IBM CEO Survey Insights On Customer Focus

The 2012 CEO survey conducted by IBM gives some interesting insights. Seventy-three per cent CEOs are gearing their organizations to gain meaningful insights from customer data. This is the area of highest investment.  The traditional approach to segment customer data to calculate statistical averages has been replaced with understanding the attitudes and tastes of individual customers.

The main aim of gathering holistic customer information is to devise services and products targeted at the customers and improve the response time. As stated in the report – “The challenge for organizations is two-fold: can they pick up on these cues, especially if the information comes from outside? And can the appropriate parts of the organization act on the insights discovered?” The graph depicts the main reasons for capturing customer information.

Further, the report mentions, that though most of the CEOs focus on capturing information, out-performers excel at acting on insights. The difference is innovation and execution. A quarter of the CEOs reported that their organizations are unable to derive value from the data. Speed of action is required to capture data, analyse, prepare strategies and respond to customers. As one CEO stated the most crucial characteristic is to “organize a major wake-up call.” The customer obsessed CEOs are driving the organizations to more contextual customer insights.  The graph below highlights the marked difference in under-performers and out-performers.


Risk managers can play a pivotal role in helping CEO’s achieve these objectives. They can focus on the following.

1.     Organization Culture and Process Change

A customer oriented organization culture is required to leverage the opportunities. Secondly, the organization needs to align the processes towards customer relationship management. Risk managers can conduct organization culture survey to assess customer orientation. Moreover, they can review processes to determine risks and controls to mitigate risks.

2.     Security of Data

The activity requires accumulation of extensive customer personal information. Generally, companies use separate data centres to collect and analyse the data. However, the risks of loss and theft of data is huge. As in the recent case of Facebook 1.1 million users’ data was sold for US $5. Therefore, it is a good idea to review security polices and test data centre security.

3.     Return on Investment

Data collection requires huge investments in technology and resources. As the CEOs are saying the failure rate is quite high. A review of projects, plans and strategy would identify the pain points and misdirected activity. Calculating return on investment on various programs might steer the investments in the right direction. Timely identifying failing projects and reasons for failure is critical to maintain cost effectiveness.

Closing thoughts

Technology and social media has brought customers closure to companies. The face-to-face customer interaction is gradually shifting towards social media. The companies that are able to navigate this transition successfully will outperform their peers in the industry. Hence, risk managers should support this CEO initiative to enable the organization to leverage upside risks.

What is your organization doing in this respect? How do you think risk managers should facilitate CEOs in this initiative?

References:

Leading Through Connections – IBM CEO Survey

Misunderstanding of Risks Between Business Teams and Auditors

PWC Internal Audit survey highlighted one critical shortcoming of Chief Audit Executives and Internal Audit Department. The risks that business teams consider critical are being ignored. I have been covering some of the risks on the blog, namely – people risks, competitive advantage, innovation and creativity, marketing, country risks, etc. According to the survey, more than 20% of the stakeholders reported that internal audit paid too little attention on these risks. Hence, the question is why are internal auditors and risk managers not looking at them. Take a look at this chart first.

PWC Internal Audit Survey 2012

From the survey results, two assumptions can be made. First, the internal audit function is still focused on auditing the processes that link to the financial numbers. Second, they are not understanding the business aspects of the organization. As given below, three things need to be done.

1. Understand business requirements

The situation reminds me of an Archie-Veronica joke. Veronica is trying out a new pair of jeans in a store. She looks in the mirror and says – “The jeans are tight, I wonder what could be the problem.” Archie promptly replies – “You might have gained a few pounds”. Veronica gives one whack on Archie’s head and again makes the same statement. This time Archie replies – “The store may have marked a wrong size on the jeans”. If the internal audit reports were hard hitting, business teams may give the internal auditors a rosy picture. They may not be sharing the true concerns in respect to various business risks. Hence, internal auditors would focus their energies on some unsubstantial risks.  Improve the communication with business teams to understand the risk environment. Create an environment where truthful interactions occur.

