27 September 2005

Rita and The Suicide Bomber...

Now that the U.S. is dealing with the aftermath of a Category 3 hurricane "Rita" and the U.K. is analyzing it's response to the 7/7 "Suicide Bombers", what operational risks do they have in common?

The answer is plain and the truth hurts. There is no stopping either threat and they will always find a way to inflict significant losses to our property and human lives. These threats are at opposite ends of the spectrum however when it comes to the event itself.

One attacker is tracked and shown on national television as it grows and bears down on it's next target. We know when and where. The other attacker is hard to detect in advance and operates in stealth. Now the question again is, what do they have in common? In both cases, we know they are coming again.

Our preparation and planning for the next incident itself, using a myriad of scenario-based exercises or tests can assist those who deter and detect these threats as well as those who will be tasked to alert or defend and help recover from the next one. These are both risks that you can help mitigate the consequences and the impact although one could argue the likelihood is inevitable and increasing.

What is less predictable is human behavior. The emotions, actions and attitudes of dozens, thousands or millions of people can't be predicted. One can only learn from these events and over the course of history, establish a baseline of knowledge. The next incident will be different and it will have some of the same characteristics.

Human behavior is the key to our greatest risk management challenges. Both the U.K. and the U.S. have seen the pictures of bomb and hurricane casualties in the past three months. Human behavior in one case has the attributes of a well-trained and coordinated response. The other case is rapidly becoming a "Case Study" for those public servants who are learning what went wrong. While it's unfair to compare the scope of the two scenarios, it's obvious that we still don't have a firm grasp on human behavior.

23 September 2005

Survive: A Strategy for Every Business...

Well over two years ago upon our founding, 1SecureAudit joined a global organization of people who really "Get it". Who understand and demonstrate the necessity and true philosophy of Business Crisis and Continuity Management. Is your U.S. institution a member? Do you have top executives who are contributing strategic resources and knowledge to the survival of your business? Ignoring the multitude of significant threats and business disruptions to your enterprise is nothing less than a lack of corporate strategy for long term survival.

Launched in 1989, Survive has since grown throughout the world to become the leading forum for expertise and information exchange among business continuity management practitioners and professionals, and all managers and directors with responsibility for ensuring the resilience and ultimate survival of their companies.

Originally focused largely on the back-up and recovery of IT and communications systems, Survive is now the only organisation of its kind in the world addressing the continuity needs of the entire organisation.

Our members are concerned about everything from protecting the company data and staff safety, to safeguarding the reputation and value of the whole enterprise.

The demands are growing on public and private sector organisations to prove they have processes in place to maintain continuous impressive performance 365 days a year, regardless of unusual internal or external circumstances. Such demands can be almost impossible to meet. But through understanding how organisations of different shapes and sizes tackle the difficult issues, members learn how to build resilience into their businesses and how to make business continuity a core part of the their company culture.

Business continuity management is about not making excuses. It's about being wise before the event. It is a state of mind that understands great organisations never moan they didn't do well because of the state of the economy, a fire at the warehouse, an internal fraud, or a strike by a group of key workers. Great organisations do well anyway.


As another Category 4 hurricane bears down on the U.S. for the second time in a month, we can only hope that the business community in Texas is ready. Gods speed to the people of Houston and beyond.

21 September 2005

Adaptation + Visible OPS = Managed Change

Managing Complextiy and change in any enterprise is an Information Technology nightmare. Adaptive can assist you in managing change.

A picture is worth a thousand words.

A model is worth a thousand pictures.

An Adaptation is worth a thousand models.

The Zachman Framework™ is often mistaken by some to be a 6 x 6 matrix. We believe that it is not. We see it as a structured, multidimensional management framework that helps organizations plan, design and implement complex, adaptable information systems. Our view of the framework is shown in this Adaptive rotating hexagon.

We believe that the Zachman Framework guides an organization to define its own unique business and technology "language". This language answers the questions about Why, What, How, Who, When and Where related to an enterprise's strategies, business processes and a number of more concrete levels of an information technology architecture.

The Framework is designed so that people with different perspectives can communicate. The different user perspectives are analagous to those with any complex engineering scenario - "Planner", "Owner", "Designer", "Builder", "Sub-contractor" and the final result - "Operating Enterprise".


In this article from George Spafford he articulates the essence of change management in the IT worldview.

"Change is pervasive through the organization and has huge impacts on the operations of the business. People at all levels in IT must understand and value the fact that as the level of complexity increases in a system, the value of effective change management processes increases.

