Starting an intelligence program inside the enterprise can be an uphill climb, because in many cases, the security practitioners advocating most strongly for such programs lack control over necessary budget. And those with the reins on budget are often removed from the tactical or strategic benefits a well-executed intelligence program could bring to the business.
I’d like to share the following tips from my experience confronting these challenges to help security teams justify the business need and value of an intelligence program.
Security-related lines of business are often by nature siloed operations. Network administrators or desktop specialists may collaborate on network and endpoint security responsibilities but operate independently from non-security counterparts. It’s not uncommon for security teams to be uninformed about the core structures, stakeholders, and assets underpinning the business, making it impossible to define, much less demonstrate, how an intelligence program would benefit that business.
Engaging those lines of business is a crucial first step, followed closely by the realization that stakeholders responsible for assets throughout the business have a vested interest in protecting them. Security teams can build the trust and earn the support they need for an intelligence program by collaborating with these stakeholders, identifying, understanding, and prioritizing their assets, and then demonstrating how the program would help better protect the assets they care about most.
Many intelligence programs inside today’s enterprises have their roots in public-sector programs designed to support national security. Most of the terminology inherent to these programs, however, was never intended for a business environment and often fails to resonate with business-oriented audiences—including budgetary stakeholders with the authority to greenlight an intelligence program.
Perhaps the most glaring and immediate communication barrier to address is the difference between the concepts of risk and threat. Private-sector security and intelligence teams operate under terms anchored in the public sector and national security realms, meaning that discussions about operations and objectives center on language around threats rather than risk. Governments tend to be more risk-averse due to the grave potential impacts of many of the types of threats they confront.
Businesses, meanwhile, perceive threats and risk differently. Since they approach risk not through a national security lens but as a way to evaluate how a specific endeavor might grow the business, their appetite for risk is generally higher. Threats are simply seen as a factor that influences overall risk, and in order to make an effective business case for an intelligence program, it’s crucial to communicate its benefits in the context of risk.
Remember that many decision-makers are typically far removed from security-related lines of business, so they are likely unaware of all the strategic benefits to be gained from an intelligence program. Many may assume that an intelligence program will only support network defense or will do little more than augment existing security measures, for example. This is why it’s so important to educate and share use cases that illustrate how the right intelligence can support not just network defense teams but also fraud, physical security, M&A, insider threat, supply chain, and brand reputation teams, among others.
Making a business case for an intelligence program, as I’ve mentioned, can be a complex challenge. Although following the guidance explained above can help security practitioners overcome this challenge more effectively, these suggestions should serve purely as a starting point. Just as the most successful intelligence programs are tailored to the unique needs and objectives of a business and its stakeholders, the business case for such a program should also reflect these needs and objectives in a manner that is relevant, informative, and consumable for its target audience.