Michael D. Moberly March 13, 2014 ‘A long form blog where attention span really matters’!
Admittedly, the title of Michael Roberto’s book “Know What You Don’t Know, How Great Leaders Prevent Problems, Before They Happen”, may appear to some, at least initially, as having virtually nothing to do with intangible assets. I respectfully beg to differ!
There are numerous facets of Dr. Roberto’s book which, for me, merge well with any business – management team decision-making processes for putting a company’s intangible assets to work insofar as developing and exploiting them to create new – additional sources of value, revenue, competitive advantage, etc.
But, before we get too far, let’s not overlook an important economic fact – business reality, which is, 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability today lie in or directly evolve from intangible assets!
So, for example, Chapter 1 of Roberto’s book is relevantly titled “from problem solving to problem finding”. It commences with, what I believe, is a very apropos quote from G.K. Chesterton, an English author and theologian, which I slightly paraphrase here, i.e., “it isn’t that management teams can’t see the solution, rather it’s that they often can’t see the problem”. The problem not seen, in my view, resides in overlooking and/or dismissing intangible assets as comprising the real sources of most companies’ value, revenue, and competitive advantage.
Roberto makes numerous other, equally introspective points throughout his book which I translate as being relevant to my, and other intangible asset strategists’ objective, which is for intangible assets to become routine discussion – action items on c-suite and management team agendas. Another example Roberto conveys, which is the effective theme of his book, lies in the necessity to move ‘from problem solving to problem finding’. That is, for a substantial percentage of companies globally, the intangible assets their employees and business practices routinely produce frequently come to be embedded in most every business function, operation, and transaction.
However, for various reasons, many of which have been addressed here previously, companies’ intangibles remain unrecognized or, at least, not exploited to the level possible, even though most business processes and/or transactions are routinely and substantially underwritten by intangible assets. So, for companies in which intangibles remain unrecognized or under-utilized as contributors to value, sources of revenue, and profitability, this should constitute, in any management team’s thinking, a significant ‘business problem’ that warrants management teams’ collective efforts to find and solve!
In the increasingly intangible asset rooted global economies and business transaction environments, recognizing how management teams can effectively and efficiently find and solve problems, merely by recognizing, developing, and exploiting (their) intangible assets, particularly those related to sustaining – enhancing profitability, market share, competitive advantages, value, revenue sources, reputation, brand, etc., is a strong example of moving ‘from problem solving to problem finding’.
For management teams that continue to disregard and dismiss the contributory value of their intangible assets, while it may not be ‘the’ problem, it is certainly ‘a’ problem. And its resolution does not require poring over extraordinary amounts of information nor the extensive use of expensive resources or personnel time to effectively achieve.
Again, as readers know, one time-honored starting point for solving most any problem is by recognizing a problem exists, i.e., ‘finding the correct problem that warrants resolution’. From my experience, an example of finding the not a problem is seldom realized through a single seminar, conference presentation, or published article authored by a subject matter expert. Rather, ‘problem finding’ is rooted, in my view, in introspection, which unfortunately, in the go fast, go hard, go global context which many executives and management teams have assumed, they argue leaves little time for.
Extracting ideas from a respectfully non-descript book which Roberto has authored versus the airport bookstore business books which are consistently framed in a ‘ten easy and quick steps to…’, represents a real and viable strategy for remedying this particular problem, that is management teams ‘finding and solving the problem’ through unlocking their intangible assets by adding, if you like, an anthropological and ethnographical approach to one’s repertoire of managerial expertise.
For example, an ethnographer would observe and identify a firms’ producers – developers of intangible assets from a ‘shop floor’ perspective, i.e., in their natural settings, wherever that may be. In other words, ‘finding the problem’ means avoiding merely asking employees how things are going, or relying on survey data or focus groups as the dominant sources of insight (problem finding). Instead, management teams should be obliged to actually observe what employees do, i.e., their tasks, processes performed, and internal – external interactions, etc., in a manner comparable to an anthropologist. That is, engage and observe how employees, customers, clients, and suppliers, etc., actually behave and interact.
Doing so, leads not only to ‘problem finding’ through recognition and appreciation for the intellectual, structural, and relationship capital (intangible assets) that are woven into each.
Conducting this level of observation through the lens of an anthropologist and/or ethnographer, management teams can become more effective ‘problem identifiers’ with a particular adeptness at distinguishing – analyzing the contributory value of intangibles without the interference of potentially misleading or over analyzed data that, in turn, can produce biases and preconceptions that may serve to taint what it is to be achieved.
Too, making these observations through an intangible asset lens, management team members are (a.) better positioned to not just identify what and how intangible assets are being used, (b.) if they are being used effectively, and (c.) which, if any, intangible assets need to be developed further or acquired and ultimately integrated to make a company’s processes more effective, efficient, and profitable.
This post was inspired by Michael A. Roberto’s book ‘Know What You Don’t Know…How Great Leaders Prevent Problems Before They Happen’, Wharton School Publishing, 2009.
Reader comments and inquiries are always welcome at 314-440-3593 (St. Louis) or email@example.com.
Michael D. Moberly March 12, 2014 ‘A blog where attention span matters’.
Management teams’ fiduciary responsibilities now include taking consistent and affirmative steps to sustain control, use, ownership, value, defensibility, and potential monetization – commercialization of intangible assets.
Too, it’s becoming somewhat common, that at least one aspect of assessing the effectiveness of senior management team members is by how well they engage in the stewardship, oversight, and management (S.O.M.) of company intangible assets. When such, usually board level, assessments occur, areas assessed (examined) include effectiveness in…
- capturing, exploiting, and converting intangibles to enhance company value, create sources of revenue and strategies to sustain future growth.
- strengthening and building competitive advantages by creating environments in which employees’ (people’s) relationship, intellectual, and structural capital are being maximized and effectively utilized.
In my view, there’s solid rationale for incorporating the S.O.M. of intangible assets in personnel performance assessments. For one, intangibles are the indisputable dominant driver of most companies’ economic and competitive advantage health and value. If (when) they are dismissed or neglected by company management teams, there is a substantial probability that such initiatives as new project launches, competitive advantages, marketing programs, and strategic planning will be stifled, undermined, or certainly less than their potential, with asset value eroding quickly or ‘going to zero’!
Conventional financial statements and balance sheets do not provide management teams, c-suites, and boards with a complete or necessarily clear picture of a company’s fiscal soundness. This is especially relevant in today’s increasingly knowledge (intangible asset) dominant business (transaction) global economy in which it’s an economic fact that 65+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, sustainability, and profitability lie in – evolve directly from intangible assets.
So, management teams’ continued (perhaps sole) reliance on conventionally framed financial statements that are absent direct reference to intangibles unfortunately contributes to minimizing the importance of intangibles and further contributes to a sense, among some management teams, of skepticism and dismissiveness about the necessity to acquire operational familiarity with intangible assets well beyond merely goodwill!
True enough, conventional financial statements describe whether or not financial targets are being achieved, etc. In that context, they remain relevant, but they simply don’t convey the whole story (picture) about a company’s status or its potential with respect to the production and exploitation of intangible assets.
Too, in fairness, conventional financial reports were not designed to capture qualitative aspects and/or what we now know more specifically today as vital signs – indicators related to business success and sustainability, particularly those found in – emanating from companies’ intangible assets.
Today however, monitoring – measuring the performance of a company’s intangible assets is not a time – resource luxury applicable only to Fortune ranked companies. Rather, those activities are a necessity and fiduciary imperative for most all firms, including SMMs (small, medium multinationals), SMEs (small, medium enterprises), start-ups, early stage companies, and university-based spin-offs.
The prudence of striking a better balance between the stewardship, oversight, and management, of tangible vs. intangible assets can produce positive benefits and multipliers that can favorably cascade throughout an enterprise.
There are numerous factors in play today that should be influencing management teams to pay more attention to (intangible) asset monitoring as indicators of performance and contributory value irrespective of company size, maturity, or industry sector. These factors include, among others…
- increasingly aggressive, competitive, and predatorial global competition.
- the growing connection between a company’s intangible assets, stakeholders, value-supply chain, profitability, and sustainability.
- a heightened respect for the risks to and value of a company’s reputation (image, goodwill).
- accelerated innovation, product development, and launch times.
- the geographically boundary-less speed at which information (intangible assets) can be developed, acquired, and disseminated.
- increasing government regulatory emphasis (globally) on reporting and measuring (accounting for) the value, performance, and materiality changes of intangible assets.
Each blog post is researched and written by me with the genuine intent they serve as a useful and respectful medium to elevate awareness and appreciation for intangible assets throughout the global business community.
Most of my posts focus on issues related to identifying, unraveling, and sustaining control, use, ownership, and monitoring asset value, materiality, and risk. As such, my blog posts are not intended to be quick bites of information piggy-backed to other sources, or unsubstantiated commentary.
Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of any of my posts, attribution is expected and always appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction. I always welcome your inquiry at 314-440-3593 or firstname.lastname@example.org
Michael D. Moberly March 11, 2014 ‘A blog where attention span matters’.
On February 19, 2013, Mandiant, a U.S.-based cyber-security firm, released a report purporting to have evidence linking a specific unit of the (Chinese) People’s Liberation Army in Shanghai to a global cyber espionage campaign against companies in twenty economic sectors. The campaign was designed to misappropriate valuable intellectual property and other forms of intangible assets, i.e., intellectual, structural, and relationship capital. And why is this relevant? It’s because steadily rising percentages, i.e., 80+% of most companies’ value, sources of revenue, profitability, and sustainability lie in – emerge directly from intangible assets!
As would be expected, Mandiant’s report received substantial media coverage, prompted no doubt in part by its immediate and categorical rejection by Chinese government officials. Of note, the following day (February 20, 2013) the Obama administration released a newly tweaked strategy to combat theft of intellectual property and other intangible assets from U.S. companies based on the argument that trade secret theft threatens U.S. national (economic) security, with five strategic actions noted…
- Focus diplomatic efforts to protect trade secrets overseas.
- Promote voluntary best practices by private industry to protect trade secrets.
- Enhance domestic law enforcement operations.
- Improve domestic legislation, and
- Public awareness and stakeholder outreach.
Economic Espionage Equates With National Security…
Economic espionage involves government and/or otherwise state sponsored initiatives to clandestinely acquire information assets from another (foreign) government or company that are in a safeguarded state. That is, the information assets
- are owned by a company.
- distinguished as being proprietary, or
- meet the requisites of trade secrecy.
- enforced, protected by intellectual property law, or,
- categorized as being classified by a government entity.
Frequently though, economic espionage is referred to as corporate or industrial espionage.
The U.S., and I assume other countries as well, are correctly inclined, in my view, particularly in a 21st century context, to equate or elevate the aggressive, increasingly sophisticated and predatorial targeting capabilities of economic espionage to national and economic security status, as expressed by former FBI Director Sessions in the mid-1990’s. Or, in more recent contexts, numerous U.S. private sector and government leaders point to economic (cyber) espionage as metastasizing to the point of being a (the) primary contributor to the “greatest transfer of wealth in history”. While this characterization may have originated with intent to dramatize the significance of this adverse phenomenon, it’s hardly arguable.
I suspect, but have no direct evidence to support such a claim, there is an agenda, correctly or not, to modify the context of economic espionage, away from its 1996 roots with the passage of the Economic Espionage Act, by consistently describing it as cyber-espionage vs. the more straightforward term of economic espionage.
To be sure, well before the advent of sophisticated cyber technologies, economic espionage was just as stealthy and successful as it presumably is today. The difference being, both protectors and adversaries apparently hold the view that all valuable information assets now exist primarily in electronic ‘bits and byte’ contexts.
However, be assured, that does not suggest economic and competitive advantage adversaries overlook or dismiss the extraordinary value embedded in human (intellectual, structural, and relationship) capital. Readers of this blog recognize, economic (cyber) espionage has manifested itself in multiple forms in the past quarter century.
International Law and Economic (Cyber) Espionage…
Countries’ desire and need to engage in more consistently potent legal prosecutions and other countermeasures to combat economic (cyber) espionage are challenged somewhat by existing international law on espionage, says David P. Fidler, Professor of Law at the Indiana University and a Fellow at I.U.s Center for Applied Cyber-security Research and member of the American Society of International Law.
In his fine article titled ‘Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (ASIL, March 20, 2013, Volume 17, Issue 10), Fidler points out that while a victim country, and presumably company as well, could assert that spying violates the principles of sovereignty and non-intervention, state practice has, probably unfortunately in my view, accepted state-sponsored espionage to the extent that such appeals may not be regarded as serious or sufficient claims, standing alone.
Although cyber espionage is sometimes described as “cyber attacks” and “cyber-war,” Fidler identifies no government that regards cyber espionage as constituting a prohibited use of force. Other bodies of international law under which espionage issues arise, such as rules on armed conflict and/or with respect to diplomatic relations in periods absent a declaration of war, do not prohibit or necessarily constrain espionage, or economic espionage in particular.
Many Countries Obviously Prohibit Economic Espionage…
Many countries prohibit economic espionage under (their own) national law. However, enforcement of such laws may present challenges because the specific elements of economic espionage include foreign government participation. Using extradition or mutual legal assistance treaties proves ineffective also, especially says Fidler, when the requested state is accused of sponsoring criminal acts, i.e., economic espionage.
Is there a possible role for TRIPS…
The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) of the World Trade Organization (WTO) requires each WTO member to protect, within its territorial boundaries, certain types of intellectual property rights, including trade secrets.
Some have argued that the U.S. should use protections enunciated in international trade law regarding intellectual property against countries engaged in economic (cyber) espionage. As readers already know, private sector enterprises engaged in trade and investment agreements and/or transactions have used international law to safeguard their intellectual property rights.
However, WTO members have, to date, shown little or no interest, according to Professor Fidler, in addressing economic espionage within the constructs of WTO, despite mounting concerns. One reason WTO members have not used WTO-based strategies, Fidler says, lies in the difficulty of successfully formulating a claim that economic espionage actually violates WTO agreements.
WTO rules impose obligations on WTO members to fulfill within their territorial boundaries. That is, WTO members that engage in economic espionage, i.e., covertly (illegally) obtaining intellectual property and other forms of intangible assets of other WTO members which operate companies within that country’s territorial boundaries could be in violation of those WTO obligations. No prudent business person should exhibit naiveté about such obligations.
Even if a WTO member could construct what may become a successful claim that economic (cyber) espionage violates a WTO rule, it would have to establish that another WTO member’s government is responsible for the act. Usually, Professor Fidler argues, establishing governmental responsibility for challenged acts is not difficult, but WTO cases have generally not involved accusations regarding state-sponsored economic (cyber) espionage. It is not clear, Fidler suggests, whether a WTO (nation, government) member could successfully satisfy such a burden by relying solely on evidence provided by the private sector victim, e.g., Mandiant’s report without revealing any existing counter-intelligence tradecraft that may be in place.
Far too much time focused on naming the culprits…
Far too much time, in my view, has been focused on identifying and naming who the (economic espionage) culprit countries are, with far too little attention and resources from private sector companies on designing, incorporating, and executing effective strategies to combat it. Let’s say, for instance, we accept Mandiant’s report in full, along with the annual report by the Office of the National Counterintelligence Executive, and various other reports citing China as the single most aggressive economic (cyber) espionage adversary.
I am quite confident readers of this blog are pragmatists. That is to say, we would be very surprised to learn of a company that would elect to cease operations and/or business transactions in a country with 1.2 billion+ potential consumers! Just don’t see that happening!
(A special thanks to David P. Fidler, Professor of Law at the Indiana University and a Fellow at I.U.s Center for Applied Cyber-security Research and member of the American Society of International Law for his fine article titled ‘Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (ASIL, March 20, 2013, Volume 17, Issue 10) that inspired this post.)
Michael D. Moberly March 10, 2014 ‘A long form blog where attention span really matters’.
I have been variously engaged in studying, conducting investigative research, publishing, and consulting on a variety of open source matters related to economic espionage directed toward U.S. companies, particularly including start-ups and university-based research. Anyone paying more than passing attention to economic espionage recognizes it as being an unrelenting and costly hazard, particularly to companies possessing – producing valuable and strategic intangible assets, i.e., intellectual, structural, and relationship capital.
As for extrapolating the costs – losses of economic espionage of a single company to a country’s economy as a whole, those figures come with a host of challenges, and I sense, not the least of which are, the subjective nature of the findings which, it’s not unrealistic to assume are embedded with various policy level agendas.
Interestingly, in the 25+ years that I, and numerous others, many of whom have become colleagues, have been examining and consulting in the economic espionage arena, there is little that I can readily point to insofar as objective methodologies to measure (a.) the specific damages and/or costs to a targeted/victim company, and (b.) how to specifically attribute –differentiate the source of those losses to acts of economic espionage, and then (c.) extrapolate same to the U.S. or other country’s economy as a whole.
For example, the full range of economic – competitive advantage repercussions of a single incident/act of economic espionage are challenging to fully grasp, in part due to the go fast, go hard, go global. For example, a company’s awareness of trade secret theft seldom emerges immediately and its adverse economic consequences to the victim company may be felt – realized in strategic (longer term) vs. tactical (shorter term) contexts. Based on my experiences, that’s in large part due to the reality that a single (stolen, misappropriated) trade secret may have multiple combinations of intellectual and structural capital embedded within it which could be applicable to various products in different industry sectors.
I am not suggesting that the loss – theft of a single trade secret is immeasurable. Rather, I am suggesting that measuring its real loss value to a company must include both longitudinal and latitudinal calculations which can only come, in my view, from recognizing that trade secrets can, and often are, embedded with not just one, but numerous intangible assets.
In a 2010 study, prepared for CENTRA Technology by the George Bush School of Government and Public Service, Texas A&M University, researchers…
- constructed a model designed for use by federal government employees
- to identify the severity and consequences of an economic espionage incident on the U.S. economy.
- the model was designed so that publicly available (case) information could be applied
- to provide a qualitative estimate of “consequence” as it relates to economic losses attributed to economic espionage.
The model Texas A&M constructed applies a ‘severity score’ between 0 and 1 linked to (a.) low, (b.) moderate, and/or (c.) high adverse (economic) consequence. This model clearly suggests the potential consequence(s) on the U.S. economy from an incident of economic espionage is dependent on the industry sector of the victim company and thus must integrate/factor two sets of variables, i.e.,
1. Industry variables, i.e., assesses the significance of where the incident of economic espionage occurred. Industry is derived from a combination of the percentage of GDP in terms of value added for each of the 14 industries and the susceptibility of each of the 14 industry sectors. This process enables the model to be individualized to a specific industry by recognizing – allowing for the potentially different consequence to the U.S. economy.
2. Case variables, i.e., assesses the significance of economic espionage incidents which include, among other things, the…
a. characteristics of the theft itself.
b. costs of the incident (loss) to the victim company, and
c. beneficiary or beneficiaries to the incident.
We are certainly in agreement that seldom, if ever, are two incidents of economic espionage identical. So, Texas A&M researchers developed a system of weighing the variables and the respective questions and further analysis they prompt. So, the Texas A&M model requires us to…
- first, identify the industry sector in which the incident occurred.
- second, identify (individual, specific) ‘case variables’.
Because ultimately, with all the variables measured, standardized, and weighed against each other, the model calculates an overall severity score, which corresponds to the level of individualized consequence to a specific incident of economic espionage.
This post was inspired by a George Bush School of Government and Public Service, Texas A&M University research project titled “Estimating the Economic Costs of Espionage”. The report was prepared for CENTRA Technology by the Capstone research team comprised of Rich Bell, J. Ethan Bennett, Jillian R. Boles, David M. Goodoien, Jeff W. Irving, Philip B. Kuhlman, and Amanda K. White.
Michael D. Moberly March 7, 2014 ‘A blog where attention span really matters’.
I am fairly confident if one were to ask whatever may constitute the average person on the street today what the source of the greatest transfer of wealth in U.S. history is, I suspect few would cite economic espionage. But that is precisely what the NSA Director and Commander of U.S. Cyber Command, General Alexander, said during a speech at the American Enterprise Institute in 2012.
There have been numerous terms and phrases used by government officials to describe the adverse impact of economic espionage. One early remark, attributed to former FBI Director Sessions in a speech to Cleveland’s Economic Club in the early 1990’s was to equate U.S.’s ‘economic security with its national security’. Not long after that, of course, the Economic Espionage Act was passed into law.
Having engaged many different facets of economic espionage off and on since the late 1980’s, I find no compelling evidence that would prompt me to think these rather extraordinary estimates have no basis in fact.
A large part of the problem however, in my judgment, lies with assuming economic espionage can be eradicated, something which no relevant practitioner I know of believes will occur. Economic espionage is far too complex, multi-faceted, and literally embedded in business and nationalistic (business) cultures, or, in some instances, religious doctrine to be absolutely eradicated. An exacerbating factor to all of this is that economic espionage, either in terms of economic losses or tradecraft, becomes unnecessarily blurred when we automatically assume cyber-attacks are synonymous with economic espionage.
Obviously, there is some truth to equating cyber-attacks with economic espionage, but doing so implies a certain simplicity or ‘quick fix’ to resolving the problem, that is, put more resources into IT security. To that I say, it’s absolutely imperative that business decision makers recognize economic espionage is extraordinarily asymmetric in its methodology. In my view, business decision makers taking time to shift their reflection on the adverse effects of economic espionage away from a project-by-project or quarter-by-quarter perspective to a strategic resilience and sustainability perspective would help immensely. When this occurs, sufficient resources will be present, along with measurable expectations for companies to at least slow down and otherwise mitigate the persistent and increasingly sophisticated and predatorial challenges presented by the global network of players regularly engaged in economic espionage.
Key starting points insofar as making indelible inroads with companies to genuinely recognize the persistent risks and threats posed to their proprietary data, information, and intellectual and structural capital begin with…
- recognizing the targets of economic espionage today are actually any intangible asset possessed and/or produced by a company.
- unraveling the reality that countless countries are actively engaged in different forms of economic espionage that reflect what they believe they (their country, industrial base) need to acquire in order to achieve economic growth, competitive advantages, and become respected players in the global economy.
- unraveling the perspective that economic espionage is so pervasive that most every country is engaged in it at some level, so what can one company do standing alone to mitigate it?
- demystifying the notion that only Fortune 1000 companies are the primary, if not only targets of economic espionage.
- bringing clarity to the various means, methods, and sources used by economic and competitive advantage adversaries to successfully engage in economic espionage.
- drawing more attention to the fact that small and medium sized companies, start-ups, and university spin-offs, etc., which possess and develop advanced technologies, are also being targeted, thus size really doesn’t matter!
- demystifying the perspective that only defense and national security products and/or information are being targeted, thus one who leads a company that manufactures dog food has no reason to be concerned with economic espionage.
- revisiting the often self-deprecating expressions of many companies’ management teams that their company possesses nothing of value to economic – competitive advantage adversaries globally, so why devote resources to safeguarding what no one would want.
And yes, there are reasons why those having access to national media either inadvertently or purposefully leave the above out of their equation.
I would be hard pressed to find any colleague who would question that particular sectors of U.S. industry have been consistent and lucrative targets of economic espionage, and I’m equally confident most would agree, and there is evidence to support, the primary culprits to be China and Russia.
But, this may prompt some to gloss over the intricate, complex, and stealthily woven webs that certain lesser state sponsored entities have engaged to illicitly acquire and convert others’ proprietary intellectual and structural capital into lucrative and strategic competitive advantages.
One company, BlackOps Partners, which does counterintelligence and protection of trade secrets and competitive advantage for Fortune 500 companies, estimates (and I believe the emphasis should be on ‘estimates’) that $500 billion in raw innovation is stolen from U.S. companies each year. Raw innovation of course includes such (intangible) assets as trade secrets, R&D, and intellectual and structural capital, etc., that produce, for companies, their economic and market space competitive advantage and otherwise serve as sources and drivers of a company’s value, revenue, profitability, and sustainability.
BlackOps’ CEO endeavors to draw this analogy, i.e., when the stolen innovation is what was intended to underlie – drive a company’s revenue, profits, and employment for the next 10 years, the U.S. is losing the equivalent of $5 trillion out of its economy in each of those years to economic espionage. BlackOps couches this estimate in the context of income taxes, i.e., during all of 2013, they state, the U.S. will have taken in $1.5 trillion in income taxes, and $2.7 trillion in all taxes. Thus, their point is, if the original figures are correct, a five trillion dollar loss to economic espionage is significant.
But, due to the asymmetric nature of economic espionage, it is indeed challenging to arrive at objective and well grounded numbers as to the actual (real) costs – losses attributed specifically to economic espionage. Herein, in my view, lies another reason why business decision makers may be less receptive than they should be, with respect to more actively and aggressively engaging economic espionage on behalf of their company, i.e., the loss numbers (a.) vary largely, (b.) appear subjectively drawn, and (c.) may be rooted in an agenda.
Too, in a numerous, but really unknown, number of instances, decision makers of victimized companies conclude, or are advised, often mistakenly I believe, it is not in their interest to ‘go public’ largely out of concern for how investors and other stakeholders may respond by interpreting the calamity as a ‘reputation risk’. Thus, it’s not difficult to believe why companies may want to avoid finding themselves in a position in which they must not only announce a significant breach has occurred, but also name the country – state sponsored source of the breach with which they want to continue doing business.
A special thanks to Joshua Phillips of Epoch Times (October 22, 2013), ‘The Staggering Cost of Economic Espionage Against the U.S.’ for inspiring this post.
Michael D. Moberly March 5, 2014 ‘A blog where attention span really matters’.
According to Homeland Security News (March 4th) there is rising anxiety over the possibility of a cyber-attack on the U.S. power grid. In other words, both the private (industry) and government sectors respectively remain insufficiently set up to effectively counter the risks – threats posed by the cyber arena.
The report was produced by a Washington nonprofit called the Bipartisan Policy Center which admittedly did not produce much interest, primarily because there are literally hundreds of such entities ensconced throughout the ever expanding Washington, D.C. circular interstate highway system, many, if not most of which consistently seek notoriety and efficacy based on their presumed expertise and/or sought after endorsements from publicly recognized experts or airplay on C-SPAN.
With respect to this particular report, what struck me as giving it a higher level of credibility was that it was reportedly led by individuals whom most would agree possess unique insights into the subject matter, i.e., Michael V. Hayden, the former NSA and CIA director and Curt Hébert Jr., a former chairman of the Federal Energy Regulatory Commission.
Readers are respectfully reminded that the U.S. is one of a very few countries in which much of its infrastructure, i.e., utilities, transportation, communication, healthcare, banking, water, etc., is under private sector ownership. So what turned out to be no particular surprise in the report, but still distressing, is that a percentage of these companies remain variously reluctant to share (cyber-security, cyber-attack) information with other companies presumably inside or outside their infrastructure sector.
I understand the rationale behind most such reluctance, that is, to openly share experiential information, the basis for which has been loudly and repeatedly conveyed following the terrorist attacks of September 11, 2001, because it involves the potential for antitrust violations, or merely giving away very expensive and proprietary intellectual and structural capital that delivers competitive advantages, along with numerous other intangible assets.
That said, I am unaware of any disagreement among the more notable players and information sharing advocates (related to cyber-security and attacks) that ‘sharing’ is essential to reducing – mitigating vulnerability which can be accompanied by the wrath, scorn, and certainly reputation risk, all of which will surely materialize and be directed to companies accused of not sharing and/or being out of compliance with cyber-security ‘rules of the day’.
Equally troubling, the report cites, are federal rules intended to safeguard, the electric/power utilities from cyber-attack, which, as one example, have a basic flaw, which is, they do not give companies sufficient incentive to continually improve and adapt to ever changing cyber risks and threats.
In my judgment, perhaps the most telling aspects of the report are…
- public utility commissions are generally well set up to address new problems, presumably risks and threats to their systems and grids for which regulated utilities can add security costs to the expenses which they bill their customers, providing the regulators determine those expenditures to be prudent and warranted. The problem lies, the report says, in the reality that many regulators lack sufficient expertise to make – distinguish these types of judgments.
- the report also raised the issue that public utility commissioners, who decide which utility expenses are prudent and eligible to be passed on to customers, have trouble determining the value of such (security) investments.
- outside experts who were not involved with the report, nevertheless, endorsed some of its findings, e.g., Samuel P. Liles, of Purdue University’s Cyber Forensics Laboratory, rather pessimistically characterized risk – threat information sharing best practices as constituting “hit or a miss” propositions.
- Nadya Bartol, a cybersecurity expert with the Utilities Telecom Council, a trade association of electric and water utilities, said the report was correct in asserting that utilities might not always come forward with helpful information. The reason, she says, is because “if utilities say, ‘I have this vulnerability,’ they may be subject to fines if the cited vulnerability turns out to be a violation.” Too, this circumstance thus may prompt additional hesitation – reluctance to talk about cyber vulnerabilities because, “if a utility puts it out in the public space, it elevates the probability they may get hacked even more.”
As a side note to the general findings of this report, on the morning of September 11, 2001, within minutes of the terrorist attacks on the Pentagon, I received calls from former students who were employed in various agencies in the District of Columbia describing to me in detail, their personal observations of what was occurring. Having military experience myself, and being an ardent researcher in information asset protection strategy, I rather instinctively called an acquaintance whose role was director of security for a super computing environment and asked her if she was observing any potential adverse activity on ‘the grid’.
My concern, and that of thousands of others, was that the attacks at the World Trade Center and Pentagon were possibly forerunners to larger secondary, but perhaps, more expansive ‘cyber attacks’ on the U.S. infrastructure.
Interestingly, the response I received from my super computer security expert was the following, ‘Mike, I don’t know if anything adverse is occurring on the grid, I’m watching CNN, I will get back to you’!
Michael D. Moberly March 4, 2014 ‘A blog where attention span really matters.’
As even the most wayward observers of the recent Olympics likely know, Under Armour, in partnership with Lockheed Martin, developed a full-body racing suit for U.S. Olympic speed skaters at Sochi. I have no objective evidence that Under Armour, and perhaps by extension, but to a lesser extent, Lockheed Martin will experience anything resembling a (crisis level) reputation risk relative to the dissatisfaction expressed by a handful of American Olympic speed skaters regarding the use of those specially designed full-body racing suits.
Initially the new suits were met with enthusiasm, and by most open source accounts met or exceeded expectations in Olympic trials. But that enthusiasm quickly turned to controversy in Sochi because some speed skaters felt they slowed the wearer down. Specifically, the suits were designed with vents at the back intended to release (body) heat, but skaters believed the vents actually let air in, thus undermining the suits’ intended aerodynamic characteristics.
Under Armour VP Kevin Haley was subsequently quoted as saying his company would “move heaven and earth to make [the suits] better.”
I am cautious not to characterize myself as a necessarily seasoned specialist in company reputation risk of the caliber of Nir Kossovsky and other experts in this increasingly specialized field. But does, or better yet, should this ‘suit issue’ really rise to the level of a company reputation risk?
It’s probably fair to assume Under Armour sought collaboration with aerospace giant Lockheed Martin, because LM had existing technologies coupled with the necessary intellectual and structural capital to execute the suits’ design. And, let’s not overlook the fact that LM is a U.S. based corporation, something which Ralph Lauren’s presumed cadre of reputation risk advisors overlooked in a previous Olympics.
Understandably, I suspect, Under Armour believed these specialized full-body suits and their link to LM’s aerospace (advanced technology) gravitas, would elevate their relatively narrow, but expanding niche (brand) in the sports apparel sector. But, the adverse voices of a few speed skaters coupled with returning the suits for alteration, produced a ‘global podium’ for expressing their displeasure virally.
This is certainly not what Under Armour envisioned, nor is there evidence, nor should there be, that Under Armour would put their ‘brand’ on the ‘global stage’ in this manner absent well considered expectations that it would favorably advance their brand. But again, should this rise to becoming a full blown reputation risk, I just don’t think so. However, the path option(s) Under Armour chooses, to not merely put this challenge behind them, but instead work diligently and transparently to remedy this challenge with integrity and strong commitment will become their ultimate test.
Michael D. Moberly February 27, 2014 ‘A blog where attention span really matters’.
As most readers of this blog recognize, generally through their personal – professional experiences, assessment and management of (company) risk has indeed become increasingly more complex and multi-faceted, particularly as we endeavor to guide our companies and/or clients through the respective operational, audit, compliance, and budgeting obstacle course.
Throughout this so-called obstacle course, it is likely we will become inclined, at some point, to justify most, if not all of the factors used to assign a reasonably correct ‘risk rating’ to the various business units within our company or that of our clients.
But, and probably rightfully so, more company decision makers are requiring quantitative (data) driven findings to support a particular risk rating. So, no longer can security – risk management practitioners find comfort by focusing their attention almost exclusively on the rather archaic latest zero-day risk materialization or exploitation events. To be sure, that landscape has changed so significantly that we must assume greater responsibilities.
So, in the security, asset protection, and risk-threat assessment and management arena, presenting a risk-threat rating that is simply or solely based on numbers may not result in the best (risk, threat) analysis that we are seeking. Thus, to get closer to a more accurate understanding of the actual risk-threat level necessary for business strategic planning and decision making, it’s necessary to introduce and factor multiple elements into the risk-threat analysis equation.
Thus, as we more routinely adopt a more inclusive and/or multi-dimensional view toward assessing risks and threats, additional complexity will likely be one outcome, e.g., quantitative and qualitative forms of measurement.
Quantitative risk-threat assessment…
Quantitative risk assessment surfaces as we develop the ability to assign a (specific) dollar amount/value to a specific risk or threat should it materialize. As an example, let’s apply quantitative risk assessment to a healthcare institution.
For simplicity, there are 1,000 confidential patient records and data that reside in a single database. This particular database is directly accessible by a web server which resides in a semi-trusted environment. That of course, constitutes a vulnerability (risk) in itself, and any compromise of the method in which the web server communicates with the database would likely result in the exposure (compromise) of all 1,000 patient records holding confidential data as conveyed by HIPAA (Health Insurance Portability and Accountability Act).
Too, for discussion sake, and to add further complexity, during a recent ‘business impact analysis’ or BIA, it was found that the replacement cost for each compromised patient record would be $30. This cost includes (a.) contacting each patient to inform them of the compromise, (b.) changing each patient’s account numbers, and (c.) printing new health cards.
From this, one can easily determine that the maximum quantitative loss associated with a full compromise of that system is conservatively estimated at $30,000, excluding of course, the inevitable litigation. No doubt, as readers already surmise, there is more to consider. But does quantitative risk always have to ‘map out’ the money (loss or cost) aspects associated with materialized risks-threats? Probably not, because in many instances controls are automated with internally consistent and repeatable numbers being generated that can be used to create an alert dashboard or report directed to business unit managers when breaches or other adverse events occur.
Qualitative risk-threat assessment
Qualitative risk-threat assessment, on the other hand takes a different form. To demonstrate qualitative risk-threat assessment it is important to introduce additional factors, i.e., threat-risk vectors into the above example.
The first is, we learn that the patient database that previously held 1,000 records will now hold 10,000 records, possibly rising to 500,000 patient records. We also learn that (a.) multiple groups and/or business units within the healthcare institution will have access, and (b.) the capability to modify patient records, and (c.) the database/system will now come under the control of a different unit, i.e., the company’s Operations Group.
Obviously, substantive changes like this elevate – bring additional complexity to the risk-threat assessment we are endeavoring to calculate. To add yet another layer of complexity to our risk-threat analysis, we are informed by the audit unit that the data in the database is (d.) encrypted neither in transit to the web server nor at rest on the database. The coup de grace follows with the audit unit giving exactly ninety days to document and remediate this adverse set of circumstances, i.e., risks, threats, vulnerabilities, because, as it stands, this healthcare institution’s IT system is not in compliance with HIPAA. Collectively, the additional factors serve to expand the risk-threat equation.
Now that these vulnerabilities (risks, threats) are known to exist relative to the institution’s IT system, the next steps involve determining (a.) the costs linked to any actual compromise, i.e., the materialization of a risk-threat or a vulnerability being exploited, and also (b.) the probability that a specific vulnerability, or possibly multiple vulnerabilities, that have been identified will be discovered and adversely exploited by bad actors, or (c.) that a single vulnerability will materialize and cascade throughout the IT system.
The assessment process commences by examining the cost(s) associated with potential compromises, as (a.) single acts, (b.) as multiple acts occurring simultaneously, and (c.) the potential for adverse cascading effects throughout the institution, well beyond perhaps the IT system itself.
Because we now know there may be in excess of 500,000 confidential patient records stored on the database, it’s often prudent to consider – factor absolute worst-case scenarios, i.e.,
500,000 records X $30 remediation cost per record = $15 million.
In most any company’s perspective, the possibility of $15 million being ‘at risk’ is significant. One problem associated with relying solely on this formula is that it is largely one-dimensional. In other words, just because a bank has $100 million in cash in its vault does not mean that the money could be easily stolen from the vault.
So, being prudent security – risk management professionals, we must have other ways in which to assign a particular level of risk to a particular vulnerability that fully consider multiple (known) risk factors, not just one, and that do not ignore the possibility multiple risks could materialize in some manner of sequence and cascade. Such added (risk-threat-vulnerability) complexities should prompt practitioners to re-visit qualitative risk ratings.
One reason is because many companies, organizations, and institutions learn there is a necessity to have multiple, perhaps three to five qualitative risk levels which may be addressed in relatively simple, but in my view, ambiguous terms like low, medium and high.
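The gap between worst-case exposure and an actual risk level described above, as an added example that is not from the original post or its sources. The record counts, the $30 per-record cost and the risk factors come from the post; the factor weights, dollar thresholds, rating matrix and the ‘remediated’ scenario are assumptions chosen for illustration.

```python
"""Worst-case exposure versus qualitative rating for the patient-record database."""
from dataclasses import dataclass

COST_PER_RECORD_USD = 30  # per-record remediation cost from the post's BIA

# Risk factors named in the post. The weights are ASSUMED for illustration.
FACTOR_WEIGHTS = {
    "db_reachable_from_semi_trusted_web_server": 3,
    "unencrypted_in_transit": 3,
    "unencrypted_at_rest": 2,
    "multiple_units_have_access": 1,
    "multiple_units_can_modify": 1,
}

# ASSUMED 3x3 matrix: rows are exposure bands, columns are likelihood bands.
RATING_MATRIX = (
    ("low", "low", "medium"),
    ("low", "medium", "high"),
    ("medium", "high", "high"),
)


@dataclass(frozen=True)
class Scenario:
    name: str
    records: int
    factors: frozenset


def worst_case_exposure(scenario):
    """Quantitative view: every record compromised, each costing $30 to remediate."""
    return scenario.records * COST_PER_RECORD_USD


def exposure_band(usd):
    """Map a dollar exposure to band 0..2 (thresholds are ASSUMED)."""
    if usd < 100_000:
        return 0
    if usd < 5_000_000:
        return 1
    return 2


def likelihood_band(scenario):
    """Map the weighted sum of the factors present to band 0..2 (cut-offs ASSUMED)."""
    unknown = scenario.factors - set(FACTOR_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown risk factors: {sorted(unknown)}")
    score = sum(FACTOR_WEIGHTS[f] for f in scenario.factors)
    if score <= 2:
        return 0
    if score <= 5:
        return 1
    return 2


def qualitative_rating(scenario):
    """Combine exposure and likelihood so neither number alone decides the rating."""
    row = exposure_band(worst_case_exposure(scenario))
    return RATING_MATRIX[row][likelihood_band(scenario)]


# The post's starting point: 1,000 records behind a semi-trusted web server.
ORIGINAL = Scenario(
    "original database", 1_000,
    frozenset({"db_reachable_from_semi_trusted_web_server"}),
)
# The post's expanded system with every audit finding still open.
EXPANDED = Scenario(
    "expanded, audit findings open", 500_000, frozenset(FACTOR_WEIGHTS),
)
# Constructed scenario: same data volume after encryption and network isolation.
REMEDIATED = Scenario(
    "expanded, encrypted and isolated", 500_000,
    frozenset({"multiple_units_have_access", "multiple_units_can_modify"}),
)


def report(scenarios):
    """Return (name, worst-case dollars, qualitative rating) for each scenario."""
    return [(s.name, worst_case_exposure(s), qualitative_rating(s)) for s in scenarios]


if __name__ == "__main__":
    for name, usd, rating in report([ORIGINAL, EXPANDED, REMEDIATED]):
        print(f"{name:<34} ${usd:>12,}  {rating}")
```

The expanded and remediated scenarios carry the same $15 million worst-case figure yet receive different ratings, which is the vault point: the money at stake alone does not say how reachable it is.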
Sources for quantitative and qualitative data…
Based on my own experiences, I, and many other security – risk management professionals, acquire information and insight related to quantifying probabilities for risk-threat materialization from such sources as (a.) penetration tests, and (b.) vulnerability scanners.
Generally, these sources produce good and relevant information, but it’s important to acknowledge that it may be far from delivering the necessary complete risk-threat-vulnerability picture because either can, and frequently does change rapidly and routinely. Consequently, in addition to conventional risk-threat-vulnerability assessments, each must be routinely monitored for the inevitable changes. A critical part of which is internal, that is information about the activities of legitimate and authorized users of the IT systems, i.e., such things as where do they go, what do they do, what do they click on, etc.
Welcome inspiration for this post is gratefully attributed to Stephen Sims of the SANS Institute.
Michael D. Moberly February 24, 2013 ‘A blog where attention span really matters’!
To the readers of my blog, please do not interpret this post as necessarily constituting an endorsement of a specific product or, in this instance a security technology.
But, I really did have a very stimulating, probing, and thought provoking conversation recently with one of the co-founders and now CEO of CrowdStrike, an Irvine, CA. based ‘security technology’ firm which Business Insider reported as being one of ‘The 15 Most Important Security Startups Of 2013’.
I am respectfully confident the other twelve security technology startups highlighted in the ‘Business Insider’ piece were exemplary in their own right and the various security technologies they developed and embedded in their product produce beneficial outcomes for their clientele – market space. But, in my view, CrowdStrike is perhaps, in a positive sense, somewhat atypical of numerous other technology startups with which I have become familiar over the years. That is, based on my conversation with one of CrowdStrike’s founders, I surmised their experience and multiple symbiotic technologies and the relatively seamless and certainly strategic manner in which those technologies have been integrated was in no sense, merely a compilation of random outcomes of research in which someone eventually said, ‘hey, this may have some IT security applications’.
So, with many unremedied and forward looking concerns, risks, and threats facing businesses’ IT systems globally, CrowdStrike assembled a team of like-minded/experienced experts from various sectors to develop tiered-layered technologies to address the specific challenges expressed by the CFOs, CTOs, and CXOs with whom they had acquired acquaintanceships.
CrowdStrike’s ‘pitch scripts’ appear to be genuinely fashioned and tailored to articulate and distinguish their technology in language c-suites can and do readily translate and convert in ‘return-on-security-investment’ terms. But, more importantly, c-suites recognize CrowdStrike’s technology can mitigate problems they and many other companies were experiencing, i.e., the intangible asset losses emanating from the materialization of reputational risks, e.g., data breaches, etc.
So, by no stretch of one’s imagination could CrowdStrike’s founders and senior leadership be tagged as ‘newbies’, particularly in five essential areas which they appear to firmly grasp, i.e.,
· knowing – understanding, based on seemingly objective experiential research, the who, what, when, where, how, and why of networks of global adversaries.
· clarity of mission and purpose gleaned from countless conversations with c-suites globally.
· clear formulas for effectively framing the globally asymmetric contexts which risks and threats to IT systems can materialize.
· qualitative – quantitative recognition of ways which materialized (IT) risk – threats produce significant and often irreversible adverse economic – competitive advantage effects to companies.
· Integrate experienced language consistent with business decision making and risk prioritization.
Admittedly, IT security is not an arena in which I am as well versed as I am with intangible assets. As I have endeavored to convey in countless posts, I am an intangible asset strategist and risk specialist and have a clear understanding for identifying and mitigating adverse economic – competitive advantage impacts of data security breaches and/or manipulations to companies’ varied and contributory value combinations of intangible assets. And too, we know now, as economic fact, that intangible assets now routinely comprise 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability. So, any materialized risks targeting a company’s intangibles can have devastating outcomes.
I am particularly intrigued by CrowdStrike’s development of indicators of materializing (IT security) risks and threats and their ability to link same to particular adversaries, in real time. All that, coupled with an awareness of adverse intangible asset impacts which risks-threats can bring to companies’ reputation, image, goodwill, and competitiveness, etc., solidly places them, in my view, in the category of being the right company with the right team, and the right strategy, at the right time to render them worthy of our attention, that is, possessing forward looking insights worthy of company decision makers’ attention.
Mr. Moberly personally researches and writes each post. Comments regarding my blog posts are encouraged and respected. Should a reader elect to utilize all or a portion of my posts, full attribution is expected and appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction. I always welcome your inquiry at 314-440-3593 or email@example.com.
Please also see previous posts respectively titled, Intangible Assets Embedded In Security Products… and Intangible Asset Deliverables In Sales Reps’ Pitch Scripts.
Michael D. Moberly February 19, 2014 ‘A blog where attention span really matters!’
Tapping into the power of client self discovery…
There is little argument, certainly among education practitioners that what one discovers themselves, i.e., self discovery, is usually more memorable and presumably retained. Plus, it often triggers a desire for a ‘self discovery’ learner to share their discovery, suggests St. Louis-based Dale Furtwengler, author of ‘Pricing for Profit: How To Command Higher Prices For Your Products and Services’.
With respect to engaging a prospective client to whom you aspire to sell a security product or system, the key to achieving ‘client self discovery’ Mr. Furtwengler says, lies in framing and posing the right questions. The questions should be posed in a manner that respectfully allows each prospective buyer to begin the process of assigning a value to the product or system in the context of the environment in which they are to be deployed.
Client self discovery however, seldom, if ever includes actually ‘telling’ a prospective client what the product or systems’ value is because in some instances, it can trigger skepticism or even resentment to being told this information versus exercising patience and respectful counsel that allows a pathway for the client to commence their own assessment and valuation process.
I define ‘pathway’ in the context of the previous days’ post which emphasized guiding prospective clients/buyers toward the concept – construct of ‘security intangibles’ produced by security products and/or systems as a value and/or return-on-security-investment assessment approach. This will allow prospective buyers to ‘discover’ at least initially…
- the added value the product/service will deliver to their space or environment, and also
- allow them to ‘validate’ that value, preferably through a particular experience, i.e., risk, threat, adverse event that has occurred to – in their company.
So, to effectively ‘tap into the power of client self-discovery’ the security sales professional needs to determine – assess whether a prospective buyer…
- understands and values the offerings, i.e., security products or systems and the ‘security intangibles’ that will be produced.
- recognizes the products – systems contributory value as a pathway for elevating company image as being a leader and innovator.
- has an interest in elevating the company’s image and stature amongst its peers in its sector as an integral part of the overall value proposition innovation to the security products – systems being pitched.
Client self discovery…
Here are some qualities of an effective consultant that helped a client ‘self discover’, extracted from ‘The Strategic Planning Blog’.
“I asked a colleague recently how a strategic planning meeting with a new client turned out. Her response was conveyed as…
- the good news is, together we crafted an excellent and viable strategy.
- the bad news is, the clients believe they did it themselves.

Adapted by Michael D. Moberly from an August 22, 2011 post at ‘The Strategic Planning Blog’ authored by John Johnson.

What my consultant peer considers bad (i.e., ego bruising) news would be music to my ear. Why? When the light of understanding and, thus, conviction turns on in the client’s head, it is considerably more powerful than when a vendor ‘spoon feeds’ your solution. What characterizes the development of a successful strategy is not necessarily a brilliant answer by the vendor, but a brilliant question posed by the vendor to the client that influences them to shift their thinking.
Strategy invariably involves new ways to approach problems and challenges as well as opportunities because it has become clear that the previously applied processes/ways were not working successfully. But new ways are sometimes interpreted as being threatening to some based on the assumption they are untried and therefore success is not guaranteed. The crafting of a new strategy is just the first step. The execution of that strategy is the vital next step and falls primarily in the client’s lap to ensure they are invested in its outcome.