Michael D. Moberly July 20, 2015 A blog where attention span really matters!
To no one’s surprise, the endless stream of opinions regarding the agreement reached last week to restrict (mitigate) Iran’s nuclear arms potential fit very well, at least initially, on a straight continuum with three markers, i.e., yea, in principle, and nay.
I suspect for many global citizens, their opinions of the agreement are not exclusively about whether they believe it is good or bad, rather, it’s about how large and how probable they sense the threat (posed by a nuclearized Iran) actually is. That ‘sense’ is a very personalized IA (intangible asset). Respectfully, the presence, absence, and strength of such personalized intangibles may likely be influenced by a citizen’s proximity to Tehran.
The inevitable suspected violations and the way the agreement has been structured will surely influence more to publicly assess the agreement, i.e., good or bad, probably on a daily – weekly basis versus at strategic points of the agreement’s 10-15 year life cycle.
The agreement is necessarily complex with many moving parts that must be in sync attitudinally, behaviorally, and definitionally. Professor Stephen Carter, Yale University School of Law suggests, (a.) the number and complexity of those moving parts can be likened to a Rubik’s Cube, or (b.) akin to a Rube Goldberg machine, i.e., a contraption that is deliberately over-engineered or overdone to perform a very simple task in a very complicated fashion.
Too, with that level of complexity, my hope is that when there are challenges, they will not be so large or politicized as to undermine or cause the entire agreement to collapse. This is something every business decision maker who has engaged in a merger, acquisition, new product-service launch, buy-sell agreement, or strategic alliance understands well, i.e., how opponents to a deal will interpret suspicions – infractions as being individually or collectively significant enough to warrant its termination.
Professor Carter also suggests when one party to an agreement assumes the other party will attempt to cheat in some manner and at some point, this prompts other questions, but not solely whether the deal was good or bad, rather, were the interim (intangible) gains, i.e., psychological, attitudinal, emotional, etc., derived from an imperfect agreement sufficient insofar as mitigating or delaying what may have been otherwise inevitable. Of course, I am not talking about nuclear Armageddon.
In other words, Carter asks, were those potential (intangible) gains from having an agreement in place for a period of time, greater than the costs of not ever negotiating or producing an agreement in the first place?
Should most aspects of the agreement be adhered to by the parties, Professor Carter suggests that when one looks back on any agreement, be it business, trade, or nuclear, from the time of its signing to its potential termination, the global citizens represented by the negotiating parties were likely happier and felt safer than if the agreement had not been executed. Again, some powerful intangible assets at play here!
Michael D. Moberly July 4, 2015 ‘A long form blog where attention span really matters’!
It should come as no surprise that the way one perceives risk in general, and business risk in particular, influences how, why, and when decisions about managing (business) risk are made.
To be sure, identifying, measuring, and assessing risk are collectively important, as is meaningfulness, specificity, and perhaps most importantly in my view, commonality of (risk) understanding that fosters consensus necessary for decision makers to actually undertake appropriate (risk prevention, mitigation, or management) initiatives.
Again, to no readers’ surprise, an important aspect of recognizing (business) risk today is that it (risk) evolves over time, particularly in terms of how it is characterized, its drivers, and its potential criticality. Countless experiences of my own however, suggest there remains a significant percentage of business decision makers who ‘react’ to risk. That is, their recognition of business risk tends to be either relatively dismissive or, doing (only) what’s necessary to try to favorably restructure the odds that risk will materialize, i.e., vulnerability, probability, and criticality but, absent characterization of risk in a continuum context.
In other words, numerous business decision makers I have met perceive risk through a rather fatalistic lens, i.e., assumption and acceptance that adversity (business risk) is a generally present or permanent fixture, conveying little confidence in prevention, mitigation, or management initiatives. Preferably there is change on the horizon though, as more sophisticated risk or its unfortunate counterpart ‘threat’ calculations include more meaningful and relevant probabilities (vulnerabilities, criticalities) which in turn elevate business decision makers’ understanding and fiscal comfort to address risk accordingly.
I envision that greater recognition of the irreversible prevalence – dominance of intangible asset intensive and dependent businesses and markets, and of the more unique and stealthy risks associated with intangibles, will influence business decision makers to re-think risk management initiatives and necessities.
Fate and divine providence…
For long periods of time however, events and activities perceived as carrying a probability for adverse consequences, i.e., risk, were often attributed to divine providence or to the supernatural.
During the early periods, prayer and sacrifice were the prevalent means for mitigating a broad range of risks, as was the acceptance of whatever fate that followed. Sacrifice particularly was presumed to appease the spirits (gods) that could impose – bring about adverse outcomes. If however, there was no supernatural spirit or ‘god’ intervention, a business owner could anticipate incurring some level of suffering to their business or person. Presumably, if the ‘gods’ did intervene, a business owner could expect a favorable outcome.
Consequently, it was deemed unnecessary to measure risk in a conventional context due to peoples’ strong beliefs that all events, activities, and outcomes were pre-destined, i.e., they were driven by supernatural forces beyond one’s control. (The above was heavily adapted by Mr. Moberly from Dr. Aswath Damodaran’s ‘Risk Management: A Corporate Governance Manual’, Chapter 4, Stern School of Business, NYU.)
