Michael D. Moberly August 19, 2015 ‘A blog where attention span really matters’.
Readers, there is absolutely no dispute to the globally universal economic fact that today 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, competitiveness, and sustainability lie in – directly evolve from intangible assets! So isn’t it quickly approaching the state of being a no-brainer to acquire an operational familiarity with an organization’s intangible assets, because, by doing so, better business decisions are all but sure to follow!
It’s just entirely insufficient now for management teams to (a.) merely know what intangible assets are or which one’s their company – employees have developed, (b.) utilize, or perhaps worse, (c.) succumb to conventional accountancy path of lumping all internally developed intangibles together (indistinguishably) as goodwill.
It’s now essential, if not a fiduciary responsibility to:
- sustain control, use, and ownership of IA’s.
- know precisely how the IA’s contribute to a company’s value and create sources of revenue.
- understand how to utilize, leverage, and position the assets to extract as much value and competitive advantage as possible.
- exercise effective stewardship, oversight, and management of the IA’s and consistently monitor their materiality and contributory value.
By achieving this level of operational and financial familiarity with IA’s, numerous enterprise wide multipliers can follow, for example
1. Add predictability to business transactions when intangible assets and IP are in play by being able to assess the stability, fragility, defensibility, and sustainability of the assets through an IA focused due diligence.
2. Elevate probabilities that projected returns will be achieved, competitive advantages will be sustained or enhanced, asset synergies and efficiencies will develop, and transaction exit strategies affirmed
3. Achieve effective convergence of IA accounting, reporting, and valuation by recognizing their linkages to:
- knowledge management initiatives.
- IP development and safeguards.
- the balanced scorecard.
4. Reduce probability of costly, time consuming, and momentum stifling legal challenges and disputes regarding IA’s by foreseeing circumstances that can ensnare and/or entangle IA’s that will impede a transaction, or erode or undermine its projected synergies, value, competitive advantages, or overall performance.
5. Build an IA focused organizational culture that contributes to
- recognizing, producing, and sustaining control, use, ownership, and value of IA’s.
- elevating organizational awareness to accelerate the pursuit of adverse IA issues, i.e., ownership, value, infringement, misappropriation, theft, etc.
6. Develop a comprehensive OR (organizational resilience – continuity-contingency) plan that encompasses an organization’s key ‘contributory value’ IA’s that will facilitate quicker and more complete recovery following a significant business disruption.
Michael D. Moberly August 18, 2015 ‘A blog where attention span really matters’.
Intangible assets, better explained will facilitate their integration in managerial – strategic lexicon…but, let there be no question, I am a strong and unapologetic advocate of intangible assets!
An occasionally frustrating aspect to my client work in the IA arena is sparked, in part to the murky and confusing language, sometimes perceived as contradictory, used to define (describe, distinguish) IA’s, e.g., they
- are the non-physical ‘things’ of value that a company owns.
- have no set monetary value and little or no objective (consistent) means of measurement.
- lack conventional sense of physical presence, i.e., they’re not subject to being seen or touched.
I am not suggesting this occasional frustrations can…consistently fit the increasing number of IA intensive and dependent firms regardless of the multiple realities above, e.g.,
- they lack a conventional sense of physicality.
- their performance and value is challenging to objectively monitor and measure.
I have encountered countless circumstances in which uninitiated management teams, boards, investors alike, struggle to make sense of IA’s, i.e., what the British often describe as the ‘invisibles’ which actually, is quite realistic and even understandable because, among other things, seldom, if ever, are IA’s singularly reported on company balance sheets or financial statements, that is, unless they have been acquired externally, or ‘lumped together’ as goodwill.
Decision makers and strategists are hard pressed…to deny the reality that rising percentages of organizations have far fewer tangible (physical) assets in their inventory. Instead, their ‘inventory’ is conceived and built using an array of IA’s. Forward looking-thinking organizational strategists are apt to say, and, quite correctly, the development and effective use of IA’s is essential to organization’s near and long term success and serve as cornerstones for (organization) viability, sustainability, profitability, and competitiveness.
Still, to the uninitiated…i.e., those operationally unfamiliar with intangibles, including those who are suspect and/or dismissive about IA’s contributory role and value coupled with their ambiguous definitions, contribute little to achieving the much needed ‘eureka’ moments, i.e., I get it, which is critical to these irreversibly permanent fixtures to the knowledge (IA) based global economy which most would agree, we’re only in the initial stage.
An often overlooked and misunderstood reality about IA’s is that most every organization, not just the new, IA intensive-dependent ones, through their management teams and employees, routinely create, use, and ‘bank’ a substantial amount of IA’s in the form of intellectual, relationship, structural, and competitive capital. But, unfortunately, in conventionally led enterprises, these IA’s are less apt to be recognized or efficiently utilized, because in large part I find, a not insignificant number of leaders – decision makers still perceive their organizations functioning in traditional ‘brick and mortar’ contexts, dominated by physical – tangible assets, which are presumed to be their primary means for creating value and/or serving as sources revenue.
Through my lens, there are infinite types – categories of IA’s…i.e.,
- knowledge-based, or are born out of the intellectual capital held between our ears,
- issued to our company as intellectual property, i.e., patents primarily, or
- merely the accumulation of relationships, experience, and specialized (operational) know how that creates efficiencies and adds value.
