By Codee Ludbey
In this issue, we will look at security intelligence alongside the familiar security risk management process, giving consideration to the uncertainty that faces all corporate security practitioners in their day-to-day decision making.
Security risk management is the language of corporate security practitioners. Through it, they can effectively communicate threat, ensure duty of care and provide business justification for risk mitigation. Security risk management allows the security manager to identify security threats through examination of the current organisational context, manage risks through security and business policy and eliminate or reduce these risks through protective security measures. The risk management process is one that is always evolving, with many different approaches being undertaken depending on organisational objectives, operating environment and perceived threat. Effective risk management requires organisational commitment, extensive internal and external stakeholder engagement and strong leadership both in times of crisis and in everyday operation. Throughout the risk management process, decision making is often required in uncertain circumstances, against an uncertain threat, with uncertain outcomes. To reduce this uncertainty, robust information collection channels are required to ensure an holistic operational picture at all levels of an organisation and its external environment. Often overlooked is the application of intelligence gathering and analysis techniques to solve this problem.
Uncertainty and Decision Making
Decision making in an organisation can be a difficult task, even in ideal circumstances. The fluctuation of markets, supply and demand, employee morale, work output, and legislative and competitor pressures can introduce significant uncertainty to strategic and operational decision making. In security applications, this uncertainty is magnified due to the requirement to predict and prevent the actions of rational, intelligent actors against an ever-increasing number of vulnerable and exposed targets. There are considerable expectations on the corporate security practitioner to remain ahead of the curve, ensuring the protection of people, property, information and reputation across the organisation. These expectations can be met and exceeded through the proper implementation of a security risk management process that is often reviewed, has access to relevant and timely information and is supported with organisational and executive buy-in.
Julian Talbot and Miles Jakeman, leading authorities in the security risk management domain, claim that security decision making deals with more uncertainty, complexity and ambiguity than any other risk management context. In light of this, it is vitally important for the corporate security function to be well informed of all business operations, aware of long-term strategic goals, and embedded into corporate decision making. The complex and diverse nature of the threat facing an organisation means that the corporate security function must be proactive in developing a comprehensive and holistic threat context through extensive information collection.
Security Risk Management
Security risk management is the process undertaken by a corporate security practitioner in the identification of security threats, assessment of security risks and the implementation of risk treatments to an organisation. It allows the consideration of assets, existing controls and potential vulnerabilities when faced with specific threats to inform the decision-making process. A problem arises when faced with the extensive information requirements of such a process. How does the security manager identify all the possible threats, vulnerabilities and risks to an organisation? It is impractical to assume that all possible occurrences can be accounted for, which is why the implementation of security control measures must be targeted carefully and in such a way as to ensure umbrella protection against multiple identified risks.
The efficacy of these controls is limited to the information collection capabilities of the organisation, as it is not possible to protect against something that is unforeseen. To reduce uncertainty in the organisation’s operating environment, especially in the context of security, the implementation of robust information collection and analysis measures must be undertaken.
The Intelligence Function
Intelligence is a function often considered exclusively in the domain of governments and dedicated private organisations; however, lessons can be learned from these actors and implemented into business functions. Intelligence operations exist to reduce uncertainty in decision making by collecting information from all available sources. In the context of a business, this means news media, online information, business contacts and other information feeds that are readily available. Intelligence processes are essentially a method of acquiring sparse and incomplete information across multiple sources and building a coherent picture of events for use by a decision maker. The key differentiator of an intelligence function as opposed to a good news source is the ability for the analyst to cut through the nonsense and provide relevant, timely and informed discussion about business-specific concerns.
Good intelligence can provide an organisation and decision makers with the information they require to make difficult decisions, to identify and manage risk and to operate effectively in risky and uncertain environments where they may not have been able to in the past.
The first stage of any intelligence function requires direct input from the decision maker and knowledge of the problems that need solving. The decision maker, policy maker, or executive team must outline areas of interest, operational boundaries, strategic objectives and all other pertinent information to ensure that the function is scoped and collection methods remain relevant to the organisation.
Next, the analyst begins collection of relevant information across all available sources, such as news and social media, and internal and external contacts. Once the analyst has collected enough pertinent information, analysis begins. Analysis is the process through which information is accepted or rejected and value is then added in the final report. It is vital that the analyst critically examines every piece of information being used, slowly building a picture of events that is as accurate as possible, whilst ensuring that all assumptions made about the situation or target have been examined. The analyst must be entirely impartial and must deliver the facts as they are discovered without bias, explicitly identifying missing, contradictory, or uncertain information. The analyst will also provide context for the supplied information and, if requested, thoughts on how a situation may develop over time.
Once the product has been developed, dissemination occurs. This is the crux of a strong intelligence process. Dissemination methods can vary: oral briefings, written reports, emails, video conferences, or anything in between. The method of dissemination depends on the organisational context, the needs and wants of the decision maker and the type of intelligence being disseminated. Tactical-level intelligence, such as half-hourly situation updates, may be more suited to an email or in-person briefing, whereas an overview of the current and probable future outcomes of an overseas labour strike may be more suited to a multi-page report. Ideally, intelligence reporting is brief and concise, bearing in mind the decision maker’s preferences. If the intelligence function is providing reports that do not suit the information requirements of the decision maker, it is unlikely that the reporting will be read or used. To overcome this problem, it is vitally important that the analyst knows the audience and shapes the product accordingly.
Informing Risk Process
The risk management process is one based on knowledge and information. The responsibility for effective risk management rests solely on the corporate security function and, often, this function is overworked when trying to meet all of its business and protective security obligations. This strain can cause even the most effective security functions to operate on information that is not entirely up to date or accurate, leading to ineffective or inefficient security controls. Intelligence as a security function is designed specifically to fill this gap, and combining the two is common sense. An effective intelligence function will provide a more holistic and effective risk management process for any organisation. It is important that information feeds developed by the intelligence process are directed by those conducting the risk management process and that the information received is embedded in every step of the process. Both functions should be interrelated, as one cannot be truly effective without the other.
In the next issue, we will take a closer look at security intelligence and its operation within the security business unit; in particular, there will be a focus on how to integrate this into a security risk management process.