One of the arguments regularly cited for the lack of penetration of security on the board agenda is that it is difficult to show the ‘value’ of security to the c-suite. Proving the value of security when nothing ‘appears’ to happen will always be a challenge, and the perception that security is nothing more than a costcentre will remain, unless the industry can introduce new ideas and concepts to re-frame that perception.
However, the span of threats, and the ability to identify, understand, and manage those threats is not a new scenario. Having spent 18 years as a Military Intelligence Officer (MIO), I know from first-hand experience that the government’s and intelligence communities’ response to dealing with these dynamic and ambiguous threat scenarios has been the development of a comprehensive intelligence framework. It is designed with a single focus; to deliver intelligence reporting which allows decision makers to make proactive and informed security/risk decisions. Sir David Omand identified this capability as ‘strategic foresight’. They have developed a process which provides structured, repeatable, and auditable decision support to leaders. A critical characteristic of intelligence reporting is that it must be actionable, otherwise why have it? It is similar to the difference between forecasting the weather and reading the news.
So how can this translate into the security professional’s ability to ‘add value’? At its most basic component, the security manager, the intelligence officer, and the risk specialist all have a common aim. They are looking to identify (forecast) a risk which could impact their strategic objectives, identify that risk at the earliest possible junction, and attempt to avoid that risk. Perhaps the difference in many cases is that the intelligence officer and the risk specialist are more comfortable identifying dynamic risks, which are shaped by constantly changing influences, and require pro-active management. Is there something which the security manager can identify in the practices of the intelligence officer, or the risk specialist, which can allow them to deliver that ‘added value’ to the decision maker? Could the concept of security intelligence provide a more wholesome view of the threat environment, and help business leaders better ‘understand’ the threat environment in which their businesses operate.
At the heart of the intelligence process is the Intelligence cycle, which will have an air of familiarity for those who use the risk management cycle; a four-step process which provides a framework for converting information into intelligence. The intelligence cycle is the element of the process where the ‘value’ is created, and the insight/foresight is developed.
“At the heart of the intelligence process is the Intelligence cycle, which will have an air of familiarity for those who use the risk management cycle. “As the world becomes increasingly complex, the protection of assets, the appreciation of business risk, and the role of security in spanning those two evolving environments is the new-normal for the security risk manager. And the question of how to constantly ‘add value’ is now a vital part of the security conversation”
The cycle should be started with ‘direction’, which is shorthand for the decision maker articulating the priority intelligence requirements they require satisfying in order to allow them to make a decision. For the commercial world, this step could link the security organisation directly to the board, and in doing so inextricably link security intelligence directly to the development and management of the business strategy; rather than reacting to an already made business decision.
Recent academic research, conducted with over 110 leading UK security professionals, identified overwhelmingly that the board would value security intelligence reporting, which helped them understand what is ‘not normal’ and allowed quick and informed security decisions to be made; but less than 50% of organisations had a process to allow the threat environment to be analysed. The research identified that there was also confusion and contradiction within the security industry about when, and how to use security intelligence. 41% identified that there was a lack of understanding about how security intelligence could support decision making and provide insight; and 36% identified a lack of a framework, which would allow the integration of security intelligence into their organisation, or a lack of skilled resources.
So, what does this mean for the security industry? 89% of organisations questioned would actively make use of an internal capability which provided a business advantage. The framework provided by security intelligence could provide the security industry with a ‘battle proven’ process to demonstrate the ability of the security function and to bring ‘added value’ to the organisations decision makers.
Yet, many organisations will be subscribing to one of the many high-quality commercial intelligence providers, and perceive that they therefore have a security intelligence process. If the intelligence cycle is deconstructed, commercial intelligence vendors can provide 3 of the major steps of the cycle for their customers; collect, process and disseminate. Where the security manager can add significant value is by taking ownership of the ‘direction’ step. The security manager has the ability to act as the linchpin between the direction and strategy of an organisation, and the commercial intelligence vendors. Doing so allows the security manager a better understanding of the business strategy and priorities, and in return provides the business with focused and tailored intelligence assessments, which further provides a decision maker with pro-active decision support. The added benefit of this process is that the security manager can clearly link the ‘value’ of their activity to the strategic priorities of the organisation.
Perhaps the most convincing benefit of security intelligence is that many security managers already have the skills required to implement a security intelligence programme, but are lacking a framework to draw those elements together. The integration of a security intelligence framework into the security industry has the potential to help security professionals transform from a news reader to a weather forecaster.