When IA’s are prudently and optimally linked to understanding how and when to effectively, efficiently, and profitably use-apply them, it’s all but sure they will produce desirable and profitable outcomes and competitive advantages.
So, whether one is operating an already successful business or overseeing an SUBUR (start-up based in university research), I find most leaders – decision makers – strategists gravitate to their respective comfort zones often comprised of facts, figures, formulas, and ratios, etc., which their operational familiarity is firmly ensconced. In other words, quantitatively tangible components unfortunately with far too much regularity remain the framework for business decisions and strategic planning.
Organization decision makers’ find these comfort zones are easy to sustain because the measurement and accounting tools they are accustom to using and relying upon remain conventionally framed through a very conventional tangible assets lens, and less acquiring confidence in IA’s!
Today, those conventional comfort zones…packed with tangible numbers which still fit neatly on balance sheets and financial statements are being, quite necessarily challenged in favor of embracing and engaging the intangible sides of organizations. Management teams are obliged to push their conventional thinking and practices beyond the tangible to the intangible relative to the contributory value IA’s consistently deliver.
So, welcome to the specialized, but ever expanding arena of the information age and its outgrowth, the knowledge (IA) based economies, wherein IA’s now routinely play increasingly significant roles as contributors – facilitators to most organization’s value, sources of revenue, competitive advantages, sustainability, and ‘building blocks’ for growth and profitability.
But, despite the rising importance of IA’s and the contributions they consistently deliver to organizations in all (industry) sectors, they unfortunately remain, for some management teams and boards, challenging to define, recognize, distinguish, and measure. Hey, you have to work at it! (Adapted by Michael D. Moberly from the work of Thomas A Stewart, ‘Trying To Grasp The Intangible’.)
Michael D. Moberly August 17, 2015 ‘A blog where attention span really matters’.
An important initial step to…achieving a more IA conscious business community, lies in bringing more operational clarity to what IA’s are, what they’re not, and how to consistently identify and how to assess and utilize them effectively. Unfortunately, there remain some challenges in the business community insofar as defining and explaining precisely what intangible assets are, how, by whom, and when they are produced, and perhaps most importantly how they contribute to an organization’s value, sources of revenue, competitiveness, and sustainability. After many years of work, research, and client engagements in the IA arena, even with more experienced, astute, and successful management teams, the words ‘intangible assets’ are seldom part of their routine discourse, integrated in their lexicon. The reasons respectfully vary, along a continuum of…
- not fully understanding or appreciating what intangible assets actually are.
- being unaccustomed – uninitiated to identifying, assessing, or exploiting IA’s compared to tangible assets.
- erroneously assuming IA’s are the (exclusive) domain of accountancy and/or intellectual property (legal) counsel.
- wholly dismissing IA’s because they’re not sensed as constituting standalone assets or commodities because they are not routinely reported on company balance sheets or financial statements, unless ‘lumped together’ as goodwill.
Thus, recognizing the necessity to engage and exploit an organization’s IA’s or determine – measure their contributory value or performance which unfortunately, but frequently perceived as being neither necessary or justifiable, even though today 80+% of most organization’s value, sources of revenue and ‘building blocks’ for growth, sustainability, and profitability lie in – evolve directly from IA’s. These are economic facts – business realities that absolutely should not be dismissed, overlooked, or disregarded as somehow being irrelevant to leaders – decision makers professionally or the organization they may own and/or oversee. As noted above, even the most astute and experienced organization leaders often mistakenly characterize IA’s as being…
- more aligned with – the exclusive domains of accountancy or legal.
- mere theories best espoused in university lecture halls than actionable agenda items in boardrooms, c-suites, and among strategists.
Another critical hurdle to explaining the relevance and importance of IA’s…to organization decision makers evolves from the reality that IA’s are just that, they’re intangible. But, intuitively their presence, absence, or changes can be sensed (measured) as declines in and/or erosion of an organization’s reputation, image, goodwill, intellectual – competitive capital, etc. So, regardless whether these assets are intangible or not, it often boils down to management teams’ inclination and curiosity to identify, unravel the origins, assess, manage, monitor, and measure these increasingly critical, valuable, and certainly strategic assets. Years of conversations with organization owners and management teams…I find all know their sector competitors, particularly those which have effectively and profitably exploited their IA’s compared to those who haven’t, can’t, or won’t. But, when expressing same, seldom will there be any reference to the term ‘intangible asset’. Instead, actual IA products, i.e., reputation, brand, and goodwill will be uttered, the reason, I suspect, is they are not aware the former are actually types/categories of IA’s. For these and other reasons, IA specialists-strategists like myself…who regularly conduct briefings, awareness training, seminars, and/or consult with organization leaders about their IA’s, should always be prepared to field an array of skeptical, even dismissive, but necessary questions, particularly regarding IA valuation, reporting, and (assets) contributory value. IA specialists-strategists must also assume responsibility…for bringing as much clarity as possible to IA’s, e.g., articulating and demonstrating smarter rationales and more effective techniques for organizations to engage their IA’s, i.e., capture, utilize, manage, monitor, and monetize, and/or commoditize their intangible assets. This includes, as noted previously, clearly distinguishing…
- what intangible assets are and what they’re not.
- the various forms – categories of IA’s.
- how IA’s originate and develop, and equally important,
- how and when IA’s can be effectively and profitably applied as ‘building blocks’ to enhance an organization’s value and create (new) sources of revenue and competitive advantages.
