The security profession is at a Rubicon in its development and maturity as a component of the modern business structure. The evolution from the protection of physical assets to providing a more holistic ‘all-hazards’ approach to security risk management has been a natural process for many of us as individuals. Frustratingly, though, this evolution has been more of a struggle for the business leadership we support, where there undoubtedly remains a legacy view that security is just the ‘corporate cop’. Richard Stevens looks to employ security intelligence in a business context.
As the world becomes increasingly complex, the protection of assets, the appreciation of business risk and the role of security in spanning those two evolving environments is the ‘new normal’ for the security manager, while the question of how to constantly ‘add value’ is now always part of the security conversation.
One argument regularly cited for this lack of penetration at Boardroom level is that it’s difficult to show the ‘value’ of security to the C-Suite. To a certain extent, the profession knows this to be true: proving the value of security when nothing ‘appears’ to happen will always be a challenge. The perception that security is nothing more than a cost centre will remain unless, as a sector, we introduce new ideas and concepts to re-frame that perception.
The spectrum of threats facing the contemporary organisation, and the ability to identify, understand and manage those threats, is not a new scenario. Government and the military have faced this challenge since the very concept of Government itself. Having spent 18 years as a military intelligence officer, I know from first-hand experience that the intelligence communities’ response to dealing with these dynamic and ambiguous threat scenarios has been the development of a comprehensive intelligence framework, which is designed with a single focus in mind: to allow decision-makers to make proactive and informed security/risk decisions. Sir David Omand identified this capability as “strategic foresight”, but in reality the benefits of developing a process which provides structured, repeatable and auditable decision-support to leaders is greater than just providing information (which is usually reactive).
A critical characteristic of intelligence reporting is that it must be actionable, otherwise why have it? By extension, if the intelligence is ‘actionable’ it must by definition be proactive.
Common aim in mind
How, then, can this translate into the security professional’s ability to ‘add value’? Fundamentally, the security manager, the intelligence officer and the risk specialist all have a common aim. At the earliest possible juncture, they’re all looking to identify a risk that could impact their strategic objectives and attempt to avoid that risk. Perhaps the difference in many cases is that the intelligence officer and the risk specialist are more comfortable identifying dynamic risks, shaped as they are by constantly changing influences requiring proactive management.
Traditionally, the security manager has faced a more static suite of threats and has been able to build a more static range of defences. Those defences form concentric rings which we all recognise as the concept of defence in depth. Indeed, defence in depth has served the security manager well against a range of fixed locations and defined threats. However, as the business environment becomes more complicated, and businesses themselves become increasingly complex and global, has defence in depth reached the limits of its capability? Is there something the security manager can identify in the practices of the intelligence officer or the risk specialist that can allow them to deliver that added value to the decision-maker?
Could the concept of ‘security intelligence’ be that bridging point to help cross the Rubicon? Can security intelligence provide a more complete view of the threat environment and, more crucially, help business leaders ‘understand’ the threat environment in which their businesses operate?
At the heart of the intelligence process is the intelligence cycle, which will have an air of familiarity about it for those who use the risk management cycle. Developed by the CIA in the 1960s, it’s a four-step process providing a framework for converting information into intelligence. The intelligence cycle is the element of the process where the ‘value’ is created and the insight/foresight developed.
Importantly, the cycle should be started with ‘direction’, which is shorthand for the decision-maker articulating the priority intelligence requirements that must be satisfied in order to allow them to make a decision. For the commercial world, this step could link the security organisation directly to the Board, and in doing so inextricably link security intelligence directly to the development and management of the business strategy, rather than reacting to an already made business decision.
Recent academic research that I conducted with over 110 leading UK security professionals identified overwhelmingly that the Board would value security intelligence reporting to help them understand what’s ‘not normal’ and allow quick and informed security decisions to be made. However, even though 87% of the research participants identified that security intelligence could help organisations in navigating the complex global environment, less than 50% of the organisations represented in the study had a process in place designed to allow the threat environment to be analysed.
Interestingly, when asked for which types of business decision the Board was most likely to use security intelligence, 41% identified travel security. The response was important as it suggested that many organisations currently view security intelligence as a tactical capability, primarily employed after an incident to identify what happened. The use of intelligence in a tactical way after the incident reinforced some confusion and contradiction among the research participants about when and how to use security intelligence. 41% identified that there was a lack of understanding about how security intelligence can support decision-making and provide insight, while 36% identified a lack of a framework to allow the integration of security intelligence into their organisation or a lack of skilled resources.
Meaning for the security manager
What does this mean for the security manager? 57% of participants reported that their Board did not have a formal decision-making process, instead relying on semi-formal or informal judgements and experience. Furthermore, 89% stated that they would actively make use of an internal capability which provided a business advantage. The framework provided by security intelligence could provide the security manager with a ‘battle-proven’ process to demonstrate the ability of the security function to bring ‘added value’ to the organisation’s decision-makers.
Yet many organisations will be subscribing to one (or more) of the many high-quality commercial intelligence providers, and perceive that they therefore have a security intelligence process. If the intelligence cycle is deconstructed, commercial intelligence vendors can deliver three of the four stages in the cycle for their customers: collect, process and disseminate.
Where the security manager can add significant value is by taking ownership of the ‘direction’ step. As already noted, this is where the requirements of the decision-maker are fed into the cycle. The security manager has the ability to act as the linchpin between the direction and strategy of an organisation and the commercial intelligence vendors. Doing so affords the security manager a better understanding of the business strategy and priorities, and in return provides the business with focused and tailored intelligence assessments to provide a decision-maker with proactive decision support. The added benefit of this process is that the security manager can clearly link the ‘value’ of their activity directly to the strategic priorities of the organisation.
Different frame of reference
I’m not aiming to position security intelligence as a ‘magic bullet’ for the security manager. What security intelligence does provide them with is a different frame of reference for engaging the business and delivering additional foresight to both security decisions and, potentially at least, broader strategic business decisions. In doing so, security intelligence can help to shape a new perception that when nothing ‘appears’ to happen, that isn’t an accidental or passive condition. Nothing happened because the security manager (and the organisation) took proactive action.
Perhaps the most convincing benefit of security intelligence is that many security managers already have the skills required to implement a security intelligence programme. The research participants simply lacked a framework to draw those elements together.
Having experienced first-hand the benefits of a security intelligence process in supporting senior military decision-makers, I believe unequivocally that the integration of a security intelligence process into security practice has the potential to help security professionals in the next step on their evolution from static asset protection to proactive security risk management: to be a weather forecaster and not a news reader.
Richard Stevens MSc is Associate Director for Global Security at EY and Director of Education for ASIS International’s UK Chapter
*The views reflected in this article are the views of the author and do not necessarily reflect those of the global EY organisation or its member firms