Studies have shown that 80 percent of the fires that IT fights and 80 percent of security breaches are caused by human error. The vast majority of the problems in IT, and thus for the overall organization, will arise from human limitations in the face of escalating systemic complexity."


For those of us who use and advocate "Visible Ops", here are 4 reminder steps to running more effective ITIL operations in your enterprise:

1. Stabilize the Patient

2. Catch & Release and Find Fragile Artifacts

3. Establish Repeatable Build Library

4. Enable Continuous Improvement

Visit ITPI for more.

19 September 2005

Reputation Risk: Is Murphy to Blame?

Any board member or executive today is well aware of the direct impact an adverse event or significant business disruption can have on shareholder value and customer confidence. When it does happen, how many people just throw up their hands and shout, Murphy's Law!

Murphy's Law ("If anything can go wrong, it will") was born at Edwards Air Force Base in 1949 at North Base.

It was named after Capt. Edward A. Murphy, an engineer working on Air Force Project MX981, (a project) designed to see how much sudden deceleration a person can stand in a crash.


Murphy is all about managing the "What if's" and planning for their possibility. Here is an example. Are you moving your business sometime soon? What is the possibility that when you do, you will be able to use your e-mail the day you open your new doors? More than one business has been subjected to the Law's of Murphy whenever a complex and logistical project or program is underway. If you are one of those corporate executives who has been unable to use your e-mail or web services the Monday after the big office move, you are not alone. The question is not that it could happen, it's what impact will it have on both customer and employee satisfaction the day it happens, and beyond.

This Corporate Board Member article sums up the impact of Reputation Risk on your organization.

While every Board member knows the importance of managing Enterprise Reputation Risk, the task seems overwhelming. Some Boards are not even trying to proactively manage the risk: their companies will be forced to rely on “reactive” measures after the Reputation Risk event has occurred. These after-the-fact public relations initiatives are expensive and often ineffective. And, since they are event-directed, they don’t provide an ongoing risk structure for the company to identify and control other issues which can cause Reputation Risk. Considering the enormous loss of both financial and franchise value which accompany Reputation Risk, is a Board which only reacts to risk events really doing its job?


In your future planning to mitigate the Operational Risks associated with Murphy and your reputation, we are reminded of a few of our favorite Murphy's Laws:

1. Computer systems are unreliable, but humans are even more unreliable. Any system which depends on human reliability is unreliable.

2. If there is a possibility of several things going wrong the one that will cause the most damage will be the one to go wrong.

3. A difficult task will be halted near completion by one tiny, previously insignificant detail.

4. High speed chases will always proceed from an area of light traffic to an area of extremely heavy traffic.

5. Every emergency has three phases: PANIC... FEAR... REMORSE.

Do you think you're spending too much time with your team planning? You haven't. Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong. The organizations whose team has planned for every possible scenario and trained together in live simulations will become the most successful. Their missions will be accomplished on time and within budget.

Incidents of different severity and frequency are happening around you and your organization every day. Would your employees know what an incident looks like let alone know what to do next to mitigate the risk to them and the organization?

15 September 2005

The Global State of Information Security: Still Risky Business...

Operational Risks are rising and executives are more interested in preparing their employees for the next crisis.

In a recent worldwide study by CIO Magazine and PWC concerning their risks, thousands of security leaders are fanning the flames over so many breaches and so little insight.

The survey asked about next year's 2006 top priorities or To-Do List:

1. Business Crisis and Continuity Management

2. Employee Training and Awareness programs

3. Data Backup

4. Overall Information Security Strategy

5. Network Firewalls


The good news is that the budgets are finally rising in light of increased theft of intellectual property and identities along with other major information crimes. Budgets in 2005 are now 13% of the IT budget. Consolidation and compliance are issues to be managed however these have bogged down strategic initiatives for the future.

Even after spending in the billions, incidents are still rising and these are the sources of the attacks:

59% - Malicious code

26% - Unknown

25% - Unauthorized entry

21% - Denial-of-service


And what is the most enlightening or discouraging statistic from this group is the answer to the question: When an incident does occur as a result of an attack, who do you tell?

No One - 55%

Customers - 16%

Partners/suppliers - 14%


Is there some correlation between the 26% unknown sources of attacks and the 55% of the incidents where no one is told about it.

12 September 2005

The Paradox of Privacy...

The banking industry has much to do to overcome the flat curve for new online customers. If this latest Ipsos Insight Research is correct, then privacy remains a significant issue in the consumers mind.