In today’s 24/7 globally predatorial and competitive business environment…it would be expressions of wisdom should organization management teams and their boards aggressively seek – be receptive to strategies – techniques to specifically engage and exploit IA’s to the fullest extent possible. One bottom line though is, some organizations find it challenging to step outside their conventional comfort zones to engage concepts and strategies which…
- they have no formal or current awareness training.
- depart rather significantly from past practice and conventional asset reporting and accounting practices, and
- remain well under mba – business school radar.
Successful companies are typically operated by successful management teams, or so the adage goes. For the most part, successful management teams are realists and pragmatists, but still, forward looking-thinking risk takers. Understandably, their brethren, who may not be quite as successful and reluctant to knowingly engage risk, may be quite satisfied with past-current practice and therefore be skeptical and reluctant to ‘take their IA’s out for a ride’! When such skepticism translates into organizations and management teams becoming restrictively tied to practices and strategies of a tangible (physical) asset era versus the current, and for the foreseeable future, global business economy who’s future is solidly pegged to IA’s which are irreversibly embedded and climbing rapidly in all aspects of transactions, trade, and competitiveness. The former are just not likely to experience the growth, profitability, value, and revenues which most are still capable should they elect to shuffle away from practices thought to still be reliant – dependent on tangible (physical) assets.
Michael D. Moberly July 20, 2015 A blog where attention span really matter!
To no one’s surprise, the endless stream of opinions regarding the agreement reached last week to restrict (mitigate) Iran’s nuclear arms potential fit very well, at least initially, on a straight continuum with three markers, i.e., yea, in principle, and nay.
I suspect for many global citizens, their opinion of the agreement are not exclusively about whether they believe it is good or bad, rather, it’s about how large and how probable they sense the threat (posed by a nuclearized Iran) actually is. That ‘sense’ is a very personalized IA (intangible asset). Respectfully, the presence, absence, and strength of such personalized intangibles may likely be influenced by a citizen’s proximity to Tehran.
The inevitable suspected violations and the way the agreement has been structured will surely influence more to publicly assess the agreement, i.e., good or bad, probably on a daily – weekly basis versus strategic points of agreement’s 10-15 year life cycle.
The agreement is necessarily complex with many moving parts that must be in sync attitudinally, behaviorally, and definitionally. Professor Stephen Carter, Yale University School of Law suggests, (a.) the number and complexity of those moving parts can be likened to a Rubic’s Cube, or (b.) akin to a Rube Goldberg machine, i.e., a contraption that is deliberately over-engineered or overdone to perform a very simple task in a very complicated fashion.
Too, with that level of complexity, my hope is that when there are challenges, they will not be so large or politicized to undermine or cause the entire agreement to collapse. This is something every business decision maker who has engaged in a merger, acquisition, new product-service launch, buy-sell agreement, or strategic alliance understands well, i.e., how opponents to a deal will interpret suspicions – infractions as being individually or collectively significant to warrant it’s termination.
Professor Carter also suggests when one party to an agreement assumes the other party will attempt to cheat in some manner and at some point, this prompts other questions, but not solely whether the deal was good or bad, rather, were the interim (intangible) gains, i.e., psychological, attitudinal, emotional, etc., derived from an imperfect agreement sufficient insofar as mitigating or delaying what may have been otherwise inevitable. Of course, I am not talking about nuclear Armageddon.
In other words, Carter asks, were those potential (intangible) gains from having an agreement in place for a period of time, greater than the costs of not ever negotiating or producing an agreement in the first place?
Should most aspects of the agreement be adhered to by the parties, Professor Carter suggests that when one looks back on any agreement, be it business, trade, or nuclear, from the time of its signing to its potential termination, the global citizens represented by the negotiating parties were likely happier and felt safer than if the agreement had not been executed. Again, some powerful intangible assets at play here!
Michael D. Moberly July 4, 2015 ‘A long form blog where attention span really matters’!
It should come as no surprise that the way one perceives risk in general, and business risk in particular, influence how, why, and when decisions about managing (business) risk are made.
To be sure, identifying, measuring, and assessing risk are collectively important, as is meaningfulness, specificity, and perhaps most importantly in my view, commonality of (risk) understanding that fosters consensus necessary for decision makers to actually undertake appropriate (risk prevention, mitigation, or management) initiatives.
Again, to no readers’ surprise, an important aspect of recognizing (business) risk today is that it (risk) evolves over time, particularly in terms of how it is characterized, its drivers, and its potential criticality. Countless experiences of my own however, suggest there remain a significant percentage of business decision makers who ‘react’ to risk. That is, their recognition of business risk tends to be either relatively dismissive or, doing (only) what’s necessary to try to favorably restructure the odds that risk will materialize, i.e., vulnerability, probability, and criticality but, absent characterization of risk in a continuum context.
In other words, numerous business decision makers I have met perceive risk through rather fatalistic lens, i.e., assumption and acceptance that adversity (business risk) is generally present or permanent fixtures, conveying little confidence in prevention, mitigation, or management initiatives. Preferably there is change on the horizon though, as more sophisticated risk or its unfortunate counterpart ‘threat’ calculations include more meaningful and relevant probabilities (vulnerabilities, criticalities) which in turn elevate business decision makers’ understanding and fiscal comfort to address risk accordingly.