Difficult to differentiate risk…
Why do people or businesses engage in risk, and why are significant percentages of people – business decision makers relatively ineffective at assessing risks which they elect to engage?
For one, I suspect there are numerous readers of this blog who have experienced challenges insofar as articulating risk to c-suite colleagues in a manner they understand which allows them to differentiate the act of engaging in circumstances and/or transactions laden with risk relative to any presumed (projected) benefits of engaging in those risks.
Their rationale may, at least in part, be characterized as an anticipated emotional – psychological ‘buzz’ by engaging in behaviors and activities in which risks are obvious and known. For example, one may experience a ‘sense of affirmative relief’ after engaging in certain high risk behaviors, i.e., seeing one’s parachute canopy being fully deployed, or successfully negotiating highway curves while driving at a high rate of speed in a new automobile, or achieving – surpassing projected returns from a risky investment or transaction.
Most of us engage – face risk everyday…
Most of us recognize the reality that we engage – face risk each day, but we wish not to become paralyzed or unnecessarily encumbered, so we proceed. That said, large percentages of us remain inclined to couch – apply the term ‘risk’ in the context of activities – behaviors in which a risk or adversity can be the outcome, particularly when our elective decision to engage that risk is unresponsive to prevention, mitigation, or management strategies we may want to deploy, but materializes anyway.
Still, there are, to be sure, some business decision-makers who do not recognize there is generally some element of risk in most every action – inaction they take. Not infrequently, decision makers elect to dismiss – write off such realities because they assume a sufficient level of (risk) control and oversight can be sustained throughout the life – value cycle of the risk itself.
I am reminded though of the risk of becoming a victim to homicide in the U.S. On the one hand should we consider only the numerical probability, i.e., x per 100,000 population, this may seem as acceptable odds particularly if we refrain from entering areas where the highest percentage of homicides are reported. On the other hand, if we consider becoming a victim of homicide on the basis of whom our murderer is likely to be, i.e., spouse, relative, loved one, or close friend, such knowledge may influence us to re-frame our choices about engaging in certain risk producing behaviors with those individuals.
There are chronic risks and acute risks…
Examples of chronic risks include such things as consistent smoking of cigarettes or eating food with high levels of trans fats known to produce adverse health. As chronic risks, individuals so engaged, may not seem to give a great deal of consideration to the harm they are producing to their body. Such personal dismissiveness is frequently linked to their perception that continuing to engage in such risky food selection-consumption behaviors and the potential adverse effects those habits produce in their bodies and manifest as physical diseases may materialize over time – in the distant future, at which point the risk taker assumes they can be reversed by surgery or managed, mitigated, or controlled by ever sophisticated medical intervention. In the interim, acknowledged assumption – continuation of those risky behaviors are likely to continue.
Most are inclined to approach what they perceive as small risks, particularly risks which spread over a period of time before they begin to experience initial adverse reactions, i.e., the materialization of the flu attributed to not getting a flu vaccination.
Indeed, it would be interesting if we could construct a cigarette that would cause immediate adverse (physiological) reactions to smokers versus risks that manifest over time and which many no doubt rationalize and assume they have some control over, i.e., can cease at will and reverse any previous adverse harm.
Examples of acute risks, on the other hand, include rather obvious high risk activities such as sport parachuting, scuba diving, running a marathon, or becoming a ‘wingsuiter’ that jumps off high elevations. For each activity deemed acute risks, there is data that describes such risks in probabilities, e.g. one in one million probability if we engaged in one of these activities, we may experience serious injury or death. (BBC World Service, ‘The Why Factor’ hosted by Mike Williams, program titled ‘why people take risks’, June 23, 2015)
Risk media paradox…
We are in the midst of a risk – media paradox. For example, commercial air travel has become an increasingly safe mode of travel. However, as air travel safety increases, i.e., passenger air miles without crashes, there tends to be greater media coverage when an airplane catastrophe does occur. Thus, the more difficult it becomes to measure – assess human assessment of real risk.
Ultimately, to effectively mitigate risk, one needs to genuinely understand the risk they or others are engaging. But risk understanding – assessment does not stop there. One also needs to understand (identify – assess) each component part to the risk, that is, the variables that can emerge once a risk activity or task is undertaken and should a risk materialize, will it alter the risks’ initial calculations, i.e., mitigation, prevention, management, etc.
Understanding risk also includes identifying and factoring any systemic risks present which could exacerbate the risk activity – behavior to the point it becomes multiples of the assessment of the initial vulnerabilities – probabilities of acceptable ranges of risk.
Receptivity for engaging in calculated risks…
Of course, there is a growing percentage of individuals who are receptive to engaging in what they perceive – assume to be ‘calculated risks’ an acceptable portion of which presumably can be controlled and mitigated through preparation, practice, and exceptional equipment.
When one does incur an adverse outcome as a result of engaging in a particular risky activity where reliance on the proper functioning of equipment, machines, or processes to achieve a successful (non-injurious) outcome, but there are equipment – process failures, i.e., parachute canopy not deploying, one’s concerns for their safety are likely to heighten substantially. No ‘rocket science’ here!
