So having heard two techie views, one from the outside and one from the inside, I would like now to switch to a more, say, legal view. So having not so much a technology in view, but the consequence and risks from a monetary and regulatory side, please welcome Dr. Scott David.
Hello, Scott. Thank you. Great to have you here. Great to be here. So you're a Fellow Analyst of KuppingerCole, right?
Yes, indeed. But you're also, and I hope I state that correctly, the Director of Policy at the Center of Information Assurance and Cybersecurity at the University of Washington.
Yes, indeed.
What do you do there?
So we have a program at the University of Washington, which has an open style of research for national security and other security issues. So for instance, one of our past graduates went on to be the head of China CERT, even though he was educated in this program in the United States. So the idea, without security clearance, is to create a neutral space where representatives from different companies, different countries can come in and talk about common security issues.
Hmm. Interesting, interesting.
So is that Chatham House rules style, or
Varies, depending on the program. We have a number of different programs: the educational programs, other programs that we have, publication programs, different kinds of conference programs, things like that. But the idea is to really create, find out where there are common issues that we can create some infrastructure, some security infrastructure that's shared across different paradigms, instead of focusing on the conflict all the time.
Okay.
Oh, interesting. So how do you see this firewall turn down approach?
I mean, well
That
Breaking down a perimeter from an attorney's view,
Well, it's actually a perfect segue into what I'm gonna talk about. One of the things that I'm gonna mention in the slides is that secrecy has died, but privacy and security don't have to die with it. And so if you keep an old strategy, it's like a program running in an inappropriate circumstance. So we're relying upon old views, as Robbie and other folks have said, but they're not fit for purpose in the new condition that we're facing.
Okay. Very interesting to hear about that.
Thank you very much about your talk I a clicker
I'll clicker.
Thank you.
Oh, it's a two-button binary clicker. That's very nice. So I wanna talk, as I mentioned before, about mapping, mitigating and mining risk, really in a new set of dimensions. The idea that I want to talk about is three parts, really, and they're kind of blended in the beginning. There's a risk mapping idea, and that's really just understanding what we're talking about. The fundamental answer to the question, spoiler alert, is that risk is a shadow of organizational value. Anytime you have value, you have risk.
I know that sounds like a lawyer's view, and indeed it is, but if you don't care about the value of something, you don't have risk. Risk mitigation: one of the things I wanna talk about is how do we govern, and Robbie was alluding to that before. How do you govern in a situation where you have a very permeable membrane at the end of any organization?
And what I wanna talk about is outsourcing, something very familiar, as a model for moving from outsourcing, which really is a notion of a provisional type of governance, which we'll talk about, and moving to a notion which is more positive in interaction, which is inter-governance, the idea of governing the gaps. And then thirdly, I wanna talk about, I think it's eight or nine, eight different trends that are coming up that are affecting everyone.
As I was mentioning just a moment ago, there are some things that affect all of our organizations, all countries, all companies. They're intrinsic in the structures that we've been adopting. And if we don't deal with them directly, then we won't be effective. So the first notion is the idea of mapping the edge of organizations, the key issue. And I'm not gonna read the slide. So I'll leave that to you.
Mostly, they're not so much text, but the key issue is that boundary. There are many different kinds of boundaries. We're not talking about physical. We're not talking about managerial only. We're talking about a variety of different things. Any metric becomes a boundary. So start thinking about the concept of anytime you see a measurement, that's a purported boundary. There's something being measured and a performance being measured against that. So I wanna go through a few slides on the outsourcing notion. So companies once did this: extending credit. Then we moved on to credit cards,
where there's a third-party network that was engaged. So think about that. Companies had a risk, they outsourced the risk to credit cards. Now there are other risks. Whenever you outsource, you don't get rid of risk. You just change your risk, but presumably credit cards do it better than chasing after the people who owe you money.
Companies once did this: this is payroll. And then this came along: standardized payroll network companies.
Oops, there we go. Companies once did this: shipping. I think it's an interesting combination of foods they're selling there, but shipping. But then this came along: FedEx and UPS. Companies once did this: advertising. Then this came along: TV and then the internet. Companies once did this: data processing internally. Well, then this came along: server farms. I think that a lot of it was extra capacity that corporations had that they wanted to reuse, but in any event, the data handling function got outsourced.
Well, companies once did this: identity. And this came along: the internet. And so intrinsically, when you started adopting internet technologies inside companies, you opened up your enterprise, whether you liked it or not. We didn't really understand that at the time; it was just convenient.
