to assist them in the enforcement mechanism.  One of those is an independent panel or group of outsiders who are convened to discover evidence.

A Board of Directors is comprised of both individuals inside the company and outside to help guide the organization.  In a private company, this "Board of Directors" make decisions on the evidence of data and make informed decisions to govern the enterprise.  Some of these decisions may involve what products and services to develop or what people should be selected or released from certain duties and responsibilities.

In the public sector, there is another mechanism that can be utilized, A Grand Jury.  The Fifth Amendment to the Constitution of the United States reads, "No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury..."

A grand jury is a legal body that is empowered to conduct official proceedings to investigate potential criminal conduct and to determine whether criminal charges should be brought. A grand jury may compel the production of documents and may compel the sworn testimony of witnesses to appear before it. A grand jury is separate from the courts, which do not preside over its functioning.[1]
What is one example of a notable case where a Grand Jury was used in the process of the rule of law:
The second Watergate grand jury indicted seven lawyers in the White House, including former Attorney General John Mitchell and named President Nixon as a "secret, unindicted, co-conspirator." Despite evading impeachment, Nixon was still required to testify before a grand jury.
An environment of trust includes a vital component of transparent and accessible rules. When there is a reason to discover the truth, we look to the governance factors of those rules. Then we look at the clear evidence, the data to determine the correct course of action in our inquiry.  A Board of Directors or a Grand Jury provides guidance on whether a particular case should be referred to a legal process in a particular jurisdiction.  The rules are clear.  Trust is preserved.

What are the outcomes and benefits of effective Operational Risk Management (ORM):
  1. Reduction of operational loss.
  2. Lower compliance/auditing costs.
  3. Early detection of unlawful activities.
  4. Reduced exposure to future risks.
ORM is a continual process that when utilized effectively will provide the four benefits described.  Why any governance organization or body that it interested in transparency and building trust would ignore the process is questionable.

ORM includes legal risk.  This is why the General Counsel of private sector companies include the GC in the team that helps to effectively govern the organization.  They understand the rule of law and the requirement for transparency and factors needed to achieve integrity and trust.

Now think about your organization, your jurisdiction and the process you are utilizing to ensure more effective TrustDecisions.  What can you do different?  What will you do to make it better?  How will you provide the best use of the rules to effectively ensure the integrity and governance of the system?

Here is just one example:

Over 60 people in the U.S. and India face conspiracy and wire fraud charges in the largest crackdown against a telephone scam ever, officials said.

Callers from centers in India posed as federal agents to threaten victims with arrest, imprisonment, fines or deportation if they didn’t pay up, according to an 81-page indictment unsealed Thursday.

At least 15,000 Americans lost more than $300 million collectively during the four-year scam, according to the feds. A Texas grand jury indicted 24 people from nine U.S. states, 32 people from India and five call centers in Ahmedabad, India, earlier this month.

Sunday, October 23, 2016

Intelligence-led Enterprise: CIU Success Factors...

Intelligence-led processes applied within the corporate global enterprise, continues its relevance for reasons being published in the popular press. "Operational Risk Management (ORM) Specialists" utilize these processes, to mitigate a growing spectrum of domestic and transnational threats:
Developing relevant intelligence to run daily business decisions in your institution may seem like an important task day to day. The question is, how embedded is the "Corporate Intelligence Unit" in developing the relevant intelligence your decision makers need every few minutes or hours to steer the organization away from significant losses? Is your internal web-enabled "Corporate Daily News" or "ABC Company Post" being updated in real-time by the employees in each department or business unit?
Do you have an organized, synchronized media and communications function working within your Corporate Intelligence Unit (CIU), to continuously post the correct content and manage the RSS feeds from each global business unit? Why not?
The "Information Operations" (IO) of your company are the lifeblood of how your employees will make relevant decisions on where to steer clear of significant risk.  Based upon what other business units are doing or what is going on in the external environment of your state, sector or geography, consider these scenarios:
If the internal RSS Feed for the IT department reported that there was a Distributed Denial of Service  (DDos) Attack going on at the moment, how might that impact the decision by the marketing department to delay the posting of the new product release information to the Twitter site? The synchronization of intelligence-led processes is lead by the head of the Corporate Intelligence Unit. The CIU is staffed with people who have a tremendous understanding of the corporate enterprise architecture and have the skills and talents to operate as effective operational risk management professionals.

