Even if your C-suite sees the value of company-specific threat intelligence in principle, it can be difficult to attract and maintain their attention in practice. Follow these five key steps to communicate your intelligence to them effectively – and be heard – on an ongoing basis.
The CSO of a well-known organisation diligently reported to his board every month on the security risks his company faced, but the directors did not seem interested in the intelligence he presented. His impression, he told us, was that threat intelligence was a low priority for the board and so they could not see the value of initiatives he considered necessary to protect their people and assets, such as a counter-intelligence exercise.
When we examined the reports he presented to the board, the problem immediately revealed itself. Eager to communicate clearly and succinctly, he used a straightforward colour-coded chart to show the risk levels the company faced. But this presented a very unsophisticated view which was never going to engage the directors. They had no real context to understand the threats in any depth or nuance, and when most threats appeared ‘amber’ or ‘green’ for months on end, with no details of the real-world threats they represented, it was hard to take them seriously. By over-simplifying the presentation, he lost the board’s attention.
Communicating with senior decision-makers around company-specific threat intelligence – or as we call it here at Dragonfly, Protective Intelligence – can be challenging. Your board may perceive the intelligence you present as a tactical rather than a strategic issue, removing it from their sphere of responsibility and interest. When this is the case, correcting this mistaken impression is often the first step in commanding their attention and another way to gain that seat at the top table.
But even once you have their interest in principle, it can be difficult to keep in practice. Boards are bombarded with relevant briefings and data, all competing for their attention. So how you present the threats that you uncover is essential, if they are to see the value of threat intelligence; fund and support the programmes and tools you need to do your job; and enable your corporate security function to work effectively.
Below you will find five keys to communicating threat intelligence successfully to senior decision-makers, based on our extensive experience helping corporate security teams report to their boards.
1. Control the agenda.
You’re on your way to a meeting when a board member passes you in a corridor. “I just read a piece about DDOS – we need to look into that urgently!” he says, pressing you to report back at the next board meeting. You know your next board report will now have to focus on a threat which is not in any way urgent or important to your company, all because of a poorly understood and poorly timed newspaper report.
Such hijacking of the agenda is most liable to occur when senior decision-makers lack the sense that you are working to a clear, defined plan. Whether rightly or wrongly, their perception may be that you fire-fight emergencies as they occur; that your intelligence operation is reactive and jumps from threat to threat, with no real definition of what is important. Therefore, they feel free to interrupt your workflow at will and impose their own priorities – reinforcing the sense that your threat intelligence is not strategic or coordinated.
The answer is to set a clear agenda for your threat-hunting. You need to show that you are strictly intelligence-led, following the evidence to reveal the threats facing your organisation, prioritising them to identify the ones that are most important to you, and then determining how to respond. Your operations are based on your threat profile – not on whims and random newspaper reports.
This will help the board understand what intelligence is, how the intelligence cycle works and how it’s used, making the value of your work clearer. And it will also keep your board focused on the most important threats facing your organisation rather than on random issues, which is naturally more useful and engaging.
How our Protective Intelligence service helps: When you work with our Protective Intelligence team, the first step is always to create an initial threat assessment, giving you a complete view of all the contemporary and emerging threats facing your organisation, its people and assets. When you have a full picture, you can make well-considered decisions about where to focus your time, effort and resources.
This sets the agenda for your threat intelligence-gathering for the foreseeable future, allowing you to give the board a clear sense of your priorities and a plan of action.
Going forward, your initial threat assessment acts as a baseline from which we work collaboratively with you to curate your bespoke Protective Intelligence service, where we monitor, identify, analyse and assess threats on your behalf. Your threat assessment is continually optimised and updated, so you can regularly refer back to it when discussing your priorities with your board, and continue to set an intelligence-led agenda.
2. Validate your approach.
Senior decision-makers need to see that your threat management programme is effective at enabling the business’s strategy in order to have confidence in it and maintain long-term interest. So you must find ways to validate your approach.
Producing numbers showing the impact of your intelligence would be best because your board members are likely to be highly data-driven. When this is not possible, another way to validate your approach is to show that your threat-hunting is neither random nor a product of the ‘dark arts’, but highly methodological.
Essentially, you must demonstrate that you are following a structured approach, by curating relevant information, analysing and assessing it to identify credible threats, and disseminating your intelligence more widely. Then after you have taken well-considered, proactive action, refine your requirements for the next round of threat-hunting.
By following this cycle, you can demonstrate that you have a systematic approach both to identifying threats and improving your threat management. Not only is this highly reassuring to decision-makers, but it – again – deepens their understanding of intelligence and how it is used. And it allows you to showcase real achievements, like delivering a comprehensive view of the company’s threat landscape; mitigating or neutralising specific risks; and focused management of the threats which matter most to your organisation.
How our Protective Intelligence service helps: It can be challenging to follow the intelligence cycle in full in-house when you are limited by time, resources and capacity. You may end up cutting corners, dealing with threats in a reactive manner rather than in a proactive way.
