Archive for 'Systemic Risk'
Michael D. Moberly February 16, 2017 ‘A intangible asset business blog where attention span really matters!
Deploying IA ‘risk mitigators’ (right time, right place, right way) can serve-benefit company leadership, management teams, and stakeholders anytime and any circumstance valuable – revenue generating – competitive advantage IA’s are in play.
Effective and timely deployment of IA specific risk mitigators provide important segues to…
• develop ‘best practices’ for managing-mitigating risk to IA’s in IA
intensive and dependent businesses.
• current regulatory (legal, accounting, taxation, and auditing) standards
• managerial (fiduciary) responsibilities related the stewardship,
oversight, management, and safeguarding of IA’s.
• execute effective strategies for monitoring – sustaining necessary levels
of control, use, ownership, and value of IA’s.
• assess company’s exposure to costly, momentum stifling, and potentially
irreversible risks that materialize.
• recognize sustaining IA’s contributory role and value are not mere
operational electives that can be dropped, dismissed, or delayed
• sustaining un-compromised control, use, and ownership of IA’s in play can
favorably differentiate a company within its sector, i.e., its
competitiveness, profitability, and sustainability
As consistently conveyed since the ‘Business IP and Intangible Asset Blog’ published its initial post in May, 2006, whenever, however, and wherever valuable, revenue generating, and competitive advantage IA’s are in play, company-business leadership and management teams are obliged to consider there will be various types, levels, and motives for (IA) risks to materialize. The act of identifying – assessing IA risk and the most effective mitigation techniques and strategies, i.e., to serve as (risk) offsets and/or neutralizers, does not require leadership to reach beyond-outside their professional domains of expertise to take the necessary action.
Through my lens, perhaps the most important-relevant component to recognizing, assessing, and mitigating IA specific risk(s) is to exercise prudence to…
…avoid making purely subjective and/or arbitrary assumptions –
decisions about the IA’s in play relative to their vulnerability to risk,
value, utilization and their fragility, stability, defensibility,
A common denominator to IA-specific risk is the persistent presence of (global) legacy free players, ultra-sophisticated data mining operations, and economic and competitive advantage adversaries, who, by their actions and capabilities, consistently impose risk.
Michael D. Moberly October 23, 2016 ‘A blog where intangible assets and IP meet business’!
I am consistently frustrated when allegations surface about another service (sector) company is alleged to have engaged in predatory practices toward consumers (their own) customers, i.e., prey to schemes which, at best, are sleazy and unethical. My frustrations heighten as audacious, grandiose, and lawyerly responses emerge to accommodate news cycles globally. My initial assessment (reaction) to most of the now, unfortunately, all-too-common ‘gotcha’ responses by c-suite executive is they seem to carry a subtext of condescension, i.e., the alleged acts occurred years previous and we (the company) have addressed them. Often the subtext is, the alleged acts were part of a business unit, or perhaps company-wide culture whose prey was consumer – customer gullibility. Through these lens, distinguishing right from wrong are not malleable social constructs, rather, easily defined absolutes!
Frustration also lies in organization leadership who, once brought (subpoenaed) before the public eye, frequently assert little, if any, personal knowledge of specifics, but, endeavor to characterize them as originating in a ‘rogue’ component of the larger organization. Well, of course they did, that is, until the evidentiary quicksand (truth) eventually forces them to describe it otherwise.
Another troubling aspect is that organizations frequently (initially) treat these types of allegations as mere public relations challenges which can be rapidly repaired – remediated with focused-grouped print and media ad buys. And, of course, the not-so-subtle perception such ad buy’s wish to convey is, the alleged misdeeds do not, and never have, represented the (operating) mission-principles of this organization, and oh, by the way, before judging us too harshly, consider all the nice things (contributions, donations, etc.) this organization has done – is doing in your community. Yes, in many instances that’s probably true, but, shouldn’t it prompt us to wonder the circumstances in which those contributions – donations originated? It wasn’t that many years ago when, the realities of apartheid could no longer be subjugated – forsaken to profits by numerous U.S. companies and institutions, i.e., divestiture!
Hopefully, organizations that find themselves adversely mired in uncorrected misdeeds will realize they are more than mere PR challenges that presume to have specific starting and ending points to a public rehabilitation. Instead, there is the materialization of indeterminate qualitative and quantitative reputation risk that will surely manifest as customers, clients, and consumers find it in their interest to wholly withdraw or minimize their relationships with culturally tainted companies. The lessons are many here, perhaps the most significant is, there are fewer organization practices, behaviors, and/or events, which, when-if they go awry, can or should be dealt with as mere amelioration of the public.
