
Random Thoughts On Piracy Summit (I have to talk about guns a little ;) May 1, 2012

Posted by Chris Mark in Industry News, Piracy & Maritime Security, Risk & Risk Management.

In reflecting upon the Piracy Europe event in Hamburg that I attended last week, I was struck by a few things that were said and proposed.  The speakers were generally very good, although the material is getting a bit old at this point.  With piracy at near 2007 levels, security vendors are scrambling to convince shipping companies that they are still needed.  Selling on Fear, Uncertainty, and Doubt (FUD) seems to be the new way of business development.

With regard to the security vendors, there appeared to be two distinct perspectives on how to stop pirates.  Neither seemed appropriate.  One company had a rep get up and show a picture of himself with a Barrett .50 cal SASR (special application scoped rifle) (shown in the pic above with the very skilled, handsome and smart USMC Sniper... yeah, it's me).  The intimation was that if you have larger guns, you have more ‘firepower’ and thus better security.  This is a very simplistic way of thinking about security and demonstrates one of the challenges of maritime security.  Security is not about technology... it is about people, strategies, and tactics.  Tools (such as weapons) are useful but only if employed correctly.  You can read the whitepaper “weapons and tactics in the prevention of piracy” here. This “goons with guns” approach was not well received and, quite frankly, I felt it perpetuated what the attendees think of American security... knuckle-dragging goons with guns. Blackwater is alive and well in the minds of most of those who attended the event.

Geopolitical Context of Piracy; Dr. Heather Mark April 18, 2012

Posted by Chris Mark in Industry News, Piracy & Maritime Security.

Since I am traveling to Hamburg this week for a piracy event (pirates like “ARGHH MATEY!” type... not software pirates), to provide my readers with some piracy info, I am publishing the whitepaper “The Geopolitical Context of Piracy” by the illustrious Dr. Heather Mark.  This paper has an interesting history.  At one point the paper was ‘borrowed’ by a person who proceeded to publish the paper as four articles, for which he attributed authorship to himself.  Plagiarism is alive in 2012 😉  Fortunately, the organization that published the articles recognized something was amiss and contacted Heather.  Please read the paper... good info... No doubt the person who “borrowed” the paper will try to once again pass it off as his own at the event...

Chris Speaking at Piracy Week Hamburg- April 23-26, 2012 April 17, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Piracy & Maritime Security.

I am off to Hamburg, Germany next week to speak at the 11th Annual Combating Piracy event sponsored by Hanson Wade.  If you are in Germany, come by.  Hanson Wade puts on some great events.  I am speaking for Guardian Maritime Security on the topic of CyberSecurity in the Maritime Industry.  Last year I spoke on deterrence theory and the Value of armed guards in the protection of vessels.   Protection Vessels International (PVI) will be giving an update on the Evolving and Complex Tactics of Pirates.

As usual, some company will speak on “selecting a security vendor” in an attempt to win business.  I would think for 4K Euros people would expect to hear more than a sales pitch from a struggling company…but…I digress.

I am actually excited about attending to catch up with some friends, talk to new clients and most importantly…eat at Subway. That’s right..there is a Subway sandwich store in Hamburg, Germany!  Many people are unaware that Marine Corps Snipers and Subway have a long history together.

I may be taking a short hiatus while in Germany but will get back to writing as soon as I return.

“Slicing the Pie”; Risk Management 101 February 11, 2012

Posted by Chris Mark in Risk & Risk Management.

This is a followup to “Risk 101: an Introduction to Risk”.  Security and risk are interesting topics that lend themselves to endless debate (and the occasional argument).  They are concepts that are bandied about quite frequently but, in my experience, are often not well understood by those using the terms.  I have been asked by clients to describe risk management and security in business terms.  At the risk of oversimplifying the concepts, I will explain the concepts in this post.  Security can be described rather simply as the implementation of controls to address a vulnerability or address a threat.  Consider your house as an example.  If you install a lock on the front door, you are implementing a control (the lock) to address a vulnerability (an unlocked door) and a threat (that an unauthorized person will enter).

Risk can be described as the function of the likelihood of an event occurring and the impact should it occur.  Risk can be quantified using a simple formula (R=P% x I$) or expressed qualitatively.  In the scenario used above, there is a risk that your house will be burglarized.  Depending upon where you live, and other factors, the likelihood (expressed in terms of probability) will vary from unlikely to more likely to very likely.  The impact of the burglary will be determined by, among other things, the value of the assets that can be stolen.  So how does this relate to security?  The concepts are (or should be) inextricably entwined.

Controls should be implemented commensurate with the identified risk.

This is a very important concept.  Consider the following scenario.  If I were to offer you $1,000 to either 1) install a burglar alarm in your house or 2) install a fence to keep lions out of your yard, which option would you choose?  Likely most readers would respond with the statement: “it depends upon where I live”.  This demonstrates the relationship between security and risk management.  There are two risks we are considering in this scenario.  First is the risk of burglary and second is the risk of lion attacks.  If you live in the Kenyan bush, you may be more concerned about lions, as the probability is likely higher of a lion entering the yard than of a burglar.  If you live in New York City you are likely more concerned about burglaries than lions, as lions are not found in NYC (at least not legally).  The controls you are considering are either a lock (to address the issues described previously) or a fence to address the threat of a lion entering the yard.  Additionally, when we talk about ‘commensurate with the risk’ it means that the controls should be enough to address the risk but not too great.  You would not put a $1,000 alarm system on a $500 car.  It simply does not make sense and is an inefficient use of your limited resources.

With those topics covered very briefly, how do we discuss risk management in business terms?  Easy.  Consider that the risks to which you or your business are exposed are infinite.  You may not believe there is a risk of being hit by a meteorite, but I can assure you that as infinitesimally small as the chance may be, there is a chance (probability) and the impact is likely not very good (injury or death).  If you question the example, read about the Sylacauga Meteorite here.

Now consider that the resources at your disposal (man hours, money, expertise, technology, information) are finite.  You may have a huge budget and world-class expertise, but the fact remains that you have finite resources to address infinite risks.  The goal of risk management is to slice the pie of resources in a manner that allows you to address the greatest risks in the most efficient and effective manner possible.  There are four primary methods of risk mitigation: Avoidance, Reduction, Sharing, and Retention or Acceptance.  Using the burglary example:

Avoidance– You can ensure you don’t own anything that could be stolen. Or you could live in an isolated area where nobody else lives.

Reduction– You can reduce the risk (by reducing probability or impact) by installing locks or using a safe to protect your assets.

Sharing– You can get insurance for your assets to reimburse you if they are stolen.

Acceptance– you can simply accept the fact that burglary is a possibility but one you are willing to accept if the likelihood is remote or you have no assets to steal.

The idea is to allocate the pieces of pie (which represents your finite resources) in a manner to address as much of the risk as possible.  It should be noted that there will always be residual risk and the possibility of Black Swan events.
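The pie-slicing idea above can be worked through with R = P x I, in an example added here (not from the original post). All probabilities, dollar figures and control names are constructed, and the rule that a control is "commensurate" only when it costs less than the exposure it removes is an assumption made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    risk: str        # which risk this control treats
    cost: float      # dollars per year
    p_factor: float  # multiplier on probability (reduction)
    i_factor: float  # multiplier on impact (sharing, e.g. insurance)

# Constructed figures: annual probability P and impact I in dollars.
RISKS = {"burglary": (0.10, 20000.0), "lion attack": (0.0001, 50000.0),
         "car theft": (0.05, 500.0)}
CONTROLS = [
    Control("door lock", "burglary", 50.0, 0.4, 1.0),
    Control("contents insurance", "burglary", 300.0, 1.0, 0.05),
    Control("lion fence", "lion attack", 1000.0, 0.0, 1.0),
    Control("car alarm", "car theft", 1000.0, 0.2, 1.0),
]

def slice_pie(risks, controls, budget):
    """Fund controls greedily by exposure removed per dollar (R = P x I)."""
    state, funded, pending = dict(risks), [], list(controls)
    while True:
        best, best_ratio = None, 0.0
        for c in pending:
            p, i = state[c.risk]
            removed = p * i - (p * c.p_factor) * (i * c.i_factor)
            # Assumed rule for "commensurate": the control must be affordable
            # and cost less than the exposure it removes.
            if c.cost <= budget and removed > c.cost and removed / c.cost > best_ratio:
                best, best_ratio = c, removed / c.cost
        if best is None:
            break
        p, i = state[best.risk]
        state[best.risk] = (p * best.p_factor, i * best.i_factor)
        budget -= best.cost
        funded.append(best.name)
        pending.remove(best)
    # Whatever is left is retained (accepted) residual risk.
    residual = {name: round(p * i, 2) for name, (p, i) in state.items()}
    return funded, residual, budget

if __name__ == "__main__":
    print(slice_pie(RISKS, CONTROLS, 1000.0))
```

With these figures the lock and the insurance are funded, while the lion fence and the $1,000 alarm on the $500 car are rejected and their risks are simply accepted.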

Chris Mark Speaking at Combating Piracy Week in Hamburg February 2, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Piracy & Maritime Security, Risk & Risk Management.

I will be speaking at the Combating Piracy Week in Hamburg, Germany on the topic of CyberSecurity & CyberEspionage.  The talk will focus on who is trying to steal your data and why.  It will also cover the technologies and tactics of how they can steal your corporate data and what the uses of such data are.  You can get a preview of the topic by reading the Maritime Executive article in which I was interviewed.

If you have not attended one of the Hanson Wade Piracy events, it is worth attending.  Hanson Wade’s personnel do a great job of coordinating networking, and the speakers are all very professional and very adept.  I have had the opportunity to speak at nearly 100 events in the past 12 years or so and I would put the Hanson Wade events in the top 5 in terms of value for the money.  I highly recommend this event for security companies that want to meet decision makers and speak with the people who influence the industry from a security perspective.