I envision with greater recognition of the irreversible prevalence – dominance of intangible asset intensive and dependant businesses and markets and the more unique and stealthy risks associated with intangibles will influence business decision makers’ to re-think risk management initiatives and necessities.
Fate and divine providence…
For long periods of time however, events and activities perceived as carrying a probability for adverse consequences, i.e., risk, were often attributed to divine providence or to the supernatural.
During the early periods, prayer and sacrifice were the prevalent means for mitigating a broad range of risks, as was the acceptance of whatever fate that followed. Sacrifice particularly was presumed to appease the spirits (gods) that could impose – bring about adverse outcomes. If however, there was no supernatural spirit or ‘god’ intervention, a business owner could anticipate incurring some level of suffering to their business or person. Presumably, if the ‘gods’ did intervene, a business owner could expect a favorable outcome.
Consequently, it was deemed unnecessary to measure risk in a conventional context due to peoples’ strong beliefs that all events, activities, and outcomes were pre-destined, i.e., they were driven by super natural forces beyond one’s control. ( The above was heavily adapted by Mr. Moberly from Dr. Aswath Damodaran’s ‘Risk Management: A Corporate Governance Manual’, Chapter 4, Stern School of Business, NYU)
Difficult to differentiate risk…
Why do people or businesses engage in risk, and why are significant percentages of people – business decision makers relatively ineffective at assessing risks which they elect to engage?
For one, I suspect there are numerous readers of this blog who have experienced challenges insofar as articulating risk to c-suite colleagues in a manner they understand which allows them to differentiate the act of engaging in circumstances and/or transactions laden with risk relative to any presumed (projected) benefits of engaging in those risks.
Their rationale may, at least in part, be characterized as an anticipated emotional – psychological ‘buzz’ by engaging in behaviors and activities in which risks are obvious and known. For example, one may experience a ‘sense of affirmative relief’ after engaging in certain high risk behaviors, i.e., seeing one’s parachute canopy being fully deployed, or successfully negotiating highway curves while driving at a high rate of speed in a new automobile, or achieving – surpassing projected returns from a risky investment or transaction.
Most of us engage – face risk everyday…
Most of us recognize the reality that we engage – face risk each day, but we wish not to become paralyzed or unnecessarily encumbered, so we proceed. That said, large percentages of us remain inclined to couch – apply the term ‘risk’ in the context of activities – behaviors in which a risk or adversity can be the outcome, particularly when our elective decision to engage that risk is unresponsive to prevention, mitigation, or management strategies we may want to deploy, but materializes anyway.
Still, there are, to be sure, some business decision-makers who do not recognize there is generally some element of risk in most every action – inaction they take. Not infrequently, decision makers elect to dismiss – write off such realities because they assume a sufficient level of (risk) control and oversight can be sustained throughout the life – value cycle of the risk itself.
I am reminded though of the risk of becoming a victim to homicide in the U.S. On the one hand should we consider only the numerical probability, i.e., x per 100,000 population, this may seem as acceptable odds particularly if we refrain from entering areas where the highest percentage of homicides are reported. On the other hand, if we consider becoming a victim of homicide on the basis of whom our murderer is likely to be, i.e., spouse, relative, loved one, or close friend, such knowledge may influence us to re-frame our choices about engaging is certain risk producing behaviors with those individuals.
There are chronic risks and acute risks…
Examples of chronic risks include such things as consistent smoking of cigarettes or eating food with high levels of trans fats known to produce adverse health. As chronic risks, individuals so engaged, may not seem to give a great deal of consideration to the harm they are producing to their body. Such personal dismissiveness is frequently linked to their perception that continuing to engage in such risky food selection-consumption behaviors and the potential adverse affects those habits produce in their bodies and manifest as physical diseases may materialize over time – in the distant future, at which point the risk taker assumes they can be reversed by surgery or managed, mitigated, or controlled by ever sophisticated medical intervention. In the interim, acknowledged assumption – continuation of those risky behaviors are likely to continue.
Most are inclined to approach what they perceive as small risks, particularly risks which spread over a period of time before they begin to experience initial adverse reactions, i.e., the materialization a the flu attributed to not getting a flu vaccination.
Indeed, it would be interesting if we could construct a cigarette that would cause immediate adverse (physiological) reactions to smokers versus risks that manifest overtime and which many no doubt rationalize and assume they have some control over, i.e., can cease at will and reverse any previous adverse harm.
Examples of acute risks, on the other hand, include rather obvious high risk activities such as sport parachuting, scuba diving, running a marathon, or becoming a ‘wing suitor’ that jumps off high elevations. For each activity deemed acute risks, there is data that describes such risks in probabilities, e.g. one in one million probability if we engaged in one of these activities, we may experience serious injury or death. (BBC World Service, ‘The Why Factor’ hosted by Mike Williams program titled ‘why people take risks’, June, 23, 2015)
Risk media paradox…
We are in the midst of a risk – media paradox. For example, commercial air travel has become an increasingly safe mode of travel. However, as air travel safety increases, i.e., passenger air miles without crashes, there tends to be greater media coverage when a airplane catastrophe does occur. Thus, the more difficult it becomes to measure – assess human assessment of real risk
Ultimately, to effectively mitigate risk, one needs to genuinely understand the risk they or others are engaging. But risk understanding – assessment does not stop there. One also needs to understand (identify – assess) each component part to the risk, that is, the variables that can emerge once a risk activity or task is undertaken and should a risk materialize, will it alter the risks’ initial calculations, i.e., mitigation, prevention, management, etc.
