Posted by Aaron Titus on March 9, 2010

Like Phones, Privacy Policies Should be Easy to Use, with a Complex Infrastructure
Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what normal people say in 300 and a handshake. At the risk of defending verbosity, it turns out that behind each handshake lies a wide range of non-standard assumptions. Many (if not most) disputes arise when there is a misunderstanding about an unspoken assumption—the meaning of a word, or silence on a particular issue. That’s why it takes lawyers so many words to say something so simple; simple things are more complex than we thought.
Consider the telephone—an elegant piece of equipment which is exceedingly easy to use. Yet the infrastructure and technology supporting telephony and networking is extremely robust and complex. Consumers pay the telcos to worry about the millions of miles of copper and fiber, routers, substations and central offices. The infrastructure isn’t a “necessary evil,” it’s just necessary.
Creative Commons is the legal equivalent of the telephone. While the human-readable version of the “Attribution Non-Commercial Share Alike” creative commons license consists of 5 images and 286 words, the legal version contains 3,384 words. Surely the work of a lawyer who needed to justify his existence, right?
Not so fast. The full license covers a range of essential topics that people don’t usually take time to think about. These include media and language translation, public performance, DRM, collections of works, waiver of compulsory license fees, preservation of moral rights, limitation on author’s liability, and termination, just to name a few. Creative Commons is simple on the surface, but the elegance is supported by a complex legal framework. Saying that the legalese version of a Creative Commons License is a “necessary evil” is incorrect and misses the point. It’s not evil at all; it’s just necessary.
Privacy Policies: Not a “Necessary Evil,” Just Necessary
Like telephony infrastructure and the Creative Commons licenses, Privacy Policies aren’t a “necessary evil,” they’re just a necessary part of running a business. If your business has customers or employees, then you need to safeguard and use personal information. Your business must develop privacy practices unique to your business. Laws mandate that you protect personal information, but they do not usually establish privacy practices. That’s why you need a privacy policy.
Writing a privacy policy is a tall order because it must address the broad range of activities in which your company engages, and be as simple to use as a telephone.
Privacy policies should cover online as well as offline uses of personal information, because each use carries unique challenges. As you establish Privacy Practices and your Privacy Policy, consider the following activities:
- Goods and Services Activities: Does your privacy policy cover the information collected at point-of-sale, your iPhone app, online store, and through PayPal? Does your software periodically send licensing, version, or other information to your centralized servers? Do you collect or share purchase history, preferences, and demographic information with employees, other people, users, or other companies?
- Employer Activities: Does your company have employees? How do you protect health, financial, employment, and personnel information? What contractual and technical protections do you offer employees? Where is the information stored, and do you have physical and legal control over the servers?
- Customer Feedback Activities: Does your company conduct surveys, or invite customers to “Contact Us?” What might you do with that information?
- Financial Activities: Do you accept online payments? Do your retail outlets comply with all industry standards? Do you store credit card information?
- Education Activities: Does your company sell education material, or conduct certifications?
- Social Networking Activities: Does your company have a corporate blog that accepts user comments? Do you post to Twitter and YouTube? Does your company have a Facebook page? Do you gather aggregate usage information? What information about your users, fans, commenters and online guests might you collect, and what inferences do you draw from the information?
- Network Provider Activities: Do you offer internet access to employees? Do you monitor your network activity or restrict access to certain sites? Do your employees understand what they should consider private and what is accessible to the company?
- Government Activities: Companies which accept government contracts may be required to comply with a wide range of requirements, including background checks and increased security. What impact do these regulations have on your consumer and employee privacy policies?
- Healthcare Activities: Whether your company creates medical technology or devices, or merely provides healthcare insurance for employees, consider what types of information pass through your systems and how that information is protected.
- Non-Networked Activities: Even if your company is a locally owned Mom-and-Pop restaurant, a mechanic, or corner grocery store with no internet connectivity, what customer information do you collect and use? How do you store and safeguard your paper records? Do you properly shred or destroy old records?
You should cover each of these topics in a customer-facing Privacy Policy or an employee-facing Privacy Policy in your employee handbook.
Beyond the Basics
Once you’ve brainstormed the possible uses of personal information, you must be aware of some little-known US and EU regulations which can affect your privacy practices and policies.
Privacy in the Cloud. Cloud computing gives small companies instant access to Fortune-500 quality infrastructure at a fraction of the cost. Just like any sort of out-sourcing, Cloud computing may simplify your business model, but unless you’re careful, it may also seriously complicate your handle on intellectual property and personal information. You should determine what, if any, contractual obligations downstream service providers have to you. Also consider that the service providers may be located in a jurisdiction which has additional privacy regulations.
State Laws. A few state laws give specific guidance on what you should include in your privacy policy. For example, California law requires any company which collects personally identifying information over the Internet to conspicuously post a privacy policy. The privacy policy must identify the categories of personal information collected, how consumers will be notified of changes, and how to update personal information. Texas has similar requirements for any company which requires the disclosure of a social security number. Massachusetts requires encryption of personal information in certain circumstances.
Federal Law. The Children’s Online Privacy Protection Act (COPPA) puts stringent burdens on companies which knowingly collect personal information about children under 13. In order to avoid COPPA liability, companies must take active steps to avoid collecting personal information from kids. This means, for example, that if you ask for your users’ date of birth, you must deny access to those who indicate that they are under 13 years old. Your company should have procedures for preventing users from signing up using a different birth year, if the company finds out they are under 13.
European Union. Unlike the United States, which has adopted narrow privacy regulations aimed at mitigating specific threats, the European Union regulates privacy on a much broader basis. If your company transfers information from the EU to the United States, you must either comply with EU law or the EU “safe harbor” principles. The U.S. Commerce Department promulgates guidance on what to include in your privacy policy, to comply with the EU safe harbor provisions.
Copyright Law. Believe it or not, even copyright law can have an impact on privacy. The Digital Millennium Copyright Act (DMCA) includes a takedown procedure which can require site owners and service providers to report information about infringers to copyright holders, under certain circumstances. Even though the DMCA does not require companies to disclose their DMCA practices, it’s a good idea nonetheless.
This is by no means an exhaustive list of privacy statutes or regulations, but it should remind you that a privacy policy is more than just a formality.
7 Reasons
So to summarize, here are the 7 reasons you need a privacy policy:
- If you have customers or employees, you need to safeguard personal information.
- Laws do not usually establish Privacy Practices. Privacy Policies create Privacy Practices.
- Privacy Policies are often required by law or regulation.
- Your business faces privacy challenges which nobody else faces.
- Cloud Computing, Social Media, Goods and Services, Employer, and other activities pose unique challenges to handling personal information.
- You must comply with specific regulations if you have customers or employees in specific states or the EU, or if your servers (or the servers of a subcontractor) reside in the EU.
- Your company has affirmative privacy obligations with respect to minors under 13 years old.
Take Charge
As an executive, do these three things:
- Read Your Privacy Policy.
- Brainstorm. Using the list above, brainstorm all the activities and types of personal information your company collects (whether personally identifiable or not), and identify the jurisdictions through which the information may flow.
- Evaluate and Update. Evaluate your privacy policy and employee manual to make sure that they cover the range of possible privacy implications.
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter
The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot have been shared – and now it is time to measure success.
So how do you measure what matters so you can communicate what counts?
In this chapter, “Measuring Success,” Michael draws on his background of social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.
Learn how to measure what matters and communicate what counts.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by
- Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
- Subscribing to The Security Catalyst podcast & blog to get more insights
- Learning more about The Catalyst Foundation Series – proven success for security initiatives to excite, ignite and turn insiders into allies who reduce business risk!
Go deeper Into the Breach with Michael Santarcangelo with EMC
Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. Learn how to harness the power of their people to inform and improve the risk management process in a matter of weeks. Go to www.configuresoft.com/securitycatalyst today to register now and listen to the recorded sessions from before and get access to the latest session.
It is simplicity that makes the uneducated more effective than the educated when addressing popular audiences. — Aristotle
I’ve noticed that the instinct lately – of individuals, government and security practitioners – seems to be one of more control.
When something seems broken, or the outcome is different from what was desired, the answer comes in the form of regulation, controls and otherwise restricting the options to prevent or influence the outcome.
And when these controls fail, it leads to finger pointing, grandstanding and… you guessed it… the call for more controls.
But what is the net effect of these additional controls?
Sometimes the solution is to strip controls away. To simplify.
I’ve spent the last few months pondering this message, and realize the more we ask ourselves “what is the problem we are trying to solve” the more effective we are. We need a foundation for success – and simple trumps complex.
Posted by Sharon Shaw on February 25, 2010
By Sharon M. Shaw, CFE

The Pink Boot (it’s real)
Preparing for successful fraud prevention is like preparing for a first child: the environment is carefully scoped out from the child’s level, and anything that could possibly cause the little darling harm is removed. Drawers and cupboards are locked and anything valuable is put out of sight.
After the first child, prevention becomes more proficient: obvious dangers — and some not so obvious ones — are known and accounted for. For example: even though a 250lb, six foot tall man cannot get the paint can open, a three-year-old will — within seconds — and no matter how wonderful neon pink looks on the walls, it doesn’t look quite the same on Daddy’s new work boots, or as footprints on the new carpet.
Fraud prevention is similar to childproofing.
Unfortunately, fraud footprints are not neon pink and are not always obvious. They can, however, be prevented with some basic common sense. The environment needs to be examined from a potential fraudster’s perspective: lessen any obvious risks, and plan for the not-so-obvious risks.
I have developed a five-part system, dubbed LEDER (pronounced LEADER), to help with this process:
- Look
- Exploit
- Define
- Explore
- Re-Evaluate
LOOK at what rules are currently in place
First of all define what fraud or wrongdoings are within the organization.
There is no one-size-fits-all: every organization is different, and what is acceptable to one company or organization is not acceptable to another.
Does the organization have an ethics policy?
The ethics policy should clearly define what is acceptable behavior, be easy to understand and follow, and should be adhered to from the top down and bottom up.
Many ethics policies say wonderful things but do not clearly define boundaries. They are often generalized, with no real meaning to individual employees. A compliance officer’s definition of ethical behavior may be different from a sales agent’s view when he or she is trying to meet the monthly goals.
Push the Boundaries and EXPLOIT rules
Permission granted to behave like a three year old – exploit the defined boundaries.
See how they measure up to everyday protocol. Are they adhered to vigilantly or are deviations used to make the process smoother? Where does the system break down?
Set the standard, DEFINE the intended rules in plain language
Without a policy that clearly defines boundaries, it is difficult for people to do the right thing even if they want to. It’s like being blindfolded and told not to walk off the cliff. Ethical standards need to be set throughout the organization if fraud prevention is to be successful. A well-written policy that clearly defines what can and cannot be done has little meaning if the CEO does not adhere to it, or the top sales person regularly violates it with no consequences.
EXPLORE, the magic eight ball says…
Brainstorm and explore the unknown.
Pull out the ethics policy and look at it objectively. What does it really say?
Does it clearly say what can and cannot be done?
What does “Protect and ensure proper use of company assets” actually mean? Maybe it is okay to use the company fuel card to fill up personal vehicles; after all, the card was kept safe and only used for its intended purpose.
Plan for the unusual (but believable).
The more events that are planned for the more likely the organization is to stave off fraud in the future. Creating extra steps to obtain valuable information or assets will deter would be fraudsters since most fraudsters follow the path of least resistance.
Organizations whose employees clearly understand the ethical values of the company, and adhere strictly to them, have a far better chance of preventing and detecting fraud than a company who has a well-written ethics policy that nobody really understands.
RE-EVALUATE and adapt
Were procedures exploitable?
Are there possible events that were not planned for?
Successful fraud prevention requires that knowledge be turned into power. To have power against fraud, policies and procedures must be continually re-evaluated to ensure they are resilient. Look again: what can be adapted to thwart those magic eight ball scenarios?
By “following the LEDER” it is possible to get better results:
- Look – What have you got?
- Exploit – Can it be broken?
- Define – What do the rules really mean?
- Explore – What could happen?
- Re-Evaluate – Redefine policies so there are fewer opportunities for fraud to occur.
Share your experience in the comments below.
Knowledge is power and together we are stronger in the fight against fraud.
Posted by Martin Fisher on February 23, 2010
By Martin Fisher
What is the most important job/function of a leader?
- Inspire the team?
- Use resources effectively?
- Make tough decisions?
- Set an example?
- Develop others?
All of these are good answers and are important things for a leader to be sure they are accomplishing in an organization.
But none of these is the most important answer.
The number one job of a leader – the reason leaders exist – is to bring change to organizations.
“That’s silly!” – is a common reply I hear when I make the statement.
“Leaders only bring change if change is what the organization needs. They assess the situation, analyze their resources, and only make changes if there is a reasonable chance of the change improving the organization.”
My response to that, in the words of my teenaged daughter, is “Pssh!”.
Change: If you aren’t doing it, you’re doing Leadership wrong.
Effective leaders are never satisfied with the status quo.
Of course, leaders will continue to celebrate good performances, boast the capabilities of their team, and value the circumstances they find themselves in. But more, a leader has the ability to see and accept the organization as it is and form a clear vision for how the organization can (and should) be.
Leadership, a friend once told me, is where the science of the possible meets the art of the dream.
Leadership is the nuanced ability to see what could be and come up with the plan to create it out of what is already in existence. Effective leaders almost instinctively realize that slow and incremental change is a prison and that the only escape is dramatic and disruptive change.
Leadership is “Disruptive change?”
That’s crazy talk!
Look at all the people who lost or almost lost everything to disruptive change: New Coke…Webvan…the Pontiac Aztek…Hooters Air…
Only a fool or a liar would say there is no risk to disruptive change. But there are things you can do to minimize that risk:
Think, Rethink, and Rethink Again
The leader has to be completely honest with themselves about the environment they operate in, the resources available, and the chances of the disruptive change actually taking effect.
This thinking must be complete, honest, and is not done until the leader understands the environment completely.
The leader then needs to find a small group of trusted other leaders that they can toss the idea to with the intent of these other leaders shooting it so full of holes that almost nothing remains.
Whatever is left — whatever survives the onslaught — forms the base of the next round of thinking. Once the thinking is done the thoughts have to be able to be put into simple and actionable statements:
- Changing the organizational structure? Then create an org chart to talk to and demonstrate.
- Changing processes? Then show a picture that details before and after with the benefits.
- Changing the mission? Then create a succinct mission statement and show what is being changed and why.
Whatever the change, come up with a picture (1 slide, please, not a full deck – that’s for later) that can be used to explain the “why and how” of the change.
Talk the Team Through The Change
The worst thing to do once the thinking is done (you think) and the picture is ready is to simply dump the change on the team.
One of the biggest (and, sadly, most common) mistakes leaders make is to forget that, while the leader has been thinking through this change for weeks, the team just got told of the change and needs time to process and unpack it. They deserve the chance to see what the change is, how it impacts them, ask questions, and get answers.
The effective leader is able to effectively communicate the change to the team.
Use the picture of the “how and why” to show the team how the change will impact them and how it helps get team goals accomplished.
Then step back, listen, and engage in the conversation. Remember – the team knows the system and might reveal something to tweak the change. In fact, this could be the difference between success and failure.
“That sounds an awful lot like sales! If I wanted to do sales I’d have taken that job with my cousin at the furniture store!”
Is it like sales?
Well, if “sales” means influencing people to see things from different perspectives – then yes.
But I prefer to think of it as “Casting A Vision” – which is what we’ll talk about next time.
On Friday, The Web Squeeze posted an interview with me. We had a blast discussing backups, passwords, building more secure websites and a bit about the human paradox and Into the Breach.
I’m impressed with The Web Squeeze (http://thewebsqueeze.com/) and hope to get more involved in additional ways.
In the meantime, I really enjoyed the banter (enough to really get me thinking about getting a new show or two going) and the professionalism extended to me by Jacob and Linda.
I hope you consider taking a listen; more – share it with the folks you know in development and see what they say. Use this as a springboard for conversations.
Here is the link: http://www.thewebsqueeze.com/freelance-podcasts/into-the-breach.html
Welcome to the February issue of Identity Management in 13 Easy Steps. In most parts of the country the weather is cold and dreary, and what better weather for an ID cleanup?
So roll up the sleeves, find the glasses, and brew a lot of extra-strong coffee – it’s time to tackle those primary userIDs.
Primary userIDs – what are they?
A primary userID is the main ID that each user has in an organization. This is the one ID that they *should* have on all systems, although that is often not the case. Typically, the primary ID is the user’s network ID – that is, the ID that each person uses to log into their computer in the morning, and probably also to log into their email. Many organizations call this the LDAP ID or (for Windows-heavy shops) the Active Directory ID. Organizations that are mainframe-heavy might store their primary IDs on the mainframe.
The task at hand
On the surface, this month’s activity is simple: correlate each user’s primary ID with their name and other identity information, as this will be the basis for the identity repository going forward. Hopefully everyone’s primary ID is already stored electronically somewhere (at least in a spreadsheet) and there is some useful data already associated with each ID – like a name, an employee number, or other identifying information. If not, well, that’s where the extra-strong coffee comes in (or maybe decaf would be better?).
The task may be easy to describe, but there are three significant challenges in this cleanup process:
Challenge #1: mapping primary IDs to people
It is likely that the list of primary IDs (assuming it exists) is missing information, or has data that’s so outdated as to be useless. Worse still is a list of IDs without any information (who are bassfisher68 and jedimaster84?). Equally frustrating is the same-name problem: how many John Smiths, Trong Nguyens, and Juan Gonzalezes are in your organization… and whose name goes with which ID?
Challenge #2: are they even still here?
It is often hard to map IDs to people when the ID has persisted, but the person is long gone. Even more doubt is created when the ID belongs to someone with a common name.
Does jsmith3 belong to that contractor that was in here 2 years ago, or does it belong to the guy downstairs in accounting?
A nasty – but necessary – part of cleaning up primary IDs is identifying orphaned accounts that should no longer be active. On the upside, this is a healthy security exercise that often gets put off – after all, who wants to deal with the screaming users when the wrong IDs get disabled? But for identity management to work, this HAS to be done – no more excuses or avoidance!
Challenge #3: mapping primary IDs to primary sources of record
Once the IDs are mapped to the correct names/people and orphaned accounts are retired, it’s time to map the IDs to the corresponding accounts in the sources of record that were identified in last month’s exercise. Remember, identity management is just a facilitator of actions. A key integration is between identity management and the HR system, as that enables the automation of access creation and removal based on hire, transfer, and termination events in the HR system. Identity management can also facilitate the auto-provisioning or password self-service of a user’s other accounts (like email) based on proper linking.
The biggest difficulty in this exercise is typically matching the userID with the right HR record, due to potential differences in legal vs. preferred name. Very often, email addresses and userIDs are set up based on the individual’s preferred name (e.g., Mike, Trish, Betsy), whereas the HR record will contain their legal name (e.g., Michael, Patricia, Elizabeth).
Is Mike Smith the same guy as Michael Smith – or not?
Guessing is not allowed here – matching up the wrong user with the wrong HR record can have very serious consequences. HR doesn’t take kindly to people seeing each other’s salary information. Getting someone else’s email is generally frowned upon as well, especially if some new junior analyst was confused with a senior VP (believe me, this has happened more than once!)
Approach
There is no *right* or *easy* way to execute this cleanup.
With little starting information and/or a large user base, this will be a painful and time-consuming process, but here are some things to help get organized:
- Determine the data set that is needed. Make sure it is the bare minimum to start because once identity management is implemented and the records are linked, a lot of additional information will populate automatically. The goal here is to identify which data points are needed to accurately link records between systems – nothing more
- Start with the cleanest source of record to build some momentum. While this is often the HR record, sometimes email is the best bet. Other sources may also be appropriate (like the mainframe). In general, the cleanest sources of record are ones that are carefully controlled and well automated in a database or a repository.
- Enlist the help of someone good at scripting to automate some of the searches and comparisons. Done right, this saves immeasurable time!
- Communication is key!
- Make sure the user base knows a cleanup is underway and why it benefits them
- Solicit assistance from department heads – they can help identify users and their correct/current information
- Ask the leadership to alert their people that they may be polled for information, and specify the name of the team that will do the polling (provide the names of individuals if possible). Users need to know that these requests are legitimate and not a phishing attempt (especially if they just attended training on phishing or Michael has already worked to improve your awareness program)
- Communicate the cleanup process to the leadership so they know the who, what, where, when and why of the effort. This is especially important when the team ends up with a pool of orphaned IDs and no other means of research. The only remaining option is to deactivate those accounts and see if anyone complains. Management needs to understand and support this decision before it can be executed
- Don’t be afraid to disable IDs if reasonable research has not yielded results. Researching identities is extremely time consuming – there is a point where enough is enough, and the security risk to the company should outweigh the brief inconvenience that a handful of users may experience
- Engage HR representatives and local technical support personnel. They tend to know the users personally, and can be of great help identifying them
If existing records are already in pretty good shape, sit back and smile smugly while everyone else beats their head against the wall for a while.
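The challenges above (nickname versus legal name, same-name collisions, and IDs whose owner may be long gone) are exactly the comparisons the scripting help mentioned in the list can automate. The following is an added example, not code from this column or from any identity management product: it correlates a constructed directory export with a constructed HR extract, matching on last name plus a nickname table, and refuses to guess. An ID with exactly one consistent HR record is "matched"; several consistent records make it "ambiguous" for human research; no usable name or no consistent record makes it an "orphan-candidate"; and any ID not logged into for a year is flagged stale as an input to the disable-and-see-who-complains decision. The nickname table, the sample people, the one-year cutoff and the "as of" date are all assumptions.

```python
"""Correlate primary userIDs with HR records without guessing at identity.

Added example. All data below is constructed; the nickname table is a
hypothetical, deliberately small stand-in for a real one.
"""
from datetime import date, timedelta

# Constructed directory export: userID, display name, last interactive login.
DIRECTORY_IDS = [
    {"uid": "msmith",       "display": "Mike Smith",    "last_login": "2010-02-10"},
    {"uid": "jsmith3",      "display": "J Smith",       "last_login": "2008-01-15"},
    {"uid": "jsmith",       "display": "John Smith",    "last_login": "2010-02-14"},
    {"uid": "pjones",       "display": "Trish Jones",   "last_login": "2010-02-12"},
    {"uid": "bassfisher68", "display": "",              "last_login": "2007-06-01"},
    {"uid": "jgonzalez",    "display": "Juan Gonzalez", "last_login": "2010-02-11"},
]

# Constructed HR extract: employee number, legal first name, last name, status.
HR_RECORDS = [
    {"emp_no": "1001", "legal_first": "Michael",  "last": "Smith",    "status": "active"},
    {"emp_no": "1002", "legal_first": "John",     "last": "Smith",    "status": "active"},
    {"emp_no": "1003", "legal_first": "Jonathan", "last": "Smith",    "status": "terminated"},
    {"emp_no": "1004", "legal_first": "Patricia", "last": "Jones",    "status": "active"},
    {"emp_no": "1005", "legal_first": "Juan",     "last": "Gonzalez", "status": "active"},
    {"emp_no": "1006", "legal_first": "Juan",     "last": "Gonzalez", "status": "active"},
]

# Hypothetical preferred-name -> legal-name table (assumption; a real one is far larger).
NICKNAMES = {"mike": "michael", "trish": "patricia", "betsy": "elizabeth", "jon": "jonathan"}

AS_OF = date(2010, 2, 17)            # constructed "today" for the stale-login check
STALE_AFTER = timedelta(days=365)    # assumed cutoff: no login in a year is suspicious


def canonical_first(first):
    """Lower-case the first name and translate a known nickname to its legal form."""
    f = first.strip().lower()
    return NICKNAMES.get(f, f)


def split_display(display):
    """Return (first, last) from a display name, or (None, None) if unusable."""
    parts = display.strip().split()
    if len(parts) < 2:
        return None, None
    return parts[0], parts[-1]


def hr_candidates(first, last):
    """HR records with the same last name whose legal first name is consistent
    with the directory first name: equal after nickname translation, or, when
    the directory only holds an initial, starting with that initial."""
    cf = canonical_first(first)
    out = []
    for rec in HR_RECORDS:
        if rec["last"].lower() != last.lower():
            continue
        legal = rec["legal_first"].lower()
        if len(cf) == 1:
            if legal.startswith(cf):
                out.append(rec)
        elif legal == cf:
            out.append(rec)
    return out


def classify(entry):
    """Decide what a human should do with one directory ID."""
    stale = date.fromisoformat(entry["last_login"]) < AS_OF - STALE_AFTER
    first, last = split_display(entry["display"])
    if first is None:
        # No name at all (bassfisher68): nothing to match on, research or disable.
        return {"status": "orphan-candidate", "candidates": [], "stale": stale}
    cands = hr_candidates(first, last)
    if len(cands) == 1:
        return {"status": "matched", "candidates": [cands[0]["emp_no"]], "stale": stale}
    if not cands:
        return {"status": "orphan-candidate", "candidates": [], "stale": stale}
    # Several consistent HR records: the same-name problem. Never pick one by guessing.
    return {"status": "ambiguous", "candidates": [c["emp_no"] for c in cands], "stale": stale}


def correlate():
    """Map every directory userID to its classification."""
    return {e["uid"]: classify(e) for e in DIRECTORY_IDS}


if __name__ == "__main__":
    for uid, result in correlate().items():
        flag = " STALE" if result["stale"] else ""
        print(f"{uid:14} {result['status']:16} {','.join(result['candidates']) or '-'}{flag}")
```

Run on the constructed data, jsmith3 comes out ambiguous between the active John Smith and the terminated Jonathan Smith and is also stale, which is the "contractor from two years ago, or the guy in accounting?" case, and jgonzalez is ambiguous between two active Juan Gonzalezes; both go to department heads or HR for research rather than being linked by a script. The match key is the combination of last name and translated first name, not the userID itself, which is why a userID built from a preferred name (msmith, pjones) still links to its legal-name HR record.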
Keeping it clean
If there is no current identity management system in place, it is important to keep the new repository of primary userIDs reasonably clean until the new system is in place. Otherwise this fun exercise will need to be repeated.
Staying up-to-date manually requires a process to keep user data in good repair but the process should not be complex or labor intensive. Do the bare minimum necessary to keep the data decently clean. It’s OK if it’s not perfect – a small final cleanup is inevitable.
A word about userID naming standards
If this process reveals the lack of a userID naming standard, or a standard that no longer makes sense for the organization, this is the right time to establish a new, sensible one. This is a large and painful exercise in and of itself, but it is far better to enter into an identity management implementation with a solid and appropriate naming standard than to try to fix it later.
Here are the things to consider:
- Grandfathering existing users vs. making them change their ID to match the new standard
- Unless there are specific technical reasons for converting everyone, I recommend grandfathering. A primary ID can be created in identity management in the new format and mapped to the untouched existing IDs. This meets the needs of identity management while minimizing impact on the users
- Helping users with multiple ID formats across various systems consolidate to one ID format
- Although this can be a little painful, many users are happy to undergo the initial challenge in exchange for not having to remember which ID to use on which system
- Having different ID formats for employees vs. non-employees
- I recommend not doing this. Having visual segregation of ID is much more important in a manual paradigm. With identity management there are many ways to identify a user’s employment status without segregating by ID, and having different ID formats causes more problems than it solves
- Make sure that the selected format will work on all systems – including those legacy dinosaurs with all their length and character limitations
- If you choose to have userIDs based on name, establish a clear policy about changing the ID in the case of marriage, divorce, sex change, etc.
- Changing someone’s display name is easy. Changing their userID can be tricky, because on many systems this isn’t possible – the old ID has to be deleted and a new one created, which leaves a lot of room for error in copying permissions, files, scripts, etc. However, some people feel very strongly about their name, especially after a nasty divorce or a sex change, so there has to be a provision for this
- Make sure the new naming standard scales adequately for the expected growth of the company, and that it addresses situations where users may need more than one ID, or where individuals have the exact same name (possibly even same middle name or middle initial)
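As an added example (not the article's own code, nor any vendor's), here is one way to encode a naming standard and exercise it before rolling it out. It assumes a hypothetical standard of first initial plus surname, lowercase ASCII letters and digits only, at most 8 characters to fit an older system. Same-name collisions get a numeric suffix that still fits the limit, existing IDs are grandfathered by mapping them to the new primary ID rather than being renamed, and a legacy ID claimed by two different people is raised as an error, which is exactly the kind of ownership conflict the cleanup is meant to surface. The sample names and system names are constructed.

```python
import re
import unicodedata

# Assumed standard (hypothetical, not from the article): first initial plus
# surname, lowercase ASCII letters/digits, starting with a letter, and no
# longer than 8 characters, a common limit on older systems.
MAX_LEN = 8
ID_RE = re.compile(rf"^[a-z][a-z0-9]{{0,{MAX_LEN - 1}}}$")


def normalize(name: str) -> str:
    """Reduce a name to lowercase ASCII letters: "O'Brien" -> "obrien", "María" -> "maria"."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_name.lower())


def is_valid(user_id: str) -> bool:
    """Check an ID against the standard; useful for auditing legacy IDs as well."""
    return ID_RE.match(user_id) is not None


def candidate_ids(first: str, last: str):
    """Yield the preferred ID, then numbered fallbacks that still fit MAX_LEN.

    Two "John Smith"s get jsmith and jsmith2; a long surname is truncated
    before the suffix is appended so the result never exceeds the limit.
    """
    base = (normalize(first)[:1] + normalize(last))[:MAX_LEN]
    if not base:
        raise ValueError(f"cannot derive an ID from {first!r} {last!r}")
    yield base
    n = 2
    while True:
        suffix = str(n)
        yield base[: MAX_LEN - len(suffix)] + suffix
        n += 1


class IdRegistry:
    """Primary IDs in the new format, mapped to grandfathered legacy IDs."""

    def __init__(self) -> None:
        self.primary: dict[str, dict] = {}              # primary_id -> owner record
        self.legacy: dict[tuple[str, str], str] = {}    # (system, legacy_id) -> primary_id

    def assign_primary(self, first: str, last: str) -> str:
        """Pick the first free candidate; every candidate is checked against the standard."""
        for cid in candidate_ids(first, last):
            if not is_valid(cid):
                raise ValueError(f"generated ID {cid!r} violates the naming standard")
            if cid not in self.primary:
                self.primary[cid] = {"first": first, "last": last}
                return cid
        raise AssertionError("unreachable: candidate_ids never runs out")

    def grandfather(self, primary_id: str, system: str, legacy_id: str) -> None:
        """Map an existing (possibly non-conforming) ID to its owner's primary ID.

        A legacy ID may belong to exactly one person; a second claim is an
        ownership conflict that must be resolved by hand, not silently overwritten.
        """
        if primary_id not in self.primary:
            raise KeyError(f"unknown primary ID {primary_id!r}")
        key = (system, legacy_id)
        owner = self.legacy.get(key)
        if owner is not None and owner != primary_id:
            raise ValueError(f"{legacy_id!r} on {system!r} is already mapped to {owner!r}")
        self.legacy[key] = primary_id

    def ids_for(self, primary_id: str) -> list[tuple[str, str]]:
        """All (system, legacy_id) pairs a person still has to remember until IdM takes over."""
        return sorted(k for k, v in self.legacy.items() if v == primary_id)


if __name__ == "__main__":
    # Constructed sample data, not real users or systems.
    reg = IdRegistry()
    a = reg.assign_primary("John", "Smith")            # jsmith
    b = reg.assign_primary("John", "Smith")            # jsmith2 (same-name collision)
    c = reg.assign_primary("Jane", "Kristoffersen")    # jkristof (truncated to 8)
    d = reg.assign_primary("María", "O'Brien")         # mobrien (accent and apostrophe dropped)
    reg.grandfather(a, "mainframe", "SMITHJ01")        # legacy ID left exactly as it is
    reg.grandfather(a, "ldap", "john.smith")
    for pid in (a, b, c, d):
        print(pid, is_valid(pid), reg.ids_for(pid))
```

Under this scheme a name change means assigning a fresh primary ID and re-pointing the legacy map, while the legacy IDs themselves stay put, which is why the policy for name changes needs to be written down before the first ID is issued rather than improvised afterwards.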
Parking Lot
Doing a userID cleanup of this nature can uncover all kinds of interesting issues – like fields being used to store data that they were not meant to store, IDs being created through unofficial channels that probably shouldn’t’ve been created, etc. Some of these discoveries might be security risks, some might just be sloppy administration, and still others might impact the identity management implementation down the road. In any case, it is important to document these discoveries along the way and do something about it – even if that something is just notifying the responsible manager.
Action Recap
This month, we covered the following key actions:
- Identify the primary ID, and determine who owns each ID
- Identify and retire obsolete IDs
- Connect primary IDs to the appropriate records in the target systems identified in last month’s exercise
- Develop (and use!) a process for keeping the IDs clean until identity management can take over
- Make sure the current ID naming standard is adequate and fix it if it isn’t
None of these actions is quick and easy, but getting them done sets a firm foundation for a successful identity management implementation.
How can I help?
Do you need some clarification or additional assistance? Do you have an experience to share with others? Leave a comment below so we can all improve together.
Posted by Trish Smith on February 17, 2010
by Trish Smith
If there’s one lesson Michael Santarcangelo has taught me, it’s that security (and business) aren’t just “about business”. They’re about people. People who we get along with, people who we (as much as we might not like to admit it) don’t always get along with. But unless we’re Steve Jobs, we don’t have much choice who we need to interact with (and I’ll bet even Steve has to deal with people he doesn’t get along with too well, sometimes).
It’s about the people, stupid.
This article shares information to become more flexible, adaptable, and resilient in dealing with others.
Imagine the power of being able to predict, prevent, and resolve conflicts. How about improving communications with co-workers, clients, and peers?
This might sound like a pretty big claim, but when learning about personality and how it determines the ways people interact, this information is invaluable.
What is a “personality type”?
In modern psychology, there are two ways to think about personality: “traits” or “types.” Personality trait theories suggest two people can both be extroverts, but be very different in terms of how strong the trait is in their personality (for example, Bob and Mike might both be extroverts, but the trait is much stronger in Mike than it is in Bob). This view of personality sees it as existing along a continuum, rather than as an “either/or”.
“Personality type” approaches suggest people either have a characteristic or not. An individual is an introvert or an extrovert, assertive or passive, someone who works well in groups or not. This view is the one most widely used in business settings (academic research leans toward trait models), and as such, is the one we’ll explore in more depth.
Defining the Type
The most common instrument to measure personality type is the Myers-Briggs Type Indicator (MBTI). It’s widely used by businesses (and individuals) to better understand personality. It usually consists of about 70 questions that ask you about your likes, dislikes, opinions, and personality characteristics. It then sorts people into one of sixteen “types” based on four preference pairs:
- Extroversion/introversion (need external contact to recharge, or time alone?)
- Intuition/sensing (trust more in patterns and possibilities, or in concrete observations?)
- Thinking/feeling (the dominant force relied upon to make decisions?)
- Judgement/perception (the need to organize life or let the chips fall as they may?)
Although it would be useful to be able to administer this test to everyone we deal with day-to-day (as impractical as that might be), it’s not necessary.
Usually, it’s enough to simply understand which of the different personality types someone is, and keep that in mind when dealing with others. For example, recognizing that a team member is closer to the “judgement” end of the judgement/perception scale will help explain why they need to research and plan out every move of the project.
We can understand other people’s personality differences without making value judgements. John isn’t trying to drive you crazy by going with his feelings on a decision; he’s simply on the “feeling” end of the thinking/feeling scale, and that’s how he makes decisions.
This knowledge reduces frustration and improves approach to others – especially if an action is needed on their part.
Learning how to type others
So how do we figure out which personality type someone is?
We can’t very well hand everyone a Myers-Briggs test (although if the topic is brought up, it’s likely that at least one person in the group will volunteer not only that they have taken the test, but what their result was: That they are an “INTJ”, for example).
Observation is the key to success.
People’s personality comes out in a variety of ways, even when the person isn’t aware. Everything from personal style (how they dress), to their environment (how they set up their office), to social signals (verbal and nonverbal communication), reveals information about what personality type they are.
Want to type someone out?
Listen.
Watch.
Observe the things people are doing.
Recipe for Success
Then it’s simply a matter of being conscious of others’ personality styles and how your own (yes, you have a personality style too!) interacts with theirs, for good or for ill.
If you can do this successfully, it becomes easier to do all those neat things mentioned earlier – become more flexible in dealing with others, resolve conflicts, and improve communication with everyone.
So tell us – do you try to be aware of different personality types in your day-to-day life? Has knowing someone’s personality type ever helped you in your work, or has the converse ever happened – not being able to understand another’s personality style negatively impacted your business? Share with us in the comments!
Posted by Michael Santarcangelo on February 16, 2010
Giving back: The Catalyst Career Compass Program
What started as a way to help friends improve their careers has started to turn into a full-fledged program called the Catalyst Career Compass™.
Over the last few years, I’ve slowly worked through the elements to help friends – and each time I promise to make the approach public. Last weekend, I was called on my promise (thankfully) and decided to open it up.
More, with the help of Andy Willingham, Kevin Riggins and others, we are preparing to relaunch and improve the Security Catalyst Community. When we relaunch (hoping for Q2, but the timeline is not defined), new opportunities for members include the career compass program that leads to a mentoring program.
We’re all excited about the program and the possibilities.
In the meantime, we have colleagues who need a boost – they need to build, calibrate and follow their career compasses.
This is a new program – so I am open to a small group of people running through the elements for their own benefits, and to help shape the elements that will be incorporated into the community. In fact, I’d like to figure out how to train others on the approach and work as a community to help each other out.
So it starts now.
And we’ll start small.
For now, no charge (money) to participate, but there is a cost. If you are interested, send me an email (securitycatalyst/gmail) or engage me on twitter (http://twitter.com/catalyst) and let’s discuss. We have to keep the initial run small, and we need people who are willing to participate fully and work through the entire system.
More details below:
Career Compass Overview
Whether you are currently a Security Professional or want to become one, this highly flexible program will help you set and meet your professional ambitions while serving lifestyle goals.
Set your Career Compass:
- To prepare for a raise
- To receive a promotion
- For career development
- If you are ready to move into the security field
- To find a new position (within your current company or outside it)
Determine your path and venture forth.
Setting Your Career Compass is a multi-faceted program to help you refine your career objectives and realize them.
It is a three-step process.
1. You will first think about and answer a series of questions about yourself, your ideal working environments and your future. We help you align your answers – the ‘who you are’ – with what you have done and where you would like to go.
2. Then we prepare you to effectively communicate your value to the right audience. With guidance you will build a personal brand in the form of a resume, bio, cover letter and whatever else is needed for you to reach your goals.
3. With all the background work complete, we will help you follow the compass you built.
We do not judge.
Everyone thrives in different situations and has different desires in life. Our passion is to help you find the unique value you bring to an organization and position yourself for success.
Why the Compass approach works.
We guide you through a process that helps you explore your strengths, values and goals. As a result, you will understand yourself better than simply listening to someone tell you what they think, based on a questionnaire.
You will be self-aware.
You will have the clarity required to communicate your value effectively. After guiding you through this exploratory process, your Career Compass helps you position and differentiate yourself from others in a strong finished package – written and oral.
The program will help you craft a resume that is simple, powerful and designed to attract the attention of the “right” people. It will help you market yourself better and guide you to greater success.
How much time does this take?
Like most things in life, the more you invest into this program, the more you will get out of it. It is recommended that you budget 3-5 hours to complete step one, 3-5 hours for step two and 3-5 hours to begin step three.
Step three is ongoing but 3-5 hours gets people where they need to be. Some will breeze through the process. Others will need more time. There is no right answer, but the time you invest in yourself will pay off down the road.
Posted by Aaron Titus on February 12, 2010

Avoid a Legal 500 Error. Debug your privacy policy.
Legal Programming
By Aaron Titus
I’m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um practice. OK, I may not be a Ruby all-star, but I could be if I wanted to. Likewise, you can do anything for yourself that an attorney can do for you, including writing legal documents. Lawyers just happen to have knowledge, skill, and training. And if I wanted an iPhone app, I’d talk to a programmer. If I wanted legal documents, I’d talk to a lawyer.
In fact, lawyers are programmers. Writing legal documents—like privacy policies—is just like writing code.
Imagine that your boss tells you, “I need a widget. I’m sure other people in the open source community have done similar things. Just go grab some code and slap it together by the end of the day.” Of course, that’s crazy. You can’t just slap code together. In what language is the code written? Will it play well with existing code? How complete is the API? What are the requirements? What about security? What about debugging?
Yet this is exactly how we treat privacy policies. We go grab some “open source” or “boilerplate” privacy policy, slap it together with a boilerplate Terms of Service, and think we’re good to go. But unlike poorly-written code which will cause an error as soon as it is compiled, you won’t know whether you’ve created a Legal 500 error for months or years—long after it’s too late to fix.
Privacy Policy Principles
The purposes of a privacy policy are to: 1. Help inform and train your employees about your privacy practices, 2. Inform your customers about your privacy practices, and 3. Avoid liability and FTC action. As I explained previously, adhering to the following principles will allow you to accomplish all three goals:
- Be Honest. Your mamma was right: Honesty is the best (privacy) policy.
- Don’t Over-Promise. Statements like “privacy is our top priority” may be enforced by the FTC as a privacy promise. Don’t box yourself into a corner.
- Don’t Under-Promise. Under-promising can violate regulations and more importantly, scare off customers.
- Tell the Whole Truth. Failure to talk about less-desirable privacy practices may be a misleading business practice.
- Be Complete and Conspicuous.
- Adapt to Changing Business Practices. A privacy policy which was accurate six months ago may not be today.
- Get it Right the First Time. Allowing yourself room to change will save headaches long-term, as material changes to privacy policies require additional consent.
- If you Say it, Do it. Generally no magic words are required in privacy policies. The best approach to avoid liability is to stick to your policy.
- It’s Your Business. As an executive, it’s your responsibility to make sure that your privacy policy is accurate and complete.
Custom Programming Your Privacy Policy
Nobody, especially the legislature, has solved your problems for you. If you create an innovative product or service, then it will raise new questions of law, ethics, and privacy which have never been asked or answered. You can’t expect that somebody else’s recycled privacy policy will meet your needs, any more than you can expect that recycling old code will yield innovation. Imagine for a moment that you have just developed an iPhone app. The app communicates with a smart scale using Bluetooth technology, then interfaces with the Google Health API to transfer a user’s weight history to the Weight Watchers website, then optionally posts the summarized results of the user’s weight loss to his Facebook page and Twitter account. Which of the following is true:
- You can adopt HIPAA as your privacy policy. HIPAA privacy rules apply.
- The FTC is interested in your privacy policy and practices.
- You can later use the weight & contact information to market your next iPhone app, “Smart Dieter.”
The answers may surprise you:
- False on both counts: 1. HIPAA is not a privacy policy. Nobody, especially Congress, has written your privacy policy for you. 2. Your customers are not protected by HIPAA regulations, because they probably don’t apply to you.
- True. The FTC is always interested in your privacy policies and practices, and even passing assurances of privacy like “Privacy is our Number 1 Priority” may be enforced as a privacy promise.
- Probably Not. Unless you have written a clear privacy policy that puts your customers on notice, you may be prohibited from reusing their personal information for any reason, even if they would have consented to such a use.
Your privacy policy must reflect your unique business processes, your unique business model, and your unique user needs. If you think that Congress (or anybody, for that matter) has answered the new questions of privacy raised by your iPhone app, then I have a bridge in Brooklyn I’d like to sell you. Even if HIPAA privacy regulations applied (which they almost certainly don’t), I can guarantee that they were not written with your app in mind. Likewise, if you are doing anything truly innovative, any canned privacy policy will fail to meet your needs.
Boilerplate legal documents can get people and companies in trouble. Although sometimes there are magic words from a statute or regulation that should be quoted in order to protect your rights, most boilerplate is not magic; it’s lazy. Lawyers do a lot of legal debugging, because improper boilerplate language can be downright harmful. Unless you do your own legal programming to meet your individual needs, you are sure to accidentally waive a right, break the law, incur the ire of the FTC, or create a contradiction and cause a “Legal 500 Error.”
A Living Document
Because technology, business needs, and information demands constantly change, you must consistently update your privacy policy to reflect those changes. Fortunately, privacy policies are extremely flexible documents, with very few formal legal-language or “magic words” requirements, so updating them is easy… if you remember to do it. CEOs often find that adapting a business plan to changing market conditions is time-consuming, and privacy policies can fall by the wayside.
Before you update your privacy policy, though, keep in mind that there may be consequences to making material changes. When you revise a policy, information collected under the former policy must still be treated according to the terms of the original privacy policy unless you get some sort of assent from your customers; otherwise you face the potential ire of the FTC. It is always better to get it right the first time.
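The “old data, old policy” rule above is something a data-handling layer can enforce mechanically rather than leaving it to memory. The following is an added illustration, not code from the article or from any product: each record carries the version of the policy that was in force when it was collected, and a purpose is permitted for that record only if the latest version the user has actually agreed to disclosed it. The version numbers, purpose names and sample records are all made up for the example.

```python
from dataclasses import dataclass, field

# Hypothetical policy history (not the article's): the purposes each version
# disclosed. Version 2 adds a marketing purpose that version 1 never mentioned,
# so data collected under version 1 cannot be used for it without fresh assent.
POLICY_VERSIONS = {
    1: {"service_delivery", "support"},
    2: {"service_delivery", "support", "marketing_own_products"},
}


@dataclass
class Record:
    user_id: str
    collected_under: int                        # policy version shown at collection time
    data: dict
    assented: set = field(default_factory=set)  # later versions the user has accepted

    def governing_version(self) -> int:
        """The most recent version the user actually agreed to governs this record."""
        return max({self.collected_under} | self.assented)


def record_assent(record: Record, version: int) -> None:
    """Store a user's acceptance of a newer policy; unknown or older versions are rejected."""
    if version not in POLICY_VERSIONS:
        raise ValueError(f"unknown policy version {version}")
    if version < record.collected_under:
        raise ValueError("cannot assent to a version older than the one in force at collection")
    record.assented.add(version)


def can_use(record: Record, purpose: str) -> bool:
    """Purpose check against the version that governs this particular record, not the current one."""
    return purpose in POLICY_VERSIONS[record.governing_version()]


def eligible(records, purpose: str) -> list[str]:
    """IDs whose data may be used for `purpose`; everyone else is simply left out."""
    return [r.user_id for r in records if can_use(r, purpose)]


if __name__ == "__main__":
    # Constructed sample records.
    early = Record("u1", 1, {"weight_history": [80.2, 79.6]})
    later = Record("u2", 2, {"weight_history": [91.0, 90.1]})
    print(eligible([early, later], "marketing_own_products"))  # only u2
    record_assent(early, 2)
    print(eligible([early, later], "marketing_own_products"))  # u1 and u2
```

The point of keying the check on the record rather than on the current policy is that a marketing campaign built on the whole customer list silently picks up data the company promised, under an earlier version, never to use that way.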
Take Charge
As an executive, do these three things:
- Read Your Privacy Policy. First, do you understand what the policy means? Second, how does the privacy policy translate to concrete business practices in each of your departments? Third, does the policy match actual practice? Fourth, what is missing from your privacy policy that a reasonable customer would want to know about? Fifth, what changes must you make to your business practices (or the privacy policy) to make them the same?
- Regularly Update Your Privacy Policy. Many companies have internal processes to regularly review and update business plans, department objectives, security, and compliance. Make sure that your privacy policy is on your list of documents to review.
- Do a Privacy Policy Legal Review. Avoid a “Legal 500 Error” by making sure that your privacy policy is complete and compliant.
Posted by Dennis Kuntz on February 10, 2010
by Dennis Kuntz
“This isn’t just a legal compliance issue for us. We consider the privacy issue to be an opportunity to reinforce our brand image.” – Tom Warga, SVP and General Auditor, New York Life Insurance Co.
Early in my career I accepted a job rich with challenges and opportunities. It was for a bank that was not yet Y2K compliant (and yes, this was pre-2000), was under a cease-and-desist order from the Office of Thrift Supervision (OTS) and had a very inefficient system that needed to be rewritten from scratch – from the front end all the way to the back.
They wanted the system completed in technologies with which I was cursorily familiar (though I at least had industry experience). In addition to rewriting the system, I was also starting it months after the OTS had wanted new “financial systems” to be completed (which did not enhance their patience in dealing with us).
On my first meeting with the auditor for the OTS to lay out my plan, I thought I’d break the ice by cracking a joke. I told him, “It’s not Y2K that worries me. It’s Y10K – those 5 digit years are going to be a bear.”
My attempt at humor was met with a blank stare, an uncomfortable silence, and then a humorless statement about the requirements we needed to fulfill.
This set the stage for my first real introduction to compliance – putting it in place, those that enforce it, and those holding you responsible for the first two items.
Putting Compliance In Its Place
Focusing only on compliance almost by definition limits its usefulness.
Many compliance standards change in order to encompass tactics that have already been tried. Bruce Schneier has covered this concept within the context of terrorism and explains how ineffective it is.
However, most compliance standards also have a “spirit” (or intent) in addition to the “letter of the law”. For example, HIPAA aims to protect “individually identifiable health information”; PCI aims to protect cardholder data, etc. By focusing efforts on embracing the spirit of the compliance standard, the end result is “compliance” and a vastly superior job at actually protecting information.
Answering for Your Efforts
Having to “answer for your compliance efforts” doesn’t always mean an audit.
Sometimes there is an internal role that oversees compliance efforts for the whole company. In my opinion, the best way to deal with anyone whose job it is to judge your efforts is to be honest (of course), but in a way that first seeks to understand their role.
When dealing with an auditor, try to understand what it is they are looking for (fellow contributor Jim McFee does a great job of explaining this perspective).
Often, auditors are looking for proof the “letter of the law” was followed, or otherwise properly addressed. By understanding the auditing procedures and general expectations regarding the compliance standard it is possible to position actions in a way that make sense, demonstrate compliance and reduce friction.
The advantage (albeit sometimes hidden) when working with an internal colleague is the simple fact that everyone shares the same corporate goal: achieve compliance and protect company information. Working toward a common goal makes a difference (along with a deep breath and sometimes a squeeze ball).
Using Compliance for the Greater Good
Information security compliance standards almost always receive the attention of those who may not normally be focused on information security risks: legal, management, etc. This is primarily because of the legal and financial implications of not obtaining or maintaining compliance.
This can be an advantage to manage the company’s risk.
Not only may decision makers be more willing within the context of a compliance effort to spend money on information security, but they may also be more open to education and awareness efforts.
Ultimately our job is to protect company assets and help to manage risk.
While on the surface compliance can simply be a necessary evil, when looked at with some creativity, most compliance efforts present opportunities to improve the security posture of your company beyond the requirements themselves.
Posted by craig.nelson on February 5, 2010
By Craig Nelson – special guest to The Security Catalyst

Is Cloud Computing right for your business?
Cloud Computing.
Is it right for you? Sure.
Is it right for your business? <crickets>
By now, many have adopted a “cloud”-based service for personal use (sometimes without even realizing it). The definition of “cloud” can be a bit fuzzy at times, but to keep it simple: it’s a service provided over the Internet (“the big cloud”). This cloud includes services (from “smaller clouds”) from providers that offer hosted email, backups, document editing, picture sharing, and even password storage.
By linking all of the “clouds” together via fancy software (running on our desktop or elsewhere), our computing experience is much more fulfilling (and certainly more complex).
Given the vagueness of the definition, we can all rest assured that we are on the cutting edge by using “clouds” for our personal productivity.
But, when will “the cloud” be adopted and considered mainstream by the small, medium, and enterprise businesses of the world?
Three reasons businesses choose the cloud
The business reasons cited for using “the cloud” are likely one or more of the following:
1. Lack of time or expertise (including security) to build and maintain an in-house solution.
2. Seeking the advantage/speed of new features that are released quickly.
3. It’s cheap (either free, or subscription fees).
Beyond simple points, consider the depth and complexity of each.
Software technology can be complex to learn, install (correctly), and run (correctly). It only takes one mistake to reinforce the fact that essential tasks — such as patching, backup and restore, and monitoring — are expensive and time consuming.
With a finite amount of time and resources, many choose to focus on the business and leave the technical challenges to someone else (the cloud provider).
At the end of the day, this boils down to ensuring the service is running with the right features to drive a fulfilling and non-frustrating computing experience.
Can the cloud be more secure?
Many security breaches are due to improper configuration and lax administration and maintenance.
These issues can be pushed into the provider’s hands, who can manage “low level infrastructure issues” in a cost-efficient way through economies of scale. When a security defect is discovered, it’s likely the provider can quickly patch all of the instances of the software, and centrally determine if the defect had any consequence (i.e. it was used to compromise data).
If additional security is desired, additional security controls can be applied, matched to the value of the information. For example, organizations concerned about protecting the privacy of their data may choose to encrypt it before backing it up into a cloud-based solution. The encryption will cost some additional CPU time, and add a bit more complexity to the restoration process. However, it’s a cost that can be readily accepted.
The Cloud – Personal
At a personal level, “the cloud” allows a consumer to do more with less, and allocate valuable time and money in other ways.
Individuals sitting on the sidelines, who don’t trust the cloud, will dwindle over time as reasonable mitigations are developed to alleviate concerns. For example, many online backup providers offer the ability to encrypt data with keys that are unknown to them (thus partially alleviating the concern that the provider’s employees can view data stored by its customers; I say partially because you still need to trust that the software is doing what they say!).
New services (such as Lastpass) are emerging to protect the most secret of our secret information (passwords). A few years ago, I couldn’t imagine that such a service would be widely adopted. However, now, it seems to be trickling into the “essential software” list of well-respected technologists.
The Cloud – Business
It’s a bit different at the business level.
Many businesses today are sitting on the cloud sidelines. This is because using the cloud for business purposes isn’t quite mainstream. From an architectural perspective, there are questions pertaining to the performance and manageability of cloud-based resources, and whether the focus should be on “private clouds” (locally hosted resources that use similar patterns and practices related to cloud computing) rather than “public clouds.”
IT shops, who for the last 10 years have been fighting patch management, auditing, and other security issues, need time to understand if the cloud can meet the dizzying array of requirements that have emerged from the “post-9/11 security boom.”
Is the cloud right for business?
So, is “the cloud” right for your business? This is a serious decision – one that could cost a business its reputation. Thus, it has to be answered with clear conviction rather than the typical illusion associated with security.
Here’s a start: ask these three questions and discuss the answers with your team – including your security pros – to start to find out:
1 – What regulations is the business subject to? What operational principles and policies does the business have? Can the cloud provider provide an adequate level of support? If not, can deficiencies be mitigated?
2 – Does the cloud provider offer security controls that allow an adequate level of protection? If not, can deficiencies be mitigated?
3 – Does the cloud provider offer a level of operational transparency, so appropriate metrics and logs can be used for monitoring and reporting?
About Craig Nelson
Craig Nelson works at Microsoft, and is the host of the Cloud404 Blog (http://blog.cloud404.com). His expertise and education is in incident response, computer forensics, and security architecture.
Greetings from Myrtle Beach!

February at the Security Catalyst Online
We did it.
The house is rented. We packed, sold or donated most of our “stuff.” We loaded up the RV and headed south.
More important, we are liberated. I feel grounded, connected and free.
The purpose of this change is to live simply and engage with more people – to seek experiences over “stuff.” Part of our focus on learning and living deliberately allows me more time to focus on the programming and content we provide through the Security Catalyst Online Experience.
In addition to our contributors’ powerful insights forged in the trenches (more below), this month we welcome some guest voices (and topics).
On tap for February
Our contributors have some great insights to share, including:
- The key to effective communication and overall success when working with others from Trish
- Martin explains how disruptive change, when well planned, crisply executed, and continually adjusted can enable organizations to “jump the curve” and function well above where they were previously
- Why we need more attention focused on the consequences of actions with a challenge to help prevent and reduce fraud from Sharon
- Using compliance to your advantage without doing damage; as a result – decision makers may be more willing within the context of a compliance effort to spend money on information security, but they may also be more open to education and awareness efforts from Dennis
- Aaron shares how to avoid legal 500 error with privacy policies
And I’ll be climbing back into the writing saddle – and sharing my focus for the year with the awareness that works™ column.
Guest Voices
Craig Nelson – a good friend from the beginning of my career – chimes in with his insights on how businesses can determine if “the cloud” is right for them.
We might sneak in another guest voice or two (and try to convince them to stick around for the balance of the year!).
Engagement is the key to success
I invite you to read, consider and engage: likes, dislikes and constructive challenges are welcomed!
Connecting and engaging in person is a rich experience, indeed.
To that end, we’ll be leaving Myrtle Beach in the middle of February and traveling to San Francisco with stops planned in Atlanta, Dallas, and Phoenix.
Are you along the way?
If so, I’d love to explore how we work together.
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 7)
The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, contact us to learn more).
So how do you implement in a way that gets results?
In this chapter, “Putting the Strategy to Work: A Pilot,” Michael explains the basic approach – with key insights – to engaging people in the process of protecting information. Learn how to select the pilot approach that works best, build the team and plan a strategy that drives tactical and strategic success.
There is no “one-size-fits all” approach, and this chapter lays out how to make the right decisions the first time. Get a jumpstart on success with this chapter.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going, support the shift in thinking and inspire behavior change by:
- Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
- Subscribing to The Security Catalyst podcast & blog to get more insights
- Learning more about The Catalyst Foundation Series – proven success for security initiatives to excite, ignite and turn insiders into allies who reduce business risk!
Go deeper Into the Breach with Michael Santarcangelo with EMC
Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. Learn how to harness the power of your people to inform and improve the risk management process in a matter of weeks. Go to www.configuresoft.com/securitycatalyst today to register, listen to the previously recorded sessions and get access to the latest session.
Posted by Sharon Shaw on January 27, 2010
By Sharon Shaw
Their SUV deeply submerged in a snowdrift, John and Starry, through marital “discussion,” determine their GPS might have been wrong to suggest that last turn.
Effective fraud prevention requires an encompassing approach that looks at the chain of events before and after the current point — often called a 360-degree review. Skip this step and you end up charting a course of action with results similar to John and Starry’s adventure. Blindly relying on technology alone, as John and Starry did, does not ensure an unscathed surfacing from a potential fraud whiteout.
Use the three Ps: Past, Present and Potential
Potential is only realized after acknowledgement of the present and the past.
Success in fraud prevention requires a plan that effectively uses all known facts, good or bad, and accounts for potential outcomes.
Accept the Past — No Matter How Unbelievable
Ask Harry Markopolos, the whistleblower in the Madoff downfall, how it ends if the reality of a situation is ignored. Had authorities taken heed of his earliest warnings the Madoff losses may not have been quite so devastating for so many.
As children we learn to avoid the truth (and responsibility) to escape the wrath of the unknown. As adults this learned response is sometimes forced to continue to satisfy unrealistic goals.
Accepting responsibility for what is happening is one of the hardest lessons to learn and some are determined to never master this ability.
Accepting the past – as it happened – is important in order to understand the path to effective fraud prevention in the future.
Realize the Present
Take a deep breath and acknowledge the current situation.
This is often an iterative process, and may require a bit more thought than initially expected. In business, it may initially appear that sales are being lost (and revenue declining) at an alarming rate. But is this the symptom, or the problem?
In this example, acknowledging the present requires going a bit deeper. Probe the cause(s) of the loss in sales. Is the service quality lacking, are delivery times unacceptable or is a competitor undercutting the pricing structure with major clients?
To uncover the truth often requires questions, conversations, patience and the stomach to face what the real challenge may be.
The upside of taking the time to do this is that preventing fraud is much easier when the real problem is known and defined. By dealing with the surface issues and ignoring underlying problems, the opportunity to prevent the seeds of fraud from germinating is missed. Only by removing the seed can fraud prevention be effective.
Harness the Potential
So where does the third P, potential, come in to play?
Once the problem is analyzed to the root, it needs to then be considered with the lens of “potential” – what will happen if action is not taken?
In our example, a loss of sales and revenue can easily put an organization out of business, and these effects can reach further still: they can have a detrimental effect on the community and the world economy as a whole.
Ready to strap on a cape and save the world?
Baby steps lead to great things and the first step is the most important.
Resolve to step back and engage the three P’s of a current challenge. By analyzing the real challenge, it is possible to take control, move forward and devise a more productive plan.
Taking control is scary; it means assuming responsibility for future, unknown events.
To Decrease Fraud Risks, Review The Alternatives
The effects of fraud may not yet be felt; however, if the situation goes unchecked, it may not be long until they are. Talk with those involved and ask what suitable solutions could be. If both sides understand and are committed to a common goal, an effective solution is easier to implement and has a higher chance of success.
Don’t hang up the cape yet; there is still work to be done.
The real problem has been found, the solution evaluated and a plan devised to implement that solution, so that’s it, right?
Wrong: the process is not complete.
Successful fraud prevention is a continuous cycle that never stops. A plan devised from future goals and past experiences must be continually re-evaluated in order to remain successful. Organizations and goals change from minute to minute, so what works to prevent fraud today may not work tomorrow.
To stay one step in front of fraud, prevention plans have to be continually adapted to encompass new discoveries.
The journey of fraud prevention is only successful if everyone involved is willing to communicate and share insights. The past is key to understanding how the present came to be, and without understanding the present, potential cannot be envisioned.
I challenge you to use the three P’s to improve one of your current activities and reduce the potential for fraud within the organization.
Share your ideas, questions and experience in the comments below to help us all improve.