2. Add in next year business plan

Last quarter of the year has started today, and most of the organizations will prepare 2013 plans in this quarter. This is a good time to understand the business risks and prepare the 2013 annual audit plan and budgets accordingly. Coordinate with the business teams to understand their annual plans. Identify the risks relating to the plans. Discuss with the teams on how internal audit function can help them. Attempt using collective intelligence and crowd sourcing techniques to develop your plan. Where required, take a call to provide advisory services rather than assurance services. Business managers expect much more from the internal audit function. Hence, gear yourself to meet if not exceed those expectations.

3. Develop talent and skills

In the 20th century internal auditors audited the same financial numbers as external auditors. In the 21st century, the function requires revamping. In my previous article – “New Risks and Uncertainties in 21st Century” – I had conducted a poll. I had asked respondents whether they thought present day risk managers were equipped to deal with 21st century risks. Out of 17 total votes, 15 had responded that less than 50% of the risk managers can manage the new business risks. The verdict was by the risk managers about risk managers. Don’t be a dinosaur and learn new skills to survive in the market. In another 5 years when Gen Y become middle managers, Gen X may become redundant.

Closing Thoughts

With the turmoil in various economies, the 2013 risk landscape will be drastically different. Organizations that are well geared in risk management, have a higher probability of sailing through. Internal auditors and risk managers need to incorporate the impact of globalization, technology and social media in their annual plans. There is no purpose in serving stale bread and expecting business teams to swallow it. Rejuvenate in the new business age.

Wishing all my readers a Happy Gandhi Jayanti. Let us pray that each person believes a little more in non-violence and work towards a peaceful world.

References: 

PWC Internal Audit Survey 2012

Innovative Assurance and Advisory Services

The business teams mental picture of an auditor is of a guy focused on nitpicking financial accounts. The excessive focus from regulators on internal controls in finance processes has stereotyped auditors. However, in these dynamic economic conditions senior management expects internal auditors to break out of this image and become business partners. The question is – how can they do so? Let me share with you my story first.

My journey as an internal auditor changed in mid-nineties when I was an audit manager in an auditing firm. One day, I had a meeting with the client’s CAE to discuss the scope of work for the year. The client had in-house internal audit team and outsourced some areas of work. The CAE had mostly worked in UK and US, so was highly exposed to the international environment in comparison to the regular Indian CAEs at that time.

On starting the meeting, the CAE said – “Sonia, I think for the first quarter I would like you to cover marketing and customer service department.” I swallowed and nodded agreement.

He then continued – “Next quarter you can cover production”. I squeaked – “Production?” He replied – “Yes, shop floor audit would be interesting.” I tried to keep my expression under control and not show my shock, and again nodded in agreement.

He further added -”Last two quarters of the year, you can cover purchase department and inventory function”. I knew something about these two areas, so I tried to breathe. As the meeting closed, I started thinking how I am going to execute this scope of work. You see, there was a small hitch. I generally did service industry audit and this client manufactured cranes and forklifts. What does one audit in marketing of cranes? How are cranes produced? I was absolutely clueless.

As I drove back I wondered whether my boss had intentionally skipped the meeting. He knew if he had accepted this scope of work, I would have had reasons to crib. Now as I had accepted the scope of work, I couldn’t crib. If I did, he would say – “Sonia, you should have negotiated better.” So I took a small diversion and stop, before reaching my office. My boss was eagerly waiting and from his expression I knew he had already spoken to the CAE. It was a setup! I presented him the scope of work letter, my bookstore bill and the five books I had purchased on marketing function on the way back. He smiled gleefully.

I knew I was in trouble. In those days there was no internet and google in India. I tried to figure out how I  could convince my team that I knew more about marketing cranes than spell it.

Later on I realized that these assignments were the turning points in my career. They shook me out of my comfort zone and taught me a lot. While I could earlier rattle off the financial numbers of my clients, I really didn’t understand their business. What did they do? How did they make money? What challenges do they face in the market place? Without understanding the business, one could hardly do any value add.