Understanding risk also includes identifying and factoring any systemic risks present which could exacerbate the risk activity – behavior to the point it becomes multiples of the assessment of the initial vulnerabilities – probabilities of acceptable ranges of risk.
Receptivity for engaging in calculated risks…
Of course, there is a growing percentage of individuals who are receptive to engaging in what they perceive – assume to be ‘calculated risks’ an acceptable portion of which presumably can be controlled and mitigated through preparation, practice, and exceptional equipment.
When one does incur an adverse outcome as a result of engaging in a particular risky activity where reliance on the proper functioning of equipment, machines, or processes to achieve a successful (non-injurious) outcome, but there are equipment – process failures, i.e., parachute canopy not deploying, one’s concerns for their safety are likely to heighten substantially. No ‘rocket science’ here!
But, at what point do risk probabilities actually rise to the level of getting decision maker’s ‘go – no go’ attention? Generally, it’s very challenging for people to grasp risks when they are couched in say 4 chances per million contexts.
But, when risk-probability calculations lie in the 1 or 2 per one hundred thousand or lest, at this point, decision makers – risk takers often start to take more notice and may even back away from an activity or transaction that carries such success – failure calculations. Thus, for people engaging in acute categories of risk, there are brief periods of time when the risk taker – business decision maker retains the ‘go – no go’ option.
People tend to perceive – characterize risk on very emotional scales…
It’s probably far too much to assume people should assess each and every risk they engage. But, many argue that humans are inclined to approach most risk on very emotional levels, e.g., citizen willingness to engage in commercial flying following the U.S. terrorist attacks of 911 reduced significantly
So, as people act emotionally and perhaps quite rationally to such events when they sense too much risk to fly commercially, they revert to alternative modes of travel, i.e., driving their cars. Very respectfully, while the U.S. lost 3500+ citizens to the 911 terrorist attacks, the U.S. lost an additional 1500+ above what was forecasted to automobile accidents in the year following 911, but with no comparative, emotional or otherwise, adverse reaction. (The above was heavily adapted by Michael D. Moberly from BBC’s ‘The Why Factor’, Dr Mike Aitken, Lecturer, Experimental Psychology, Institute of Psychiatry. Psychology and Neuroscience. King’s College London. Professor David Spiegelhalter, Professor of the Understanding of Risk Statistical Laboratory, Centre for Mathematical Sciences, Cambridge University worked with BBC Lab UK to create the Big Risk Test, a mass participation survey into why some people are risk-takers and other are risk averse.)
Michael D. Moberly June 15, 2015 ‘A blog where attention span really matters’!
Some time ago, there appeared to be a transition of sorts in language regarding computer – IT system security. What had traditionally been characterized as defensive actions (products, services, etc.) to prevent and/or mitigate computer – IT system vulnerabilities and infiltrations by hackers or economic-competitive advantage adversaries was undergoing change.
The language – terminology now used to describe what I believe to be similar phenomena are cyber-security and cyber-warfare. Are these distinctions without a difference?, I don’t believe they are. The latter is presumed to be executable on a broader scale, with greater frequency, sophistication, stealth, and other asymmetric features which can destroy data, deploy various types of malware, or siphon (extract) specifically targeted data-based intangible assets from a single company and/or one of the pillars to our national infrastructure literally, in nanoseconds.
What troubles me most about the term cyber-warfare particularly, is the inference that ‘all things evil’ to computer – IT system(s) originate from afar, that is, they are state sponsored or the product of growing numbers of organized and sophisticated non-state actors, i.e., legacy free adversaries.
Let’s be clear however, I am not questioning whether either of these characterizations are regular, if not the primary initiators, as there is ample evidence (anecdotal and otherwise) that is the case.
The attention and alarms government agencies particularly sound regarding cyber threats and cyber warfare are warranted and I seek not to dispute nor diminish their significance. After all, the adverse cascading havoc to any nation’s infrastructure created by a single offensive cyber strike-attack, we must recognize, could be incalculably cataclysmic.
Obviously, there are on-going discussions – debates in c-suites globally regarding the most effective expenditure, strategy, and/or practice to mitigate, if not prevent these persistent and ever larger risks. Only the uninformed would assume such challenges will dissipate in the future.
So, among CSO’s (chief security officers), CRO’s (chief risk officers), CISO’s (chief information security officers), CIPO’s (chief intellectual property officers) and certainly legal counsel, sleep will surely be lost. Is it best to advocate your company or organization remain primarily in a defensive mode, e.g., repel, prevent, and contain?, or, independently engage in offensive and/or pre-emptive initiatives assuming such actions will produce some level of deterrence versus the sustained risk and likelihood of escalation currently experienced.
Before any company travels too far down a particular strategic path, it’s important to recognize that the U.S. is distinctive from many other countries in that most of the pillars to its national infrastructure are privately held and operated, apart from direct government control as is the case with numerous other countries.
Thus, independent action (offensive, or pre-emptive) taken by a privately held company against a specific state sponsored actor or cyber adversary would produce, as yet, unknown reactions that may well exceed an inclination to publicly expose ‘who’s doing what to whom’. From an information (intangible) asset safeguard perspective, I believe the subject is being too narrowly framed and perhaps overly influenced by broader cyber security – warfare perspectives.