But, at what point do risk probabilities actually rise to the level of getting decision maker’s ‘go – no go’ attention? Generally, it’s very challenging for people to grasp risks when they are couched in say 4 chances per million contexts.
But, when risk-probability calculations lie in the 1 or 2 per one hundred thousand or less, at this point, decision makers – risk takers often start to take more notice and may even back away from an activity or transaction that carries such success – failure calculations. Thus, for people engaging in acute categories of risk, there are brief periods of time when the risk taker – business decision maker retains the ‘go – no go’ option.
People tend to perceive – characterize risk on very emotional scales…
It’s probably far too much to assume people should assess each and every risk they engage. But, many argue that humans are inclined to approach most risk on very emotional levels, e.g., citizen willingness to engage in commercial flying following the U.S. terrorist attacks of 911 reduced significantly.
So, as people act emotionally and perhaps quite rationally to such events when they sense too much risk to fly commercially, they revert to alternative modes of travel, i.e., driving their cars. Very respectfully, while the U.S. lost 3500+ citizens to the 911 terrorist attacks, the U.S. lost an additional 1500+ above what was forecasted to automobile accidents in the year following 911, but with no comparative, emotional or otherwise, adverse reaction. (The above was heavily adapted by Michael D. Moberly from BBC’s ‘The Why Factor’, Dr Mike Aitken, Lecturer, Experimental Psychology, Institute of Psychiatry, Psychology and Neuroscience, King’s College London. Professor David Spiegelhalter, Professor of the Understanding of Risk, Statistical Laboratory, Centre for Mathematical Sciences, Cambridge University worked with BBC Lab UK to create the Big Risk Test, a mass participation survey into why some people are risk-takers and others are risk averse.)
Michael D. Moberly June 15, 2015 ‘A blog where attention span really matters’!
Some time ago, there appeared to be a transition of sorts in language regarding computer – IT system security. What had traditionally been characterized as defensive actions (products, services, etc.) to prevent and/or mitigate computer – IT system vulnerabilities and infiltrations by hackers or economic-competitive advantage adversaries was undergoing change.
The language – terminology now used to describe what I believe to be similar phenomena are cyber-security and cyber-warfare. Are these distinctions without a difference? I don’t believe they are. The latter is presumed to be executable on a broader scale, with greater frequency, sophistication, stealth, and other asymmetric features which can destroy data, deploy various types of malware, or siphon (extract) specifically targeted data-based intangible assets from a single company and/or one of the pillars to our national infrastructure literally, in nanoseconds.
What troubles me most about the term cyber-warfare particularly, is the inference that ‘all things evil’ to computer – IT system(s) originate from afar, that is, they are state sponsored or the product of growing numbers of organized and sophisticated non-state actors, i.e., legacy free adversaries.
Let’s be clear however, I am not questioning whether either of these characterizations are regular, if not the primary initiators, as there is ample evidence (anecdotal and otherwise) that is the case.
The attention and alarms government agencies particularly sound regarding cyber threats and cyber warfare are warranted and I seek not to dispute nor diminish their significance. After all, the adverse cascading havoc to any nation’s infrastructure created by a single offensive cyber strike-attack, we must recognize, could be incalculably cataclysmic.
Obviously, there are on-going discussions – debates in c-suites globally regarding the most effective expenditure, strategy, and/or practice to mitigate, if not prevent these persistent and ever larger risks. Only the uninformed would assume such challenges will dissipate in the future.
So, among CSOs (chief security officers), CROs (chief risk officers), CISOs (chief information security officers), CIPOs (chief intellectual property officers) and certainly legal counsel, sleep will surely be lost. Is it best to advocate your company or organization remain primarily in a defensive mode, e.g., repel, prevent, and contain, or independently engage in offensive and/or pre-emptive initiatives, assuming such actions will produce some level of deterrence versus the sustained risk and likelihood of escalation currently experienced?
Before any company travels too far down a particular strategic path, it’s important to recognize that the U.S. is distinctive from many other countries in that most of the pillars to its national infrastructure are privately held and operated, apart from direct government control as is the case with numerous other countries.
Thus, independent action (offensive, or pre-emptive) taken by a privately held company against a specific state sponsored actor or cyber adversary would produce, as yet, unknown reactions that may well exceed an inclination to publicly expose ‘who’s doing what to whom’. From an information (intangible) asset safeguard perspective, I believe the subject is being too narrowly framed and perhaps overly influenced by broader cyber security – warfare perspectives.
By continuing to frame computer-IT security in ever broader contexts, i.e., cyber security and cyber warfare, little or no space remains to recognize companies’ mission critical, sensitive, proprietary, and competitive advantage intangible asset-based information routinely still exist in formats other than electronic ‘ones and zeros and bits and bytes’.
I am certainly not suggesting the prevailing perception regarding the origins of adversaries, cyber attacks, and cyber warfare is misguided. Instead, I am suggesting, such perceptions and the accompanying expenditures and strategies give short shrift to the…
economic fact that 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, sustainability, and profitability today lie in – evolve directly from intangible assets, e.g., intellectual property, competitive advantages, brand, reputation, and intellectual, structural, and relationship capital.
Thus, the value, profitability, and competitive advantage, etc., rightfully developed and owned by a company is not exclusively housed in a computer or IT system and therefore not exclusively vulnerable to cyber attacks or cyber warfare.
