October 2009
SARMA thanks the Gold-Level Sponsor of our 3rd Annual Conference
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2009 SARMA All Rights Reserved
The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner
Dear Fellow SARMA Members,
As you know, autumn is typically a busy time for SARMA, and this year is proving to be no exception. Here are a few examples:
- Our Strategic Planning Committee, under the leadership of Dr. Michael Gresalfi, has developed an initial outline for SARMA's Strategic Plan. This critical effort will identify the mission, vision and implementation steps that will guide SARMA's efforts for the foreseeable future. The Committee's goal is to complete progressively more detailed versions of the Strategic Plan over the coming months, and to have a final draft ready for review by the SARMA Board at its quarterly meeting in February 2010.
- The Fundraising and Membership & Outreach Committees have initiated parallel efforts to apply the resources, both physical and financial, to implement SARMA's strategic vision. The Fundraising Committee's corporate sponsorship drive is based on a new prospectus that offers companies of all sizes greater flexibility and a number of new incentives, including the opportunity to nominate individuals to serve on a SARMA Advisory Council. The Membership & Outreach Committee, under the leadership of its new Chair, Caroline Hamilton, is also kicking into high gear this month with a broad membership campaign.
- A Joint Exploratory Committee has been established to engage in discussions with the OPSEC Professionals Society (OPS) regarding the potential for a formal affiliation that would allow both organizations to leverage their respective strengths to maximize the opportunities and services available to their memberships. I am pleased to be joined on this committee by Board Chair Phil Lacombe, SARMA Executive Vice President John Paczkowski and SARMA Executive Director John Boatman. A joint statement from the two organizations explaining the nature of and timeline for our discussions can be found in this issue of The Risk Communicator.
- If you haven't done so recently, I invite you to visit SARMA's website. We've been busy updating and enhancing the site with a more dynamic home page, full archival access to The Risk Communicator and lots of added content, including 100 upcoming risk- and security-related events in the Calendar and a new Reports section. As always, we invite you to share your thoughts on how we can further improve the site's content, functionality and dynamism.
Of course, the policy-related work of the Association goes on too. SARMA has continued to engage with the Department of Homeland Security (DHS) via the Quadrennial Homeland Security Review (QHSR) process, most recently by providing a second round of comments to the Department on the proposed approach for creating a Homeland Security National Risk Assessment (HSNRA).
Similarly, SARMA's Standards Committee has engaged with standards-setting bodies in the U.S. and elsewhere to identify opportunities for SARMA's members to share their expertise on a variety of security-related initiatives. We hope to have more to report on these and other efforts before year's end.
So if it seems like there's a lot going on at SARMA these days, you're right -- which means there are plenty of opportunities to get involved. Take a moment today to consider how your time and talents could be applied, and become part of the team!
Happy Fall Season,
Kerry
Kerry L. Thomas
President
Security Analysis and Risk Management Association
News
HSSAI Releases Risk Analysis and Intelligence Communities Collaborative Framework
A lack of cross-discipline familiarity between risk and
intelligence analysts, as well as an inefficient supply-demand relationship
between them, is hampering anti-terrorism efforts at the Department of
Homeland Security, according to a new study by the Homeland Security Studies and Analysis Institute (HSSAI).
The institute drafted the Risk Analysis and Intelligence Communities Collaborative Framework for DHS's Science and
Technology Directorate in response to ongoing concerns that "basic differences
in the disciplines of risk and intelligence analysis" were impacting the
quality of risk assessment processes. HSSAI, formerly the Homeland Security Institute (HSI), is a congressionally chartered Federally Funded
Research and Development Center operated by Analytic Services Inc.
Mismanaged expectations have been at the heart of much of
the friction between risk and intelligence analysts, HSSAI found after conducting
extensive interviews with a broad range of DHS personnel, academics and other experts. The institute
reported that risk analysts often have exaggerated ideas about the ability of intelligence
analysts to "provide quantifiable threat inputs," while at the same time
underestimating how long it takes intelligence analysts to produce decision-quality assessments.