Michael D. Moberly February 5, 2016 ‘A business blog where attention span really matters’.
A proposition that influenced us to proceed further with the development of the ‘it’s time we were asked’ project stems from on-going frustrations we frequently discussed relative to defensive tactics (troop safety) applied in the Iraq and Afghanistan theaters. An example of which has to do with the presumptive sophistication of anti-personnel devices developed-used by adversaries against military personnel (in Iraq and Afghanistan). No comparison – relevance were made to comparables or the primordial anti-personnel devices used against combat troops in the Vietnam War, i.e., the variety of ways sharpened bamboo stakes and wire could be fashioned into very serious and deadly anti-personnel devices.
We understand, for perception and political reasons, it remains ‘verboten’ for senior administration officials to publically compare-contrast the insurgency rooted war in Vietnam to its comparables in Iraq and Afghanistan in terms of counterinsurgency tactics and strategy and anti-personnel devices.
A quote widely attributed to Sir Winston Churchill summed up our frustrations rather well, i.e., “those who fail to learn from history are doomed to repeat it.” In this instance soldiers were, in many instances needlessly dying or being seriously and irreparably injured as a result of failing to learn from or ignoring the combat history of the Vietnam War.
Through our lens, there was an obvious absence of ‘lessons learned’ from the multitude of similar but needless misjudgments and misdiagnosis of tactics and strategy at the outset of the Vietnam War. In other words, we suspect, had any military personnel in any leadership capacity in 2003 asked any Vietnam War combat veteran three things to expect and prepare their combat troops defensively and offensively for, they would likely be…
- ’booby traps’ of all types used in the Vietnam War, but a term/phrase nonsensically ‘upgraded’ to IED’s or improvised explosive devices for application to the Iraq and Afghanistan war…distinctions without differences.
- it is going to be a very tough, long, frustrating, and ultimately dissatisfying endeavor insofar as winning hearts and minds.
- significant tactical – strategic distinctions between the wars in Iraq, Afghanistan or Vietnam is terrain!
It’s worth noting following the April, 1996 plane crash in Croatia that killed Secretary of Commerce Ron Brown and 34 other American business leaders embarked on a trade mission, the government compiled a 7,700 page document titled ‘lessons learned’. In my judgment, one of the most significant takeaways from that document was the fact that numerous civilian and military pilots had first hand and recent knowledge of the dangers and challenges associated with negotiating a landing at that particular Croatian airport facility, but whose experience went unnoticed and un-asked.
Vietnam combat veterans interested in participating in and/or supporting the ‘it’s time we were asked’ project are encouraged to contact Mr. Moberly at email@example.com
Mr. Moberly is an intangible asset strategist and risk specialist and author of ‘Safeguarding Intangible Assets’ published by Elsevier in 2014, firstname.lastname@example.org View Mr. Moberly’s videos on YouTube at ‘safeguarding intangible assets’ or his CNN and CNBC videos at his webpage http://kpstrat.com
Michael D. Moberly February 25, 2015 ‘A blog where attention span really matters’!
Provocative implications for safeguarding information assets…
What follows are findings of a study produced by DoD’s Personnel Security Research Center (PERSEREC). The findings of this study titled, ‘Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerabiliy to Insider Espionage’ does retain some relevancy today as it did when it was initially published in May, 2005.
For some, the findings may be contentious, divisive, arrogant…
Admittedly, the study’s findings could be viewed as prognosticative and challenging a rationale for a globally diverse workforce. Having had substantive discussions with the study’s principle investigators, I sensed absolutely no suggestion to support either perspective.
The study produced these largely intangible indicators…
- expanded global marketplace for proprietary information assets.
- has become an efficient marketplace to bring sellers-seekers-buyers together to exchange information in relative anonymity
- elevates awareness about information asset value and recognition it can be sold for a profit.
- internationalized science and commerce and places employees in positions to foster – sustain global contacts some of whom interest lie in adversely exploiting such relationship.
- permits individuals to retain emotional, ethnic, and financial ties at will to other countries coupled with less inclination to seek U.S. citizenship
Fewer employees are deterred by conventional sense of loyalty…
- growing allegiance to a global community that integrates global – national values.
- less inclined to view espionage – theft of information assets to be morally wrong.