Too, information asset safeguard policies and practices dominated by an IT or cyber (risk, threat) orientation tend to minimize the reality that most companies today operate in an extraordinarily fast-paced, competitive, and predatorial knowledge-intangible asset based global economy. In this irreversible global environment, information (intangible) assets are developed, acquired, used, and disseminated in extraordinarily short time frames. Endeavoring to safeguard or secure these assets, in my view, should not be exclusively conceived or practiced solely through an IT – cyber security lens.
Instead, responsibilities for safeguarding valuable information (intangible) assets should be embedded in (asset) developers-owners-users’ respective orientation, ethic, and enterprise culture. The reason is, there is a consistent and irreversible rise in intangible asset intensive and dependent companies in which information assets exist not solely as conventional tangible assets, rather as intangible assets, i.e., intellectual, structural, relationship, and competitive capital, etc.
As information (intangible) asset safeguard specialists know all too well, variations of a company’s – organization’s proprietary – sensitive business information are often prone to percolating throughout an enterprise, making it challenging to definitively restrict, confine, or limit its accessibility solely to conventional IT products, i.e., laptops, desktops, or ‘the cloud’. Again, it’s relevant to recognize that intellectual (structural, relationship, and competitive) capital seldom, if ever, can be wholly concentrated in electronic ‘ones, zeros, or bits and bytes’.
Similarly, information safeguard policies and practices supported by a presumptively superior IT – cyber security system-program can be misleading. For example, if a company installs – executes a new IT-cyber security system and proclaims it to be effective, the presumption that the company’s proprietary information is then secure seldom becomes the reality to which the company aspired. In today’s aggressively predatorial global business transaction environment eager to acquire actionable intelligence that translates into lucrative competitive advantages, that is a message no company should, even inadvertently, be communicating.
(This post was inspired by NPR’s Tom Gjelten’s three part series on cyber attacks and cyber warfare, February 11th, 12th, and 13th, 2015 on Morning Edition.)
Michael D. Moberly June 5, 2015 ‘A blog where attention span really matters’!
‘I really don’t know’ is my answer to this question. And, I should note that I am variously dubious of most who, for whatever reason, deem it necessary to say otherwise. That said, I trust my candid response does not deter further reading.
My rationale is, there are numerous sociological, psychological, economic, personal convenience and availability of equal or greater alternatives that play varying roles in how, why, or if consumers – stakeholders will react and if so, whether such reactions may be felt economically, in supply chains, or as diminution of competitive advantages.
I am writing this post in the early morning of June 4th. During the late afternoon of June 3rd, a proposed class action lawsuit was filed in a Manhattan federal court by four former employees of CVS who presumably held loss prevention positions. They claimed their superiors had ordered them to track minority customers which, as most know, translates as requisites to racial profiling, to which they voiced objections.
What prompted me to write about this specific event, among others of equal or greater import, is that NPR (Morning Edition) presented a 3 minute and 3 second segment about the CVS lawsuit, which I then read about in greater detail at Reuters.com where the story originated.
The lawsuit (Simpson v. CVS Pharmacy Inc, U.S. District Court for the Southern District of New York, No. 15-cv-4261) included the possibility that these plaintiffs may soon be filing a companion complaint with the EEOC. Should this occur, it would presumably allow plaintiffs to add more claims to their ‘federal’ case. I do not know whether CVS acquired a ‘heads up’ to the filing of this suit, but I suspect, with confidence, they did. Regardless, Carolyn Castel, a spokesperson for the Rhode Island based CVS Health Corporation, said ‘CVS was shocked by the lawsuit and would fight the claims’.
While I cannot presume to speak for CVS customers and stakeholders, I have come to be receptive to the ageless adage ‘if-where there is smoke there is usually fire’. My receptivity to this adage is embedded in multiple years of serving in various administrative capacities in which, when adverse rumors, accusations, or innuendos came to my attention, I accepted a responsibility to engage each in a discreet follow-up to assess their veracity.
One can make the case that there are fewer business risks, when they may materialize, e.g., allegations that carry even the slightest adverse messaging can manifest as genuine reputation risks.
I, like numerous colleagues in the intangibles arena, listen to and/or read about the same company – management missteps and miscues in media (news) outlets charged with securing 24×7 content, which I suspect can render them receptive to portraying ‘news’ events in contexts with potential linkage to other events or imageries.
Ironically though, I seldom hear events which are clear predicates to potentially significant (company) reputation risk, not being characterized in the mainstream and/or social media conveyances as such. About this, I remain particularly curious.
Media accounts are uncharacteristically absent language-narrative that reports the potential for reputation risk to arise even though growing numbers of adverse events that materialize produce some level of reputation risk fallout to the victim – targeted company before there has been a rebuttal or rational discussion as to its merits or truthfulness.
I am not suggesting the media standing alone are the instigators or precipitators of reputation risk to private sector firms but, to be sure, media characterizations do play a role in terms of how events are characterized for viewers, readers, and listeners, i.e., consumers and stakeholders.
Michael D. Moberly June 2, 2015 ‘A blog where attention span really matters’!
