Business Risk Intelligence (BRI), as I’ve written previously, is becoming a new industry standard. As someone who’s faced the limitations of cyber threat intelligence (CTI) — BRI’s predecessor — firsthand, I can attest to the immense value to be gleaned from abandoning CTI’s indicator-centric approach in favor of a comprehensive BRI program. But since BRI’s enterprise-wide focus is a relatively new and less-familiar concept, I realize that some organizations might be unsure of how to initiate and maintain a BRI program effectively.
As such, I’d like to share the following tips and best practices to provide insight into some of the key components and processes of a successful BRI program:
Understand the Definition and Purpose of Intelligence
Regardless of an organization’s size, industry, or capability, attaining a clear understanding of the purpose and definition of intelligence is the first step in establishing a successful BRI program. Indeed, it’s crucial to recognize that much of what the industry has long as categorized as intelligence is actually just data or information.
By definition, all intelligence begins as raw data collected from any source deemed relevant. When we apply meaning and context to the data, it matures into information. The information becomes intelligence only once we have we have established the questions we would like the intelligence to answer and the specific purpose we would like the answer to serve.
The general purpose of intelligence, meanwhile, is to equip its consumer with the timely, accurate knowledge necessary to make decisions. This means that while keyword alerts, for example, are often depicted as intelligence within the scope of CTI programs, they aren’t really intelligence at all. Since these types of automated alerts are typically not enhanced with the additional context and analysis required to decipher what decision or action the organization should take in response, they are not intelligence and, more importantly, not something to strive for with BRI.
Establish Meaningful Intelligence Requirements
Before we begin gathering the data that will eventually become BRI, we first must determine what questions we will need our intelligence to answer. These needs are known as intelligence requirements (IRs). Not only do IRs enable us to prioritize our BRI needs, determine our data sources, and establish the type of analysis required to process that data, they help us identify which dissemination methods are most appropriate for the BRI we’ll ultimately produce.
Typically, the most effective IRs are highly specific, timely, tailored, and actionable. For example, executive protection teams seeking to integrate BRI into their strategy might be tempted to establish an IR like “are there physical threat actors we should be worried about?” However, this is far too broad. Instead, questions such as: “Will there be any physical threat actors in the vicinity of our CEO’s upcoming public appearance?” and “What are the capabilities and motivations of these threat actors?” are more specific, timely, and will therefore help produce BRI that is far more relevant and actionable.
While establishing IRs that align with the above guidance may seem obvious, the step is a common oversight among intelligence teams that may be blinded by vast amounts of data. These teams often lack direction and are driven by an approach that is far too broad to be effective. They may try to capture the data of all existing threats to all organizations, only to determine later which threats pose any risk whatsoever to their organization. Not only does too much data present a timely and tedious task for even the most capable of teams, it can impede the progress of those tasked with supporting critical decisions and upholding the operational continuity of their organization.
Foster Open Communication across Teams and Functions
Since BRI aims to address enterprise-wide risk, it naturally benefits from open collaboration and information sharing among teams and functions across the entire enterprise. After all, when intelligence operations are contained within certain teams or functions, others who might also benefit from or enhance such intelligence are unable to do so. But by integrating BRI and collaborating across business units, you can learn to apply intelligence more broadly to address a wider array of use cases.
For example, let’s say an intelligence analyst at your organization is monitoring a Deep & Dark Web forum and observes an adversary who appears to be seeking to physically harm your CEO. Given that your role is cybersecurity, however, you’re unsure how to respond. Who is the adversary? Where are they located? Are their claims credible? How can you protect your CEO? In such a scenario, working with the physical security and executive protection teams at your organization can provide greater insight into the physical threat landscape, help you to better assess the adversary’s claims, and enable all parties involved to mitigate the CEO’s physical security risk.
Ultimately, BRI has not become the new industry standard because it helps detect the existence of threats or collect technical indicators. BRI has become the new industry standard because it can provide organizations across all sectors with an ongoing decision advantage over threats and adversaries. While some organizations may face uncertainties and implementation challenges during the early stages of a BRI program, as intelligence professionals we know that effective decision-making and mitigation tactics require strategic planning, continual adjustments, and ongoing collaboration — all of which are foundational to BRI.