- may view such acts as being justifiable if they feel that sharing them will benefit the world community or prevent armed conflict.
- inclination of those engaged in multinational trade/transactions to regard unauthorized transfer of information assets-technology as a business matter rather than an act of betrayal.
- tendency to view human society as an evolving system of ethnically and ideologically diverse and interdependent individuals/groups which make illicit acts easier to rationalize.
These findings, in my judgment, prompt many additional questions about the entire spectrum of the ‘insider threat’. For example, there remains a need to genuinely and objectively assess…
- Employee reactions to the elevated intensity and frequency which external entities are targeting (soliciting) their company and their knowledge!
- Employee propensity – proclivity to (a.) convey receptivity to external solicitors – buyers of a companies’ information assets, and/or (b.) independently seek prospective buyers.
- Also, if such proclivities – propensities exist, do they coincide with or become exacerbated by the conventional precursors – motivators (of insider theft), i.e., disgruntlement, unmet expectations, personal predispositions, financial stress, etc.
Ultimately, the challenges presented by these findings to U.S. companies will, in all likelihood require specialized familiarity and skill sets to effectively address. This is especially critical given the economic – business reality that today, 80+% of most companies’ value, sources of revenue and ‘building blocks’ for profitability, growth, and sustainability lie in – emerge directly from intangible assets!
As always, reader comments are respected and welcome!
Michael D. Moberly – February 19, 2015 ‘A blog where attention span really matters’!
St. Louis’ reputation clearly at risk… Make no mistake, reputation is a company or cities’ most prized and valuable intangible asset, but it comes with risk. In the past six months alone, we have witnessed numerous examples of corporate and individual reputations’ plummeting due to systemic and (company) culture risks surfacing as well as prominent and/or celebrated individuals engaging in behaviors – actions that were not merely risky, but criminal. In either circumstance, the outcomes are often similar, with either losing, sometimes irreversibly, revenue, goodwill, and image.
Now, with DoJ’s pending suit against the Ferguson Police Department, preceded by St. Louis native Michael Gerson’s skillful, but stinging characterization of St. Louis’ reputation on PBS’ NewsHour recently, this city’s reputation, once again, lies at the mercy of a global audience. The recent incident that unfurled on the parking lot of a Berkley gas station prompted Ms. Woodruff (co-managing editor of PBS’ NewsHour) to raise the relevant, but perhaps disparaging question to Mr. Gerson and Mr. Shields, ”what’s going on in St. Louis”?
Impending sightseeing tours… It should come as no surprise then, not unlike New Orleans’ lower 9th Ward, following Hurricane Katrina, that St. Louis sightseeing tours will likely, if they haven’t already, include, visits to the Shaw neighborhood, the communities of Ferguson and Berkley, and Clayton’s Justice Center each of which was the origin of countless hours of live video feeds globally. Do you, like I, wonder who will write the narrative for these sure to come ‘sight seeing’ tours?
Reputation nosedive, irreversible, permanent, or salvageable… To bestow absolutely no disrespect to any of the tragic events that have occurred, or the words that have been spoken, and the hurt that is now unforgettably embedded since mid-August, 2014, our city’s reputation has taken a decided nosedive.
Materialization of reputation risks like this are humanly, emotionally, and intellectually quick, with the economic and competitive advantage consequences moving at a somewhat slower pace insofar as being fully felt. But, perhaps the latter will be one motivator that brings committed people to the table.
Precisely how the adverse reputation St. Louis has acquired is subject to some qualification. That is, how citizens of St. Louis, outside observers, visitors, and prospective businesses wishing to expand or relocate in greater St. Louis are variously dependent on how they personally understand the origins and reasons that collectively contributed to this city’s current reputational state. Obviously, merely returning to its former state, absent viable, relatively quick, permanent, and sustainable change would be a devastating blow to reputation re-builds.
Reconciliation… Experience suggests the answers to these critical questions are inseparable from the emotional trauma following the death of loved ones to their families, friends, and supporters. Deeply rooted emotional wounds of this magnitude take time to reach some point of psychological and emotional reconciliation, should it ever occur. In 2015, I would not forecast that to commence absent viable, acceptable, and trustworthy options being on the table for near term financing, execution, and follow-through.
Make no mistake… But, make no mistake, the city of St. Louis, many of its citizens, and to be sure, its businesses, large and small, have and will continue to receive both subtle and direct questions about conducting business with firms in a city with a globally tarnished civil rights reputation. That includes businesses with prospects of locating in St. Louis. The latter of course is difficult to quantify, but let there be no doubt, such issues have already been on the agenda in numerous boardrooms and c-suites across America, as well they should!