Throughout the 1960s, there was consistent reference by governments and defense sectors to MAD (mutually assured destruction), i.e., each side possessing sufficient nuclear ‘mega-tonnage’ to assure mutual destruction of the other, should war break out.
A similar analogy is evident today, but its origins do not lie in the delivery of nuclear weapons, rather in the delivery of massive cyber attacks designed to simultaneously take down and/or substantially disrupt multiple pillars of a targeted country’s infrastructure, à la MAD – ‘mutually assured (sector, grid) disruption’!
On the morning of September 11, 2001, I and countless others presumed the aircraft strikes in New York and Washington were diversionary, as tragic as they were, to be followed by massive cross sector cyber attacks. My anger and curiosity that a cyber attack was imminent prompted me to call acquaintances employed in various sectors throughout the U.S., one of which was the director of a top tier research university’s ‘super-computing’ center. My rationale was that a super-computing center would likely be an initial point of detection to a larger cyber attack should there be one in the offing. To my disillusionment, such a rationale was in error, at least in this instance.
The capability to thwart, mitigate, or contain the asymmetric and adverse cascading effects that a coordinated cyber attack would likely be designed to produce presents obvious challenges and creeping costs insofar as companies and organizations keeping pace with the infinite risks and threats which can seemingly materialize anytime and anyplace with no vapor trail, to maximize the intended infrastructure disruption and chaos.
I suspect there are management teams, c-suites, and boards, ranging from Fortune ranked firms to SME’s (small, medium enterprises), which have already engaged in discussions regarding the practicalities and costs of continuing to deploy state-of-the-art cyber attack – risk mitigation (data-information security) products.
There are two related reasons why I believe such discussions are inevitable…
- it is a globally universal and irreversible economic fact that rising percentages, 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in – evolve directly from intangible assets, primarily in the form of intellectual, structural, relationship-social and competivity capital.
- data/information generation, storage, and retrieval needs are continually ratcheting up to the mega-terabyte arena, particularly with the rapid recognition and rise of intangible asset intensive and dependent companies.
To be sure, efforts to thwart the actions of the growing global array of ultra-sophisticated economic and competitive advantage adversaries and legacy free players engaged in hacking and/or state sponsored entities capable of delivering massive cyber attacks are challenges which, at this juncture, cannot be dismissed or relegated to the uninitiated.
I am not suggesting companies disregard their fiduciary responsibilities or regulatory mandates. Instead, I am suggesting that, given a company’s desire to curtail the rising costs and operational disruptions associated with investing in and deploying all-the-more nuanced IT security products that deliver consistent and measurable returns, technologies must be developed with capabilities to differentiate company information and data on a variable continuum. For example, introducing the capability to differentiate data-information that should receive the maximum safeguards, which initially I propose, encompass these four factors, i.e., the (intangible) assets…
- contributory value to a particular project, product, and/or the company’s mission.
- continued materiality to a particular project, product, and/or the company’s mission.
- relevance to a company’s reputation (image, goodwill, brand) etc.
Michael D. Moberly June 1, 2015 A blog where attention span really matters!
In the information asset protection community, there’s an adage, or perhaps more aptly characterized as an anecdotally rooted ‘rule of thumb’, the ’20-60-20 rule’ that still carries a timely relevance since it initially caught my attention some 25+ years ago. Through my lens, this represents a reasonable and plausible characterization of the persistent ‘insider threat’ which I endeavor to explain below.
Group 1 – 20% of the people we work with…are inherently honest and possess consistently high levels of (personal, professional) integrity. It’s quite unlikely individuals in this initial 20% would be influenced, inclined, or could be persuaded to engage in unethical or dishonest behaviors, acts, or violations of a company’s security or information safeguard policies or practices.
In other words, for these individuals there would be little or no concern they would be engaging in misappropriation – theft of proprietary information, trade secrets, or monetized elements of intellectual property (IP).
Group 2 – another 20% of the people we work with…function at the opposite end of this continuum of honesty – integrity. For these individuals, when their already thin sociological – psychological veneer is peeled back, it’s likely to reveal an inherently dishonest, unethical, and misguided persona with little, if any, sense of personal – professional integrity, or employer loyalty with respect to complying with company policies or government laws/regulations related to obligations for safeguarding proprietary information, trade secrets, or IP.
Too, these individuals would likely be receptive (have the internal propensity, proclivity) when certain opportunities avail or influencers are present to engage in unethical – illegal acts, i.e., theft or compromise of valuable, mission critical, and competitive advantage information (intangible) assets.
Group 3 – then there’s the 60% of the people we work with who are essentially ‘in the middle’, that is, they do not (overtly) demonstrate any particular receptivity or proclivity to engage in dishonest, unethical, or illegal acts or behaviors that would purposefully put their employer’s proprietary information, trade secrets, or IP at risk or in jeopardy. In other words, these individuals are likely to be honest and ethical.
There is a disappointing and frustrating nuance to Group 3 however. That is, anecdotal evidence which suggests individuals functioning at the fringe of this group, i.e., closest to Group 2 on the continuum, are recognizing the persistent overtures from external entities engaged in solicitation-elicitation initiatives to misappropriate or publicly leak their employers’ proprietary information assets.