So the relevant question is how can auditors become business consultants? Primarily internal auditors are driven in scoping their work according to materiality in financial statements. If we change the focus from financial to business, the scope of work automatically changes. I am sharing with you some of my ideas.

Of course as you read some of the suggestions the question will come up, does it fit into the third line of defense (internal audit), second line of defense (risk management) or the first line of defense (business teams). My view is that first an organization should decide, is this what they require? If yes, then they need to find an appropriate fit in their structure. Though some of these services do not fit the traditional sense of audit, they add a lot of business value. Moreover, the skill set required to perform these services is the same as an auditor or risk manager. The mindset has to be different.

The argument against it is that these are management responsibilities as some of these either appear to be focused on preventive or detective controls, and moreover do not focus on financial processes. The question to ask is – is management fulfilling these responsibilities in other functions? Additionally, if business risks and controls are not addressed, doesn’t it impact financial processes and income? Maybe, senior management needs to come out of the SOX mindset and think differently. Read on and share your views with me.

1.  Job Work Review

I am sure you must be wondering here – what is she referring to? As a corporate citizen you must have heard of management saying that with so many resources the work is still not done. On the other hand employees lament that they are over worked due to insufficient bandwidth. One wonders, are they talking about the same organization? Let me explain in detail as to what we can focus on here.

I had a banking client where the management and employees were in this tussle. Since it was an Indian nationalized bank, the tussle was fast becoming a labor union issue. Management appointed our company to identify the real work issues at a sample branch to resolve the problems. The branch had 50 odd employees and as a first step we asked them to fill a detailed form listing out their activities on a daily, weekly and monthly basis along with the time. We also gave time sheets for the bank employees to fill for a fortnight to record actual work done with time spent.

Meanwhile we analysed job descriptions, processes, MIS and business applications to assess the real activities performed by various departments within the branch. Finally, we conducted interviews with the employees to discuss our observations relating to their job roles and work done. We were able to identify duplicate work done, opportunities for minimizing manual work by using technology, improving processes, reducing time spent on non-value add work, restructuring department functioning and changing job roles. This improved the efficiency of the branch operations besides resolving the management problems.

In another similar assignment for a law office, we analysed billable and non-billable time spent by attorneys. By transferring the non-billable activities to other job roles, the attorneys were able to increase their billable time, hence directly improve revenues.

Point is, all managers are told to prioritize work. Ever wondered, what percentage of managers to do it successfully. Additionally, what is the impact on revenues because of failure to do so? Isn’t it worth checking out. Shouldn’t organizations focus on employee risks? Employee risks are turning big and are mostly un-addressed.

2. Build Risk Assessment Tools

The business teams are primarily responsible for managing risks, however are not trained on risk management. The internal auditors and risk managers have vast knowledge of business risks. Then isn’t it worthwhile to bridge this gap. Here I will give you an example of what we did for a software development company.

The program managers were running million dollar software projects. As you know, the project risks impact cost, quality and time of the project. The software development teams focus more of running the project than doing project risk management. Hence, we developed an excel tool for them. The spreadsheet contained over 600 risks on various stages of a software development project. The project manager just had to assess whether a risk was applicable to the project and select a listed risk mitigation plan. S/he had to input the name of the person responsible for managing the risk and time schedule. In rare cases only, project teams identified a new risk, that we incorporated in the next version of the tool. An activity which took the project teams days of discussion could be completed within a day and project manager could review the risk status within an hour on a weekly basis. An overall organization count was available on risks occurrence, success/ failure of mitigation plans and risk losses.

Empowering the business teams with appropriate tools to conduct risk management is far more beneficial than a post facto audit. A reduction in risk loss directly improves profitability.

3.  Process Design Review

Internal audit and risk management functions generally are not involved in the process review at the designing and re-engineering stage. They audit the process after it is functioning and then identify control gaps and give recommendations for improvement. Doesn’t this sound like attempting to catch an elephant by its tail. I will share with you my ideas on this area.