Not in my backyard… All this leaves me genuinely puzzled by the opposition to Reverend Larry Rice’s downtown shelter for homeless and how this issue is being addressed by a coalition of downtown businesses. Admittedly, my familiarity with this issue is far from that of an insider. I did however, observe a Rice shelter opponent being interviewed locally who, quite naively, in my judgment, note Rice’ shelters’ coded capacity vs. actual occupancy was the reason why existing downtown businesses are leaving and prospective businesses are electing to situate elsewhere. Through my lens as mitigating reputation risk, I am quite confident opposition of this type can only exacerbate St. Louis’ endeavor to recoup its reputation. There are always suitable and viable options, providing of course, decision makers are genuinely willing to look for them.
As always, reader comments are respected and encouraged.
Michael D. Moberly March 20, 2014 ‘A long form blog where attention span matters.’
‘Houston, we’ve got a problem’! The problem is, in my view, that far too many decision, makers, c-suites, boards, and management teams are conceiving and seeking resolution to their public persona challenges through conventional public relations lens and not as they should, through a very nuanced and sector specific reputation risk lens.
There is no question each of these corporations have taken substantial ‘direct hits’ over the past few months, and there are not likely to diminish anytime soon given relevant Congressional Committees are now gearing up for hearings and investigations, all seeking answers to the proverbial questions, i.e., who knew what, when did they know it, and what, if anything, did they do about it upon knowing about it’.
I must ask readers…
- are these mere public relations issues which presumably can be managed or otherwise expected to dissipate over a period of time with no long term detrimental – adverse financial and/or competitive advantage affects?
- or, are they merely the inevitable outcome of internal process and/or procedural malfunctions that repeatedly failed and will manifest as substantial and long term risks to each company’s reputation?
But, let me make a personal point before we proceed much deeper in this conversation, which is, while the three companies (examples) noted above, each are clearly among the Fortune 500’s, much smaller firms succumb to precisely the same circumstances, but the latter seldom makes national and international media headlines.
So, I believe what Target, GM, and Toyota are experiencing, can and should only be conceived and addressed through the lens of reputation risk. Interestingly yesterday, Attorney General Holder pointed out that Toyota sought to handle their long running accelerator problems as a public relations problem. If that is the case, clearly someone received consistently bad counsel. So, public relations is clearly the wrong lens to address, what may ultimately be determined to be systemic – internal process, procedure (company, business unit cultural) breakdowns that produce obvious and substantial consequences financially and competitively.
When does a public relations problem become a reputation risk problem…?
Admittedly, having worked almost exclusively on the intangible side of businesses for many years, this is not necessarily an easy question to answer, nor perhaps, should it be. My experiences lead me to conclude however, that boards, c-suites, and many management teams, have yet to transition from characterizing – framing such events in public relations to reputation risk contexts, as inferred by AG Holders’ remark. Clearly, in my view, the problems experienced by Toyota, GM, and Target, to name just a few, reached well beyond a conventional public relations challenge months, if not years ago, and have moved into a much longer term reputation risk cycle.
So, perhaps, that was the distinction between a public relations problem and a reputation risk problem applied by these companies, i.e., the time frame in which the problem can and/or will fester with consumers to the point it materializes to adversely affect a company’s reputation, which as we know is often for extended or perhaps even, indeterminate periods of time.
But, using time as the primary metric for distinguishing adverse events as being public relations vs. reputation risk problems falls short of a critical aspect, that is rapidly and correctly assessing the gravity of the problem, through the eyes of (factors) consumers, investors, and other stakeholders. Ultimately, materialized reputation risks are often found to be a failure or breakdown in a company’s structural capital, i.e., processes.
Again, my familiarity with such circumstances is that frequently those responsible for making (business) decisions remain challenged insofar as their inclination to characterize many adverse events in quarter by quarter contexts which, as it so happens, is more aligned with public relations ‘fixes’, versus longer term and much more adverse reputation risks.
The intangible asset ‘risk of risks’ is a company’s reputation!
Company reputation is an intangible asset of the first order. So, perhaps it would be useful to say again it an economic fact that 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, competitiveness, and sustainability lie in or evolve directly from intangible assets. Respectfully, I suspect this economic fact may have prompted The Economist’s Intelligence Unit (EIU) to produce a ‘global risk briefing’ paper titled Reputation: Risk of Risks.
