Security Experts:

A Deep Dive Into Decision Advantage

Cyber Intelligence

The Most Effective Intelligence Programs Focus on Providing a Decision Advantage Over the Threats and Adversaries That Matter Most

The fundamental purpose of intelligence -- regardless of where, when, or by whom it is consumed -- is to provide a decision advantage. So, what exactly is decision advantage? And why does it matter? And, most importantly, how does it help an organization mitigate risk or make better decisions about risk? Here’s what you need to know: 

Decision advantage is what results when intelligence enables a decision-maker to better understand and address an issue. It requires:

1) Intelligence that is timely, accurate, and relevant to a given issue and;

2) At least one decision-maker who possesses the expertise and resources needed to evaluate and action the intelligence within the context of the issue.

For example, let’s say the issue is an unpatched vulnerability in a company’s network. Intelligence revealing this issue prompted the company’s security team to patch the vulnerability before any adversaries could exploit it. This intelligence-driven decision to patch the vulnerability put the security team in a more advantageous position than any adversaries who may have sought to exploit it, thereby enabling the security team to gain a decision advantage over the adversaries. 

Decision advantage reinforces that the value of intelligence lies not in the intelligence itself but in the decisions it shapes and drives. This principle is crucial because it enables us to:

● Distinguish true intelligence from data and information: As I’ve written previously, neither data nor information serve the same purpose as intelligence, yet both are often mistakenly labeled and marketed as such. When an organization believes the data or information it’s consuming are actually intelligence, it could end up making uninformed decisions with unintended consequences. The good news is that the basic principles of decision advantage can help us distinguish data or information from true intelligence. Start with questions like “why is this intelligence relevant to my organization?”, “Does this intelligence make me more informed of the issue?”, or “If unaddressed, how could this issue impact my organization?”. If you cannot confidently answer these or similar questions, the intelligence in question is likely just data or information and therefore likely insufficient to support decision-making.

 ● More effectively measure the performance of an intelligence program: A common mistake among many intelligence programs is focusing on quantitative metrics rather than qualitative results that track how the entire business is better informed about the threats facing their organizations. While metrics such as the number of intelligence reports produced or indicators of compromise (IoCs) processed, for example, can provide useful insight into workflows and efficiency, they don’t tell us much about the extent to which the intelligence program is able to shape and drive decisions. The most effective intelligence programs, meanwhile, ensure their intelligence operations map directly to the decisions their stakeholders need to make. 

● Achieve better outcomes: One of the main reasons why decision-driven intelligence programs are often more successful is that they focus on delivering finished intelligence that map to the prioritized needs of the business. A widely consumable type of intelligence, finished intelligence is derived from relevant data that has been contextualized, deeply analyzed, and presented along with all requisite details needed to support decision-making and thus provide a decision advantage. Because finished intelligence tied to a stated business need is actionable in and of itself and doesn’t require its consumers to seek additional context or analysis before making a decision, effective decisions can often occur in less time, resulting in better outcomes. 

Although the concept of decision advantage may seem obvious, realizing it is not simple. A “checkbox” approach that continues to motivate many organizations may never really address the questions decision-makers need answered to give them a decision advantage. There’s no point in having an intelligence program unless you’re able to make better decisions. This is why the most effective intelligence programs focus on providing a decision advantage over the threats and adversaries that matter most to their organizations.   

view counter
Josh Lefkowitz is the CEO of Flashpoint, the global leader in Business Risk Intelligence (BRI) from the Deep & Dark Web. He has worked extensively with authorities to track and analyze terrorist groups. Lefkowitz also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.