If the internal RSS Feed for the Facilities Security department reported the presence of a "White Truck Van" with blacked-out windows trolling the perimeter of the corporate parking lot, how might this change the decision for the CEO to leave that minute for her scheduled trip to the airport? Skilled CIU staff within would quickly notify the CEO via the "Corporate 9-1-1 Alert" App embedded in every employees iPhone. Under cover corporate security personnel would then be immediately approaching the vehicle for a recon drive by.

If the internal RSS Feed reported the recent change in industry legislation that would change the way the Federal Trade Commission defined the elements regarding consumer privacy, how might this affect the latest strategy on how the institution was going to encrypt it's data in servers and on laptops? The CIU staff would advise the Chief Information Officer and other Information Security Risk staff to step up the roll-out for the latest version of PGP for the enterprise.
And the list goes on. The modern day intelligence-led Corporate Intelligence Unit (CIU), in concert with other highly specialized Operational Risk Management professionals in the enterprise can keep you safe, secure and keenly aware of new threats to your corporate assets. The degree to which you provide the right resources, funding and continuous testing/exercising of your capabilities will determine your likelihood for loss outcomes.

If your organization has been impacted by loss outcomes that continuously put your employees, stakeholders or assets at risk, then look hard and deep at your "Operational Risk" quotient, to determine if you are the best you can be...

Saturday, October 15, 2016

Scrutiny: The Noun Missing From Your Culture...

The culture of your business or organization will continue to be the root cause of many of your most substantial successes.  Simultaneously, it will be one of the most significant factors in your potential downfall as a company.  Operational Risk Management (ORM) professionals at Wells Fargo and Booz Allen Hamilton, are still dissecting all of the evidence of their respective events.

"Managing Risk to Ensure Intelligence Advantage" is a theme that you may not have heard before, unless you are in the Intelligence Community.  There is one key principle that is worth emphasizing again at this point in time:
Ensure all work is subject to scrutiny.  Require conflict of interest-free peer review for all programs, projects and strategies.
This principle, that shall become pervasive across the culture of the organization, is imperative for several reasons.  The first is, that a culture really is a manifestation of the people and the behaviors that are normal in the organization.  The second is, that the culture shall strive to be a true mosaic of the best thinking and ideas from all the key stakeholders in the enterprise.  Not just one or two people from the top or a singular department.

Putting scrutiny to your work by others to review, is the beginning of new found discovery and transparency insight.  It is the foundation for building a more trusted operating environment, with as little bias as you can possibly have in a culture.  When an organization spins of out of control and becomes the latest case study on an Operational Risk failure event, you must learn from it.  Wells Fargo is just one recent example:

Some consumers may be shying away from Wells Fargo after learning that employees used customers’ information to open sham accounts, according to new figures reported by the bank.

The nation’s largest retail bank beat expectations when it reported more than $5.6 billion in profit for the past three months. But the bank’s earnings report also hinted that the Wells Fargo may have some trouble convincing people to open new accounts in the wake of the scandal.

The number of checking accounts the bank opened in September fell by 25 percent from the same time last year, the company reported Friday. Credit card applications filed during the month dropped by 20 percent from a year ago. And the number of visits customers had with branch bankers also fell by 10 percent from last year.  Washington Post

Whether you are in the international banking and finance business, the defense industrial base or any other set of critical infrastructure institutions that public citizens are counting on, there is no room for a runaway culture.  Consider this definition:

scrutiny

noun, plural scrutinies.

1. a searching examination or investigation; minute inquiry.

2. surveillance; close and continuous watching or guarding.

3. a close and searching look.

You see, the integrity and longevity of your "Trust Decisions" begins with the sharing of relevant information.  Sharing that information with your most trusted and significant partners is the start. The beginning of a dialogue with people in your culture who continuously review the information, the new strategy. This begins the ongoing process. It is now time for others to look at your idea, your strategy, your policy rule, from their perspective. From their knowledge-base. To scrutinize it. To analyze it. To make sense of it for them and those affected by it.

