It’s Crucial to Communicate the Benefits of an Intelligence Program in the Context of Risk
There are many challenges inherent to starting an intelligence program, but making a business case for one can be among the most difficult. A primary reason for this challenge is that the security practitioners who typically advocate for—and see the most value in—such a program are rarely the ones who control the budget. Meanwhile, budgetary stakeholders are often far removed from the tactical benefits and, in many cases, are unaware of the strategic benefits that a well-executed intelligence program can bestow upon the business.
Based on my own experiences confronting these types of challenges throughout my career, the following tips can help security teams to effectively justify the business need for, and value of, an intelligence program:
Understand the business
The often-siloed structure of security-related lines of business means that while such teams tend to be closely aligned with one another–network defense and endpoint security, for example–many operate independently from their non-security counterparts. As a result, it’s not uncommon for security teams to be uninformed about the core structures, stakeholders, and assets underpinning the business. And without fully grasping how a business operates, it is nearly impossible to define, much less demonstrate, how an intelligence program would benefit that business.
The first step toward overcoming this challenge is engaging other lines of business. Keep in mind that assets exist throughout the business, as do key stakeholders who rely on these assets and care about protecting them. Security teams can build the trust and earn the support they need for an intelligence program by collaborating with these stakeholders, identifying, understanding, and prioritizing their assets, and then demonstrating how the program would help better protect the assets they care about most.
Overcome communication barriers
Much of the terminology that has long been adopted among commercial-sector intelligence programs hails from the public sector, where intelligence programs were developed to support national security. However, most of this terminology was never intended for a business environment, and as a result, it tends to not resonate as well with business-oriented audiences–including budgetary stakeholders with the authority to greenlight an intelligence program.
One of the largest culprits of communication barriers is the notion of risk versus threat. Because many commercial-sector security and intelligence practitioners, as I mentioned previously, rely on terminology that was initially conceived for the national security space, they tend to discuss their operations and objectives more with respect to threats than with risk. After all, governments tend to be more risk-averse due to the grave potential impacts of many of the types of threats they confront.
Most businesses, meanwhile, perceive threats and risk differently. Since they approach risk not from a national security lens but to evaluate how a specific endeavor might grow the business, their appetite for risk is generally higher. Threats are simply seen as a factor that influences overall risk.This is why, in order to make an effective business case for an intelligence program, it’s crucial to communicate the benefits of such a program in the context of risk.
Remember that many decision-makers are typically far removed from security-related lines of business, so they are likely unaware of all the strategic benefits to be gained from an intelligence program. Many such decision-makers may assume that an intelligence program will only support network defense or will do little more than augment existing security measures, for example. This is why it’s so important to educate and share use cases that illustrate how the right intelligence can support not just network defense teams but also fraud, physical security, M&A, insider threat, supply chain, and brand reputation teams, among others.
Making a business case for an intelligence program, as I’ve mentioned, can be a complex challenge. Although following the guidance outlined above can help security practitioners overcome this challenge more effectively, these suggestions should serve purely as a starting point. Just as the most successful intelligence programs are tailored to the unique needs and objectives of a business and its stakeholders, the business case for such a program should also reflect these needs and objectives in an manner that is relevant, informative, and consumable for its target audience.