Company reputation is defined (in the Economists’ report) as ‘how a business is perceived by stakeholders, including customers, investors, regulators, the media, and the wider public’. To be sure, it ‘declines when a company’s experiences fall short of expectations’. When not one, but multiple consumers – users die or incur serious physical injuries because their expectations were not met by a company’s product, then, ‘Houston, we do have a problem’ and its unlikely it can be readily fixed through conventional public relation strategies.
However, before this definition can be fully translated into effective (reputation risk) countermeasures, it’s important for company decision makers, not unlike, Toyota, Target, and GM to achieve crystal clear operational clarity regarding…
- whose experiences
- what experiences, and
- which expectations.
Company reputation is certainly a prized and increasingly valuable, yet vulnerable and fragile asset which the respondents to the EIU survey agreed by stating that sustaining a positive company reputation is a main concern for the majority of risk managers, ahead of, for example…
- regulatory risk
- human capital risk
- IT network risk
- market risk, and
- credit risk.
It’s fair to say now that company reputation risk has risen to the level of being a fiduciary responsibility (and concern) that extends well beyond senior risk managers to being permanent fixtures on company management team, c-suite, and board dashboards, i.e., Stone v Ritter.
What these companies needed was a deeper appreciation for the asymmetric nature (elements) of reputation risk today, which is, unsatisfactory (poor) company reputation can rapidly, and often times irreversibly and adversely affect a company economically and competitively, aside from the embarrassing and probing questions that will be inevitably posed by Congressional Committee members, especially, those who have constituent(s) who personally suffered due to a company’s obvious absence of understanding and correcting reputational risks in a timely manner that preferably exceeds regulatory agency oversight requirements and before unwitting consumers die or become injured.
Reader comments and inquires are always welcome at 314-440-3593 (St. Louis) or email@example.com.
Michael D. Moberly May 8, 2012
The term ‘systemic risk’ has a relatively long history. Its revival, in terms of becoming the presumably focus-grouped explanation for the calamities of the financial services sector beginning in early Fall, 2008 has now come to be embedded in business lexicon to represent a broad cross-section of risk.
The subsequent wide spread use of ‘systemic risk’ in legislative (House, Senate) committee hearings wherein testifying cabinet secretaries, legislators, regulatory agency heads, and financial service c-suites routinely evoked the term (systemic risk) as part of their narrative for explaining (a.) how – why financial institutions and the financial services sector were literally unraveling, (b.) the intertwined elements of the now globalized financial system, and (c.) the underlying rationale for the notion of ’too big to fail’ which eventually prompted the TARP (bailout) provisions.
One of the better understood definitions of systemic risk, in my view, is one provided by Steven Schwarcz of Duke University School of Law wherein he described it (systemic risk) as ’the probability that cumulative losses will occur from an event that ignites a series of successive losses along a chain of (financial) institutions or markets comprising a system’.
Another, but, admittedly, cherry picked definition of systemic risk is provided by BusinessDictionary.com wherein it defines systemic risk as ’the probability of loss common to all businesses, and inherent in all dealings’. In other words risk that cannot be circumvented or totally eliminated.
A commonality embedded throughout the various definitions of systemic risk is the concept of a (preceding) ‘triggering event’. A triggering event is one that causes (internal, external domino or cascading types of) consequences, usually adverse, e.g., loss or undermining of a company’s competitive advantages, asset value, market position, reputation, brand, image, goodwill, supply chain, stakeholders, etc.
In the case of companies with fairly intensive portfolios of intellectual property and other forms of intangible assets, triggering events could include (a.) theft, misappropriation, infringement, and/or premature leakage of key assets, e.g., plans, intentions, capabilities, etc., and/or (b.) significant counterfeiting or product piracy operations against company produced assets. Should anyone of these ’triggering events’ occur, it would collectively undermine or stifle asset value, competitive position, sources of revenue, and future growth opportunities, etc.
Outside the financial services sector, insofar as IP and other intangible assets are concerned, systemic risks would represent those assets cumulative risk, i.e., the vulnerability, probability, and criticality associated with, for example, theft, misappropriation, infringement, compromise, and/or premature leakage of IP and its underlying intellectual capital. Of course, loss and/or compromise of those assets are generally less containable and can rapidly and adversely cascade – ripple throughout a company and its entire chain of stakeholders.