So it was an organization, in a sense a big organism, but it doesn't have an identity layer. So the question is, now we need to solve for X: what's the risk associated with that adoption? It's almost like we did the adoption, but now we're trying to figure out what we've done to ourselves.
So these, again, I'm not gonna read the slides, but we need to solve that risk issue. So anytime we have a system, and institutions are systems, are knowledge management systems in a sense. Obviously some institutions have a governmental purpose, some have a commercial purpose or a variety of other purposes, but at the edge, there are always monsters; at the edge there be monsters. I read a book, incidentally, that indicated that the monsters were first created by early map makers for competitive advantage.
What they were trying to do is suggest that the other people's maps were inadequate and that the unknowns actually were a problem.
So it was a competitive issue among mapmakers, apparently, with monsters.
So again, going back to those edge risks. So think about your organization. Think about this firewall. There's a notion as if there was actually a wall there. We use that idea, conveying that there is a wall. How high is the wall? How thick is the wall? Well, it's all just conceptual. What do those edges look like? One of the big messages I have here is that the conference sessions that we're gonna engage in are part of this process. We're actually doing provisional governance right here, and we'll get back to that in a minute.
So one of the things about the edge: the edge forces innovation. There's a French literary movement called the Oulipo movement. My pronunciation may be wrong, but the authors in the movement actually caused themselves arbitrary constraint to induce creativity.
So for instance, one of them wrote a novel without using the letter E, or one of the people in the movement died and they wrote a eulogy just using letters of his name. So they were using constraint to invoke creativity.
When we have constraints, regulatory constraints, the laws of physics, it depends on what your organization does, those constraints can be seen as opportunities for growing and understanding that constraint, and then embracing that in a sense. There's a book that was written recently called Governing Failure. And it was about financial work in the development era in developing countries, written by a woman, Jennifer Best. And she came up with a concept of provisional governance. And what she said is what happens with organizations at the edges.
And again, using the development context, these four things happen quite often: you have emphasis on standards, you have harm and risk management emphasis, performance measurement, and clarifying interest.
And she meant that as property interest in that context. But if you look at these, these are kind of what we're talking about here. So we have a sense that actually we're engaged in provisional governance, and what I'm in fact inviting is the idea that provisional governance isn't something that's going to happen in the future.
This is a delegation now assembled to do provisional governance. And we'll talk about the specifics in a minute, but think about those things. When you see standards, the risk management idea, performance measurement, and clarifying interest questions during the conference, you're seeing provisional governance, and each one of those is an opportunity for your own organization to grow. So one of the things I'm gonna talk about here is the idea that provisional governance is really where institutions are born.
It's process innovation in a sense, because it's forced sometimes, because again, that idea of the constraint. But one of the things that has been investigated by gentlemen named Porter and Ronit: they looked at, I think it was a couple of hundred different organizations, primarily European.
If I recall correctly, I think they were from the Netherlands.
I may be wrong on that, but they looked and they said, well, what's common across all rulemaking organizations, whether it's legislative, self-regulatory, et cetera? What's common were these five steps: agenda setting, problem identification, decision being made on those problems, implementation, and then review. It's a feedback loop. So if you think about it, at the edge of your organization, you're encountering things that are unfamiliar. If you engage in these problems, say, well, I have an agenda. We just had a problem. What's the problem? Let's talk about it.
Let's make a decision about it. Let's implement and review. And in a sense, you're mining that edge, constantly probing that edge. That is characteristic both of internal processes and of on-the-edge processes. And what I'm asserting is that because it's characteristic of rule making in institutions, and all institutions are rule makers in some sense, whether it's internal rules or outside rules, because it's characteristic of both the internal and external rule making, that allows us to start to take that externality and bring it into the organization.
And I think that goes to Robbie's point earlier about one of the issues of how do we engage this? What does this look like? And really it's an ability to be innovative about your processes, not just your products. So that's the point I was just making. It's cultivating that inter-governance in a sense. If you have an organization, you're encountering challenges at the edge, you're gonna say, I have a failure there at the edge.
And it's provisional governance from the perspective of inside the organization, 'cause you're saying, I like to do X. Now I have to do X plus one; that's provisional. We really wanna return to X when we can. But what I'm asserting is when you have the collective of organizations all engaging in that activity, finding externalities that they're not used to, everyone has the same problem at the same time.
