Wednesday, October 26, 2016

Day 2 Executive Womens Forum Conference

Those of us who wanted to engage in such a discussion began at breakfast with an honest conversation on how to support and promote women of color in our professions.  Ours was an especially lively conversation featuring women from Bloomberg, the Santa Fe Institute, from the Department of Energy, from Wells Fargo, JPMorgan Chase, and from Fannie Mae, among others.

Breakfast was followed keynote address by Susan Keating fro the National Foundation for Credit Counseling, who went back to her days as a CEO in banking to describe risk architectural components in a large trading loss: people, processes, systems, data and reporting, and culture.

Now I'm listening to a marvelous panel on e-discovery, which features two jurists as well as an interactive "You Be the Judge" exercise.  Just excellent.

The panel I'm on this afternoon features Patty O'Boyle from Wells Fargo and CEO Galina Datskovsky.  Can't wait to hear what they have to say.

I'll add to this blog later this afternoon after I hear others speak.  But it's clear this is an excellent conference.

Tuesday, October 25, 2016

Three Days of Women Talking Risk, Infosec and Cyber

Something happened to the rest of my summer.  I never got back here to blog on volatile issues like both political conventions, or the natural disasters across the country that must be connected to climate change, or even to talk about the long chapter on root causes of conduct that I finished.

But I've stepped away for a few days from home and the university, to spend time with about 400 senior women who are immersed in risk, security, privacy issues -- and who are increasingly concerned with what were just called "digital vortexes."

There's a lot of laughter too -- witness a discussion on pseudo-anonymization of data, which deteriorated when one panelist pointed out there were two different styles of trust -- the older panelist left her purse at the table, the younger panelist brought her purse with her to the stage.

I'll be back later to report on some of the other sessions here at the conference.  As a speaker just said, "We compartmentalize but also collaborate better than the other half of the planet."''

Monday, August 1, 2016

Can the center hold?


The world just seems to get more unstable every day. Here's the opening of my column for The Risk Universe magazine this month:


  “Turning and turning in the widening gyre
    The falcon cannot hear the falconer;
    Things fall apart; the centre cannot hold;”

             William Butler Yeats, “The Second Coming” (1919)


"These first three lines of a poem that Yeats wrote after the first world war resonate with us today, and have been referenced in American political debate – and perhaps also around the Brexit vote as well.  Going it alone or going it together with other countries appears at least to be the question as discord and violence present themselves more regularly, in no small part because of the technology now available to us."

The level of political discourse has never been more base; and the level of trust for either U.S. political candidate seems to be at an all time low.

Some of us fancy we know that we are at a critical turning point in our history.  Others seem so filled with irritation and rage at the current environment that they cannot see the shape of things unfolding.

I plan to continue not to use the current election as fodder for risk-based speculations.  But I will continue to speak out when employee safety and situational awareness issues are at stake.

Wednesday, June 15, 2016

Thoughts on Domestic Terrorism

Eiffel Tower, Paris, France
City Hall, Brussels, Belgium

In our American history, only twice before have so many citizens been murdered at a single time -- first, at Wounded Knee, where 150-300 Native Americans were gunned down by the U.S. Army; and then of course on 9/11, when even more of our fellow citizens were killed by terrorists recruited to Al-Qaeda.  This is not to say that there have not been other episodes of domestic terrorism since 2001.  Since early 2015 alone, we’ve witnessed such acts in Charleston, Chattanooga, Merced, Colorado Springs, San Bernardino, Philadelphia and Columbus.  

I had a remarkable briefing on terrorism last week, before the Orlando nightclub murders took place.   Since then, as a more detailed picture of the terrorist is painted, I marvel at how closely the profile as described of a domestic terrorist align.


Photo courtesy CNN.
Research indicates that the average age of what are primarily young men is in the 20s.  The terrorist is usually already known by law enforcement; and has often tried to join either the military or a police department.  Most are converts to Islam, a conversion made easier by ISIS' presentations on the web and the graphic violence embedded in them.