Intelligence analysts were no better at understanding their
colleagues, HSSAI found. They "typically expect risk assessments to account for
uncertainty at levels of detail that can create unmanageable complexity for
risk analysts without necessarily improving the usefulness of the results."
These problems, HSSAI reported, could be somewhat mitigated by
improved cross-discipline education and outreach, including personnel exchanges
and the creation of a "facilitating point of contact" to assist risk analysts
in working better with DHS's intelligence staff. HSSAI also recommended improving
transparency by encouraging risk analysts to share documentation generated in the
course of risk assessment to help intelligence analysts better understand their
needs.
Improvements in cross-disciplinary understanding would also
help solve the weaknesses of the current one-way "supply-demand" model of intelligence
and risk analysis. "Risk analysts need threat judgments from DHS intelligence
analysts, but the benefits for intelligence analysts are less apparent," HSSAI
said, noting that "providing support for DHS risk assessments can involve added
efforts for intelligence analysts in a way that currently competes with their
time available to fulfill standing mission requirements."
Giving intelligence analysts more of a stake in the process
is critical, HSSAI says. The institute recommends a "systemic engagement"
between the two groups, with an emphasis on encouraging risk analysts to close
the loop by providing "feedback on how their threat inputs were used and what
types of questions DHS decision-makers posed concerning the risk assessments." Involving intelligence analysts at an
early stage in the risk assessment process would also go a long way toward clarifying
expectations and setting mutual goals, HSSAI concludes.
Decision to Shut Down uGov Email System Sparks Criticism, Prompts Worries About Intellipedia
The intelligence community is phasing out a popular email network, raising concerns about other collaborative projects, The Atlantic magazine reported this week. In particular, the decision sparked immediate concern among analysts that the wiki-based Intellipedia information sharing system would be next to go.
The uGov email domain, run by the Office of the Director of National Intelligence (ODNI), is shared by 15,000 users across 16 agencies. It also manages non-classified emails and includes a contact management and calendar system, and has been popular among younger analysts who joined the intelligence community after the attacks of September 11, 2001.
An ODNI official told The Atlantic that security concerns were behind the decision to shut down the service. Others added that the system would be replaced with one based on Microsoft Exchange and that efforts would be made to move emails and data to the new system.
The magazine quoted numerous intelligence analysts who said they were stunned by the decision and that it represented a step backward for information sharing. "Since
major new systems are not in procurement the legacy systems are not
being turned off," Bob Gourley, a former chief technology officer
at the Defense Intelligence Agency, told the magazine. "That puts the new, innovative,
small, agile programs like uGov [and Intellipedia] ... at greater
risk. In fact, in some cases we are seeing IT departments cancel
everything associated with innovation -- which would be a sign of a
dying organization in the private sector."
SARMA Roundup
Joint Statement of the Security Analysis and Risk Management Association and the OPSEC Professionals Society
Building on the partnership begun at the 2009 National OPSEC Conference, the Security Analysis and Risk Management Association (SARMA) and the OPSEC Professionals Society (OPS) have entered into discussions regarding a formal affiliation of the two organizations.
To sustain its tradition of support to the OPSEC community, OPS has identified the need to affiliate with an organization that represents a broader constituency. Similarly, SARMA has identified the need to grow in membership and gain access to mature and tested approaches to the development and implementation of professional training and certification programs to fulfill one of its core missions. Together, the two organizations desire to establish a construct that is financially sound, responsive to the needs of core constituencies, and respectful of history and traditions. To that end, SARMA and OPS believe an affiliation will produce a stronger, more vibrant entity better able to serve the needs of practitioners across the security risk management spectrum.
To guide these discussions, the two organizations have agreed to a framework that envisions three phases:
- Phase 1. Establishment of a Joint Exploratory Committee, retention of legal counsel and full disclosure of financial status, liabilities, litigation, etc.