This phenomenon is particularly worrisome…to information safeguard specialists on many levels, one of which is that such (highly personal and embedded) proclivities – propensities may be unknown at the time of hire, i.e., go undetected – unobserved in conventional pre-employment screening and interview processes. In current parlance, they may be unwitting sleeper’s who’s adverse proclivities may be awakened and influenced at some future point by the employee’s interpretation-assessment of…
- their employer’s reactions and sanctions imposed on those caught violating company information safeguard practices and policies.
- the degree, level, and consistency of monitoring which their employer engages relative to safeguarding its proprietary information, IP, and trade secrets.
- the persistence of external advances and their potential lucrative outcomes.
Admittedly, there is nothing particularly scientific or legally defensible…regarding the 20-60-20 perspective, other than to say it probably evolved from well intentioned ‘anecdotal guesstimates’ and observed incidents. Regardless, for those finding relevance in it, this phenomenon does draw our attention, and properly so, to the persistent and very costly challenges presented by ‘insiders’, whoever they may be, and the necessity for more effective pre-employment screening and regular monitoring.
One rather practical approach to addressing such insider challenges can be attributed to the always forward looking Esther Dyson, when she remarked, ‘it’s not about counting the number of copies anymore, rather, it’s about developing relationships with employees and users’ (who can access the proprietary – competitive advantage information that necessitates safeguarding).
I suspect Ms. Dyson may not be familiar with the ‘20-60-20’ adage described here and its relevance to the hyper-competitive, aggressively predatorial, entrepreneurial spirited, and winner-take-all global business transaction environment.
But, there is practical reality embedded in Ms. Dyson’s remark, at least in terms of ‘people we work with’ and their propensity – receptivity, at some point in their career, not just their first week of employment, but, after undergoing various ‘snap-shots-in-time’ pre-employment screenings, to engage in adverse acts!
While most of my operational familiarity with ‘insiders’ is a direct result of personal experiences, I respectfully attribute some of my current thinking and approaches for addressing this persistent challenge to the excellent work-research consistently produced by PERSEREC (Personnel Security Research Center, DoD) and Carnegie Mellon’s CERT unit.
Michael D. Moberly May 22, 2015 ‘A blog where attention span really matters’!
Trust between employers and employees and companies and customers (clients, consumers, etc.) is an essential and very relevant IA (intangible asset) to most companies’ profitability and sustainability, irrespective of sector. Through my lens, at least in business contexts, trust is embedded in – translates as relationship capital and reputation, additional key IA’s, and, as such, plays an increasingly significant role in articulating, materializing, and sustaining a company’s value proposition. But trust, like many other ‘business’ terms, is frequently prey to individualized definition and translation.
Sarcastically, when I see – hear one, in a leadership role, take a podium to evangelize about the importance of trust, I find it prudent to recognize who, for what purpose, and the context in which they are endeavoring to characterize trust. In other words, I often find expressions of trust to be circumstance and/or context specific, but sprinkled with sufficient commonalities tantamount to self-serving glue that allows the definition to retain a semblance of palatability.
Trust, like numerous other business terms, is receptive to being defined in a manner that reflects a speaker’s circumstance to cast them in a preferred (positive) light vis-à-vis their customers, clients, superiors, and/or consumers, something which I would advise Barclays, Citigroup, J.P. Morgan, and the Royal Bank of Scotland, aka “The Cartel”, not to waste resources arguing, for some time, once again.
Aside from the financial services sector, many of us remain inclined to feel that someone whom we presume possesses perspectives and values similar to our own can, and should, be worthy of our trust. Thus, we would likely be receptive to their overtures. More specifically, when I am engaged with individuals, in business and IA management-safeguard initiatives, with whom there is evidence of shared commonalities, it’s likely I will be inclined – receptive to feeling they have my interests in mind.
That sense of course, emanates from another assumption which is, one’s present – past experiential commonalities serve as emotional entrées to trust. One might go so far as to suggest when we are surrounded by people whom we believe are like us, there will be a reciprocating inclination of trust.
Trust is a feeling, and thus a distinctly human experience says Simon Sinek. But, merely doing everything one has expressed – been interpreted as a promise you would do, does not robotically mean people will trust you. Instead, it more objectively translates that you may be reliable. To drill down further on this, most of us have friends who, by reasonable standards of assessment, could be characterized as not being particularly reliable or trustworthy, yet, because they are like us, we are inclined to trust them and remain friends, claims Sinek.
Trust is important because, when one is in the presence of individuals with shared beliefs, we are more confident – receptive to engage in some level of risk taking, experimentation, or exploration which, it’s likely we would not be inclined to do otherwise. After all, our personal – professional survivability and sustainability are, arguably dependent upon our ability to surround ourselves – serve with others with shared beliefs!
(This post evolved from NPR’s ‘Ted Radio Hour’ that aired on May 15, 2015, hosted by Guy Raz with a segment conducted by Simon Sinek, an adjunct to RAND Corporation.)
Michael D. Moberly May 14, 2015 ‘A blog where attention span really matters’!
The absence of intangible assets in B-school curriculum is tantamount to business education heresy. Some years ago, while preparing to teach a management course, I framed and sequenced course materials to reflect my determination and eagerness to introduce MBA students not merely to IA’s, but strategies related to managing them, mitigating risks, sustaining ownership, and understanding their competitive content and contributory value.