Though there are subtle differences with this terrorist, in that he was a Muslim and apparently attracted to others of the same sex -- grounds in Mideastern countries for death by stoning, being dropped from a great height, or beheading -- there are enough similarities to see how sophisticated ISIS has become at appealing to alienated, ostracized and perhaps bullied, lone wolves.

At this time, we have no civil society mechanism to identify in advance and take care of such individuals in something like a diversionary program.  It is well worth thinking about what such a program would include if we could identify them before they caused such enormous damage to our society -- not just to the families and friends, but to our anxiety levels as well.  It is worthwhile for members of the community to come forward to identify dangerous citizens before they act -- this is evidently one of the hardest communications for law enforcement whether working with, say, a militia group, or a religious group.  We still have strong familial and community  loyalties and notions of "tattle tale" that get in our way, no matter how Americanized we have become.

It is inappropriate to blame the FBI for having investigated but released the murderer for lack of "reasonable cause."   In fact, as I have just explained to a good friend from France, it is that very definition of reasonable cause that protects all of us from unreasonable encroachments by law enforcement.

I won't spend a lot of time here on the topic of gun control, except to note that it is time for Congress to stand up to the NRA and pass legislation that prohibits the sale of assault weapons, to authorize background checks and forbids sales of weapons to those on the U.S. watch list.

My heart goes out to the LGBT community, the direct target of these and other such acts of late.  Just a year ago, the community won a legal battle to marry.  To have such violence and hatred spewed in this particular way, in a club that was considered a safe space, is especially wrenching.  We are better than this.

Please practice situational awareness as you go about your life, especially in public places.

Thursday, May 12, 2016

How far can finger-pointing and bad-mouthing take you?



Catholics are taught at an early age that someone is always watching you.  As a child, I didn't think of this as surveillance (not a term that the Baltimore Catechism is familiar with), but rather as being benignly supported in my efforts to be a good person.

On the irreligious side, I learned early about being a good citizen and helping others -- to "put myself in their shoes," as my mother would say.  This behavior seemed to square up with my heroes, Nancy Drew the Hardy Brothers, and with the principles taught by the Brownies and (later) Girl Scouts.
I had no sense of limitations or boundaries growing up.  I was there to grow into myself.

I've tried hard in my career to explain to colleagues and to shadowers that 1) honesty is the best policy because it's most efficient; 2) that "Every wall is a door" (Ralph Waldo Emerson); 3) that harboring resentments or engaging in finger-pointing hurts you most of all because it sucks your attention and focus into proving your hypothesis; and 4) that there is always something to learn from another, especially if you can put yourself in her/his shoes.

There's not enough time left on my runway to spend my energy negatively.  Observing the current state of politics is enough of a time sucker.  I'll spend my time working to change the world, one project (or one class) at a time.

Tuesday, April 26, 2016

Us vs the Europeans

The European Union definition of personal information and of privacy is so much more restrictive than ours that it should come as no surprise that the Europeans are not as interested in using massive data suction tools to find terrorists as this government is.

I wish I could say that any of the presidential candidates understood the issues around privacy, in particular digital privacy, but I'm afraid we are going to have to leave that to the Supreme Court.

The FBI director says he was greatly misunderstood, that he's simply interested in being able to read "clear text."  Meanwhile, we learn that there was nothing of interest on the work phone in San Bernardino that caused the FBI to take Apple to court to break the device's encryption and to create software most of us in the business call a "back door."  The FBI however is still hopeful that they might be able to figure out what the terrorists did in time not yet accounted for by checking out their GPS data.  (If they were smart enough to use burner phones, they would have been smart enough to turn off "Location Services," thus turn off GPS.)

I am looking for a leader, perhaps a former government official, to become the clear spokesperson for privacy and in particular for digital privacy.  I don't think that Tim Cook can do this and run his business at the same time.  We need a private sector leader to explain clearly to the American public what is at stake in these skirmishes. 

Thursday, April 14, 2016

A reasonable expectation of privacy.