By continuing to frame computer-IT security in ever broader contexts, i.e., cyber security and cyber warfare, little or no space remains to recognize companies’ mission critical, sensitive, proprietary, and competitive advantage intangible asset-based information routinely still exist in formats other than electronic ‘ones and zeros and bits and bytes’.
I am certainly not suggesting the prevailing perception regarding the origins of adversaries, cyber attacks, and cyber warfare is misguided. Instead, I am suggesting, such perceptions and the accompanying expenditures and strategies give short shrift to the…
economic fact that 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, sustainability, and profitability today lie in – evolve directly from intangible assets e.g., intellectual property, competitive advantages, brand, reputation, and intellectual, structural, and relationship capital.
Thus, the value, profitability, and competitive advantage, etc., rightfully developed and owned by a company is not exclusively housed in a computer or IT system and therefore not exclusively vulnerable to cyber attacks or cyber warfare.
Too, information asset safeguard policies and practices dominated by an IT or cyber (risk, threat) orientation tend to minimize the reality that most companies today operate in an extraordinarily fast-paced, competitive, and predatorial knowledge-intangible asset based global economy. In this irreversible global environment, information (intangible) assets are developed, acquired, used, and disseminated in extraordinarily short time frames. Endeavoring to safeguard or secure these assets, in my view, should not be exclusively conceived or practiced solely through an IT – cyber security lens.
Instead, responsibilities for safeguarding valuable information (intangible) assets should be embedded in (asset) developers-owners-users respective orientation, ethic, and enterprise culture. The reason is, there is consistent and irreversible rise in intangible asset intensive and dependant companies in which information assets exist not solely as conventional tangible assets, rather as intangible assets, i.e., intellectual, structural, relationship, and competitive capital, etc.
As information (intangible) asset safeguard specialists know all too well, variations of a company’s – organization’s proprietary – sensitive business information is often prone to percolatating throughout an enterprise making it challenging to definitively restrict, confine, or limit its accessibility solely to conventional IT products, i.e., laptops desktops, or ‘the cloud’. Again, it’s relevant to recognize that intellectual (structural, relationship, and competitive) capital seldom, if ever can be wholly concentrated in electronic ‘ones, zeros, or bits and bytes’.
Similarly, information safeguard policies and practices supported by a presumptively superior IT – cyber security system-program, can be misleading. For example, if a company installs – executes a new IT-cyber security system is proclaimed it to be effective, presumably then, a company’s proprietary information is secure, seldom becomes the reality which the company aspired. In today’s aggressively predatorial global business transaction environment eager to acquire actionable intelligence that translates into lucrative competitive advantages, that is a message no company should, even inadvertently, be communicating.
(This post was inspired by NPR’s Tom Gjelten’s three part series on cyber attacks and cyber warfare, February 11th, 12th, and 13th, 2015 on Morning Edition.)
Michael D. Moberly June 5, 2015 ‘A blog where attention span really matters’!
‘I really don’t know’ is my answer to this question. And, I should note that I am variously dubious of most who, for whatever reason, deem it necessary to say otherwise. That said, I trust my candid response does not deter further reading.
My rationale is, there are numerous sociological, psychological, economic, personal convenience and availability of equal or greater alternatives that play varying roles in how, why, or if consumers – stakeholders will react and if so, whether such reactions may be felt economically, in supply chains, or as diminution of competitive advantages.
I am writing this post in the early morning of June 4th. During the late afternoon of June 3d, a proposed class action lawsuit was filed in a Manhattan federal court by four former employees of CVS who presumably held loss prevention positions. They claimed their superiors had ordered them to track minority customers which, as most know, translate as requisites to racial profiling which they voiced objections.
What prompted me to write about this specific event, among others of equal or greater import, is that NPR (Morning Edition) presented a 3 minute and 3 second segment about the CVS lawsuit which I then read about it in greater detail at Reuters.com where the story originated.
The lawsuit (Simpson v. CVS Pharmacy Inc, U.S. District Court for the Southern District of New York, No. 15-cv-4261) included the possibility that these plaintiffs may soon be filing a companion complaint with the EEOC. Should this occur, it would presumably allow plaintiffs to add more claims to their ‘federal’ case. I do not know whether CVS acquired a ‘heads up’ to the filing of this suit, but I suspect, with confidence, they did. Regardless, Carolyn Castel, a spokesperson for the Rhode Island based CVS Health Corporation, said ‘CVS was shocked by the lawsuit and would fight the claims’.
While I cannot presume to speak for CVS customers and stakeholders, I have come to be receptive to the ageless adage ‘if-where there is smoke there is usually fire’. My receptivity to this adage is embedded in multiple years of serving in various administrative capacities which, when adverse rumors, accusations, or innuendos came to my attention, I accepted a responsibility to engage each in a discreet follow-up to assess their voracity.
One can make the case that there are fewer business risks, when they may materialize, e.g., allegations that carry even the slightest adverse messaging can manifest as genuine reputation risks.
I, like numerous colleagues in the intangibles arena, listen to and/or read about the same company – management missteps and miscues in media (news) outlets charged with securing 24×7 content, which I suspect can render them receptive to portraying ‘news’ events in contexts with potential linkage to other events or imageries.
Ironically though, I seldom hear events which are clear predicates to potentially significant (company) reputation risk, not being characterized in the mainstream and/or social media conveyances as such. This, I remain particularly curious.