Such adverse affects, are in my view, on the same or comparable plain as the much touted term ‘systemic risk’ and the accompanying market shocks experienced globally by the financial services sector in 2008, i.e., in the form of defaults, bankruptcies, employee layoffs, loss of markets and market share, and competitive advantages,
Several fine studies report that systemic risks (threats) to a company’s intellectual property and other forms of intangible (knowledge-based) assets lies largely with ’insiders’ along with the proliferation of extraordinarily sophisticated and predatorial data mining, information brokering, infringement, misappropriation, and counterfeiting operations that function profitably on a global scale.
The risks (threats) presented by these entities and the subsequent asset compromises that occur are persistent, asymmetric, and frequently devastating to company’s profitability, competitive advantages, and reputation, etc. Multiple respected studies consistently report that U.S. company losses of IP (largely attributed to insiders, infringement, theft, and misappropriation, etc.) range from $45 to $200+ billion annually.
True enough, the adverse affects/consequences of IP – intangible asset losses and/or compromises incurred by small, medium enterprises (SME’s) or small, medium multinationals (SMM’s), may not rise to the same ’systemic risk level’ as experienced by the likes of AIG, Lehman Brothers, or Bank of America, etc., but, they do carry adverse cascading (systemic) affects that are often equally devastating.
Collectively then, this constitutes a fairly strong rationale why company’s should engage in routine monitoring, valuation, and ’stress tests’ regarding their IP and intangible assets. The purpose of these activities if of course, to objectively and proactively determine if any (asset) materiality changes, value erosion, and/or undermining, etc., are occurring and determine if further asset hemorrhaging can be mitigated. Such exercises are now being recognized by management teams, boards, and c-suites alike, as useful and necessary ingredients to (a.) the effective stewardship, oversight, and management of their companies’ intangible assets, and (b.) avoiding costly and often times irreversible surprise will occur.
The inspiration for this post was sparked by (1.) ‘Allegiance in a Time of Globalization’ (Defense Personnel Security Research Center, Technical Report 08-10, December, 2008) and (2.) ‘Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerability To Insider Espionage’ Defense Personnel Security Research Center Lisa A. Kramer, Richards J. Heuer, Jr., Kent S. Crawford Technical Report 05-10 May, 2005 International Journal of Intelligence and Counterintelligence as ‘America’s Increased Vulnerability to Insider Espionage’ (20: 50-64, 2007)
Cyber Security: It’s Not Synonymous Wiith Safeguarding Valuable Information-Based Intangible Assets!
Michael D. Moberly March 24, 2012
Information asset protection and cyber security policies and practices must be collaborative and cross-functional!
The attention the private sector and government agencies give to ‘cyber threats, security and warfare’ is well warranted. There should be no question about the cascading effects and infrastructure havoc that deliberate and massive cyber attacks could create. Identifying the best strategy and/or practices companies and governments should engage to address this challenge, is, of course, where much of the debate still lies. That is, the U.S. remains somewhat distinctive from most other countries because our key pillars of infrastructure are generally privately owned and operated, apart from direct government control.
From an information asset protection practitioners’ perspective however, the narrative on such an important and potential catastrophic subject is being, in my view, too narrowly framed and perhaps overly influenced by an IT – computer security orientation. Doing so, leaves little or no recognition for protecting critical – sensitive (private sector and/or government) information that exists in formats other than electronic bits and bytes. This, seemingly prevailing, but misunderstood perception about where and how valuable/sensitive/classified information is housed and safeguarded with respect to critical pieces of U.S. infrastructure creates its own sets of challenges.
By framing (public, private sector) information protection – security policies and practices primarily or solely through a cyber-attack lens, which, make no mistake, is serious and warrants our full attention, in my judgment tends to give short shrift to the economic fact that 65+% of most company’s value, sources of revenue, sustainability, and ’building blocks’ for growth evolve directly from (information-based) intangible assets today, e.g., a company’s know how, intellectual property, competitive advantages, brand, reputation, image, goodwill, etc. In other words, an organization’s most valuable information assets exist as intellectual capital and thus may not be necessarily found or housed in computer and IT systems.
Information protection policies and practices dominated by an IT or cyber (risk, threat) orientation tends to minimize or even over shadow the reality that most organizations today operate in an extraordinarily competitive and predatorial knowledge-intangible asset based global economy. In such an irreversible global business (transaction) environment where information is acquired, processed, and disseminated in nanoseconds, safeguarding and securing valuable information-based intangible assets should not be conceived nor practiced solely through an IT – cyber security perspective. Instead, responsibilities for safeguarding proprietary, mission critical, and/or classified information to counter and/or sustain reasonable infrastructure operation normalcy must be embedded in our respective orientation, regardless of the format which that information exists or how it is stored which increasingly is in the form of intellectual capital.