When an organization is establishing its back offices, usually the processes are migrated with the same controls as were existing before. However, the risks and control requirement change considerably on process migration. If an auditor reviews the process and standard operating procedures at the process migration stage, not only business risks will be addressed it will save a lot of time in doing a subsequent audit. Additionally, management will be able to identify whether the process is high, medium or low risk and budget risk loss accordingly in the cost-benefit model.

The same applies when management is re-engineering processes according to six-sigma or lean or any other model. Sometimes on re-engineering processes, the existing control steps are removed to reduce work time and improve efficiency. However, no other compensating controls are put. This increases the risk of the process without management’s knowledge.

Reviewing processes proactively for controls and risks reduces probability of subsequent damage due to control failure. It significantly mitigates fraud risk also. Moreover, it reduces the audit time significantly.

4. Software Implementation Review

Again I see here that auditors review application controls at the time of SOX or financial audit. An assurance  needs to be given on the technology controls. However, the cost of changing an application program after implementation is 3-4 times the cost at the time of development. Hence, doesn’t it make sense to review the software program at the time of implementation, whether it is an ERP or customized application.

To demonstrate the value of the work, I am narrating my experience of doing an assignment for a government tax department in India. The department was implementing technology for the first time to improve tax collection. According to its estimates because of the manual systems and delay in collecting information, it was losing revenue in millions due to tax evasion. They had appointed a hardware vendor and software vendor, and then my organization for auditing. We worked with the department to review the technology implementation strategy, user and functional specifications for controls, network diagram for information security and conducted application controls testing. This saved the department from various problems that would have occurred after implementation.

Proactively addressing technology controls saves the organization subsequent cost of changing them and mitigates the risks occurring from control lapses. Conducting an ongoing review of implementation of critical business applications is beneficial.

 5. Policy Decisions Review

Now this is something that most auditors and risk managers do not go near as policy making is management responsibility. However, I am going to narrate an incident here, and let you decide whether it makes sense to re-look the policies.

I was conducting a financial statements audit of a consumer goods trading company. While checking the discounts given on a product, I realized that the total discount given was eroding the profit margin. The company had various discount categories, for instance – special discounts, festival discounts, dealer discounts etc.. However, it was not calculating the total of these discounts for each product. Hence, didn’t realize that though the sales were increasing the discount policies were faulty and eating away the profit margin. I did a marginal costing analysis, and assessed that if they continued with this policy the company will lose its “going concern” status in three years. Management was horrified on seeing my report and realizing that various discount policies cumulatively could have such an impact.

Look at it from another angle. If you see the banking sub-prime crises, maybe a review of the policies to give loans to financially weak or unstable income borrowers would have reduced the risk. If the banks had just disbursed loans to this category to a small percentage of the total retail lending, this situation may not have occurred. Conducting an audit after loan disbursement and commenting on the quality of loans hardly helps.

My suggestion here is that when policies are issued, they need to be reviewed for financial and risk impact. Issuing single policies doesn’t sound like a big deal, however when sum total impact of a group of policies in a specific area is analysed, the picture is quite different.

6. Fraud Risk Assessment

In a speech given by Governor, Reserve Bank of India to Institute of Chartered Accountants of India in December 2011, he said – “The profession has shied away from the responsibility for prevention and early detection of fraud.” This is a valid allegation, although fraud risk is increasing at a tremendous rate, most organizations lack focus. Banks have fraud risk functions, however they are more focused on investigations. The thrust on fraud prevention can be improved.

Let me give you an example here. In India either banks are shifting back office operations or outsourcing it to vendors. Now these back offices have multiple processes, mostly run by people who are service delivery experts. The teams sometimes lack banking industry knowledge and are clueless on fraud risks of the process. At the time of process migration, training is provided to detect transaction level fraud. However, if you ask the process owners whether the processes they are running are – high, medium or low fraud risk, they will be unable to answer that.