It’s essential IA’s be incorporated as teaching-learning elements to b-school’s undergrad and graduate programming, if for no other reason than steadily rising percentages (i.e., 80+%) of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability evolve directly from this non-physical asset class, particularly, intellectual, structural, and relationship capital, brand, reputation, goodwill, competitive advantages, and intellectual property, etc.
Upon commencing this MBA course, I quickly introduced students to intangible assets and affirmed they would be integral learning objectives to the course. Just as quickly, it became clear, with one exception, that, for even the most experienced and employed students, intangible assets were not part of their lexicon, repertoire of talent, or skill sets, save for one student who did acquire a limited, but far from operational familiarity for specific types-categories of intangible assets once they were pointed out. But that familiarity was generally limited to intellectual property (patents primarily), reputation, and brand. Students generally characterized intangibles in standalone – individualized contexts, not reliant on or connected to other company assets.
End of course teaching assessments coupled with student responses to essay questions related to intangible asset issues revealed challenges remained, particularly achieving a sufficient (operational) grasp of intangibles in several key areas, e.g., how…
- IA’s could be subject to a collective framework of (asset) management, stewardship, and oversight.
- to recognize and assess IA’s contributory value (to a company, a particular product, service, or other broader initiative).
- to distinguish particular IA’s as contributing to – being drivers of specific sources of revenue, and
- the assets could be persistently vulnerable to various and asymmetric risks which, once materialized, would erode and/or undermine company value, the benefits of competitive advantages, (company, product) reputation, and new product launches, etc.
Respectfully, IA’s represent a variously challenging concept to grasp and apply in value-add, revenue generation, monetization, and exploitation contexts, to name just a few. As for this course, I sensed then, and still do, that an important conceptual hurdle to understanding intangible assets along with achieving some level of operational familiarity, may reside in the word ‘intangible’. That is, IA’s lack a conventional sense of physicality, unlike tangible (physical) assets which one can see, touch, and report on balance sheets and financial statements.
Again, respectfully, this was, for these MBA students, their initial introduction to IA’s. In part, their lack of familiarity is a reflection of shortcomings in the larger business community that still struggles with how to effectively and efficiently engage and utilize the intangible assets their company – organization produces or acquires.
As the nine week course progressed, a significant percentage of the students appeared to concede the role, function, and contributory value of intangible assets. It’s worth noting, one student with an especially progressive career in financial services, clearly conveyed he was grasping IA’s, however, he consistently challenged, even resisted the positive spin I was endeavoring to espouse regarding the relevance and contributory value of intangible assets across all industry sectors.
This particular student articulated his reticence by describing numerous multi-million dollar loan and acquisition transactions which he personally oversaw, throughout which there was absolutely no mention, recognition, or accounting of intangible assets being in play, in either valuation, collateral (securitization) or due diligence contexts.
At the conclusion of the last class, this student said to me in a respectful, yet very definitive tone… “I understand what you’re saying Mr. Moberly about IA’s, but I just don’t see IA’s ever becoming an issue in my bank as you are suggesting they should and will, at least while the current (bank) officers remain in place. In my bank, it’s solely about identifying and assessing the value of physical assets as collateral”.
Of course, the point to all of this is, does the same attitude and perspective hold true for business management teams, c-suites, and boards, in general? To be sure, attitudes toward and fundamental operational familiarity with IA’s are changing as the economic fact – business reality becomes clearer, i.e., 80+% of most companies’ value and sources of revenue emanate from IA’s.
Introducing intelligent, seasoned, and already successful business decision-makers, boards, and management teams to intangible assets, their valuation, and strategies to effectively use and extract value from them, along with the necessity to safeguard and monitor the assets’ value, risk, and materiality, is indeed worthy of their time. Unfortunately however, intangible assets remain somewhat of a hard sell!
Michael D. Moberly May 12, 2015 ‘A blog where attention span really matters!’
In my corner of the business world where 80+% of most companies’ value and sources of revenue lie in – evolve directly from IA’s (intangible assets), it’s routine for me to cross paths with very astute, experienced, and financially successful company management team members (c-suites). Somewhat ironically, at least through my lens, many quite cavalierly express the view that it’s impossible to eliminate all (business) risk. I have come to interpret that mantra, quite correctly I believe, as symbolic of the subjective manner in which many c-suites treat risk.
My response to such views is usually to politely hedge a little by suggesting it is possible to mitigate a large percentage of most businesses’ risk! However, and here comes the hedging part, the resources a company may have to dedicate – reallocate to a (risk) mitigation initiative, and the resulting restrictions, subjective as they may be, would likely be embedded with some untenable impracticalities.
Regardless of how subjective risk mitigation may be, at least as I see it being practiced, few organizational decision makers would knowingly assume risk mitigation practices that would impede operational effectiveness and efficiency or disturb the flow and integration of IA’s, particularly intellectual, structural, relationship, and competitivity capital.
Any company doing so would rapidly find its viability, profitability, and sustainability substantially undermined, if not ‘go to zero’, unless of course, those assets were transferrable.