Today, information asset protection and cyber security policies and practices must be collaborative and cross-functional initiatives. As information asset protection specialists know all too well, proprietary – sensitive business information generally percolates throughout a company or organization and is not strictly confined or limited to what is accessible solely through one’s laptop, desktop, or ‘from the cloud’. In other words, mission essential and value/revenue producing information-based intangible assets exist as intellectual, human, and structural capital and organizational capability, most of which are necessarily conducive to being reduced to electronic bits and bytes.
Information safeguard policies and practices that infer, by having a dominant IT – cyber security orientation, i.e., all valuable, important, and proprietary information (a.) evolves from, (b.) is stored in, and/or (c.) is backed-up by an IT system, can send a misleading message, e.g., if an organization’s IT system is proclaimed to be secure, presumably the organization’s valuable, sensitive, proprietary and competitive advantage information ia also be secure, which we know is not the case. Unfortunately, in today’s increasingly predatorial and incessently thirsty global environment for information that’s a message no organization – company should accept carte blanc.
For the still unconvinced, try examining the numerous, readily accessible, and quite simple (online) ‘roadmaps’ to an organization’s crown jewels, e.g., listening to cell phone conversations in hotel lobbies and airport lounges, glancing at the laptop screen of the person seated next to you, or view social media pages and profiles of key employees and/or their families. In these venues, an economic, competitive advantage, and/or national security adversary can hear, observe, and analyze content, much of which is outside the conventional cyber (computer/IT) security arena. .
It is certainly not my intent to be dismissive about the absolute necessity to rapidly identify, assess, and successfully and consistently thwart the very real risks and threats posed by cyber-attacks which, as most realize, can target specific pillars of the U.S. infrastructure, i.e., banking, healthcare, transportation, energy, defense, first responders, etc. Having effective defenses against cyber-attacks are an essential ingredient to our national and economic security and sustainability.
But, it’s equally important to recognize that both (cyber) terrorist organizations and economic/competitive advantage adversaries can acquire, with varying degrees of ease, a single company or organization’s most valuable and treasured trade secrets and competitive advantages and literally wreak economic, market, and thus a comparable level of infrastructure havoc, one company or one organization at a time. As former FBI Director Sessions is credited with saying, ‘our economic security equates with our national security’!
Michael D. Moberly March 7, 2012
The attention and warnings directed to cyber security (cyber-attacks, cyber-warfare, etc.) are certainly warranted. The strategic and cascading havoc that such deliberative acts could cause to even one of a country’s infrastructure pillars are indeed real.
However, being an intangible asset practitioner and advocate, in my view, the ‘cyber’ narrative is being too narrowly framed on two counts:
One, it is strongly influenced, and perhaps correctly so, by an IT – computer security orientation supported by key professional associations that offer, sometimes very sparingly, formal acknowledgement that cyber-attacks will adversely affect critical information assets which are routinely misperceived as existing solely in formats of electronic bits and bytes.
Two, cyber-attacks (directed to the private sector especially) is routinely characterized as being the portal of choice to engage in intellectual property theft (patent information) in my view may well be misleading, if not incorrect.
Both independent and state-sponsored cyber invasions are really after (need) the ‘glue’ that literally connects intellectual property to execution or manufacturing of select – targeted innovation which of course are the intangible assets, i.e., intellectual capital, know how, competitive advantages, etc.
Framing (public, private sector) information asset protection and security policies and practices primarily through a cyber-attack lens does not recognize the economic fact that 65+% of most company’s value, sources of revenue, sustainability, and ’building blocks’ for growth today evolve directly from intangible (knowledge-based) assets including intellectual capital, proprietary know how, intellectual property, competitive advantages, brand, reputation, image, and goodwill, etc. It’s essential the cyber-narrative acknowledge a company’s most valuable assets are its intangibles which are not exclusively stored in ‘the cloud’ or in a company’s computer-IT system.
Intangible asset protection policies and practices with a dominant IT – cyber (risk, threat) orientation can minimize the equally important reality that most companies operate in an extraordinarily competitive, predatorial, and winner-take-all global economy and business transaction environment. In such an environment, all employees have a responsibility, not just those in corporate IT – cyber security units, for safeguarding valuable and mission critical intangible – information based assets, regardless of the format in which they exist, how they are stored, or how they originate.