I'm in my office before class, having started my morning with a New York University-hosted forum on the Zika virus, which actually will be up for discussion in class this afternoon. About an hour after that forum concluded, Microsoft announced that it was suing the U.S. Department of Justice, "challenging as unconstitutional the government’s authority to bar tech companies from telling customers when their data has been examined by federal agents." (Wall Street Journal)  

Now, class prep completed, I'm listening to an address that FBI director James Comey gave at Kenyon College's "Expectation of Privacy" conference.  He is of course arguing that there needs to be a way Hinto encrypted systems, with many examples being tossed out, usually about terrorists or kidnappers or murderers.  He rejects absolutely the "slippery slope" argument. He asks for a substantive thoughtful conversations of security and liberty.  He ignores the issue of the back door becoming accessible to the criminals, nation states or terrorists.

The late Antonin Scalia argued some time ago that "There is nothing new in the realization that the Constitution sometimes insulates the criminality of a few in order to protect the privacy of us all."
Let's hope that the Congress can remember this, divided as it is, as one or more anti-encryption bills go forward.

I admire Director Comey enormously, including his references to FBI agent training he has instituted via a visit to the Holocaust Museum, and the order from Bobby Kennedy to wiretap Dr. Martin Luther King Jr.'s phones.  I think, though, here you will find the other side of the article missing -- the side that makes the "slippery slope" argument, that believes that source code is protected speech, and that resists creating a tool that the government asks for, one that breaks its own product.

He is right, we have never been closer to a condition of complete privacy with the advent of encryption. May I also point out that the question and answer session that follows his talk is well worth listening to.  He is a good teacher.


Thursday, March 31, 2016

Rehearsing Before Class...

So much about risk management needs to be re-emphasized on the first day of class.  To paraphrase the key points about risk in a new risk guidebook that I've been involved with:
  • Risks are not always negative.
  • If you manage risk, you are managing performance.
  • Managing risks is about managing opportunities.
I've got 13 students registered for this advanced course that looks at whether or not risk is handled differently in the public sector than in the private sector.  Add to this first class an additional seven visitors, who will be entering the MSIM program next fall.

I'm incorporating feedback I received from my winter risk course evaluation.  We'll still have eight guest speakers in the first hour, but then I'm going to take the next hour or so to engage more in a discussion than a lecture, including scenarios that will allow the students to practice the art of risk assessment before they actually have to present at the end of each week. This quarter's guest speakers are superb:

  • Lucianne Phillips, FEMA Regional Private Sector Liaison
  • Mike Hamilton, CEO of Critical Informatics, former City of Seattle CISO
  • Michele Turner, Sr. Compliance Mgr, Microsoft Universal Store
  • Al Wilson, Director of Business Continuity, BECU
  • Todd Mack, Deloitte Tech Risk, Risk and Resilience Director
  • Mike Howard, Microsoft Chief Security Officer
  • Mary Gardner, Information Security Officer, FredHutch
  • Aaron Weller, Director of Cybersecurity and Privacy, PwC 

Off I go....

Monday, March 28, 2016

"Education is not the filling of a pail, but the lighting of a fire." -- William Butler Yeats


Cherry Trees Outside Suzzallo Library, across from Gerberding Hall, University of Washington
 I've had a bit of a spring break.  I spent four days in New York City, speaking at a risk conference and in meetings around future publications and conferences.  I managed to complete annual checkups with my doctors, set up a new trainer who starts this week, and have a lovely day with my sister at the Museum of Modern Art and the Manhattan St. Patrick's Day parade.  That's a lot to accomplish in two weeks, especially when I was grading final papers as well.

Classes for spring quarter begin this week.  I'm teaching on Thursday evenings and managing the Master of Science in Information Management (MSIM) internship program.  Additionally, I've got deadlines on another article for The Risk Universe, final comments on a risk guide for state transportation departments, funded by the National Transportation Board, and the outline of a chapter on conduct risk to be written for a new book on that topic in the Risk Books series from England.

So the fire is lit in me, to be passed on  to my students this quarter.  I have never done just one thing at a time.  The possibilities seem endless. 

