Most boards are coming around to the idea that they need to engage with geopolitical intelligence to manage risks to their company. But too many still do not see the value of company-specific threat intelligence. If that is the case in your organisation, you can change that with some careful positioning, says Protective Intelligence head Michael Lubieszko.
As security professionals, we all know the inherent value of robust intelligence assessments in helping to make tactical and strategic decisions. But how do you get your board and senior leadership to pay attention to you when they’re being bombarded with reams of information on a daily basis – information that, on the face of it, appears to align more closely with their responsibilities towards business success?
Consider this scenario. You’ve identified an emerging threat against your organisation and have temporary measures in place to protect your assets. But in order to tackle this threat long-term before it scales upwards and presents a pressing risk, you need to secure additional resource support from the board.
Despite your best efforts, you languish on the outer periphery of the board agenda and never get a chance to present your findings. You must deal with an impending threat on the horizon without additional resources.
If this sounds familiar, what do you need to do to capture the attention of the board and make sure they are fully engaged?
Leaving the shadows
Many boards fully see the value of company-specific intelligence. But where this is not the case, it is hardly surprising. Intelligence, after all, has long been portrayed as a dark art that lies within the shadows. The image of a nebulous, deliberately obfuscated field that’s usually hidden behind closed doors perpetuates a ‘need to know’ rather than ‘dare to share’ attitude, and doesn’t ever really seek to draw too much attention from shareholders, senior management or customers.
However, boards are increasingly taking an intelligence-led approach. And increasingly, firms are recognising the value of geopolitical intelligence and leveraging well-trodden intelligence processes to deliver foresight that can be slotted into more strategic planning.
There would be few arguing against the importance of diligently gathering, analysing and assessing this geopolitical information in order to ensure that risks are mitigated, crises are averted and effective controls are established.
But there is a clear disconnect between the use of geopolitical intelligence and the use of company-specific threat intelligence – or Protective Intelligence, as we call it at Dragonfly – at a board level.
The value of actionable threat intelligence is still, sometimes, not understood or even acknowledged by non-security professionals, particularly when it comes to decision-making at a board / C-suite / management level.
Talk the board’s language
The root question is simple. Why do some boards still not engage with threat intelligence? The answer is perhaps more complicated.
At a very basic level, the key purpose of a board is to ensure the prosperity of a company and meet the interests of its shareholders. The board does this by helping to set broad strategic goals, supporting senior management in achieving these goals, and ensuring that the company has adequate resources to deliver those goals. It is a strategic, objective body that relies upon robust metrics to make decisions.
How do you break into this world of quantitative information?
To engage at a board level, you need to become a business leader skilled at communicating complex messages to senior leadership. The most important of those messages is that threat intelligence is the bedrock from which returns on investment in security are drawn. And that intelligence can and should be an integral part of senior decision-making at a strategic level when it comes to business continuity, profitability and growth.
In short, there is a direct feed from threat intelligence into business continuity and profitability planning.
Threat intelligence should be positioned as a data stream essential for the company to grow, become more established, or erupt into new markets. Threat intelligence needs to be seen as the critical component of decision-making that enables the board / C-suite / management to ultimately make well-informed, intelligent and accurate business decisions. For a company to thrive, threat intelligence in strategic decision-making is no longer a ‘nice to have’; it is a necessity.
Take for example the board of a bank. Naturally, their focus will gravitate towards adhering to regulatory controls, prudent financial risk management and driving value creation. But by being so focused on traditional board responsibilities, they may sometimes fail to recognise the emerging threats posed by extremists vehemently opposed to the bank’s investment in the continued extraction of fossil fuels – a threat that you could have readily forecast, and proactively implemented effective controls against. Instead, the bank is now facing active extremists who have both intent and capability to permanently damage the reputation of the bank, tarnish its claim to operate ethically, and physically disrupt business.
But arguing that threat intelligence is a strategic issue is not enough. Believe it yourself and act on it, by becoming familiar with what the board cares about and why – if you are not so already. Make sure that each strand of work you do has a clear and unambiguous connection back to a defined business objective.
Using intelligence at a strategic level
Boards are objective and laser-focused on their goals. Metrics will allow you to demonstrate to the board that effective use of intelligence has an impact both on performance and the risk profile of the company.
Your job is to steal that focus and keep it by proving the strategic value of threat intelligence.
The easiest way to provide proof is to share metrics with the board; ideally, metrics that clearly reflect the potential reputational impact of threats, the potential financial impact to the organisation and ultimately the responsibility of board members. From our experience working with organisations across multiple sectors, it helps to:
- Provide multiple metrics from multiple perspectives. Organising metrics into a balanced scorecard aids the board’s understanding of what needs to be actioned and why
- Implement quantitative rather than qualitative scales – express results using numbers rather than high-medium-low ratings or other non-numeric methods
- Report on aspects of your security management processes that help you and your board quantify how security investments are paying off, such as tool efficacy
Not only do metrics allow you and your team to stay predictive and proactive, and able to mobilise resources to react to any new intelligence or information, but they also provide comprehensive visibility into the controls you are applying and assurance that the controls are having a definite impact.
Protective Intelligence: A strategic approach to threats
Dragonfly’s Protective Intelligence service is designed to deliver threat intelligence to your organisation, which is not only directly actionable for you and your security team but also for your board and other senior decision-makers.
Working collaboratively with you, our first step is to understand your organisation. This includes what your board is interested in from a strategic business point of view, so we can stay focused on the issues that you most care about. It also includes how your organisation is perceived by hostile threat actors and groups.
This deep dive enables us to clearly detect and define connections between credible threats and business strategy. Only then do we start working closely to curate a bespoke Protective Intelligence service to monitor, analyse and assess threats on your behalf; threats that relate specifically to you and your organisation from both tactical and strategic perspectives.
But it is the combination of our content and delivery method that our clients rely upon in order to better engage their boards with threat intelligence.
Working to your internal decision-making cadence, we deliver actionable insights that are ready for board consumption.
Graphics are tailored to represent metrics that you and your board care about. The wording we use within our assessments is deliberately curated to be easily digested by board members. And our reports are consciously formatted to ensure that you do not need to translate or re-write our findings, saving you time and effort to focus on tackling the emerging issues head-on.
How we helped one company prove the value of intelligence to its board
For example, we worked with one of our clients to engage their board in threat intelligence related to separate operational projects based in over 20 global locations.
Working collaboratively with our client to understand the issues they had previously faced with board engagement, we designed a structured approach to deliver compelling threat intelligence with a strong strategic focus.
Rather than attempting to engage board members on the novel tactical threats facing each project, we delivered a broad threat landscaping report to our client that provided oversight across all projects. Our client was then able to leverage material within this report, including our key findings, with the board immediately to deliver clear, unambiguous strategic oversight across the projects as a whole, rather than as disparate tactical issues.
This simple step change in approach switched the mindset of the board. By proving the value of intelligence to make considered, proactive strategic choices and more confident decisions, the macro view transformed the importance of threat intelligence within that board from a tactical to a strategic imperative.
To find out more about how our Protective Intelligence service can help you deliver company-specific threat intelligence and communicate its value to senior decision-makers, please get in touch today.
Image: Businessman on an escalator. Photo by EschCollection via Getty Images.