It is also necessary to recognize that intellectual property, i.e., patents, trademarks, copyrights, and trade secrets) are actually subsets of intangible assets. So, information (intangible) asset protection and cyber security policies and practices function best if they are formulated and practiced collaboratively.
As information security specialists know, proprietary – sensitive business information often percolates throughout a company and is not strictly confined or limited to what is accessible solely through one’s laptop, desktop, or ‘from the cloud’. In other words, mission essential and value/revenue producing (intangible) assets exist as intellectual, human, and structural capital.
Information security policies/practices that are dominated by an IT – cyber security orientation infers that all valuable, important, and proprietary information (a.) evolves from, (b.) is stored in, and/or (c.) is backed-up by an IT system. Those who ardently believe this convey an extraordinarily misleading, if not erroneous message, which is, ‘if the company’s IT system is proclaimed to be secure, then the company’s sensitive, proprietary and competitive advantage information must also be secure‘. Wrong! That’s an assumption (message) no company can afford to convey, inadvertently, or otherwise.
For those still unconvinced, try listening to cell phone conversations in hotel lobbies and airport lounges, glance at the laptop screen of the person seated next to you, or view social media pages and profiles of key employees. These, sometime inadvertent ‘roadmaps’ to a company’s crown jewels which economic – competitive advantage adversaries can readily access are well outside the conventional cyber (computer/IT) security realm.
It is certainly not my intent to be dismissive about a company’s need to rapidly identify, assess, and successfully and consistently thwart the very real risks and threats posed by cyber attacks which, as most realize, can target specific centers’ of the infrastructure, i.e., banking, healthcare, transportation, energy, etc. Having effective defenses against cyber attacks is an essential ingredient (fiduciary responsibility) to national and economic security and sustainability.
But, it’s also important to recognize that both (cyber) terrorist organizations and economic/competitive advantage adversaries can acquire, with varying degrees of ease, a single company’s most valuable and treasured trade secrets and proprietary intellectual capital (intangible assets) and literally wreak economic, competitive advantage, and market havoc, one company at a time.
Michael D. Moberly October 28, 2009
The risks (threats) to the intellectual property and intangible assets held by SME’s (small, medium enterprises) and SMM’s (small, medium multinationals) are quickly rising to systemic levels!
Those systemic risks (threats) lie largely with ‘insiders’ along with the proliferation of extraordinarily sophisticated and predatorial data mining, information brokering, infringement, misappropriation, and counterfeiting operations that function profitably on a global scale. The risks (threats) presented by these entities and the subsequent asset compromises that occur are persistent, assymetric, and frequently devastating to small company’s profitability, competitive advantages, and reputation, etc. Multiple respected studies consistently report that U.S. company’ losses of IP (largely attributed to insiders, infringement, theft, and misappropriation, etc.) range from $45 to $200+ billion annually.
True enough, the adverse affects/consequences of those IP – intangible asset losses/compromises incurred by U.S. SME’s and SMM’s, may not rise to the same ‘systemic level’ as experienced by AIG, Lehman, or Bank of America, etc., but, they do carry adverse cascading (systemic) affects that are often equally devastating in the SME and/or SMM arenas.
BusinessDictionary.com (as noted in a previous post) defines systemic risk as the probability of loss common to all businesses, and inherent in all dealings, in other words, risk that cannot be circumvented or completely eliminated. If SME’s or SMM’s wish to expand, grow, and prosper it will be necessary and perhaps inevitable, at some point, for some or all of their IP and intangible assets to be part of a (business) transaction, and therefore, in play and therefore, at risk.
Systemic risk then, is the vulnerability, probability, and criticality associated with loss, theft, misappropriation, infringement, compromise, and/or leakage of IP (know how, trade secrets) which can constitute, for SME’s and SMM’s the equivilent of ‘market shocks’ which, in turn, produce adverse ‘cascading’ affects throughout an enterprise and its alliance partners, suppliers, and service providers as well.
Of course, those adverse affects are comparable to the systemic risks experienced by the financial services industry recently, i.e., defaults, bankruptcies, employee layoffs, loss of markets and market share, and competitive advantages, which unlike the bailed out and/or merged financial services sector firms, is generally irreversable and unrecoverable for SME’s and SMM’s.