I had once with my team developed a fraud risk assessment tool for banking back office operations. A weight was given to each data item that could result in fraud. For example, an employee having access to customer information can conduct account takeover fraud in a call center. The information normally required is name of the customer, account number, address, date of birth and debit/credit card number. If this data is available, the probability of fraud increases. Hence, the tool captured the data availability for each process and calculated the level of fraud risk for the process. Management and process owners knew the high fraud risk processes and could allocate more resources to fraud prevention to these processes. Incorporating controls in these processes reduced the overall fraud risk of the organization.

As mentioned in an earlier post, Kroll Fraud Report of 2011 states that globally organizations reported on an average 2.1% of earnings loss due to fraud and nearly 1/5 of the organizations had 4% earnings loss. In case of senior management involvement, for instance – Satyam, Enron, WorldCom, – organizations are nearly wiped out. Fraud risk additionally impacts financial, reputation and legal risks. Hence, organizations definitely need to focus on it.

 7. Review of Management Programs

Management initiates various programs, namely for – innovation, research, quality improvement, leadership development, etc. There is a lot of time and money spent on these programs as these enable the organizations to gain a competitive advantage. Risk managers talk about competitive advantage risks, however these programs do not come under the review radar of either internal auditors or risk managers. They check that the cost of programs is booked correctly, and are unconcerned about the success of the program and/or reasons for failure. Reason being, no obvious risk is seen.

My view is that if a program is developed to gain competitive advantage, then obviously its failure results in increasing competitive disadvantage. That increases business risks. These risks might not be immediately quantifiable, but have long-term impact. However, the reasons for program failure are not obvious and results in sunk costs for the program.

For instance, in a company I had run an organization survey to get feedback on implementation of a quality framework. Normally, negative feedback identifies the following problems – lack of senior management support, insufficient training, lack of implementation support, no hand-holding done in first project etc. In the feedback given, the respondents stated that these issues were addressed well and they had no complaints on these fronts. However, they were not motivated to use the framework because their was no reward or recognition system in place for doing well in this area. After implementing an employee bonus scheme for adopting the framework and using it well, participants commitment levels for the program improved.

As I had mentioned in an earlier post “Creativity@Risk“, organizations innovation programs may not be effective because creativity is not valued. I had given steps to audit creativity levels in the organization. Think of it, if innovation and research is failing, don’t the competitive advantage risks increase. How are organizations calculating and addressing these risks?

8. Brand Building Programs Review

Organizations are investing heavily in building brand names to gain competitive advantage and customer loyalty. They run advertising, social media and corporate social responsibility programs geared towards it. However, some are succeeding in their efforts, while others are reaching nowhere, specially Indian companies. For example, the global Brand Keys Customer Loyalty Leader report of 2011 in the top 100 brand names doesn’t even mention one Indian company. Hence, the question is where are all the advertising and brand building budgets going?

A review of the effectiveness of these programs helps to build better customer relationships. For example, some banks to get Gen Y customers have launched games on their website. If a customer logs in and does some transaction or activity on the website, s/he gathers points. After accumulating certain number of points, the customer is given a small gift. It is targeted towards building customer retention and loyalty. The cost of the program is low, impact is high.

Another aspect now facing organizations is social media risks. Any negative information that goes viral can damage the company reputation. Hence, the probability of reputation risks has increased. To ensure that these are properly mitigated and the programs are effective, these programs can be periodically reviewed.

9. Strategy Review

In an earlier post I had mentioned a point from a McKinsey report. It states that just 8% of the respondents said that their organizations review strategies on an ongoing basis. In 42% cases, the organizations were not conducting annual reviews of strategy. Now without reviewing the strategy, how do organizations really know where they are heading.

In another recent report of Economist Intelligence Unit  titled “The Long View” the key observation was that – “The time horizons for strategy and risk are often misaligned. Some companies are making longterm strategic plans without a proper consideration of the associated risks.” The main reason is that risk management is considered an operational activity rather than a strategic function. This is highlighted by the fact that just 24% organizations think that risk analysis is vital for strategy development.