When you work with Dragonfly’s Protective Intelligence service, a dedicated team of specialists proactively hunts down the threats you care about, following the intelligence cycle to completion every single time. Our robust approach to collection, analysis and assessment of information and threats helps bolster your threat intelligence management processes, so you can focus on shaping, ordering and more clearly defining the strategic importance of threat intelligence.
And as you become a trusted advisor to the board, our assessments give you actionable insight to help report to the board on the key controls in place to manage your threats and their efficiency, as well as strong evidence of a risk-assessment approach.
3. Use well-defined intelligence terms precisely.
As security professionals, we’re so immersed in intelligence that it can be difficult to remember that not everyone fully understands the terms we use as a matter of course, including other senior people in our organisations.
For example, are you confident that all your directors really understand the difference between threat and risk? Do they know what you mean when you refer to a “vulnerability”? When you categorise risk as “high”, can they visualise what that really looks and feels like?
For many, the answer will be “yes”. But for a substantial number, the answer is probably “no”. Security-speak is an alien language to them.
But without understanding such terms, they cannot take your threat assessments seriously, engage with them meaningfully or make good decisions on their basis. Your intelligence assessments just seem like… noise, with no way to measure what’s important.
Yet intelligence reports presented to senior decision-makers are often inadvertently opaque in this way. Think back to the CSO who sent his board a colour-coded chart measuring risk levels, with no explanations of what his green, amber or red labels signified. Instead of being self-explanatory, the chart over-simplified a complex issue.
A useful, engaging intelligence report uses precise, carefully defined, consistent language that helps your C-suite understand the threats you’re presenting to them rather than obscuring them.
How our Protective Intelligence service helps: The written threat-intelligence reports we send you are designed to be sent directly to your senior decision-makers, without any changes necessary. They use the same nuanced, probabilistic language you are familiar with from SIAS, and the same threat, risk and resilience level definitions and indicators. These provide utter clarity for your C-suite, so they understand your assessments and can take them seriously.
4. Be selective in what you share.
As you hunt threats, you will generate huge amounts of data and process it into intelligence. What you choose to communicate is the most important decision you will make. Sharing too much can overwhelm your board members or C-suite; it just creates noise instead of providing a trusted feed of intelligence that helps senior decision-making at a business strategy level. Sharing the wrong pieces of intelligence, or even sharing the right pieces at the wrong time, will quickly lose their interest and make it harder for you to show value.
You are the filter. Your busy board only wants to see items which concern credible threats and potentially impact your business’s strategy and revenue-generating opportunities. They are not interested in tactical items which may be essential for you to do your job but do not help them do theirs.
So make sure you have a deep understanding of your company’s strategy and what your board needs from you in order to fulfil their function – then deliver that.
How our Protective Intelligence service helps: Protective Intelligence is a completely bespoke service, designed to meet both your needs and the needs of your internal clients. When we start working together, we jointly define the threats that matter to you and to your senior stakeholders and focus on them. Similarly, we define your alert thresholds, so we understand exactly what you consider serious enough for us to bring to your attention.
That’s why the intelligence we deliver to you is always immediately relevant and actionable – it is already carefully curated. And you can transfer it without any amendments to your C-suite, safe in the knowledge that it is directly relevant to them.
5. Presentation counts.
Before every board meeting, your directors will receive a thick pack of documents to sift through. Many will not read every one in detail. And the reality is, the ones they are most likely to scan or skip altogether are those that feel long and text-heavy.
So keep your report concise. And where possible, present information in graphic format, such as maps or charts. Not only is this eye-catching, adding variety to your intelligence reports, but it helps your audience understand and absorb critical information at a glance. And graphics are easier for you to incorporate into board paperwork and to update than reams of paperwork.
How our Protective Intelligence service helps: The intelligence assessments we send you are designed to be shared with your board, so each one begins with a summary of the most important points your directors need to know. If they read nothing else, they will still have the essential information. The assessments are also heavily visual, incorporating maps and infographics such as the one below, which shows a visual representation of the strategic level connection between the business objectives of a fictional company and the threat groups or vectors that have a fundamental opposition to those goals:
For many companies that we work with, our initial threat assessment includes baseline graphics – such as the one above – which are then updated every month. Our subsequent reports talk them through what’s changed and the rationale, so not only do they have the consistency of monitoring but the essential context to understand what they’re seeing.
Nothing is more frustrating than having critical threat intelligence to convey to your organisation – and not having it heard. By following these steps, you can ensure that your board and C-suite fully understand the value of threat intelligence and engage with it – so you can have the greatest possible impact on your company’s safety, strategy and direction.
To find out more about how our Protective Intelligence service can help you deliver company-specific threat intelligence and communicate its value to senior decision-makers, please get in touch today.
Image: Formentor lighthouse. Photo by Daniel Garrido via Getty Images.