The proliferation of "phishing" and highly publicized hacker tactics have thwarted industry efforts to convince customers that online banking is safe. Results of the survey include:

83 percent of survey respondents who conduct their personal banking online reported concerns over protecting their personal information from theft.

73 percent of people said personal information theft is a deterrent for them to use online banking survey respondents were equally concerned about banks selling their personal information to a third party, with 72 percent of respondents citing the issue as "extremely" or "very important."


Promising not to sell your information to third parties is only part of the problem. The financial institutions are still using direct marketers and other data mining companies to make sure their latest loan offer goes to the most qualified and relevant customer. In some cases, the banks are doing much of the analysis in-house and only sending the "Bulk Mailers" the correctly correlated data records.

This New York Times article, Europe Zips Lips; U.S. Sells ZIPs, by Eric Dash sums it up quite nicely:

One thing that both privacy cultures have in common is that it is becoming harder for either to control what is and isn't kept private. Information is increasingly the lifeblood of the global economy, not to mention the global fight against terrorism and the quarry of hackers.

As this year's data breaches and compromises have shown, no one really knows how safe the world's vast pool of confidential data is, and therefore how protected anyone is against an invasion of data privacy.

Mr. Reidenberg, the law professor, compares the current situation to the stock market meltdown after the 1929 crash. America responded then by creating the Securities and Exchange Commission and a host of financial disclosure and accounting reforms. The need to safeguard sensitive data, Mr. Reidenberg said, "will necessitate the United States focusing on the legal way we structure information processing, just like we needed to do in the 1930's to put the economy back on stable footing."


With Identity Theft and Money Laundering as the two top issues with almost every banking institution, you would think that these 3rd party mailers would be consistently monitored and audited just as the banks are. Nothing could be farther from reality.

08 September 2005

Corporate Social Responsibility...

Corporate Social Responsibility (CSR) is getting a real work out since our planet's latest natural catastrophe, Hurricane Katrina. Organizations and companies many of us have never heard of are contributing supplies, manpower and aid to the recovery of this key economic region of the U.S..

Social responsibility is a matter more companies are paying close attention to these days and the potential risk that a blind eye may have on the future performance of the institution. What is most interesting are the stories of corporate heroism coming out of the news reports that validates this thinking. And the reports of those organizations who have failed to answer the call to act in the best interest of their employees and customers.

The risk of failed processes and programs pertaining to social issues is a real threat to the faith people have in your company and your brand, even if they are not a customer today. Contingency planners understand the impact that adverse business disruptions can have on the performance of the company. Less known is the impact that a lack of social responsibility can have on the damage to the brand and reputation of the organization. Many will soon find out as the truth is told.


As the political lines are drawn in the sand, one can only wonder who the real heroes are going to be after this historical event is documented. The mothers, fathers, brothers and sisters. The grand parents and the aunts and uncles. Those who weathered the storm or evacuated in time to keep their loved ones out of harms way. Hundreds of thousands of their stories will never make it to the six o'clock news.

Corporate Social Responsibility spans the spectrum from the local Wal-Mart, Marriott and Bank of America to the corner grocery and gas station. Yet the real winners are those who continue to utilize their own talents and resources to contribute in some meaningful way.

01 September 2005

Begin the Lessons Learned...Again

In the aftermath of Hurricane Katrina, one can only wonder what will happen next. We are already questioning our abilities to respond. One thing is certain, this will not be the last hurricane of this season or the last crisis event facing the Homeland. In order to make sure that organizations and businesses are even more prepared for the near future and beyond, you must have the correct systems to support your worst case scenario and contingency plans.

EMAware is an emergency management system for agencies, jurisdictions and companies that need to control the flow of information before, during, and after emergencies. Using EMAware, organizations can manage inbound and outbound emergency messages and create workflow rules that automate the process of activating emergencies and notifying key staff and peer organizations.

EMAware allows you to:

* Automate maintenance of Emergency Action Plans
* Originate, receive and manage CAP and EDXL alerts
* Support staff training and testing
* Integrate siloed monitoring systems
* Manage geographically dispersed offices and mobile workforces


Total organizational awareness is critical in emergency situations. And behind the awful images of CNN live on location, are thousands of people and computers behind the scenes making the recovery even more effective. Our intelligence branches are using geo-spatial imaging to help coordinate search and rescue operations using satellite pictures. FEMA, the Red Cross and DHS are communicating over secure networks for voice, email and text messaging.

No country has the means to recover faster from a disaster of this magnitude than the United States of America. 9/11 is now in our thoughts again this week. Always remember.