To illustrate the need for strategy review, I am narrating an incident. I was pitching for work to a CEO. He handed me his strategy documents for building 100 collection centers. I analysed the numbers, and realized that though the revenue numbers and assumptions were correct, the costing was not so. I visited a few collection centers, developed an operational plan and costing analysis and submitted the revised numbers. When the CEO saw the numbers, he asked me for my recommendation. I said in a straight forward manner – “If I was in your position I wouldn’t implement this project. Though revenue numbers are good, the break even point is at 75%. There are no quick earnings and failure probability is high.” The CEO agreed to my observation and project was not undertaken.

As I persistently continue to make this point, strategy review is essential for success. A lot of funds are wasted on wrong strategies. Start with focusing on the strategy formation process and reviewing business strategies to move up the value chain.

10. Business Continuity Plan Review

Most organization dependent on information technology have disaster recovery plans and/or IT recovery strategies. Few have developed and implemented full-fledged business continuity plans envisaging various  natural and man-made disasters. Although, with the increasing frequencies of floods, earthquakes, hurricanes and terrorist attacks this would be an obvious move. Last year the earthquake in Japan and floods in Thailand caused problems for companies worldwide whose vendors were located in these countries. The supply chain broke down.

Conducting a business impact analysis requires breaking each activity in the business process as critical, necessary and optional in case of a disaster. These activities might be required in normal business functioning but not in a disaster scenario. For example, for a bank having credit card operations running 24/7 is critical, however a loan application approval process can be delayed without a big problem for a couple of days. A solution is required for all critical activities. For instance, in 9/11 attacks in US, the Amex center in Delhi acted as the back up center for US offices. It was one of the few companies whose customers didn’t feel any impact on customer service due to the incident. Hence, ensuring that all critical activities have a backup facility with trained resources operable in a short time span is critical for business continuity.

A review of the plan and testing documents ensures that there are no gaps and all possible disaster scenarios are covered. A periodical review is required as sometimes processes and business change, while the business continuity plan is not updated.

Closing Thoughts

To provide value add to business, auditors and risk managers need to focus on these services. Big 4 earn most of their revenues providing these services to clients as few companies have developed in-house capability.  Though some organizations have shown progressive thinking and renamed internal audit departments as business assurance and advisory function. One arm of the department focuses on regulatory requirements of internal audit and the other arm focuses on providing assurance and advisory services to various stakeholders within the enterprise. The cost of setting up the function is low, the rewards are high.  Senior managers just have to re-imagine audit and risk management functions. It will be worthwhile.

References:

  1. The long view - Getting new perspective on strategic risk by Economist Intelligence Unit
  2. Brand Keys Customer Loyalty Leaders 2011
  3. Challenges to the Accounting Profession Some Reflections – Speech of  Dr. Duvvuri Subbarao, Governor of Reserve Bank of India on 16 December

Fraud Symptom 10 – Lapses in Information Assurance

The 2011 report of Panda Security titled “The Cyber Crime Black Market: Uncovered” discusses the way the crime organizations work to steal data and conduct frauds. The report mentions the ongoing rates for bank customer data – credit card information is sold between US$ 2 to US$ 90, depending on the nature of the card and information. European card details attract a higher price than US and Asia. The report mentions the roles of programmers, distributors, tech experts, hackers, fraudsters, cashiers, mules, tellers, and social engineering experts. They all have a role to play in the crime scene and collaborate to conduct high-level frauds.

In light of the increasing threat of cyber crime, information assurance plays a critical role in organizations, especially financial institutions. Media regularly provides cases of cyber attacks, which provide an external perspective. However, the foundation for sound information security is laid within the organization. Any lapses in this area, signifies a high risk of fraud. I am here giving some examples on how to identify the issues excluding the regular network breaches.