And that's wonderful. As a transactional lawyer for 30 years, when you see people in the room and they think they're conflicting, but they actually are experiencing the same problem,
you know you're gonna get to a good solution. So let's talk about how that inter-governance might start. Each one of your organizations has a provisional governance setting right now. You have failures at the edge somewhere, minor, hopefully minor, but if they're minor or major, how do we convert that notion of, oh, this is a problem, into being an opportunity? So here's the internet, and this is a couple years old. So there's even more spaghetti in the bowl now. And you're here; there we are, right there. So how do we start to unpack that? How do we start to make that have some sense?
Well, these are some pictures; I didn't take them, but they're from New York, where I'm from originally, now in Seattle, in Washington.
But these are pictures of districts in New York. So one of the things that can be an opportunity for starting to crystallize some of the communities is to start to look for communities of interest. So for instance, on the pictures here, in New York there's a plant district, there's a fashion district. And people have known about that. There's a financial district and a lighting district.
The people have gotten together because there's an affinity, a community of interest in the economics: their supply chains are similar, their financing structures, their customer relationships. So they tend to aggregate. Another reason people aggregate is cultural: there are language issues. So we have Greek, Russian, Italian, and Chinese neighborhoods in New York. So those are natural things that drew people together. Within the complexity of New York City, people find each other and they find communities.
What I'm suggesting is that when people have common challenges, like we are gonna talk about in the conference here, those are also communities of interest, right?
They're not yet as familiar to us as some of these, but they will become familiar. And I think Martin was alluding to that before, that he takes less time now to explain what he does sometimes. So here we are, here's the world, and we have networks. And so how might we get started?
Well, this is a list. If you wanna find communities of interest and community of interest governance, look at this: the green is what we call the type of entity. It's a group of entities, and the blue is their output. So you can find those artifacts. So you look at markets, for instance: well, they come up with trading metrics. So if you're on an orange juice exchange, it'll be a different set of trading metrics than you find in a stock exchange, for instance. And then you have standard setting organizations and a variety of these things.
So some of these are governance and recognizable. Some of them are inter-governance types of settings, where people come together and have an output to normalize their externality. And I think one way to say it is that primarily security is moving from a situation of excluding the externality to rendering the externality innocuous. And if a number of people simultaneously render their externalities so that they're not threatening, that's a sustainable type of security.
So one of the problems you have is that every company or every country, everyone's doing it, is trying to promote their own agenda. And so what do we do? What does it look like when you have organizational edges coming together again? What do those Frizzle of those opportunity spaces look like?
Well, this is a diagram that I actually used in some work we're doing with the United Nations right now. What those are, are phase space diagrams.
It's the idea that when you make a decision, you know, if I leave this room and I turn left, I might find a Euro on the ground. And if I turn right, I might get hit by a car. So the idea is, as phase space opens up, you change your future. And these are just phase space diagrams of com organizations, B, C and D.
And the fundamental idea with the UN is, as I said, that when you have that intermediary norm or set of ethics or a concept, then it can make B, C and D more neutralized. You identify the commonalities, as I was alluding to before, among the organizations, and that can change the conceptualization of their risk. So now I wanna talk a little more specifically about these eight things, and each one of the next slides will be one of these eight.
These are the fundamental challenges that are facing every one of your organizations and every organization and every national organization, as we alluded to before. And I wanna talk a little bit about the specifics of these and what risks they provide and what opportunities they provide as well. This is one of the most important. So this is a diagram; you may have heard the name Paul Baran, B-A-R-A-N. In 1966,
he wrote a paper for the RAND Corporation, and you can see on the left "Air Force Project". This was a weapon, a defensive system, a military defensive system, the internet was originally developed. So the idea here: imagine that we are all the dots. Everyone in this room is the dots.
And let's say we're all employees at the same company. And let's say we're talking about issue X. And we're all sitting at our desks and on the common corporate server. The diagram, that's a centralized diagram.
The left-hand diagram there shows, if the CEO or an administrator wants to go in and see what the conversation is, they have a central point; they can do it. It's a centralized information flow. The challenge is, if the CEO gets hit by a truck or the system goes down, that's the problem with centralized flow.
So imagine us, the same people talking about the same issue, sitting at the same desks, being employees of the same company. Now let's say we all go on Twitter or Facebook. What happened is it just became decentralized. That's the right... or distributed, excuse me. That's the right-hand diagram. Exactly the same people dealing with the same issue.
Now, can the CEO find it? The CEO just got rendered blind immediately, just like that, by the adoption of that distributed network. That was the intention in the context of attack.