Media accounts are uncharacteristically absent language-narrative that reports the potential for reputation risk to arise even though growing numbers of adverse events that materialize produce some level of reputation risk fallout to the victim – targeted company before there has been a rebuttal or rational discussion as to its merits or truthfulness.
I am not suggesting the media standing alone are the instigators or precipitators of reputation risk to private sector firms but, to be sure, media characterizations do play a role in terms of how events are characterized for viewers, readers, and listeners, i.e., consumers and stakeholders.
Michael D. Moberly June 2, 2015 ‘A blog where attention span really matters’!
Throughout the 1960’s, there was consistent reference by governments and defense sectors’ about MAD (mutually assured destruction), i.e., each side possessing sufficient nuclear ‘mega-tonnage’ to assure mutual destruction of the other, should war breakout.
A similar analogy is evident today, but its origins do not lie in the delivery of nuclear weapons rather in the delivery of massive cyber attacks designed to simultaneously take down and/or substantially disrupt multiple pillars of a targeted countries’ infrastructure, ala MAD – ‘mutually assured (sector, grid) disruption’!
On the morning of September 11, 2001, I and countless others presumed the aircraft strikes in New York and Washington were diversionary, as tragic as they were, to be followed by massive cross sector cyber attacks. My anger and curiosity that a cyber attack was imminent prompted me to call acquaintances employed in various sectors throughout the U.S., one of which was the director of a top tier research university’s ‘super-computing’ center. My rationale was that a super-computing center would likely be an initial point of detection to a larger cyber attack should there be one in the offing. To my disillusionment, such a rationale was in error, at least in this instance.
The capability to thwart, mitigate, or contain the asymmetric and adverse cascading effects that a coordinated cyber attack would likely be designed to produce presents obvious challenges and creeping costs insofar as companies and organizations keeping pace with the infinite risks and threats which can seemingly materialize anytime and anyplace with no vapor trail, to maximize the intended infrastructure disruption and chaos.
I suspect there are management teams, c-suites, and boards, ranging from Fortune ranked firms to SME’s (small, medium enterprises), which have already engaged in discussions regarding the practicalities and costs of continuing to deploy state-of-the-art cyber attack – risk mitigation (data-information security) products.
There are two related reasons why I believe such discussions are inevitable…
- it is a globally universal and irreversible economic fact that rising percentages, 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in – evolve directly from intangible assets, primarily in the form of intellectual, structural, relationship-social and competivity capital.
- data/information generation, storage, and retrieval needs are continually ratcheting up to the mega-terabyte arena, particularly with the rapid recognition and rise of intangible asset intensive and dependant companies.
To be sure, efforts to thwart the actions of the growing global array of ultra-sophisticated economic and competitive advantage adversaries and legacy free players engaged in hacking and/or state sponsored entities capable of delivering massive cyber attacks are challenges which, at this juncture, cannot be dismissed or relegated to the uninitiated.
I am not suggesting companies disregard their fiduciary responsibilities or regulatory mandates. Instead, I am suggesting a company’s desire to curtail the rising costs and operational disruptions associated with investing and deploying all-the-more nuanced IT security products that deliver consistent and measurable returns, technologies must be developed with capabilities to differentiate company information and data on a variable continuum. For example, introducing the capability to differentiate data-information that should receive the maximum safeguards, which initially I propose, encompass these four factors, i.e., the (intangible) assets…
- contributory value to a particular project, product, and/or the company’s mission.
- continued materiality to a particular project, product, and/or the company’s mission.
- relevance to a company’s reputation (image, goodwill, brand) etc.
Michael D. Moberly June 1, 2015 A blog where attention span really matters!
In the information asset protection community, there’s an adage, or perhaps more aptly characterized as an anecdotally rooted ‘rule of thumb’, the ’20-60-20 rule’ that still carries a timely relevance since it initially caught my attention some 25+ years ago. Through my lens, this represents a reasonable and plausible characterization of the persistent ‘insider threat’ which I endeavor to explain below.
Group 1 – 20% of the people we work with…are inherently honest and possess consistently high levels of (personal, professional) integrity. It’s quite unlikely individuals in this initial 20% would be influenced, inclined, or could be persuaded to engage in unethical or dishonest behaviors, acts, or violations of a company’s security or information safeguard policies or practices.
In other words, for these individuals there would be little or no concern they would be engaging in misappropriation – theft of proprietary information, trade secrets, or monetized elements of intellectual property (IP)..
Group 2 – another 20% of the people we work with…function at the opposite end of this continuum of honesty – integrity. For these individuals, when their already thin sociological – psychological veneer is peeled back, it’s likely to reveal an inherently dishonest, unethical, and misguided persona with little, if any, sense of personal – professional integrity, or employer loyalty with respect to complying with company policies or government laws/regulations related to obligations for safeguarding proprietary information, trade secrets, or IP.
Too, these individuals would likely be receptive (have the internal propensity, proclivity) when certain opportunities avail or influencers are present to engage in unethical – illegal acts, i.e., theft or compromise of valuable, mission critical, and competitive advantage information (intangible) assets.
Group 3 – then there’s the 60% of the people we work with who are essentially ’in the middle’, that is, they do not (overtly) demonstrate any particular receptivity or proclivity to engage in dishonest, unethical, or illegal acts or behaviors that would purposefully put their employers proprietary information, trade secrets, or IP at risk or in jeopardy. In other words, these individuals are likely to be honest and ethical.