1.  Commitment to Information Assurance Policies and Procedures

The first indicator of lapses in information assurance appears on evaluating the information assurance policies and procedures. The questions to ask are – does it cover all sources of data leakage, does it monitor exceptions, how is the implementation and are regular audits conducted to ensure adherence.

To illustrate, I had once prepared an information assurance polices document for an organization. According to my estimate, on approval of the document, the implementation time was three months. However, to my surprise the management did not approve the document for over a year, despite repeated reminders on high exposure to information risks. I subsequently discovered that some senior executives were conducting frauds and laying the blame on the juniors. Their problem was that if the policies were implemented, they would not have easy escape goats.

2.    Level of Application Controls

Most organizations still lack focus on application controls – the basic input, processing and output controls and access controls. Access to critical information is available easily and hence can be stolen.

For example, in one case I had found that a VISA card application could be accessed by the employees working on the process from their homes or any internet café. Interestingly enough, all the customer information of the cards was visible outside of office premises and machines.

In another case, a Master card processing application of a bank had no input controls and verification controls on the amount. The employee could pass the transaction for US$ 5 million, when the real amount might be just US$ 5. The whole transaction was processed without verification checks and the only control available was at Master card office.

3.    Back-end Logs

From a fraud detection perspective, back-end logs are crucial. They provide the information of access of various accounts by employees, transactions conducted and the whole trail of activities. Analyzing the logs helps in identifying suspects.

However, some companies give the weird logic that maintaining back-end logs is expensive; hence, we do not keep them. With the cheap data storage facilities available, the organizations are losing the best tool available to them for fraud detection.

The second risk of back-end logs is that the information security personnel can play havoc with it. For example, if they have participated in a fraud, they can remain undetected. The simple process employed by deviant information security personnel is to download the back-end log, tamper with it to remove their own access trail and in its place put some other employee’s information. This way when the fraud is investigated, the other employee becomes the suspect.

These are just a few examples on how lapses in information assurance increase the risk of frauds.

Recommendations

To ensure that the organization is adequately covering information assurance risks, do the following:

a)  Implement information assurance policies and procedures.

b)  Put a system in place to regularly monitor adherence and address exceptions

c)  Conduct ethical network hacking to assess security vulnerabilities

d)  Review all critical applications for controls and mitigate the major weaknesses.

e)  Segregate duties of information technology and information security personnel to ensure that they do not tamper with the application. Build in some checks to monitor their activities.

f)  Investigate all breaches and incidents to determine the root cause analysis and make the environment more secure

References:

The Cyber-Crime Black Market: Uncovered by Panda Security

To read more on Fraud Symptom series, click here

High Drama Surrounds Information Leaks

This week leaks of confidential information got the world’s attention. US faced the damaging consequences of WikiLeaks and India heard the controversial Radia tapes.

Senior political leaders world over were embarrassed by the derogatory terms US officials used to describe them in the cables. Some reacted angrily to defend their image. A few strong international relationships are now on a rocky path. Time will tell whether they will be able to sustain the relationship in this turmoil or end up warring with each other. Meanwhile US government is attempting damage control by pressurizing Julian Assange and related parties to close the website.

High drama is surrounding the tapes transcripts leaked in India of Nira Radia’s conversations. Prominent personalities in politics, corporate world and media are facing the heat. Allegations are doing the rounds for lobbying, corruption and frauds. Public is now skeptical about their integrity and leadership.

The question which comes up is – are these leaks good for the society? Is this benefitting society in the long run or is this just another attention seeking method and will pass away when bigger news breaks occur.

In this post, I am putting divergent views of the benefits of the leaks. The first post – “Julian Assange and the Computer Conspiracy; To destroy this invisible government” from zunguzungu blog highlights the benefits of the leaks as it frees citizens from authoritarian leadership. The post gives an excellent intellectual argument in favor of leaks.

The second post- “The Nira Radia Tapes: Making the Wrong Call?” from Disbursed Meditations, Nandini Krishnan’s Blog, is a humorous take on the plight of prominent leaders. With emails and tapes being leaked, and frequency of sting operations increasing, the working style of corrupt officials is severely impacted. How pray are they going to function now?