- Phase 2. Development of the terms and conditions of the affiliation, joint efforts to sponsor events and web content, and initiation of an effort to leverage existing OPSEC training to develop and implement a complementary security risk management training and certification program.
- Phase 3. Ratification of the terms and conditions of the affiliation by the directors and membership of each organization.
The process is envisioned to take approximately nine months and culminate in a ratification vote by the membership at each organization's 2010 annual meeting. Importantly, should either party decide that an affiliation is not in its best interest during these discussions, provisions are included in the document that allow for termination of the talks without prejudice to either party.
The full text of the SARMA-OPS Framework for Affiliation can be found here.
Supporting Ongoing and New Initiatives at SARMA
by Kerry L. Thomas
As the only association dedicated to the profession of security risk management, SARMA fulfills a unique and important role as a source of unbiased information for decision-makers responsible for making tough choices about where and how to invest in homeland security. We also serve as a vehicle for the professional development of individuals and groups who contribute to this process.
In the short time since its founding, SARMA has had a significant impact in both areas. Some of our key accomplishments include:
- Assisting in the development of a draft Homeland Security Presidential Directive on Risk Management;
- Delivering a position paper to the Obama presidential transition team on ways to enhance federal security risk management efforts;
- Providing input to the Quadrennial Homeland Security Review/Homeland Security National Risk Assessment process;
- Holding three highly successful annual conferences on security analysis and risk management;
- Enhancing SARMA's connectivity with its members by increasing the scope and frequency of our publications and expanding social networking opportunities through sites like the SARMA LinkedIn Group;
- Developing closer ties with other like-minded professional associations; and
- Continuing to support university programs focused on educating the next generation of security risk analysts and managers.
Expanding on these gains, our near-term activities will include:
- Finalizing the SARMA Strategic Plan;
- Expanding professional training and certification programs;
- Developing additional university partnerships;
- Implementing a series of ongoing events to supplement the annual conference; and
- Establishing a government advisory panel to support our efforts to provide federal agencies with unbiased advice and opinions.
As with most such endeavors, our ability to effectively implement these new initiatives is directly tied to the membership dues we collect and the generosity of our corporate patrons. And what do you and other members and sponsors receive in return for your contributions? I believe there are a number of tangible benefits, including:
- The ability to participate in the relevant discussions of the day with leading risk management practitioners in government, industry and academia;
- Professional growth opportunities for you, your managers and your staff;
- Marketing opportunities for your business, aimed directly at a security-focused audience; and
- Recruiting tools that will help you identify and reach prospective employees who are equipped with the skills and expertise you require.
In addition, starting this year, our corporate sponsors will have the ability to provide input on the direction and focus of the Association via participation on SARMA's brand new Advisory Council. We have also revamped our four sponsorship categories to allow companies to choose the level of support best suited to their goals and objectives. Your support is always appreciated.
Please take a moment to review our revised prospectus, which details the Platinum, Gold, Silver and Bronze sponsorship opportunities available to our corporate patrons. And, of course, feel free to contact us with any questions!
Commentary
Turning Business Risk Into Competitive Advantage by Robert Hall
The concepts of change and
risk are usually associated with uncertainty. For many companies, this association leads to excessively
risk-averse behavior, wherein managers seek to avoid perceived dangers at all costs. In fact, adapting to change and accepting reasonable risks
are necessary to operating a successful business, and the fundamental job of a good
executive is to anticipate change and manage or even take advantage of
attendant risks. That means planning for contingencies and thinking ahead.
Not all companies understand the need to adopt these practices. According to a 2008
survey of senior managers conducted by the UK's Chartered Management Institute,
53 percent of those surveyed said that their organizations have no specific
business continuity plans. In a separate 2008 survey by Marsh, 66 percent of executives reported that they do not look for
opportunities to turn risk to their company's competitive advantage.