Through my lens, there is a significant, but actually unknown percentage of companies in which their tolerance – appetite for risk…
- varies over time and is often circumstance – transaction specific, i.e., influenced by…
  - the products – services a company produces, delivers, and its target customers.
  - the perceptions – beliefs held by c-suites and boards regarding business risk climate.
  - a prior adverse experience or shared anecdote from another company.
  - the manner and locations in which a company interacts with – engages its primary markets, i.e., customers, supply chains, and myriad stakeholders.
According to Dr. Marc Siegel, a globally respected organizational resilience specialist, there are ways to measure and assess a company’s tolerance – appetite for risk. Most, Siegel says, are dependent on their…
1. Experience – e.g., the confidence level held by company management teams, acquired largely through their familiarity with current and over-the-horizon risks, coupled with their (perceived) capabilities to effectively manage (prevent and/or sufficiently mitigate) such risks.
2. Resiliency – e.g., if or when a significant (business) risk materializes, are there policies and practices in place to (a.) mitigate – minimize the criticality produced by the risk, and (b.) rapidly return the company to a state of operational and financial – revenue normalcy in a reasonable time frame before risk resiliency is irreversible. Achieving such a desired level of risk resiliency includes minimizing the fragility and vulnerability of a company’s – business unit’s intangible assets, particularly intellectual, structural, relationship, and competitive capital for the duration of the risk event.
A related question I routinely pose to management teams, focuses on how they (presumably) achieved consensus to accept or tolerate particular levels of risk relative to a specific transaction, new venture, strategic alliance, etc.? The answer is frequently some variation to the proverbial…
‘risk is an inherent feature of doing business and all successful business persons are inherently risk takers’.
I approach business risk a little differently in terms of understanding why and how I may respectfully influence management teams, boards, and c-suites, already inclined to have a greater appetite for – tolerance of certain (business) risks and not others. I find it’s frequently due to…
- types and levels of risk are subjectively measured – assessed to be low, in terms of vulnerability and probability, but extraordinarily high in criticality, making the cost of mitigation, i.e., risk transfer, etc., exceed potential (prospective) benefits, thus self-insurance or elevated tolerance for risk appear to be the prudent, near term option.
- the asymmetric nature of business risks, i.e., their magnitude, frequency, criticality, and cascading potential, while factoring the type of product or service a company produces, is beyond the capabilities of most to consistently prevent or mitigate.
- companies’ anticipated – projected business opportunities associated with assuming a certain level of risk, outweigh risk exposures to the point that a management team can justify – rationalize executing a particular transaction or new initiative and therefore assume a substantial portion of the risk.
(This post was inspired by the work of Dr. Marc Siegel and his work related to organizational resilience on behalf of ASIS International.)
Michael D. Moberly May 8, 2015 ‘A blog where attention span really matters’.
Competitive (business) intelligence is alive and well and it’s certainly not all cyber-based even though there is an abundance of off-the-shelf data mining software available that mitigates the tediousness and time associated with conventional approaches to business intelligence collection.
Perhaps what concerns me most has been the continued expansion of ‘legacy free players’ (Thomas Friedman, ‘The World Is Flat’). My definition of ‘legacy free players’ is quite similar to that of Mr. Friedman, that is, these individuals/groups may not be necessarily aligned with or employees of nation state sponsors which are frequently technology dependent and sophisticated, or even organized units/cadres of economic spies. Instead, ‘legacy free players’ are, for the most part, independent operators or groups of individuals for whom, given their country of origin and cultural perspective, honoring the proprietary information originated by – belonging to others is a relatively new concept insofar as respecting personal, let alone intellectual, property rights. In other words, there is an absence of legal, social, or cultural legacy to others’ properties of the mind, i.e., intellectual – human capital.
Setting that aside for the moment, of all the business leaders and management team members with whom I have had the good fortune of conversing over the past 25+ years, when I introduce the subject of competitive intelligence, a substantial percentage of the time, their initial response is embedded with favorable rationalizations ranging from…
- everybody does it, to
- one is foolish if they don’t engage in some manner of competitor – business intelligence.
While I am aware of no original research – objective data to indicate such characterizations are as accurate as business leaders assume, based on my many years of work-research in this arena, one would be well advised to consider that the consistency of the responses suggests a significant percentage of businesses regularly engage in some level – form of competitor-business intelligence.
While their (intelligence) collection and analysis techniques may not be as sophisticated, analytical, or strategically oriented as those conducted by the countless private (independent) competitor intelligence firms operating globally, the information targeted and collected usually provides business decision makers with useable prognosticative insights variously related to the plans, intentions, and capabilities of competitors, i.e., what they are doing, have done, or, are about to do!
Simply stated, I find the adverse effects (of competitor – business intelligence) usually materialize in one of four ways, that is, the purpose, intent, and/or objective are to…
- undermine, erode, stifle, and otherwise get ahead of a competitor’s initiatives, competitive advantages, market position, and strategic planning.
Any company’s efforts to counter or mitigate the very real adverse effects of competitor intelligence begin with understanding one’s own company’s IA’s (intangible assets). This means recognizing that IA’s comprise increasing percentages – 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability! More specifically, IA’s are the real drivers – underliers to a company’s value and sources of revenue which are precisely what competitor-business intelligence operatives are seeking, whether, I might add, they actually realize it or not!