In the third section, I have put two videos of Barka Dutt. In the first video, she is clarifying her role in Radia tapes leaks. In the second tape, she is discussing WikiLeaks expose.

The question is will these leaks ensure better governance, force leaders to maintain integrity and reduce corruption? Are these in public interest? Read below and think about it. Click on the headings to read the full post.

1.     Julian Assange and the Computer Conspiracy; “To destroy this invisible government” (via zunguzungu)

“To radically shift regime behavior we must think clearly and boldly for if we have learned anything, it is that regimes do not want to be changed. We must think beyond those who have gone before us, and discover technological changes that embolden us with ways to act in which our forebears could not. Firstly we must understand what aspect of government or neocorporatist behavior we wish to change or remove. Secondly we must develop a way of thinking about this behavior that is strong enough carry us through the mire of politically distorted language, and into a position of clarity. Finally must use these insights to inspire within us and others a course of ennobling, and effective action.”

Julian Assange, “State and Terrorist Conspiracies”

The piece of writing (via) which that quote introduces is intellectually substantial, but not all that difficult to read, so you might as well take a look at it yourself. Most of the news media seems to be losing their minds over Wikileaks without actually reading these essays, even though he describes the function and aims of an organization like Wikileaks in pretty straightforward terms. But, to summarize, he begins by describing a state like the US as essentially an authoritarian conspiracy, and then reasons that the practical strategy for combating that conspiracy is to degrade its ability to conspire, to hinder its ability to “think” as a conspiratorial mind. The metaphor of a computing network is mostly implicit, but utterly crucial: he seeks to oppose the power of the state by treating it like a computer and tossing sand in its diodes.

He begins by positing that conspiracy and authoritarianism go hand in hand, arguing that since authoritarianism produces resistance to itself — to the extent that its authoritarianism becomes generally known — it can only continue to exist and function by preventing its intentions (the authorship of its authority?) from being generally known. It inevitably becomes, he argues, a conspiracy:

Authoritarian regimes give rise to forces which oppose them by pushing against the individual and collective will to freedom, truth and self realization. Plans which assist authoritarian rule, once discovered, induce resistance. Hence these plans are concealed by successful authoritarian powers. This is enough to define their behavior as conspiratorial.

2.    The Nira Radia Tapes: Making the Wrong Call? (via Disbursed Meditations, Nandini Krishnan’s Blog ) 

So, the question is, how do the movers and shakers of this country keep the corruption rate intact without getting themselves into any trouble? Here are some covers that could provide our politicians with fool-proof meeting ground:

Host more parties: Munching while talking should be a good enough code, the noise would buffer…ahem, diplomatic conversations, entry is by invitation only, and since most politicians will be in attendance, the process of Chinese whispers should be quicker.

How do politicians party when the nation’s in disarray? Well, they could consider not confining their secularity to the Iftar season. With Deepavali, Christmas, Pongal, Bihu,  Holi, chhath puja, Ganesh Chathurthi, Rath Yatra, Dusshehra/ Navaraatri/ Pujo, there are opportunities through the year to host festive dinners.

Buy more IPL teams: It’s hard to conceive of a manner in which the tournament could be further tarnished. With a couple of teams having been booted out, the round-robin pattern could run into problems unless more purchases are made. Chances are that viewership will decrease anyway. A good time to buy, one would say.

3.      Barkha Dutt

The two different faces of Barkha Dutt. Which one is more credible?

If you wish to see India’s high profile editors squabbling like kids, this is a must watch. Though she tried her best, Barkha didn’t manage to come out as an innocent victim of a conspiracy. She did manage to convey that while she loved her job of putting other people in a spot, she herself reacts badly when put in the spot by others.

Watch her interview on WikiLeaks Expose and you will be completely entertained with the contrast in emotional reaction and professional stance.

What do you say, will these leaks improve governance in the society?