This is a grave mistake. The speed at which changes in
globalization and governance are occurring means that managers must be proactive in thinking about how to
respond before challenges materialize. In the case of business continuity in
the face of pandemic influenza, for example, smart companies are already
drawing up new protocols for long-term absences, strategies for buying and
distributing anti-viral medication and masks, and campaigns for enhanced
hygiene regimes and social distancing.
Or consider the case of the devastating fire at the
Philips semiconductor plant in Albuquerque, New Mexico in 2000. By waiting to
see what the damage was for the wider market, mobile phone maker Ericsson delayed remedial action
by two weeks and so lost $400 million in potential revenue and suffered a 14-percent drop in share price when it was unable to acquire the microchips needed to produce its phones. It was eventually forced to exit phone
manufacturing and was acquired by Sony.
Ericsson competitor Nokia, on the other hand, was proactive and anticipated the downturn in the supply of microchips and made provisions from other suppliers before the market became tight. As a result, Nokia's supply chain was unaffected and it prospered. Clearly Nokia had the insight to see risk others didn't and to unlock the opportunities others could not.
Managers must also peer even further into the future to identify threats well before they strike home. If
one is able to scan the medium- and long-term horizons using a set of clearly
defined metrics, often called key risk indicators, then it may be possible to
anticipate broad patterns and shifts in market direction that will allow
suitable, prescient responses.
This skill has been deployed by militaries for many years in an effort to forecast
impending conflict. It is now appropriate for the business world in the face of
growing uncertainty and instability in the marketplace.
Robert Hall is an independent consultant specializing in risk and security issues. A version of this article first appeared in the August 2009 edition of ASIS International's Security Management magazine.
Projects
Survey: Managing Security Contracts
Allison Wylde, a researcher at London Metropolitan University Business School, is examining business performance and decision-making in the private security industry. Her research, initially funded by the London Development Agency, aims to identify how security firms and security professionals manage private, public and government contracts.
Interested readers are asked to answer a short questionnaire. Once the project is complete, the general survey results will be made public, but all answers and personal details will remain completely confidential.
Key Reports
NIST: System and Network Security Acronyms and Abbreviations
A new report from the National Institute of Science and Technology contains a list of selected acronyms and abbreviations for system and network security terms along with their generally accepted or preferred definitions.
DOJ: The Federal Bureau of Investigation's Weapons of Mass Destruction Coordinator Program
A close look at the FBI's efforts to coordinate WMD analysis and response finds significant shortcomings in training and analytical support and makes thirteen recommendations for improvement.
GAO: High Containment Laboratories: National Strategy For Oversight is Needed
The Government Accountability Office identifies a number of glaring deficiencies in the management of the nation's high containment labs "that demonstrate failures of systems and procedures meant to maintain biosafety and biosecurity." Among the proposed solutions is the creation of an "entity charged with government-wide strategic evaluation" of the high containment lab program.
Jobs
Analyst Position with the DHS Homeland Infrastructure Threat and Risk Analysis Center (HITRAC)
General:
ABSG Consulting Inc. is seeking a talented young professional to provide technical and management consulting services to the federal government, specifically in the area of homeland security risk analysis for critical infrastructure and key resources. Education and experience with the systems engineering discipline is a key requirement, as well as strong foundations in the physical sciences. An active security clearance is preferred.
Education:
- BS or MS in systems engineering.
Experience:
- One to two years experience in an engineering related discipline using the systems engineering lifecycle to design and engineer complex systems.
Skills:
- Strong technical background in mathematics or physical sciences required.
- Must have relevant coursework in risk analysis, operations research, or other technical disciplines designed to support data-driven decision making.
- Must possess and have demonstrated excellent written and oral communication skills for technical subjects.
Please send resumes and cover letter to:
Micah McCutchan
Program Manager
ABSG Consulting, Inc.
E-Mail: mmccutchan@absconsulting.com