The challenge is when you resist attack, you also resist control. And so that's that blindness, what you're having now with the countries and companies. All hierarchical organizations utilize centralized information flows. That's what the hierarchies need. They've all been rendered blind, to a greater or lesser extent.
And what's happening now is they're still running the same program. And the problem is they don't know what the externality looks like.
Is that, does it say two? Perfect.
So the challenge we're all experiencing is that blindness challenge. The next one is the fact that the systems are sociotechnical. So you see here a driver; the car can't take care of what the driver's doing. There's people and equipment working together and creating risk. You can't deal with sociotechnical systems with just technical solutions. If you wanna render the technology and the people reliable, you need standards for both.
Technology is rendered reliable by conformity to specifications. People are rendered reliable by conformity to laws and policies.
And so they need both. Complexity growth: we look at complexity as a problem, but complexity is also an opportunity. Think about FEMA in Katrina, when it hit the United States, a big hurricane. That was a first order risk because it was a hurricane, but there was a second order problem of the lack of governance and ability of FEMA to react to it. So all of us have the opportunity. We can't prevent hurricanes. We can't prevent attacks necessarily, but you can prevent reacting poorly to the attacks. And so that's another opportunity. Scale consequences: this is a power of 10.
I dunno if people have seen that movie or book. It's the idea that at different scales, you have different systems that are in operation, and understanding those scaling differences is very important because you can't apply the same strategy at every scale.
And when you outsource, you have different scale: you have something inside the company, and then you have something shared among many companies. New metrics fire hose: this is the idea that with big data and other data systems, we have now more data. And we see a lot of correlations, but we don't understand causation.
So the question here is, was sunburn more risky before we knew how it happened, right? So the answer is no, but sort of, yes, because we didn't know it was risky, so we didn't perceive a risk. So now when you go to the beach and you see SPF 50 or SPF two, you can tell what kind of risk-taking person you're dealing with, but the metrics almost invite a perception of risk. Data is a dual use technology. So this is the idea: nitrogen fertilizer was used in growing apples and also used in the attack in Oklahoma City, is nitrogen.
Do we stop selling nitrogen fertilizer? No.
So we don't make hammers soft so they can't be used to hit people on the head. We make hammers hard and say, don't hit people on the head with hammers, right? You don't make cars go slow so they can't be used in bank robberies. You make them go fast and say, don't rob banks. So with data, it's the same thing. It can be used for poor, bad, or good. It should say can do harm or good. But that's the notion: we need to approach the problem correctly, which is the use of data in this context. And then this is an aside I won't go into, but it's a theoretical issue.
I'll let you folks take a look at the slides later at your leisure. But data and information are different. The idea is data plus meaning equals information.
And that's why Facebook can reuse the same data and create new and new value, because they keep putting in extra context for advertising. That's critical because it gives you more dimensionality, more freedom of movement in designing your system. Here's one that I hope seems provocative, but ultimately won't be: secrecy is dead, but privacy and security don't have to die with it. And that's a choice we make.
Lastly, this is people as data producers. Right now, if I buy a book on Amazon, the book goes this way to me, the data goes that way. In what way am I a consumer of data? I haven't consumed the data, I've produced the data. The reason these pictures are here is the Grange idea: people as producers. The Grange organized farmers so they could be producers with organization that could have some market efficacy. But the problem on the right side is that when you become part of a system, you also feel a little bit entangled in that. So that can be a challenge as well.
And again, I'll let you glance at these, but the most important point is the last one. Buckle your seat belts, because it's gonna be a wild ride. Thank you very much. Thank you.
Woo. That was right. Yeah.
There's 43 slides.
Yeah.
I mean, nevertheless, it's very interesting. And I think one big takeaway is that if we use technology, then we need governance on how to use it and how it's going to be also managed in an organization with people. And that the IT OT trends are going to demand new governance processes.
Yes, indeed. Whether they are provisional, as you mentioned it, or other ones, this is still going to be seen, I think, and who's going to win the race. We don't know yet, but definitely it's something new around the corner. Yeah.
Well, you know, and we have the same interoperability. I mean, you learned English, I don't know German. It's an interoperable technology that we use. And so thank you, because we wouldn't be able to have the interoperation of this presentation without that.
So that management is something that comes naturally when we understand risk and we understand leverage, and the idea of these interoperable policies and adoptions is gonna be a critical part of that, I think.
Yeah. Thank you very much, Ken.
Thank you.
If you wanna see more about this, there are going to be more sessions, on Thursday I think, where you're going to get a little bit more detail on risk. Thank you very much.