Wednesday, March 2, 2016

Winding down the winter quarter

A university quarter is ten weeks long of instruction, followed by a finals week.  Not enough time to drill all the way down on so many topics.  In the operational risk course, we've had spectacular presentations on 9/11 and its aftermath, and (last week) on the Paris ISIS attacks last year.  In the ethics, policy and law course, the most interesting component of the course turns out to be the weekly reflections (250-500 words) that students turn, referencing both the readings and the class discussion in the prior week.  Both courses have had outstanding speakers -- a total of 15 speakers for me to coerce into speaking, then coordinate appearances in the classroom.  I'm feeling a bit nostalgic this week since it's the last week I lecture.  Next week, in both classes, students present executive summaries of the long papers they will have written by then.  From experience I know that at least several of them will be publishable.

I see the overlap clearly between how we think about risk and the critical thinking we bring to it from the ethics, policy and law framework where information management is concerned.  Because of what is going on in the world, both classes this week will address the important Apple v. FBI court case that somehow incorporates all the elements we've been talking about.  Code is free speech, says Apple, invoking the First Amendment as well as due process.  Just this once since we screwed up and changed the password, says the FBI.  This puts the case at the heart of questions around government overreach since 9/11 as well as citizens' privacy and Constitutional protections.

Even as we take this up one more time, our guest speakers are illustrative of the other issues we discuss:  in the risk class, our guest speaker is UW seismologist Bill Steele; and our group presentation will be on the Japanese earthquake/tsunami/nuclear reactor event several years ago.  In the ethics class, our guest speaker is UW Law Professor Kathleen O'Neill, to speak on intellectual property.  She's spent years on this topic, and I look forward to her remarks to the mid-career students, with what is bound to be a vigorous and lively discussion.


Wednesday, January 6, 2016

Expanding the discourse

When the mountain agrees to be photographed at the UW.

I can see just how complicated last quarter was by the paucity of my posts.

After several weeks of winter break, I am back in harness, reading to begin teaching two beloved courses for winter quarter.

Tomorrow, I meet 25 graduate students to kick off "Information and Operational Risk," a course I designed in 2011 and have taught since.


On Friday late afternoon, I meet 25 mostly other graduate students to teach "Ethics, Policy & Law in Information Use," a course I've taught since 2012, primarily to mid-career students working on their Master of Science in Information Management.


Just because I've taught it before doesn't mean I know how to do it again.  The students are different, and so are the questions. In fact, the real life issues that inform both courses are under rather continuous scrutiny in the real world.  So while both courses involve the presentations of frameworks and theories, they are made relevant by shining a contemporary lens on the issues, particularly on the grey areas. And though the architecture of the rooms and the size of the classes throw up real roadblocks, we're still going to try to proceed in seminar format.

Speaking to incoming MSIM students at orientation, 2014
 For the risk course, we have eight guest speakers from industry, including Jack Sullivan, VP of Safety & Security at Starbucks; Kirk Bailey, UW Chief Information Security Officer; KPMG Partner Michael Isensee; Jim Loter, Seattle Public Library IT Director; PR genius/crisis management expert Dan McConnell; economist/thought leader Bill Longbrake; and UW seismologist Bill Steele.  We have an eighth speaker yet to be announced.

For the ethics, policy & law course, we have guest speakers also, but most of them come from the university, given the topic areas:  Adam Moore, Associate Professor in the Information School (privacy); Ph.D. candidate Michael Katell, UW Information School (surveillance); Ryan Calo, Assistant Professor in the Law School (Tech Policy Lab); Doug Klunder, ACLU privacy counsel (NSA and Snowden); UW Research Assistant Professor Maria Garrido (TASCHA and social justice); UW Professor of Law Kathleen O'Neill (intellectual property); UW Assistant Professor Megan Finn (net neutrality and internet governance); and an eighth speaker, also yet to be announced.

From such courses come papers which in turn sometimes become research notes published by ASA, to expand the discourse.  Twenty six such research notes have just been published by the ASA Institute for Risk and Innovation as Reflections on Risk, Volume III, with contributions from 16 different authors.  I could not be more pleased by the quality of work that the volume represents.


For that reason and because of the energy I get back from the students,I'll keep you posted on both of these courses.