The truth is, you don't have all the understanding and you don't have all of the ecosystem knowledge. You don't have the entire data set, to know if the specific work you have been doing is sound and correct. That the new work you have designed, is culturally and morally acceptable. That the outcomes of your project will produce the results imagined. That the strategy and the work, is the right thing to do at this point in time.

So how do you change? It begins with your next management meeting and beyond. If you are the leader, the manager, the director, the Vice-President or the CxO start now. Ask for scrutiny on your proposed strategy. Gain new insight and understanding. Ask for feedback and changes to make it better. Your power in the culture and its impact is your greatest weakness. Your people will follow you, unless you challenge them to think differently...

Sunday, October 09, 2016

Forest for the Trees: Inside the True Threat...

After we checked in,  our elevator ascended to the 4th floor of the Washington Post on October 6th, where everyone on board was anxious to get their seat inside the "Live Center."  The 6th Annual Cybersecurity Summit was at 9:00AM just on the tails of international news from Yahoo, Julian Assange and the NSA.

The TV cameras were lined up in the rear and the chairs were set on stage, for 30 minute talks with key thought leaders across the United States.  One could not miss the ceiling-based sensors capturing the faces of each person attending.  The moderators from the Washington Post, were all ready with their specific area of questions to address such topics as:
  • Protecting Personal Data
  • Political Hacks and Leaks
  • Cyberspace:  A 21st Century Warzone
  • A Focus on Critical Infrastructure
  • The White House and Cybersecurity
Flashback 6 years to Harrison Ford's movie Firewall, and the viewer is entertained with a combination of Seattle bank heist, kidnapping and good old fashioned Hollywood chase and fight scenes.  There is even a degree of deception and conspiracy mixed in to spice up the story line.  The plot is full of social engineering lessons, that even those with little knowledge of high technology can learn a thing or two.

While the actual high technology bank heist turns out to be nothing more than a simple stealing of account numbers and a transfer of $10,000 from 10,000 high net worth customers, the movie title is a ploy.  In only one short sequence is there any focus on the fact that the bank is being attacked on a daily basis from other locations on the other side of the globe.  Those attackers using new and increasingly sophisticated strategies are consistently giving financial institutions new challenges to secure their real assets, binary code.
In early 2005, a criminal gang with advanced hacking skills had tried to steal GBP 220 million (USD 421 million) from the London offices of the Japanese banking group Sumitomo and transfer the funds to 10 bank accounts around the world. Intelligence on the attempted theft via key logging software installed on banks' computers has been circulating in security circles since late last year after warnings were issued to financial institutions by the police to be on the alert for criminals using Trojan Horse technology that can record every key stroke made on a computer.
In this case and even in the movie, the "insider" is a 99.9% chance.  A person has been bribed, threatened or spoofed in order for the actual fraud or heist to occur.  The people who work inside the institution are far more likely to be the real source of your catastrophic digital incident, rather than the skilled hacker using key logging software.  More and more, the real way to mitigate these potential risks is through behavior profiles and deep learning analysis.

The human element, which relates to awareness, can't be ignored any longer.  And this can only be changed through education, training, and testing of employees.  An organization that procures technology worth millions is naive, if you don't invest in educating your employees to make the investment worthwhile.  Sometimes the human element stands alone.  Just ask Mr. Robot.

Awareness, detection and determination of threat, deployment, taking action, and alertness are key ingredients for security.
"Predictive Intelligence comes into play as organizations recognize that detecting threats, starts long before the firewall is compromised, falsified accounts established and bribes taken."
The Israeli Airline El Al has known for a long time, the power of humans as a force in security.  An empowered, trained and aware group of people will contribute to the layered framework, as a force multiplier that is unequaled by any other technology investment.

The topics and news this week should be a wake-up call for those institutions who still have not given their employees more of the skills and their Operational Risk Management (ORM) professionals the predictive tools for detecting human threats, long before any real losses occur.

The truth is, that "Insider Threat" data is being collected by the minute and the hour.  The public and private sectors have the highest concern about malicious insider activities to this day.  What are some examples of the behavior?  Some of these are observable by other humans and others only by machines and software.  Do you currently measure the number of times per day a user on your network copies files from their system to a removable drive or Dropbox account?