There is a disappointing and frustrating nuance to Group 3 however. That is, anecdotal evidence which suggests individuals functioning at the fringe of this group, i.e., closest to Group 2 on the continuum, are recognizing the persistent overtures from external entities engaged in solicitation-elicitation initiatives to misappropriate or publicly leak their employers’ proprietary information assets.
This phenomenon is particularly worrisome…to information safeguard specialists on many levels, one of which is that such (highly personal and embedded) proclivities – propensities may be unknown at the time of hire, i.e., go undetected – unobserved in conventional pre-employment screening and interview processes. In current parlance, they may be unwitting sleeper’s who’s adverse proclivities may be awakened and influenced at some future point by the employee’s interpretation-assessment of…
- their employer’s reactions and sanctions imposed on those caught violating company information safeguard practices and policies.
- the degree, level, and consistency of monitoring which their employer engages relative to safeguarding its proprietary information, IP, and trade secrets.
- the persistence of external advances and their potential lucrative outcomes.
Admittedly, there is nothing particularly scientific or legally defensible…regarding the 20-60-20 perspective, other than to say it probably evolved from well intentioned ‘anecdotal guesstimates’ and observed incidents. Regardless, those finding relevance in this phenomenon, does draw, and properly so, our attention to the persistent and very costly challenges presented by ‘insiders’, whomever they may be, and the necessity for more effective pre-employment screening and regular monitoring.
One rather practical approach to addressing such insider challenges can be attributed to the always forward looking Esther Dyson, when she remarked, ’it’s not about counting the number of copies anymore, rather, it’s about developing relationships with employees and users’ (who can access the proprietary – competitive advantage information that necessitates safeguarding).
I suspect Ms. Dyson may not be familiar with the ’20-60-20 adage described here and its relevance to the hyper-competitive, aggressively predatorial, entrepreneurial spirited, and winner-take-all global business transaction environment.
But, there is practical reality embedded in Ms. Dyson’s remark, at least in terms of ‘people we work with’ and their propensity – receptivity, at some point in their career, not just their first week of employment, but, after undergoing various ‘snap-shots-in-time’ pre-employment screenings, to engage in adverse acts!
While most of my operational familiarity with ‘insiders’ is a direct result of personal experiences, I respectfully attribute some of my current thinking and approaches for addressing this persistent challenge to the excellent work-research consistently produced by PERSEREC (Personnel Security Research Center, DoD) and Carnegie Mellon’s CERT unit.
Michael D. Moberly May 22, 2015 ‘A blog where attention span really matters’!
Trust between employers and employees and companies and customers (clients, consumers, etc.) is an essential and very relevant IA (intangible asset) to most company’s profitability and sustainability, irrespective of sector. Through my lens, at least in business contexts, trust is embedded in – translates as relationship capital and reputation, additional key IA’s, and, as such, play increasingly significant roles in articulating, materializing, and sustaining a company’s value proposition. But trust, like many other ‘business’ terms, are frequently prey to individualized definition and translation.
Sarcastically, when I see – hear one, in a leadership role, take a podium to evangelize about the importance of trust, I find it prudent, to recognize who, for what purpose, and the context in which they are endeavoring to characterize trust. In other words, I often find expressions of trust to be circumstance and/or context specific, but sprinkled with sufficient commonalities tantamount to self-serving glue that allows the definition to retain a semblance of palatability.
Trust, like numerous other business terms, is receptive to being defined in a manner that reflects a speaker’s circumstance to casts them in a preferred (positive) light vis-à-vis their customers, clients, superiors, and/or consumers, something which I would advise Barclays, Citigroup, J.P. Morgan, and the Royal Bank of Scotland, aka “The Cartel” to not try waste resources to argue, for some time, once again.
Aside from the financial services sector, many of us remain inclined to feel that someone whom we presume possess perspectives and values similar to our own can, and should be worthy of our trust. Thus, we would likely be receptive to their overtures. More specifically, when I am engaged with individuals, in business and IA management-safeguard initiative, whom there there is evidence of shared commonalities, it’s likely I will be inclined – receptive to feeling they have my interests in mind.
That sense of course, emanates from another assumption which is, one’s present – past experiential commonalities serve as emotional entrées to trust. One might go so far as to suggest when we are surrounded by people whom we believe are like us, there will be a reciprocating inclination of trust.
Trust is a feeling, and thus a distinctly human experience says Simon Sinek. But, merely doing everything one has expressed – been interpreted as a promise you would do, does not robotically mean people will trust you. Instead, it more objectively translates that you may be reliable. To drill down further on this, most of us have friends who, by reasonable standards of assessment, could be characterized as not being particularly reliable or trustworthy, yet, because they are like us, we are inclined to trust them and remain friends, claims Sinek.
Trust is important because, when one is in the presence of individuals with shared beliefs, we are more confident – receptive to engage in some level of risk taking, experimentation, or exploration which, it’s likely we would not be inclined to do otherwise. After all, our personal – professional survivability and sustainability are, arguably dependent upon our ability to surround ourselves – serve with others with shared beliefs!
(This post evolved from NPR’s ‘Ted Radio Hour’ that aired on May 15, 2015, hosted by Guy Raz with a segment conducted by Simon Sinek, an adjuct to RAND Corporation.)