Avoiding Surprises and Taking Action to Build a Protective Intelligence Program
Knowing the threats your company faces is a crucial but often overlooked first step in any successful protective intelligence program. This information serves as the “center of gravity” — directing you to determine what data to collect and where to spend your time.
From here, there are many ways to structure teams and resources to protect against unwanted surprises, but there are a few overarching elements that successful programs have in common.
We discussed this topic and more during a panel at the 2022 Ontic Summit. Amy Sullivan, VP of Client Experience at Ontic served as the moderator with Josh Levin, Senior Director of Global Security Intelligence & Operations at Take-Two Interactive, Martin Culbreth, Chief Security Officer at Smithfield, and Amanda Mason, VP of Intelligence at Related Companies joining as panelists.
An edited excerpt of the panel discussion follows.
Amy: What do you consider to be the basic requirements to build a successful protective intelligence program?
Levin: Demonstrating the value and credibility of security intelligence goes beyond making sure the program meets the strategic goals of the company — it has to be presented in a culturally friendly way. Some prefer white papers, while others prefer emails, briefings or SPOT reports.
Mason: Recognize the threat landscape and how it’s going to impact your business. Identify the stakeholders and understand their requirements and what threats they care about.
Amy: What advice do you have for security leaders who are looking to transform security programs that have done it the same way for years?
Mason: Go into the environment and be agile — understand the cultural change and see the threat landscape evolving. If someone is stuck in their ways, they’re likely to miss something. Working with the younger generation provides insights. Keep the partnership with the predecessors, but build more. Continue to grow and educate, develop relationships with local government and law enforcement.
Amy: When building out a team for your protective intelligence, what kind of talent do you look for?
Levin: I try to find people with professionally diverse backgrounds. I like people who have been in both government and private sector and especially those who have real mission-planning and intel experience. However, it depends on the needs of the organization. If the organization is looking for strategic white papers, that is a very different strength than intel analysis for mission planning, which is very operational and tactical. Ideally, you want people with all of these skills.
Culbreth: For me, I need someone to offset different strengths from myself and my team. If one person has experience in insider threats, then that is a key ingredient that we want to build off of. We have a divergent program, so bringing in someone who can help manage it is helpful.
Amy: What processes for collecting intelligence did you put in place to set your team up for success?
Mason: Since we’re building a program from scratch, we’re learning as we go. We had to educate executives on what they need to care about — what is going on that is important and could affect the team or business. We had to do a communication flow because once you start getting the information you need to control how it flows up and down. In intel, we want free thinkers but as an intel group, we need information to pass through the right channels and teams.
Amy: Do you have fixed protocols when developing a program you’ll never deviate from?
Levin: I develop a pillar charter for an overall pillar. For security intelligence, we draft the general charter that provides a framework for pillar objectives, services provided and audiences, as well as budget and resource requirements. I then develop program charters for each program under a pillar. For example, under security intelligence, we draft charters for safe/respectful workplace programs, threat assessment, etc. Then, we build out projects by priority under each program.
Amy: We often find that our clients are constantly working to become cross-functionally important across the organization. Has it been challenging to get internal buy-in and secure budget for building your program – what has worked and what hasn’t?
Culbreth: Yes, being in my role only 15 months, I’ve had to quickly learn the company — how it works and how to bring security into it. Trying to get a budget is tough when there’s no specific framework in place. I started by working with finance and leadership at each of the plant locations. You can’t work alone, and I’ve learned the legal department is probably your best ally.
Amy: What hurdles did you encounter, and what valuable lessons did you learn from those earlier days in developing programs that seem like timeless wisdom that still apply today?
Levin: Look for early victories to demonstrate value and credibility. Don’t ask for a bloated budget before you show the need and benefit. Make sure your analysts are aware of biases, and when they design an analytical model, they should be transparent about design flaws.
Mason: Coming from a military background, it’s all about doom and gloom, so educating executives while also changing my language so that my message still resonates is something I still carry with me.