Executive Order 13587 was just the beginning to address the single point failures in the Defense Industrial Base supply chains.

Think inside the true threat.  Ask questions about relationships, personality, job satisfaction, organizational structure, punctuality and who is leaving the organization.  Who has just joined the company?  The interdependencies are vast and complex and both data and metadata need to be collected for effective Activity-Based Intelligence (ABI).

Anomaly Detection at Multiple Scales (ADAM) and the research on better understanding the "Forest for the Trees" scenarios.  We will continue our security vs. privacy policy debates.  Yet at the end of the day, maybe the answers are as simple as Rubik's Cube.

Sunday, October 02, 2016

Homegrown Violent Extremism: Vigilance of Intelligence...

Since the Boston Marathon terrorist attack on Patriots Day, April 15th, 2013 the spectrum of Operational Risks that have descended upon the region and the country are vast.  People, processes, systems and external events are the state-of-play.  If you own a backpack and you are taking it on public mass transit or to a public event soon, remember this.  The new normal has finally arrived in the United States of America, again.

What does the face of terrorism look like?  London understands.  Oslo now understands.  FOB Chapman understands.  New York City.  San Bernardino.  Orlando.  Dallas.  Even as we begin the analysis of this latest U.S. based event in context with all the similarities of past episodes of terror, we are left with one absolute known.  Operational Risk Management is essential, no matter who you trust and how much you trust them.  The public now understands this once again and regardless of how much we may want to continue to enjoy our civil liberties and privacy, you never know when or how this will happen again.

Why is it that Israel and other nations that are so far more advanced in their Operational Risk strategies, still witness numerous incidents of terror?  Because it is impossible to eliminate.  It is only possible to mitigate the risks and likelihood of occurrence.  Public safety and security incidents of this magnitude are the visible metric we all judge to make sense of our progress.  Our only hope is better intelligence.  Lisa Ruth explained this over four years ago:

Intelligence is the best, the only, way to defeat the terrorists. To tackle the terrorist threat, we need all the weapons in our intelligence arsenal. That starts with intelligence requirements from the entire community that are well-focused and well-targeted. It means funding and a mandate to succeed. It means strong collection. We need human intelligence, which comes from case officers recruiting sources on the ground to give us information. We need electronic information, including telephone intercepts and static listening devices. We need overhead photography. We also need open source information such as web sites, facebook pages and other publicly available information. We need analysis, putting the pieces together. And we need decision makers who trust the intelligence services and listen to what they are saying. Washington Times, 9/14/2012

So in the dark shadows and behind closed doors, the whispers continue to debate how Boston Patriots Day 2013 could have happened?  How On December 2, 2015, 14 people were killed and 22 were seriously injured in a terrorist attack at the Inland Regional Center in San Bernardino, California, which consisted of a mass shooting and an attempted bombing.  Why didn't the intelligence we had already, provide the warning in time, in the midst of a glaring yellow or red flag?  As the analysis continues and the best and the brightest determine the lessons learned, we can only pray, that our process changes take place and citizens behaviors are modified.  Erroll Southers explains why we have more work ahead of us:
 At the same time, the radicalization process is not brief. Extremism smolders like a hot coal, an idea that grows into a violent fire fueled by anger, conflicts of identity, feelings of humiliation and marginalization.. It is important for the public to understand that removing any one of these elements cannot fully disrupt radicalization. All of these and other root causes need to be addressed in the effort to not just apprehend terrorists, but dissuade the radicalization that leads to terrorism.
There will be numerous accounts of heroism, people who saw or reported details that could have helped stop any of these Homegrown Violent Extremist (HVE) events.  What matters most from this point forward is that "John Q. Citizen" realizes the importance of being ever vigilant.  Having a continuous sense of personal vigilance is our only hope.  Whether in the crowd at the next marathon or in a lonely office cube, off Route 123 does not matter.  The goal is the same and we must not lose sight of our mutual responsibilities and unified purpose.
Godspeed America!
  1. An expression of good will when addressing someone, typically someone about to go on a journey or a daring endeavor.